You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2013/10/02 14:19:08 UTC

[Bug 6977] New: HTTPSMismatch does not detect HTTP(S) URL mismatch

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6977

            Bug ID: 6977
           Summary: HTTPSMismatch does not detect HTTP(S) URL mismatch
           Product: Spamassassin
           Version: 3.3.2
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Libraries
          Assignee: dev@spamassassin.apache.org
          Reporter: fkrska@redhat.com

Created attachment 5171
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5171&action=edit
HTTPSMismatch.pm patch - avoid using array of cleaned uris

Description of problem:

SpamAssassin does not always detect HTTP(S) URL mismatches.

Two compressed spam samples attached.

One is proper detected, the other is not.

Version-Release number of selected component (if applicable):
spamassassin-3.3.1
spamassassin-3.3.2

How reproducible:

Always

Steps to reproduce:

xzcat sample1.eml.xz | spamassassin
xzcat sample2.eml.xz | spamassassin

Actual results:

Only sample1.eml.xz results in HTTPS_HTTP_MISMATCH, sample2.eml.xz does not
match.

Expected results:
Both sample files should match/result in HTTPS_HTTP_MISMATCH.

Additional info:

Originally reported as Red Hat bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=906804

I've reproduced the reported behaviour with following lines added to
/etc/mail/spamassassin/local.cf:

body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
describe HTTPS_HTTP_MISMATCH HTTPSMismatch
score HTTPS_HTTP_MISMATCH 2.0

Current HTTPSMismatch.pm uses array (seems random sorted and contains uri-like
substrings) of cleaned uris in uri_detail.

Mail::SpamAssassin::Plugin::URIDetail(3) says:

       "cleaned" is a list including the raw URI and various cleaned versions
of the raw URI (http://spamassassin.apache%2Eorg/,
http://spamassassin.apache.org/).

In our case sample2.eml.xz leads to following uri_detail:

'http://www.xx21z.cn/images/?http://us.battle.net/login/en/?ref=http%3A%2F%2Fdwthtylus.battle.net%2Fd3%2Fen%2Findex&app=com-d3'
=> {
                            'anchor_text' => [
                          
'https://us.battle.net/login/en/?ref=http%3A%2F%2Fus.battle.net%2Fd3%2Fen%2Findex&app=com-d3'
                              ],
                            'domains' => {
                            'xx21z.cn' => 1,
                            'battle.net' => 1
                          },
                            'types' => {
                          'a' => 1
                             },
                            'cleaned' => [
                           
'http://dwthtylus.battle.net/d3/en/index&app=com-d3',
                           
'http://us.battle.net/login/en/?ref=http://dwthtylus.battle.net/d3/en/index&app=com-d3',
                           
'http://www.xx21z.cn/images/?http://us.battle.net/login/en/?ref=http://dwthtylus.battle.net/d3/en/index&app=com-d3',
                           
'http://www.xx21z.cn/images/?http://us.battle.net/login/en/?ref=http%3A%2F%2Fdwthtylus.battle.net%2Fd3%2Fen%2Findex&app=com-d3'
                          ]
                          },

and first 'cleaned' uri has equal domain (battle.net) to the one in anchor
text, so it is wrongly treated as OK, although original uri has domain
xx21z.cn.

IMHO check_https_http_mismatch should use $permsgstatus->{html}->{uri_detail}
keys instead of arrays of 'cleaned' values.

I've proposed a patch, it needs thorough review, testing. (Perhaps it is a bug
in code generating 'cleaned' array which may not be supposed to contain such
substrings, then it should be fixed there)

BR

Filip

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 6977] HTTPSMismatch does not detect HTTP(S) URL mismatch

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6977

Filip Krška <fk...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fkrska@redhat.com

--- Comment #1 from Filip Krška <fk...@redhat.com> ---
Created attachment 5172
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5172&action=edit
sample1.eml.xz

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 6977] HTTPSMismatch does not detect HTTP(S) URL mismatch

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6977

--- Comment #2 from Filip Krška <fk...@redhat.com> ---
Created attachment 5173
  --> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5173&action=edit
sample2.eml.xz

-- 
You are receiving this mail because:
You are the assignee for the bug.