Package: spamassassin
Severity: normal
Tags: patch
Version: 3.1.7-2

Hi

I got a mail from a friend who I'm confident actually uses a hotmail
account and does not forge it.

Some of the headers looked like this:

Delivery-date: Tue, 31 Jul 2007 18:54:13 +0200
Received: from bay0-omc1-s37.bay0.hotmail.com ([65.54.246.109])
        by bixbite.opalsys.net with esmtp (Exim 4.63)
        (envelope-from <[EMAIL PROTECTED]>)
        id 1IFuyo-0004dd-PF
        for [EMAIL PROTECTED]; Tue, 31 Jul 2007 18:54:13 +0200
Received: from BAY126-W3 ([65.55.131.38]) by bay0-omc1-s37.bay0.hotmail.com
        with Microsoft SMTPSVC(6.0.3790.2668);
        Tue, 31 Jul 2007 09:52:58 -0700
Message-ID: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
        boundary="_ae6636d4-147e-4396-9224-fc39571484bf_"
X-Originating-IP: [213.65.225.224]

It was classified as:

 2.2 FORGED_HOTMAIL_RCVD    Forged hotmail.com 'Received:' header found
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.9 HTML_10_20             BODY: Message is 10% to 20% HTML
 0.5 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.4 DNS_FROM_RFC_POST      RBL: Envelope sender in postmaster.rfc-ignorant.org

The main problem here is that it classified this mail as a HOTMAIL
forge, but it is not. The reason behind that is in
/usr/share/perl5/Mail/SpamAssassin/EvalTests.pm
because it does not handle when the from line contains an IP.

So I checked this IP 65.54.246.109 with whois and found that 65.54.*.* is
all Microsoft. This means that it can be allowed.

The attached patch should fix this problem. I have not verified it yet
though.

Best regards,

// Ola

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  [EMAIL PROTECTED]                   Annebergsslingan 37        \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD            |
|  http://opalsys.net/               Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

--- /usr/share/perl5/Mail/SpamAssassin/EvalTests.pm~ 2007-02-15 06:28:21.000000000 +0100 +++ /usr/share/perl5/Mail/SpamAssassin/EvalTests.pm 2007-07-31 20:53:29.000000000 +0200 @@ -360,6 +360,8 @@ if ($rcvd =~ /from \S*hotmail.com \(\S+\.hotmail(?:\.msn)?\.com[ \)]/ && $ip) { return; } + if ($rcvd =~ /from \S*hotmail.com \(\[65\.54.*\]\)/ && $ip) + { return; } if ($rcvd =~ /from \S+ by \S+\.hotmail(?:\.msn)?\.com with HTTP\;/ && $ip) { return; } if ($rcvd =~ /from \[66\.218.\S+\] by \S+\.yahoo\.com/ && $ip)
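
Review bot: In the added condition, \(\[65\.54.*\]\) is looser than the stated intent of allowing 65.54.*.*, because the greedy .* accepts any characters after "65.54" up to the last "])" in the header rather than exactly two more dotted octets, so a bracketed value that merely begins with 65.54 (for example 65.540...) also passes. Bounding it as \(\[65\.54\.\d{1,3}\.\d{1,3}\]\) keeps the exemption to the /16 named in the report. The dot in hotmail.com is also unescaped here, as in the context line above it, and \S*hotmail\.com would say what is meant. The report says the change has not been verified, so it should at least be run against the quoted Received line (bay0-omc1-s37.bay0.hotmail.com ([65.54.246.109])), and a short comment recording that the range was taken from a whois lookup would help whoever has to revisit this hard-coded prefix later.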