Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/06/20 17:07:24 UTC

body_uri with empty body

Hi,

We've been receiving empty messages (or what appear to be empty body
messages) delivered to undisclosed-recips and I wanted to figure out
how to block them.

This one wasn't blocked at the time it was received, but somehow is now.

https://pastebin.com/inS6qiiG

I noticed despite there being no actual URI that I can see in the
body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
still hits. Just what does SA consider to be a URI?

meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI
&& !__SMIME_MESSAGE
uri __HAS_ANY_URI   /./

Running the message through debug doesn't show me what it considered
to be the URI in this message.

dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"

I also noticed it hit PYZOR_CHECK for 1.4 points. Doesn't that seem
high, considering virtually every "empty" message would be scored?

Can someone also explain what NML_ADSP_CUSTOM_MED is? It appears to
involve DKIM. This message appears to have been signed by gmail
successfully.

Re: body_uri with empty body

Posted by RW <rw...@googlemail.com>.
On Tue, 20 Jun 2017 13:07:24 -0400
Alex wrote:

> https://pastebin.com/inS6qiiG
> ...
> Can someone also explain what NML_ADSP_CUSTOM_MED is? It appears to
> involve DKIM. This message appears to have been signed by gmail
> successfully.

The linked email didn't actually have NML_ADSP_CUSTOM_MED. The ADSP
rules are a way of punishing mail from certain domains for not having
DKIM_VALID_AU, so if you find them together you've found a bug.

ADSP is an obsolete forerunner of DMARC, and in practice the ADSP hits
are based on the override entries in 60_adsp_override_dkim.cf. The
custom levels can only be set by an override so NML_ADSP_CUSTOM_MED
really has nothing to do with ADSP.


Re: body_uri with empty body

Posted by "Kevin A. McGrail" <ke...@mcgrail.com>.
On 6/22/2017 7:38 PM, RW wrote:
> Maybe Kevin or someone with knowledge of this could comment, as it
> effectively eliminates the effectiveness of the __EMPTY_BODY and
> __HAS_ANY_URI.

I have followed the thread a bit and agree it's likely a bug. Could you 
please open something in bugzilla?
Regards,

KAM


Re: body_uri with empty body

Posted by John Hardin <jh...@impsec.org>.
On Fri, 23 Jun 2017, RW wrote:

> On Thu, 22 Jun 2017 18:59:55 -0400
> Alex wrote:
>
>
>>>> Maybe Kevin or someone with knowledge of this could comment, as it
>>>> effectively eliminates the effectiveness of the __EMPTY_BODY and
>>>> __HAS_ANY_URI.
>>>
>>> It looks like there might need to be a separate URI store for that,
>>> which is not shared with genuine body URIs.
>>
>> Do you have any thoughts on this? It appears the parse_dkim_uris in
>> your KAM.cf is effectively disabling the __EMPTY_BODY and
>> __HAS_ANY_URI rules because they match against the DKIM header.
>
> There is a difference: gmail.com in the body becomes http://gmail.com in
> the URI list. I checked and gmail.com in the DKIM header remains as
> gmail.com.

Ah, that may be a way around it. I'll do some testing.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   *Your* lack of self-control does not give you
   the authority to dictate limitations on *my* freedom.
-----------------------------------------------------------------------
  84 days since the first commercial re-flight of an orbital booster (SpaceX)
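One way to apply RW's observation in SpamAssassin configuration, as an added example that is not from the thread, from KAM.cf or from the stock ruleset: a uri rule that only counts entries carrying a URI scheme, so a bare domain added from a DKIM-Signature header does not satisfy the "has any URI" test. The rule names __HAS_SCHEMED_URI and __BODY_URI_ONLY_SCHEMED are mine, and the assumption is the one RW reports: body domains are stored with http:// prepended while DKIM-derived entries stay bare.

```conf
# Added example (not from the thread, KAM.cf or the stock rules).
# Assumption, per RW's observation: a body entry such as "gmail.com"
# is stored as "http://gmail.com", while the d= domain that
# parse_dkim_uris pulls from DKIM-Signature stays a bare "gmail.com".

# Count only URI-list entries that begin with a scheme (http:, https:,
# ftp:, mailto:, ...). A bare domain does not match.
uri   __HAS_SCHEMED_URI   /^[a-z][a-z0-9+.\-]*:/i

# Same shape as the stock __BODY_URI_ONLY, with the stricter URI test.
meta  __BODY_URI_ONLY_SCHEMED   __BODY_TEXT_LINE < 3 && __HAS_SCHEMED_URI && !__SMIME_MESSAGE

# Diagnostic from the thread, for a test environment only: with
# "spamassassin -D rules" every entry in the URI list is logged as a
# hit, so you can see exactly which entry satisfied a uri rule.
uri   __ALL_URI   /.+/
```

Keep __ALL_URI out of production rule sets; it exists only to make the contents of the URI list visible in the debug output.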

Re: body_uri with empty body

Posted by RW <rw...@googlemail.com>.
On Thu, 22 Jun 2017 18:59:55 -0400
Alex wrote:

> >> Maybe Kevin or someone with knowledge of this could comment, as it
> >> effectively eliminates the effectiveness of the __EMPTY_BODY and
> >> __HAS_ANY_URI.  
> >
> > It looks like there might need to be a separate URI store for that,
> > which is not shared with genuine body URIs.  
> 
> Do you have any thoughts on this? It appears the parse_dkim_uris in
> your KAM.cf is effectively disabling the __EMPTY_BODY and
> __HAS_ANY_URI rules because they match against the DKIM header.

There is a difference: gmail.com in the body becomes http://gmail.com in
the URI list. I checked and gmail.com in the DKIM header remains as
gmail.com.




Re: body_uri with empty body

Posted by Alex <my...@gmail.com>.
Hi Kevin,

On Wed, Jun 21, 2017 at 8:31 PM, John Hardin <jh...@impsec.org> wrote:
> On Wed, 21 Jun 2017, Alex wrote:
>> On Wed, Jun 21, 2017 at 8:06 PM, Reindl Harald <h....@thelounge.net>
>> wrote:
>>> On 22.06.2017 at 01:55, Alex wrote:
>>>>
>>>>
>>>> Can someone else confirm this? John was unable to reproduce it on his
>>>> system, but I just installed the latest svn 3.4.2 branch and it's
>>>> doing it here. I'd appreciate if someone could help me figure out if
>>>> this is a bug, a local misconfiguration or otherwise...
>>>>
>>>> https://pastebin.com/inS6qiiG
>>>
>>>
>>> I guess you have "parse_dkim_uris" enabled, as I have, which is fine for
>>> URIBL and so on but doesn't justify body_uri
>>
>>
>> Ah, I do. It's enabled in the KAM.cf ruleset from Kevin.
>
> ...and I don't. Good catch.
>
>> Maybe Kevin or someone with knowledge of this could comment, as it
>> effectively eliminates the effectiveness of the __EMPTY_BODY and
>> __HAS_ANY_URI.
>
> It looks like there might need to be a separate URI store for that, which is
> not shared with genuine body URIs.

Do you have any thoughts on this? It appears the parse_dkim_uris in
your KAM.cf is effectively disabling the __EMPTY_BODY and
__HAS_ANY_URI rules because they match against the DKIM header.

Re: body_uri with empty body

Posted by John Hardin <jh...@impsec.org>.
On Wed, 21 Jun 2017, Alex wrote:

> Hi,
>
> On Wed, Jun 21, 2017 at 8:06 PM, Reindl Harald <h....@thelounge.net> wrote:
>>
>>
>> On 22.06.2017 at 01:55, Alex wrote:
>>>
>>> Can someone else confirm this? John was unable to reproduce it on his
>>> system, but I just installed the latest svn 3.4.2 branch and it's
>>> doing it here. I'd appreciate if someone could help me figure out if
>>> this is a bug, a local misconfiguration or otherwise...
>>>
>>> https://pastebin.com/inS6qiiG
>>
>> I guess you have "parse_dkim_uris" enabled, as I have, which is fine for URIBL
>> and so on but doesn't justify body_uri
>
> Ah, I do. It's enabled in the KAM.cf ruleset from Kevin.

...and I don't. Good catch.

> Maybe Kevin or someone with knowledge of this could comment, as it
> effectively eliminates the effectiveness of the __EMPTY_BODY and
> __HAS_ANY_URI.

It looks like there might need to be a separate URI store for that, which 
is not shared with genuine body URIs.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   After ten years (1998-2008) of draconian gun control in the State
   of Massachusetts, the results are in: firearms-related assaults up
   78%, firearms-related homicides up 67%, assault-related emergency
   room visits up 331%. Gun Control does not reduce violent crime.
-----------------------------------------------------------------------
  83 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: body_uri with empty body

Posted by Alex <my...@gmail.com>.
Hi,

On Wed, Jun 21, 2017 at 8:06 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>
> On 22.06.2017 at 01:55, Alex wrote:
>>
>> Can someone else confirm this? John was unable to reproduce it on his
>> system, but I just installed the latest svn 3.4.2 branch and it's
>> doing it here. I'd appreciate if someone could help me figure out if
>> this is a bug, a local misconfiguration or otherwise...
>>
>> https://pastebin.com/inS6qiiG
>
> I guess you have "parse_dkim_uris" enabled, as I have, which is fine for URIBL
> and so on but doesn't justify body_uri

Ah, I do. It's enabled in the KAM.cf ruleset from Kevin.

Maybe Kevin or someone with knowledge of this could comment, as it
effectively eliminates the effectiveness of the __EMPTY_BODY and
__HAS_ANY_URI.

Re: body_uri with empty body

Posted by Alex <my...@gmail.com>.
Hi,

>>>> This one wasn't blocked at the time it was received, but somehow is now.
>>>>
>>>> https://pastebin.com/inS6qiiG
>>>>
>>>> I noticed despite there being no actual URI that I can see in the
>>>> body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
>>>> still hits. Just what does SA consider to be a URI?
>>>>
>>>> meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI
>>>> && !__SMIME_MESSAGE
>>>> uri __HAS_ANY_URI   /./
>>>>
>>>> Running the message through debug doesn't show me what it considered
>>>> to be the URI in this message.
>>>
>>>
>>> Add this to your test environment:
>>>
>>>    uri   __ALL_URI   /.+/
>>>
>>>> dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"
>>
>>
>> ran uri rule __ALL_URI ======> got hit: "gmail.com"
>>
>> Is it from the From or Message-ID?
>
> It shouldn't be from either.
>
> Is your local test message *exactly* what you uploaded to pastebin? Because
> that does not hit URIs here, at all.
>
> If you edited your local test message, check to verify you didn't
> accidentally add a blank line in the middle of the message headers that
> could potentially have pushed message header(s) down into the body. Apart
> from that, I have no ideas.

I worked with John off-list and discovered that the URI that's hitting
is the gmail.com located in the DKIM signature.

Can someone else confirm this? John was unable to reproduce it on his
system, but I just installed the latest svn 3.4.2 branch and it's
doing it here. I'd appreciate if someone could help me figure out if
this is a bug, a local misconfiguration or otherwise...

https://pastebin.com/inS6qiiG

Thanks,
Alex

Re: body_uri with empty body

Posted by John Hardin <jh...@impsec.org>.
On Tue, 20 Jun 2017, Alex wrote:

> Hi,
>
> On Tue, Jun 20, 2017 at 1:40 PM, John Hardin <jh...@impsec.org> wrote:
>> On Tue, 20 Jun 2017, Alex wrote:
>>
>>> Hi,
>>>
>>> We've been receiving empty messages (or what appear to be empty body
>>> messages) delivered to undisclosed-recips and I wanted to figure out
>>> how to block them.
>>>
>>> This one wasn't blocked at the time it was received, but somehow is now.
>>>
>>> https://pastebin.com/inS6qiiG
>>>
>>> I noticed despite there being no actual URI that I can see in the
>>> body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
>>> still hits. Just what does SA consider to be a URI?
>>>
>>> meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI
>>> && !__SMIME_MESSAGE
>>> uri __HAS_ANY_URI   /./
>>>
>>> Running the message through debug doesn't show me what it considered
>>> to be the URI in this message.
>>
>> Add this to your test environment:
>>
>>    uri   __ALL_URI   /.+/
>>
>>> dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"
>
> ran uri rule __ALL_URI ======> got hit: "gmail.com"
>
> Is it from the From or Message-ID?

It shouldn't be from either.

Is your local test message *exactly* what you uploaded to pastebin? 
Because that does not hit URIs here, at all.

If you edited your local test message, check to verify you didn't 
accidentally add a blank line in the middle of the message headers that 
could potentially have pushed message header(s) down into the body. Apart 
from that, I have no ideas.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Taking my gun away because I *might* shoot someone is like cutting
   my tongue out because I *might* yell "Fire!" in a crowded theater.
                                                   -- Peter Venetoklis
-----------------------------------------------------------------------
  82 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: body_uri with empty body

Posted by Alex <my...@gmail.com>.
Hi,

On Tue, Jun 20, 2017 at 1:40 PM, John Hardin <jh...@impsec.org> wrote:
> On Tue, 20 Jun 2017, Alex wrote:
>
>> Hi,
>>
>> We've been receiving empty messages (or what appear to be empty body
>> messages) delivered to undisclosed-recips and I wanted to figure out
>> how to block them.
>>
>> This one wasn't blocked at the time it was received, but somehow is now.
>>
>> https://pastebin.com/inS6qiiG
>>
>> I noticed despite there being no actual URI that I can see in the
>> body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
>> still hits. Just what does SA consider to be a URI?
>>
>> meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI
>> && !__SMIME_MESSAGE
>> uri __HAS_ANY_URI   /./
>>
>> Running the message through debug doesn't show me what it considered
>> to be the URI in this message.
>
> Add this to your test environment:
>
>    uri   __ALL_URI   /.+/
>
>> dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"

ran uri rule __ALL_URI ======> got hit: "gmail.com"

Is it from the From or Message-ID?

Re: body_uri with empty body

Posted by John Hardin <jh...@impsec.org>.
On Tue, 20 Jun 2017, Alex wrote:

> Hi,
>
> We've been receiving empty messages (or what appear to be empty body
> messages) delivered to undisclosed-recips and I wanted to figure out
> how to block them.
>
> This one wasn't blocked at the time it was received, but somehow is now.
>
> https://pastebin.com/inS6qiiG
>
> I noticed despite there being no actual URI that I can see in the
> body, it still hits __BODY_URI_ONLY. Even if I remove the div tags it
> still hits. Just what does SA consider to be a URI?
>
> meta        __BODY_URI_ONLY      __BODY_TEXT_LINE < 3 && __HAS_ANY_URI
> && !__SMIME_MESSAGE
> uri __HAS_ANY_URI   /./
>
> Running the message through debug doesn't show me what it considered
> to be the URI in this message.

Add this to your test environment:

    uri   __ALL_URI   /.+/

> dbg: rules: ran uri rule __DOS_HAS_ANY_URI ======> got hit: "g"

I don't get that. I also get no URI hits at all on that message.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Your mouse has moved. Your Windows Operating System must be
   relicensed due to this hardware change. Please contact Microsoft
   to obtain a new activation key. If this hardware change results in
   added functionality you may be subject to additional license fees.
   Your system will now shut down. Thank you for choosing Microsoft.
-----------------------------------------------------------------------
  82 days since the first commercial re-flight of an orbital booster (SpaceX)