Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2004/04/22 22:09:19 UTC

[Bug 3293] New: Possible denial of service because of AWL and GTUBE combination

http://bugzilla.spamassassin.org/show_bug.cgi?id=3293

           Summary: Possible denial of service because of AWL and GTUBE
                    combination
           Product: Spamassassin
           Version: 2.63
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: spamassassin
        AssignedTo: spamassassin-dev@incubator.apache.org
        ReportedBy: v13@priest.com


Anyone can cause mails to be lost on every host/user that uses AWL. 
 
Suppose that I want to 'attack' user A. Then I'll send him about 1000 emails
using email addresses that the user possibly gets mail from and include the
GTUBE string in them. This will cause a score of 1000.
 
This way the AWL will have a very very very high score for all those emails.
This will lead to a couple of mails being lost for each of those 'from's.
 
The worst part comes next since user A gets a mail with score 1000. After that
he gets another one that AWL boosts it to (let's say) 800... etc etc... The
'from' email address will be almost useless because no rule can really
decrease the score of the GTUBE test.
 
I've sent an email from a user using his own email as from and to and I've 
included GTUBE string in the mail. After that I sent about 30 mails that were 
lost because of AWL (using auto_whitelist_factor 0.2). This user was using M$ 
outlook and html messages so there were some points from that too. 
 
Now this gets really bad when bayes autolearning is used since this way 
someone can easily train bayes to produce 99% probability just by forwarding 
common mails and including the GTUBE string. 
 
I believe that a warning about GTUBE risks should be included in the 
documentation or the GTUBE should not be considered for AWL and bayes. 
 
Apart from that, keep up the great work!
 
Thanks in advance 
 
<<V13>>
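
The arithmetic behind the report, as an added example that is not part of the original message and is not SpamAssassin code: it models the documented `auto_whitelist_factor` rule (final = score + (mean - score) * factor) and counts how many later legitimate mails from one sender stay above the threshold after a single GTUBE-scored entry, with and without the reporter's proposal of keeping GTUBE hits out of the AWL. The threshold of 5.0, the ham score of 1.0, and the names `AwlEntry` and `lost_after_gtube` are assumptions made for the illustration.

```python
# Added illustration, not SpamAssassin code. Models the documented AWL rule:
#   final = score + (mean - score) * factor
# where mean is the sender's average pre-AWL score over earlier messages.

GTUBE_SCORE = 1000.0   # score the report attributes to a GTUBE hit
REQUIRED = 5.0         # assumed spam threshold (SpamAssassin default)


class AwlEntry:
    """Per-sender running total, modelled as a sum and a message count."""

    def __init__(self):
        self.total = 0.0
        self.count = 0

    def adjust(self, score, factor, learn=True):
        """Return the AWL-adjusted score, then record the pre-AWL score."""
        final = score
        if self.count:
            mean = self.total / self.count
            final = score + (mean - score) * factor
        if learn:
            self.total += score
            self.count += 1
        return final


def lost_after_gtube(ham_score, factor, exclude_gtube=False, limit=10000):
    """Count legitimate mails kept at or above REQUIRED after one GTUBE mail.

    exclude_gtube=True models the reporter's proposal: a message that hits
    GTUBE is scored but never written into the AWL.
    """
    entry = AwlEntry()
    entry.adjust(GTUBE_SCORE, factor, learn=not exclude_gtube)
    lost = 0
    for _ in range(limit):
        if entry.adjust(ham_score, factor) < REQUIRED:
            break
        lost += 1
    return lost


if __name__ == "__main__":
    for factor in (0.2, 0.5):
        print(f"factor={factor}: {lost_after_gtube(1.0, factor)} mails lost, "
              f"{lost_after_gtube(1.0, factor, exclude_gtube=True)} with GTUBE excluded")
```

In this model the number of affected mails grows with the factor, because a larger factor pulls each new message further toward the poisoned mean.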


