You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2012/08/12 05:27:19 UTC
[Bug 6823] New: Malformed messages allow evasion of URIBL checks
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
Priority: P2
Bug ID: 6823
Assignee: dev@spamassassin.apache.org
Summary: Malformed messages allow evasion of URIBL checks
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: md@linux.it
Hardware: PC
Status: NEW
Version: 3.3.2
Component: Tools
Product: Spamassassin
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] [review] Malformed messages allow evasion of URIBL checks
/ Last body line skipped if multipart end boundary missing
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
--- Comment #8 from Mark Martinec <Ma...@ijs.si> ---
> Ok patch as is in trunk..
> Committed revision 1372304.
+1 looks alright to me (code inspection)
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] [review] Malformed messages allow evasion of URIBL checks
/ Last body line skipped if multipart end boundary missing
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
Henrik Krohns <he...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Malformed messages allow |[review] Malformed messages
|evasion of URIBL checks |allow evasion of URIBL
| |checks / Last body line
| |skipped if multipart end
| |boundary missing
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] Malformed messages allow evasion of URIBL checks
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
--- Comment #5 from Henrik Krohns <he...@hege.li> ---
Created attachment 5085
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5085&action=edit
Proposed fix
Here's a minimum change patch proposal.
I've run it against 20000s/10000h multipart messages and reviewed the diffs of
internal data (Data::Dumper(find_parts)) by hand. Zero differences in ham and
only few dozen cases of missing end boundary in spam. But that's my very old
corpus.
So the change looks safe to me.. waiting for another opinion to commit. ;-)
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] Malformed messages allow evasion of URIBL checks
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
--- Comment #3 from Marco d'Itri <md...@linux.it> ---
Just to be clear: URIBL checks fail because the last line of these messages is
not considered part of the body, so uri and rawbody rules do fail as well. A
full rule is needed to be able to match the line content.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] Malformed messages allow evasion of URIBL checks
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
--- Comment #2 from Marco d'Itri <md...@linux.it> ---
Created attachment 5083
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5083&action=edit
A malformed message which allows evading URI checks.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] Malformed messages allow evasion of URIBL checks
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
Marco d'Itri <md...@linux.it> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |md@linux.it
Component|Tools |Libraries
--- Comment #1 from Marco d'Itri <md...@linux.it> ---
A malformed MIME message with an URI in the last line of the full body allows
perfectly evading URIBL checks, because the URI is totally ignored.
This has been used by a spamming operation for months with massive spam-runs.
See the attached sample for details.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] [review] Malformed messages allow evasion of URIBL checks
/ Last body line skipped if multipart end boundary missing
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
--- Comment #7 from Henrik Krohns <he...@hege.li> ---
Ok patch as is in trunk..
Sending Message.pm
Transmitting file data .
Committed revision 1372304.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] Malformed messages allow evasion of URIBL checks
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
Henrik Krohns <he...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hege@hege.li
--- Comment #4 from Henrik Krohns <he...@hege.li> ---
It seems Message.pm does not handle missing boundary end well. From what I see,
it has been like this since 2004..
# if we're on the last body line, or we find any boundary marker,
# deal with the mime part
if ( --$line_count == 0 || (defined $boundary &&
/^--\Q$boundary\E(?:--)?\s*$/) ) {
my $line = $_; # remember the last line
After that, there's nothing adding the "remembered $line" to body array, so
indeed it goes missing. I could come up with a quick patch, not sure if there
are any caveeats..
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] [review] Malformed messages allow evasion of URIBL checks
/ Last body line skipped if multipart end boundary missing
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
Henrik Krohns <he...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #9 from Henrik Krohns <he...@hege.li> ---
I guess it works so resolved.
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] [review] Malformed messages allow evasion of URIBL checks
/ Last body line skipped if multipart end boundary missing
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
João Gouveia <jo...@anubisnetworks.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |joao.gouveia@anubisnetworks
| |.com
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 6823] [review] Malformed messages allow evasion of URIBL checks
/ Last body line skipped if multipart end boundary missing
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823
Kevin A. McGrail <km...@pccc.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@pccc.com
--- Comment #6 from Kevin A. McGrail <km...@pccc.com> ---
+1 from me. I would say this is urgent and needs testing but from your code,
you are just pushing the last part of the message into the buffer and I can't
predict many issues.
Great catch.
And definitely open another ticket for the idea " Could "missing end boundary"
be a useful rule?"
I don't think the concern that the message was modified/corrupted along the way
should be consider valid. It will fail many other checks such as DKIM as well.
regards,
KAM
--
You are receiving this mail because:
You are the assignee for the bug.