Posted to users@spamassassin.apache.org by Simon Byrnand <si...@igrin.co.nz> on 2004/02/04 21:58:49 UTC

Feature request - scanning bounce message attachments

Hi All,

(Developers in particular ;-)

I don't know if other people are finding this a big issue, but in the last 
couple of months or so I'm having a real problem with "bounce" messages of 
spam getting through.

Directly sent spam is not a problem, I have things tuned pretty well, and 
apart from the odd message that slips through, SA has been *very* effective.

But what I'm seeing now, which could be a deliberate spammer tactic, is 
bounce returns of spam which have a complete copy of the spam contained 
within it, as a standard bounce message attachment. Many/Most email clients 
extract and display this attachment as if it was part of the message, so 
the end result is that the user sees the spam.

Currently there is no good way to catch this, as the attached message does 
not get any header tests run on it, and matches few body tests either. I 
can't really do much about blocking bounces, or legitimate bounces might 
get blocked.

As far as I can see, the only people that should genuinely get bounces 
which contain spam, are spammers themselves, and since they aren't using 
their real addresses or running SA on their incoming mail, that's not a 
problem ;-)

Legitimate people using SpamAssassin aren't going to be sending their own 
spam, so we can safely assume that any bounces containing spam didn't 
originate from them.

I can only see this problem getting worse in the future as more spammers 
cotton on to this, so what I suggest (for 2.7 ?) is this:

An option to extract RFC bounce messages, and then run header and body 
tests on the contained message *as well as* the actual message itself. 
After the two scores are computed, the highest one of the two is used.

One other issue would be what to do in the case of autolearning. Obviously 
you wouldn't want the original bounce message being learnt if it was the 
attached message which was really the spam, so in that case, the extracted 
message should be learnt.

Yes it does mean double processing of *some* messages, but I don't see any 
alternative, if the practice is going to become more common. The only 
external way of doing it would be to use some external program to look for 
and extract bounce message attachments, and run a second copy of SA to 
analyze them - messy, and far more overhead than integrating it into the 
basic spamassassin architecture.

Comments, anyone?

Regards,
Simon
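The scheme proposed above (extract the returned copy of the original mail from a standard bounce, run the tests on it as well as on the bounce itself, keep the higher score, and learn from whichever copy won) as an added example that is not part of the original post and is not SpamAssassin code. It is written in Python with the standard library's email parser; the four rules in RULES, the 5.0 threshold and the sample DSN are constructed stand-ins for illustration, not SpamAssassin's rule set or real traffic.

```python
import email
import re
from email import policy
from email.message import Message

# Constructed sample: an RFC 3464 style DSN (multipart/report) whose last part
# carries a full copy of the undeliverable spam as message/rfc822.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
Message-ID: <dsn-0001@mx.example.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net.
The message could not be delivered to one or more recipients.

--BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--BOUNDARY
Content-Type: message/rfc822

From: "Free Offer" <offer@spam.example>
To: nobody@example.net
Subject: BUY NOW AND SAVE!!!
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Buy now and save 90% on everything, click here today!

--BOUNDARY--
"""

THRESHOLD = 5.0  # hypothetical required score, stands in for SA's default


def body_text(msg):
    """Text of the message's own text/plain parts. Attached messages
    (message/*) are skipped here because they are scanned separately."""
    chunks = []
    stack = [msg]
    while stack:
        part = stack.pop()
        ctype = part.get_content_type()
        if ctype.startswith("message/"):
            continue
        if part.is_multipart():
            stack.extend(part.get_payload())
        elif ctype == "text/plain":
            chunks.append(part.get_content())
    return "\n".join(chunks)


# Stand-in rule set (hypothetical, not SpamAssassin's rules). The first two are
# header tests, which a bounce's attached copy never gets run against unless it
# is extracted; the last two are body tests.
RULES = [
    ("SUBJECT_ALL_CAPS", 2.0,
     lambda m: bool(re.fullmatch(r"[^a-z]*[A-Z][^a-z]*", m.get("Subject", "")))),
    ("MISSING_MID", 1.5, lambda m: m.get("Message-ID") is None),
    ("BODY_BUY_NOW", 2.5, lambda m: "buy now" in body_text(m).lower()),
    ("BODY_CLICK_HERE", 1.0, lambda m: "click here" in body_text(m).lower()),
]


def score(msg):
    """Run every rule against one message; return (total, names of rules hit)."""
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    return sum(pts for _, pts in hits), [name for name, _ in hits]


def attached_messages(msg):
    """Yield each message/rfc822 part of a bounce, i.e. the returned copy of
    the original mail, as a parsed message in its own right."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            if isinstance(inner, Message):
                yield inner


def scan(raw):
    """Score the bounce and each attached message; the highest score wins and
    decides which copy an autolearner should be fed."""
    outer = email.message_from_string(raw, policy=policy.default)
    outer_score, outer_hits = score(outer)
    best_score, best_hits, learn_from = outer_score, outer_hits, "outer"
    inners = list(attached_messages(outer))
    for inner in inners:
        s, hits = score(inner)
        if s > best_score:
            best_score, best_hits, learn_from = s, hits, "attached"
    return {
        "outer_score": outer_score,
        "attached_count": len(inners),
        "score": best_score,
        "hits": best_hits,
        "learn_from": learn_from,
        "is_spam": best_score >= THRESHOLD,
    }


if __name__ == "__main__":
    print(scan(SAMPLE_BOUNCE))
```

On the sample, the bounce itself scores 0.0 (its own Subject is mixed case, it has a Message-ID, and its text/plain part is just the MTA's notice) while the extracted copy hits all four rules for 7.0, so the final verdict is spam and learn_from is "attached". The extraction only covers bounces that carry the original as a message/rfc822 part; MTAs that paste the original into the text/plain body, or return only its headers as text/rfc822-headers, would need separate handling that this example does not attempt.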