On 03/16/2015 10:54 AM, Per Jessen wrote:
I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST
scoring on many legitimate mails. E.g. from linkedin and distrelec.
For instance:
http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
When the above was processed I noticed this in the log:
spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A
class=IN) failed: a domain name contains a null label
As far as I can tell, the email above contains no such uri.
I grep'ed a bit and found some more:
http://files.jessen.ch/more-dotdot.txt
I'm pretty certain 99% of those are false positives. Probably a hiccup
on my installation, I was just wondering if anyone else is seeing this?
your more-dotdot.txt log shows what could be a bug somewhere.
Pls open a bug & attach that log and the distrelec news eml with all
relevant detail
if you have more verified sample msgs which don't include a .. in the
URL yet log .., pls attach a few for dev team to work with.
Thanks
Axb
