Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2011/09/25 21:23:42 UTC
[Bug 6664] New: check_freemail_header() misses many domains
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6664
Bug #: 6664
Summary: check_freemail_header() misses many domains
Product: Spamassassin
Version: 3.3.1
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
AssignedTo: dev@spamassassin.apache.org
ReportedBy: cedric@gn.apc.org
Classification: Unclassified
Created attachment 4972
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=4972
Patch to Freemail.pm to catch freemail forgeries
FREEMAIL_FORGED_REPLYTO is missing about 50% of potential hits, because the
Reply-To address passed to _is_freemail() is usually terminated with a chevron
and/or newline. As a result it only matches the regexes ending .*. This is
because of a Perl programming error. What is intended is:
@@ -419,7 +423,7 @@
}
}
- my $email = lc($pms->get(index($header,':') ? $header : $header.":addr"));
+ my $email = lc($pms->get(index($header,':') >= 0 ? $header :
$header.":addr"));
if ($email eq '') {
dbg("header $header not found from mail");
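Review bot: On the changed "my $email" line, the condition still depends on remembering that index() returns -1 when no colon is present; a match test such as $header =~ /:/ ? $header : $header.":addr" states the intent directly and cannot slip back into the truthiness mistake. A one-line comment saying that a header name without a modifier gets ":addr" appended, plus a regression test that passes a bare header name, would keep this from recurring.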
However, there are further issues I'd suggest fixing at the same time.
Firstly, a spammer wanting a reply to a freemail address might include it as
one of *multiple* addresses in a Reply-To header. Hence, each should be tested
for freemail and compared to the From.
Secondly, by adding an optional parameter for a header to compare to,
FREEMAIL_FORGED_REPLYTO could be made quite versatile and catch more freemail
spam in the first instance than FREEMAIL_REPLYTO (excluding lists and annoying
anomalies like Linkedin in the rules); also FREEMAIL_REPLYTO_END_DIGIT could
lose the FPs where From and Reply-To are equal (eg in a personalised Mailman
list); and various other combinations testing (X-)Sender and Errors-To against
From become possible. (I've tested the variant rules against a live stream and
would like to submit them for mass testing and scoring in a separate bug.)
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
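The effect of the index() test described in the report, as an added Perl sketch that is not part of the original message or of Freemail.pm. get_header(), the two sample headers and the two pattern shapes are assumptions standing in for $pms->get() and the plugin's domain regexes.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model, not code from Freemail.pm.
use strict;
use warnings;

# Constructed sample headers, raw values as they appear in a message.
my %raw = (
    'Reply-To' => "\"Prize Dept\" <claims\@gmail.com>\n",
    'Sender'   => "<winner\@yahoo.co.uk>\n",
);

# Hypothetical stand-in for $pms->get(): "Name:addr" yields the bare address,
# a plain "Name" yields the raw value with display name, chevrons and newline.
sub get_header {
    my ($spec) = @_;
    my ($name, $mod) = split /:/, $spec, 2;
    my $value = $raw{$name};
    return '' unless defined $value;
    return $value unless defined $mod && $mod eq 'addr';
    return $value =~ /<([^>]+)>/ ? $1 : $value;
}

# Assumed pattern shapes: an exact domain anchored at the end of the string,
# and a wildcard entry ending in ".*" that tolerates trailing text.
my @freemail_re = (qr/\@gmail\.com\z/, qr/\@yahoo\..*/);

sub is_freemail {
    my ($email) = @_;
    my $hits = grep { $email =~ $_ } @freemail_re;
    return $hits > 0;
}

# index() returns -1 when ':' is absent, and -1 is true in Perl, so the
# original test takes the "already has a modifier" branch for bare names.
sub select_buggy { my ($h) = @_; return index($h, ':')      ? $h : $h . ':addr'; }
sub select_fixed { my ($h) = @_; return index($h, ':') >= 0 ? $h : $h . ':addr'; }

for my $header (sort keys %raw) {
    for my $pick (['buggy', \&select_buggy], ['fixed', \&select_fixed]) {
        my ($label, $select) = @$pick;
        my $spec  = $select->($header);
        my $email = lc(get_header($spec));
        (my $shown = $email) =~ s/\n/\\n/g;   # make the newline visible
        printf "%-5s get(%-13s) -> %-36s freemail=%s\n",
            $label, $spec, "'$shown'", is_freemail($email) ? 'yes' : 'no';
    }
}
```

With the original test the gmail.com Reply-To is passed with its trailing chevron and newline and is not recognised, while the yahoo.* Sender still matches; with the ">= 0" test both are reduced to bare addresses and both match.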
[Bug 6664] check_freemail_header() misses many domains
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6664
--- Comment #5 from Mark Martinec <Ma...@ijs.si> 2011-10-04 16:49:17 UTC ---
> As a result it only matches the regexes ending .*.
> This is because of a Perl programming error.
A bug indeed, index() returns -1 on a failure.
Where does the $hdrexclude in the patch come from?
Should be declared, defined and documented.
Kevin A. McGrail <km...@pccc.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@pccc.com
--- Comment #4 from Kevin A. McGrail <km...@pccc.com> 2011-09-26 13:31:45 UTC ---
(In reply to comment #3)
> (BTW I have signed a CLA as listed at
> http://people.apache.org/committer-index.html#unlistedclas)
CLA status should be up to date. Thanks.
Cedric Knight <ce...@gn.apc.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cedric@gn.apc.org
--- Comment #3 from Cedric Knight <ce...@gn.apc.org> 2011-09-25 19:53:02 UTC ---
(BTW I have signed a CLA as listed at
http://people.apache.org/committer-index.html#unlistedclas)
--- Comment #2 from Cedric Knight <ce...@gn.apc.org> 2011-09-25 19:30:32 UTC ---
Created attachment 4974
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=4974
Easier test case caught by either complete or partial fix
--- Comment #1 from Cedric Knight <ce...@gn.apc.org> 2011-09-25 19:29:10 UTC ---
Created attachment 4973
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=4973
Test case that intended code will miss