Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/05/11 12:58:19 UTC

SPAMassassin headers misplaced and follow message body

Greetings,

I saw a SPAM message with the SPAMassassin message headers
(X-spam headers) grossly out of sequence.  The message
was recognized as SPAM ... but because the X-spam headers
were written in the wrong part of the message, it was able
to 'appear' as a non-SPAM message.

I have included all of the headers ... just replaced
the message content with '[snip]' ... you'll see those
headers below my name.

Here is what I can see is wrong in the message headers
after being processed by SPAMassassin ...

(a) the message has 2 'Subject:' headers

(b) the first subject header is the original unmodified
     header from the SPAMmer: 'Subject: Urgent Security Notice'

(c) the second subject header is what SPAMassassin
     generated: 'Subject: *****SPAM***** '

(d) the message was recognized as SPAM ... 'X-Spam-Flag: YES'

(e) all of the X-Spam- headers follow the message body

(f) this probably resulted from intentional miscoding of the
     MIME headers.

IOW, I know what is happening ... but I don't know why.

My questions ...

(1) why do the X-Spam headers follow the message body?

(2) are the MIME headers properly coded?

(3) what kind of configuration error could cause the X-spam
     headers to be misplaced?

(4) are the message headers miscoded to exploit a bug in
     SPAMassassin?

-- 
Martin G. Diehl

~-~-~-~-~-~-~-~-~-~-~-~-[beg_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~
     From - Mon Apr 25 12:36:07 2005
     X-UIDL: 1114445011.M327672P25855.mx4.oct
     X-Mozilla-Status: 0000
     X-Mozilla-Status2: 00000000
     Return-Path: <xg...@antronomia.com>
     Delivered-To: mdiehl@nac.net
     Received: (qmail 25794 invoked by uid 1005); 25 Apr 2005 16:03:19 -0000
     Received: from xgnuxytjltrdq@antronomia.com by mx4.oct by uid 0 with qmail-scanner-1.20rc3
      (sophie: 2.14/3.73. spamassassin: 2.60-cvs.  Clear:RC:0:.
      Processed in 0.95741 secs); 25 Apr 2005 16:03:19 -0000
     X-Qmail-Scanner-Mail-From: xgnuxytjltrdq@antronomia.com via mx4.oct
     X-Qmail-Scanner-Rcpt-To: mdiehl@nac.net
     X-Qmail-Scanner: 1.20rc3 (Clear:RC:0:. Processed in 0.95741 secs)
     Received: from unknown (HELO Sue-38) (83.104.159.186)
       by rbl-mx4.oct.nac.net with SMTP; 25 Apr 2005 16:03:18 -0000
     From: "Charter One BANK" <cu...@charteronebank.com>
     To: <md...@nac.net>
     Subject: Urgent Security Notice
     Date: Mon, 25 Apr 2005 17:03:22 +0100
     X-Priority: 3
     X-MSMail-Priority: Normal
     Message-ID: <kf...@Sue-38>
     MIME-Version: 1.0
     Content-Type: multipart/related;
         type="multipart/alternative";
         boundary="----fmkdahmjgeazvksmslealhoy"
     X-Mailer: WEBMail
     X-MimeOLE: Produced By Microsoft MimeOLE V4.00.2600.1106
     This is a multi-part message in MIME format.
     ------fmkdahmjgeazvksmslealhoy
     Content-Type: multipart/alternative;
         boundary="----vjjqdusbszwilaadlkdvppfa"
     ------vjjqdusbszwilaadlkdvppfa
     Content-Type: text/plain;
         charset="us-ascii"
     Content-Transfer-Encoding: quoted-printable
     [snip]
     ------vjjqdusbszwilaadlkdvppfa
     Content-Type: text/html;
         charset="us-ascii"
     Content-Transfer-Encoding: quoted-printable
     [snip]
     ------vjjqdusbszwilaadlkdvppfa--
     ------fmkdahmjgeazvksmslealhoy
     Content-Type: image/gif;
         name="tuzjytembpavuggfvypmopuj.gif"
     Content-Transfer-Encoding: base64
     Content-ID: <wa...@charterone.com>
     Content-Disposition: inline;
      filename="tuzjytembpavuggfvypmopuj.gif"

     [snip]

     ------fmkdahmjgeazvksmslealhoy--
     X-Qmail-Scanner-Message-ID: <11...@mx4.oct>
     Subject: *****SPAM*****
     X-Spam-Prev-Subject: (nonexistent)
     X-Spam-Flag: YES
     X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd6.oct.nac.net
     X-Spam-Level: ******
     X-Spam-PrefsFile: nac.net/mdiehl
     X-Spam-Status: Yes, score=6.1 required=4.7 tests=FROM_ENDS_IN_NUMS,
         FROM_HAS_ULINE_NUMS,MISSING_DATE,MISSING_SUBJECT,
         RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=disabled version=3.0.2
     X-Spam-Report:
         *  0.5 FROM_ENDS_IN_NUMS From: ends in numbers
         *  0.0 MISSING_DATE Missing Date: header
         *  2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
         *      [cf:  96]
         *  1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
         *  1.6 MISSING_SUBJECT Missing Subject: header
         *  0.4 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters
~-~-~-~-~-~-~-~-~-~-~-~-[end_SPAM_headers]-~-~-~-~-~-~-~-~-~-~-~-~




Re: SPAMassassin headers misplaced and follow message body

Posted by "Martin G. Diehl" <md...@nac.net>.
Loren Wilton wrote:

> You should open a Bugzilla ticket on this, and ATTACH, NOT COPY/PASTE the
> ENTIRE original message as an attachment to the bug ticket.  That way
> someone will be able to look at it and see what is really happening.

Someone else made an eMail request for the entire message ... I sent the
entire text of the original message as an attachment, but what he received
didn't have all of what I sent.

Would it be OK to attach a ZIP file?

> Since you pasted that into the text, I have no clue on what any transport
> agents or mail readers may have done with the text.  

The copy I received from spamassassin.apache.org looked exactly like what I
sent ... how would I know that's an issue?

I intentionally omitted the original message text (replaced with a '[snip]')
(a) to improve readability, (b) to reduce bandwidth.

> (Which is why you need
> to attach the message to the bug report, not paste it.) If they haven't
> mangled it too badly, what I see is a lot of missing required blank lines
> following the header and all of the content headers.  The headers end with 
> a blank line.

I want everything I say to be perfectly clear to my audience.  If I failed
in that intention, I need to know about my failure and will work to correct
whatever is standing in the way of good communication.

I think I need to see what you're seeing.  You could ...

(a) use ms word to get a screen print of what outlook is showing you
(Alt-PrintScreen ... in word, Paste);

(b) using ms photo editor to get a screen print of what outlook is showing you
(Alt-PrintScreen ... in ms PhotoEditor: Edit -> Paste as New; File -> Save As
-> set a different file name for each successive image; "Save as Type" to
JPEG; click "More >>" to increase the JPEG quality factor; and "Save".

whether (a) or (b) ... scroll down, rinse, repeat until done.
You might also save the message as a txt file ... and then zip that.

ms PhotoEditor is included with ms Office -- and should be located in
"\program files\microsoft office\" ... but that might be version dependent;
standard disclaimers may apply, YMMV, &c.

Send the whole thing (I prefer the images to a word document, zip) to me.

>         Loren

--
Martin G. Diehl




Re: SPAMassassin headers misplaced and follow message body

Posted by Loren Wilton <lw...@earthlink.net>.
You should open a Bugzilla ticket on this, and ATTACH, NOT COPY/PASTE the
ENTIRE original message as an attachment to the bug ticket.  That way
someone will be able to look at it and see what is really happening.

Since you pasted that into the text, I have no clue on what any transport
agents or mail readers may have done with the text.  (Which is why you need
to attach the message to the bug report, not paste it.) If they haven't
mangled it too badly, what I see is a lot of missing required blank lines
following the header and all of the content headers.  The headers end with a
blank line.

        Loren


Re: SPAMassassin headers misplaced and follow message body

Posted by "Eric A. Hall" <eh...@ehsco.com>.
On 5/11/2005 3:02 PM, Martin G. Diehl wrote:
> Eric A. Hall wrote:

>>I haven't really looked into this much yet, but it appears that some
>>embedded CR or LF characters are getting processed by SA and then fed back
>>to Postfix, which then cleans up the message and splits the headers where
>>it sees the bare CR or LF. The result is two sets of headers, the second
>>of which naturally becomes part of the body.

>>If somebody wants to see the message I should have it in my trash still.
> 
> Please send the headers for that message.

Return-Path: <Go...@rocketmail.com>
Received: from goose.ehsco.com (localhost [127.0.0.1])
	by goose.ehsco.com (Cyrus v2.2.3) with LMTP; Tue, 10 May 2005 04:01:56 -0500
X-Sieve: CMU Sieve 2.2
Received: from goose.ehsco.com (localhost [127.0.0.1])
	by clean.ehsco.com (Postfix ) with ESMTP id 5AED93D877
	for <eh...@ntrg.com>; Tue, 10 May 2005 04:01:48 -0500 (CDT)
X-Envelope-Sender: <Go...@rocketmail.com>
X-Envelope-Recipients: < ehall@ntrg.com>
Received: from 24.232.159.2 (OL2-159.fibertel.com.ar [24.232.159.2])
	by goose.ehsco.com (Postfix ) with SMTP
	for <eh...@ntrg.com>; Tue, 10 May 2005 04:01:48 -0500 (CDT)
Received: from 168.213.224.150 by ; Tue, 10 May 2005 21:58:35 +0100
Message-Id: <20...@goose.ehsco.com>
Date: Tue, 10 May 2005 04:01:48 -0500 (CDT)
From: Gonzalez@rocketmail.com
To: undisclosed-recipients:;

sdp.com.arMSS_ID
From: "Pablo" <mm...@yahoo.com.ar>
Subject: Su sitio web en doce cuotas de 35 pesos
Date: Wed, 11 May 2005 02:59:35 +0600
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0001_01C55496.4B31A720"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Status: Yes
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on goose.ehsco.com
X-Spam-NTRG: ******************* (19.0); AWL,DNS_FROM_RFC_ABUSE,
	EXTRA_MPART_TYPE,FORGED_MUA_OUTLOOK,FORGED_RCVD_HELO,HTML_10_20,
	HTML_MESSAGE,L_SMTP_MANY_PROBS,MIME_MISSING_BOUNDARY,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NERDS_AR,RCVD_IN_NJABL_DUL,
	RCVD_IN_SORBS_DUL,RCVD_NUMERIC_HELO,UNWANTED_LANGUAGE_BODY
X-Spam-Virus: No




-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/

Re: SPAMassassin headers misplaced and follow message body

Posted by "Martin G. Diehl" <md...@nac.net>.
Eric A. Hall wrote:

> On 5/11/2005 6:58 AM, Martin G. Diehl wrote:
> 
>>I saw a SPAM message with the SPAMassassin message headers
>>(X-spam headers) grossly out of sequence.  The message
>>was recognized as SPAM ... but because the X-spam headers
>>were written in the wrong part of the message, it was able
> 
> I get this periodically too. Very annoying.
> 
> I haven't really looked into this much yet, but it appears that some
> embedded CR or LF characters are getting processed by SA and then fed back
> to Postfix, which then cleans up the message and splits the headers where
> it sees the bare CR or LF. The result is two sets of headers, the second
> of which naturally becomes part of the body.
> 
> I've dealt with this phenomenon by having postfix check the message body
> for the locally-generated X-Spam-NTRG "header" (apart from the header
> block check), and reject those messages.
> 
> If somebody wants to see the message I should have it in my trash still.

Please send the headers for that message.

Thanks

Martin


Re: SPAMassassin headers misplaced and follow message body

Posted by "Eric A. Hall" <eh...@ehsco.com>.
On 5/11/2005 6:58 AM, Martin G. Diehl wrote:

> I saw a SPAM message with the SPAMassassin message headers
> (X-spam headers) grossly out of sequence.  The message
> was recognized as SPAM ... but because the X-spam headers
> were written in the wrong part of the message, it was able

I get this periodically too. Very annoying.

I haven't really looked into this much yet, but it appears that some
embedded CR or LF characters are getting processed by SA and then fed back
to Postfix, which then cleans up the message and splits the headers where
it sees the bare CR or LF. The result is two sets of headers, the second
of which naturally becomes part of the body.

I've dealt with this phenomenon by having postfix check the message body
for the locally-generated X-Spam-NTRG "header" (apart from the header
block check), and reject those messages.

If somebody wants to see the message I should have it in my trash still.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
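Added example, not from any poster in this thread and not SpamAssassin or Postfix code: a small Python audit that checks a raw message for the two symptoms discussed above, namely Loren's point that the header block must end with a blank line and Eric's observation that a bare CR or LF inside the header block can make the MTA split the headers so that SpamAssassin's X-Spam-* lines (and the rewritten Subject) land in the body. The sample messages, field names such as X-Injected, and the audit() result keys are all constructed for this illustration. The body scan is the same idea as Eric's Postfix body check for a locally generated X-Spam header, done here in Python so it can run offline against a saved message file.

```python
"""Audit a raw RFC 5322 message for bare line endings in the header block and
for SpamAssassin markup that has ended up in the body instead of the headers."""
import re

# Constructed sample (not the message from the thread): a bare CR is embedded in
# the Subject value, and the X-Spam-* lines sit after the first blank line,
# i.e. inside the body where a mail reader will never treat them as headers.
SAMPLE = (
    b"Return-Path: <sender@example.invalid>\r\n"
    b"From: \"Example Bank\" <alerts@example.invalid>\r\n"
    b"To: <user@example.invalid>\r\n"
    b"Subject: Urgent Security Notice\rX-Injected: 1\r\n"   # bare CR here
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    b"\r\n"
    b"Please verify your account.\r\n"
    b"Subject: *****SPAM*****\r\n"
    b"X-Spam-Flag: YES\r\n"
    b"X-Spam-Status: Yes, score=6.1 required=4.7\r\n"
)

# Constructed clean message: SpamAssassin markup in the header block, where it belongs.
CLEAN = (
    b"From: <sender@example.invalid>\r\n"
    b"To: <user@example.invalid>\r\n"
    b"Subject: *****SPAM*****\r\n"
    b"X-Spam-Flag: YES\r\n"
    b"X-Spam-Status: Yes, score=6.1 required=4.7\r\n"
    b"\r\n"
    b"Please verify your account.\r\n"
)

# A header field name is printable US-ASCII except ':' (RFC 5322), then ':'.
HEADER_LINE = re.compile(rb"^[!-9;-~]+:")
SPAM_FIELD = re.compile(rb"^(X-Spam-[A-Za-z0-9-]+):", re.IGNORECASE)
SPAM_SUBJECT = re.compile(rb"^Subject:\s*\*+SPAM\*+", re.IGNORECASE)


def split_message(raw):
    """Split at the first empty line. Returns (header_block, body); a message
    with no blank line at all is treated as all headers and an empty body."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def bare_line_endings(header_block):
    """Offsets of CR not followed by LF and, when the block is CRLF-terminated,
    of LF not preceded by CR. Either can cause an MTA to re-split the header."""
    bare_cr = [m.start() for m in re.finditer(rb"\r(?!\n)", header_block)]
    uses_crlf = b"\r\n" in header_block
    bare_lf = ([m.start() for m in re.finditer(rb"(?<!\r)\n", header_block)]
               if uses_crlf else [])
    return {"bare_cr": bare_cr, "bare_lf": bare_lf}


def misplaced_spam_headers(body):
    """Field names of SpamAssassin-generated header lines found in the body."""
    found = []
    for line in re.split(rb"\r?\n", body):
        if SPAM_FIELD.match(line) or SPAM_SUBJECT.match(line):
            found.append(line.split(b":", 1)[0].decode("ascii", "replace"))
    return found


def audit(raw):
    """Summarise what an operator would want to know about one message."""
    headers, body = split_message(raw)
    endings = bare_line_endings(headers)
    in_body = misplaced_spam_headers(body)
    names = [l.split(b":", 1)[0].decode("ascii", "replace")
             for l in re.split(rb"\r?\n", headers) if HEADER_LINE.match(l)]
    return {
        "spam_markup_in_header_block": any(n.lower().startswith("x-spam-") for n in names),
        "spam_markup_in_body": in_body,
        "bare_cr_in_headers": len(endings["bare_cr"]),
        "bare_lf_in_headers": len(endings["bare_lf"]),
        # Suspicious if SA markup drifted into the body or the header block
        # carries line endings that would make an MTA re-split it.
        "suspicious": bool(in_body) or bool(endings["bare_cr"]) or bool(endings["bare_lf"]),
    }


if __name__ == "__main__":
    for label, msg in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, audit(msg))
```

Run it on a saved message with `audit(open(path, "rb").read())`; the report tells you whether the X-Spam lines are in the body (the symptom in this thread) and whether the header block contains bare CR or LF characters that would explain the split, which is what you would want to know before deciding, as Eric did, to reject messages whose body carries your own locally generated spam header.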