On Tue, 20 Oct 2015, Amir Caspi wrote:

> On Oct 19, 2015, at 1:16 PM, RW <rwmailli...@googlemail.com> wrote:
>
>> body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist()
>> header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
>>
>> These appear to be the same thing. The first call is just a shorthand
>> form for the second. I don't see where headers come into it. I think the
>> second rule is probably just a mistake.
>
> So, following up on this... do any of the main devs see the second rule
> as a problem? It seems to be that a header rule shouldn't be checking
> URI hosts, but even if so, it absolutely shouldn't be hitting when those
> hosts aren't even in the headers (per the two spamples I posted).

My default assumption for the behavior of a header eval() rule would be
that it only checks message headers. If that's not the case (as you
describe) then I'd agree the rule is a problem, especially if it leads to
duplicate hits.

Whether that's a bug in the documentation, or a bug in the rules, or a bug
in eval(), or a bug in the implementation of check_uri_host_*, I can't
really say at this point.

Speculation: If the check_uri_host_* eval()s are looking only at the URI
list regardless of the rule type (i.e. it always behaves as if it was a
uri rule) then I'd say that needs to be documented clearly (if it isn't
documented by more than just an example uri rule) and the rules fixed to
remove the duplicate hits. If the intent of the eval()s was to respect the
rule type, it's apparently not doing that.

I don't have time at the moment to dig around in the code to see what it's
doing and whether it's a documentation/rule issue or an eval() code issue.

> Kevin, John, others?
>
> Obviously this is only causing a few rare FPs, and presumably it would
> most likely affect this or some other spam-discussion list... but it
> appears to be a bug, no?
>
> Thanks!
>
> --- Amir

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
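
An added example, not part of the original message and not SpamAssassin's own code: a small lint pass over rule text that reports the two conditions discussed in the thread, a URI-host eval declared as a header rule and two rules that resolve to the same eval call (duplicate hits). The shorthand mapping follows RW's statement above; the function names, finding labels and the third sample rule are constructed for illustration.

```python
import re
from collections import defaultdict

# Shorthand evals mapped to their canonical form, per the thread's statement that
# check_uri_host_in_blacklist() is shorthand for check_uri_host_listed('BLACK').
SHORTHAND = {"check_uri_host_in_blacklist": ("check_uri_host_listed", "BLACK")}

RULE_RE = re.compile(
    r"^\s*(?P<type>\w+)\s+(?P<name>\w+)\s+eval:(?P<func>\w+)\((?P<args>[^)]*)\)\s*$")

def parse_rules(text):
    """Yield (rule_type, name, canonical_func, canonical_args) for each eval rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        func = m["func"]
        args = tuple(a.strip().strip("'\"") for a in m["args"].split(",") if a.strip())
        if func in SHORTHAND and not args:
            func, list_name = SHORTHAND[func]
            args = (list_name,)
        yield m["type"], m["name"], func, args

def lint(text):
    """Return findings as (kind, rule_names) tuples."""
    groups = defaultdict(list)
    findings = []
    for rtype, name, func, args in parse_rules(text):
        groups[(func, args)].append(name)
        # The thread's concern: a header-type rule calling a URI-host eval.
        if func.startswith("check_uri_host_") and rtype == "header":
            findings.append(("type-mismatch", (name,)))
    for names in groups.values():
        if len(names) > 1:  # same eval, same arguments: both rules hit together
            findings.append(("duplicate-eval", tuple(names)))
    return findings

# Constructed sample: the two rule lines quoted in the thread, plus a placeholder
# rule (hypothetical name and eval) that should produce no finding.
SAMPLE = """\
body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist()
header HEADER_HOST_IN_BLACKLIST eval:check_uri_host_listed('BLACK')
body EXAMPLE_OTHER_RULE eval:check_example_placeholder()
"""

if __name__ == "__main__":
    for kind, names in lint(SAMPLE):
        print(kind, ", ".join(names))
```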