Re: problem of extracting IP string from header (bug?)

2005-08-17 Thread mouss

Justin Mason wrote:


> Hi --
>
> unfortunately the space is required, and appears in the output from the
> MTAs that I'm aware of.  It appears that the nifty.com mailserver is
> producing unusual headers there.

 

The code may however be modified to account for such things, I think,
because conformant or not, this doesn't seem hard to parse. But I may
be missing something, of course.


Re: problem of extracting IP string from header (bug?)

2005-08-17 Thread Loren Wilton
> unfortunately the space is required, and appears in the output from the
> MTAs that I'm aware of.  It appears that the nifty.com mailserver is
> producing unusual headers there.

Justin, this sounds very similar to the (I believe bz) report a few days ago
where someone suggested spammers may be doing this deliberately in faked
received headers.

Loren



RE: problem of extracting IP string from header (bug?)

2005-08-17 Thread Pierre Thomson
If this header line was faked, it would be inappropriate to run DNSBLs on it.

If it was not faked, the receiving MTA at nifty.com is not RFC conformant.  To 
me it doesn't look faked; see the header excerpt below.  Most likely it's just 
a case of a misconfigured MTA.

Now, whether or not SA should parse malformed Received lines is another 
question...

Pierre



Received: from localhost ([127.0.0.1])
    by vawr.pblnet.local with esmtp (Exim 4.50)
    id 1E56bi-5v-PL
    for [EMAIL PROTECTED]; Wed, 17 Aug 2005 03:56:18 +0900
Received: from pop.nifty.com [202.248.238.11]
    by localhost with POP3 (fetchmail-6.2.5.2)
    for [EMAIL PROTECTED] (single-drop); Wed, 17 Aug 2005 03:56:18 +0900 (JST)
Received: by mbox53.nifty.com id 430236b0494c63;
    Wed, 17 Aug 2005 03:55:44 +0900
Received: from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id j7GItZAo029596;
    Wed, 17 Aug 2005 03:55:36 +0900
To: Alfonzo Seifert [EMAIL PROTECTED]




-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 17, 2005 7:44 AM
To: users@spamassassin.apache.org
Subject: Re: problem of extracting IP string from header (bug?)


> unfortunately the space is required, and appears in the output from the
> MTAs that I'm aware of.  It appears that the nifty.com mailserver is
> producing unusual headers there.

Justin, this sounds very similar to the (I believe bz) report a few days ago
where someone suggested spammers may be doing this deliberately in faked
received headers.

Loren



Re: problem of extracting IP string from header (bug?)

2005-08-17 Thread Justin Mason
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Loren Wilton writes:
> > unfortunately the space is required, and appears in the output from the
> > MTAs that I'm aware of.  It appears that the nifty.com mailserver is
> > producing unusual headers there.
>
> Justin, this sounds very similar to the (I believe bz) report a few days ago
> where someone suggested spammers may be doing this deliberately in faked
> received headers.

yes, but looking at the sample, it's a real header.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDA4oCMJF5cimLx9ARAo4pAKC9wxEo/QOXJSUBGWyiWWl5iIG8pwCdE6aD
hNA2zWquR/wfAJ8mprv+MAo=
=z9w9
-----END PGP SIGNATURE-----



Re: problem of extracting IP string from header (bug?)

2005-08-17 Thread Justin Mason
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Pierre Thomson writes:
> If this header line was faked, it would be inappropriate to run DNSBLs on it.
>
> If it was not faked, the receiving MTA at nifty.com is not RFC
> conformant.  To me it doesn't look faked; see the header excerpt
> below.  Most likely it's just a case of a misconfigured MTA.
>
> Now, whether or not SA should parse malformed Received lines is another
> question...

Yes.

We're reasonably happy to do this if it's seen widely -- e.g. if a certain
version of sendmail or Exchange is released that does this -- but if it's
one or two MTAs, it's better to fix the MTA instead.

- --j.

> Pierre
>
> Received: from localhost ([127.0.0.1])
>     by vawr.pblnet.local with esmtp (Exim 4.50)
>     id 1E56bi-5v-PL
>     for [EMAIL PROTECTED]; Wed, 17 Aug 2005 03:56:18 +0900
> Received: from pop.nifty.com [202.248.238.11]
>     by localhost with POP3 (fetchmail-6.2.5.2)
>     for [EMAIL PROTECTED] (single-drop); Wed, 17 Aug 2005 03:56:18 +0900 (JST)
> Received: by mbox53.nifty.com id 430236b0494c63;
>     Wed, 17 Aug 2005 03:55:44 +0900
> Received: from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id j7GItZAo029596;
>     Wed, 17 Aug 2005 03:55:36 +0900
> To: Alfonzo Seifert [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 17, 2005 7:44 AM
> To: users@spamassassin.apache.org
> Subject: Re: problem of extracting IP string from header (bug?)
>
> > unfortunately the space is required, and appears in the output from the
> > MTAs that I'm aware of.  It appears that the nifty.com mailserver is
> > producing unusual headers there.
>
> Justin, this sounds very similar to the (I believe bz) report a few days ago
> where someone suggested spammers may be doing this deliberately in faked
> received headers.
>
> Loren
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDA4pNMJF5cimLx9ARAqhzAKCHME9doPwIdQULpax1J/tG4YrorwCgik5o
s+Cto9ig1lyFcxMOFnqS//Y=
=lyS4
-----END PGP SIGNATURE-----



Re: problem of extracting IP string from header (bug?)

2005-08-17 Thread mouss

Justin Mason wrote:


> We're reasonably happy to do this if it's seen widely -- e.g. if a certain
> version of sendmail or Exchange is released that does this -- but if it's
> one or two MTAs, it's better to fix the MTA instead.


OK, I fixed it ;-p Come on...
It's easier for me to believe that SA is designed to detect spam only if
it travels across conformant MTAs.

Too bad...



problem of extracting IP string from header (bug?)

2005-08-16 Thread MATSUDA Yoh-ichi
Hello, spamassassiners.

Nowadays, many people are discussing 'uk.geocities.com' redirecting spam.
I have received many of these spams too.

By the way, I found a problem with SpamAssassin's IP-string extraction
function.

My SpamAssassin (3.0.4) failed to detect the host IP of almost all
'uk.geo' spam and to execute the DNSBL procedure.

For example, with the header below, SA failed to execute DNSBLs.

| Received: from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id j7GItZAo029596;
|   Wed, 17 Aug 2005 03:55:36 +0900

But with the header below, SA succeeded in executing DNSBLs.

| Received: from makorsha.biz ([218.64.103.25]) by mxg509.nifty.com with SMTP id j7GItZAo029596;
|   Wed, 17 Aug 2005 03:55:36 +0900

Yes, the only difference is a whitespace inserted between the IP string and 'by ...'.

It seems to be a bug in SA 3.0.4.
Has the problem been fixed in 3.1.0-rc1?
My Linux box runs Debian sarge, and the 3.1.0-rc1 Debian package has not
been released yet, so I can't test it on rc1.

Thanks,
--
Nothing but a peace sign.
Yoh-ichi MATSUDA(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)

Attached files are sample spams.
You can test:

$ spamassassin -t -D < 1830_org.txt 2>&1 | less
$ spamassassin -t -D < 1830_modified.txt 2>&1 | less


Attachment: samplespams.tar.gz
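The whole thread turns on two things: whether a Received-line parser should accept "])by" with no whitespace (Justin's "the space is required"), and Pierre's point that a DNSBL must not be run on a hop that could have been forged. The Python below is an added example written for this page; it is not SpamAssassin's own (Perl) parser and not code from any poster. It unfolds the header excerpt quoted in the thread, parses each Received line with a strict grammar (whitespace required before "by") and a lenient one ("\s*"), and then picks DNSBL candidates by walking the hops top-down and stopping at the first relay not in a trusted set. The TRUSTED set (the recipient's box, its fetchmail hop and the nifty.com MX) and the DNSBL zone name are assumptions for the demonstration; the extra sendmail-style line is constructed.

```python
"""Extract the connecting IP from Received: headers, strictly or leniently,
and decide which hops may be fed to a DNSBL."""
import re
from ipaddress import ip_address

# Header excerpt quoted in the thread. Folded continuation lines start with
# whitespace; the last Received line carries the missing space ("])by").
RAW_HEADERS = (
    "Received: from localhost ([127.0.0.1])\n"
    "\tby vawr.pblnet.local with esmtp (Exim 4.50)\n"
    "\tid 1E56bi-5v-PL\n"
    "\tfor [EMAIL PROTECTED]; Wed, 17 Aug 2005 03:56:18 +0900\n"
    "Received: from pop.nifty.com [202.248.238.11]\n"
    "\tby localhost with POP3 (fetchmail-6.2.5.2)\n"
    "\tfor [EMAIL PROTECTED] (single-drop); Wed, 17 Aug 2005 03:56:18 +0900 (JST)\n"
    "Received: by mbox53.nifty.com id 430236b0494c63;\n"
    "\tWed, 17 Aug 2005 03:55:44 +0900\n"
    "Received: from makorsha.biz ([218.64.103.25])by mxg509.nifty.com with SMTP id j7GItZAo029596;\n"
    "\tWed, 17 Aug 2005 03:55:36 +0900\n"
    "To: Alfonzo Seifert [EMAIL PROTECTED]\n"
)

# Assumption: relays the recipient operates or receives through (own box,
# fetchmail hop, nifty.com MX). Matched on the "by" host and on the IP,
# never on the HELO name alone, since HELO is chosen by the sender.
TRUSTED = {"localhost", "127.0.0.1", "vawr.pblnet.local",
           "pop.nifty.com", "202.248.238.11", "mxg509.nifty.com"}

# "from HELO (rDNS [IP]) by HOST". The strict form requires whitespace before
# "by", as the thread says conformant MTAs produce and SA 3.0.4 expects; the
# lenient form lets "])by" through.
_FROM_BY = (r"from\s+(?P<helo>\S+)\s*\(?(?:(?P<rdns>[^\s()\[\]]+)\s+)?"
            r"\[(?P<ip>[0-9.]+)\]\)?{gap}by\s+(?P<by>\S+)")
RECEIVED_STRICT = re.compile(_FROM_BY.format(gap=r"\s+"), re.I)
RECEIVED_LENIENT = re.compile(_FROM_BY.format(gap=r"\s*"), re.I)


def unfold_headers(raw):
    """RFC 2822 unfolding: a line starting with WSP continues the previous field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value, strict=False):
    """Return {'helo', 'ip', 'by'} for one unfolded Received value, or None."""
    m = (RECEIVED_STRICT if strict else RECEIVED_LENIENT).search(value)
    if not m:
        return None
    try:
        ip = ip_address(m.group("ip"))   # rejects "999.1.1.1" and similar junk
    except ValueError:
        return None
    return {"helo": m.group("helo"), "ip": str(ip), "by": m.group("by")}


def relay_chain(raw, strict=False):
    """Parsed hops, topmost (most recently prepended) Received line first."""
    return [parse_received(v, strict)
            for n, v in unfold_headers(raw) if n.lower() == "received"]


def dnsbl_candidates(hops, trusted):
    """IPs worth a DNSBL lookup: recorded by a trusted relay, not one of ours,
    and globally routable. Walk top-down and stop at the first hop written by
    an untrusted relay; everything below it is whatever the sender chose to
    write, so querying it would score forged data."""
    out = []
    for hop in hops:
        if hop is None:
            continue                    # "Received: by ..." with no from-clause
        if hop["by"] not in trusted:
            break
        if hop["ip"] in trusted or not ip_address(hop["ip"]).is_global:
            continue                    # our own hop, or loopback/private space
        out.append(hop["ip"])
    return out


def dnsbl_query_name(ip, zone):
    """Reversed-octet query name under a DNSBL zone (zone is a placeholder
    parameter; no real list is named here). IPv4 only."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


if __name__ == "__main__":
    for strict in (True, False):
        hops = relay_chain(RAW_HEADERS, strict=strict)
        print("strict" if strict else "lenient",
              [h["ip"] if h else None for h in hops],
              dnsbl_candidates(hops, TRUSTED))
```

With the strict grammar the makorsha.biz hop parses as None and no DNSBL lookup happens, which is exactly the symptom reported; with the lenient one it yields 218.64.103.25 as the single candidate. The trust walk is what makes leniency safe: accepting a sloppy "])by" only matters on a line written by a relay you trust, and any line below the first untrusted relay is never queried regardless of how well-formed it looks.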