You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Per Jessen <pe...@computer.org> on 2010/05/31 14:12:54 UTC
leading blanks on From:addr prevents e.g. blacklisting from working
I have just this morning come across an interesting issue (SA 3.2.5). I
was trying to blacklist a From: address using 'blacklist_from', but it
wasn't working. I took a closer look at the email, and noticed:
From: "something or other" < mailing@example.com>
The single leading space in the address part is the issue. Before I go
and open a bugreport (I suspect the same issue may be present in the
3.3 series), I just wanted to see if this just might be a known issue?
/Per Jessen, Zürich
Re: leading blanks on From:addr prevents e.g. blacklisting from working
Posted by Per Jessen <pe...@computer.org>.
Benny Pedersen wrote:
> On Mon 31 May 2010 02:12:54 PM CEST, Per Jessen wrote
>> From: "something or other" < mailing@example.com>
>
> mailzu / amavisd-new also using the From: header, here i am just
> unsure if this is just on web it displays the From: addr, might be
> related or not
>
> anyway why not blacklist_from envelope_sender ?
Because it is a mass-emailing company.
/Per Jessen, Zürich
Re: leading blanks on From:addr prevents e.g. blacklisting from
working
Posted by Benny Pedersen <me...@junc.org>.
On Mon 31 May 2010 02:12:54 PM CEST, Per Jessen wrote
> From: "something or other" < mailing@example.com>
mailzu / amavisd-new also using the From: header, here i am just
unsure if this is just on web it displays the From: addr, might be
related or not
anyway why not blacklist_from envelope_sender ?
in postfix this is Return-Path, is there a space there ?
spamassassin should not be idiotic checking the wrong header where
anything not authed can be writed
is there any mta that will accept space in mail-from ?
--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: leading blanks on From:addr prevents e.g. blacklisting from working
Posted by Per Jessen <pe...@computer.org>.
Michael Scheidell wrote:
> On 5/31/10 8:12 AM, Per Jessen wrote:
>> I have just this morning come across an interesting issue (SA 3.2.5).
>> I was trying to blacklist a From: address using 'blacklist_from', but
>> it wasn't working. I took a closer look at the email, and noticed:
>>
>> From: "something or other"< mailing@example.com>
>>
> Interesting.. the addr part of the email address would be invalid by
> RFC standards (the addr part cannot start with a space)
Correct.
> just use your MTA to block invalid addresses at the gateway.
This is _only_ the From: in the header - AFAIK, the MTA (postfix)
doesn't check or even care much about it.
> with the MTA blocking it, the sender (if they are really the sender
> and not a bot) will get the NDR without the issue of backscatter to
> (what address would you bounce it to? %20mailing@example.com ?
No, the envelope address is a genuine bounce-<something> from a
mass-emailing service.
> is this in the header from, the envelope from or both? postfix strips
> the %20 (space), and changes the envelope (return-path) to
> mailing@example.com so is this just in the header from?
Yup.
/Per Jessen, Zürich
Re: leading blanks on From:addr prevents e.g. blacklisting from working
Posted by Mark Martinec <Ma...@ijs.si>.
On Monday 31 May 2010 16:13:24 Per Jessen wrote:
> Michael Scheidell wrote:
> > interesting that sa 3.3.1 only scores this as a +1 score. must mean
> > it doesn't match a lot of spam vs ham.
>
> Must also mean that it is not an issue in SA 3.3, good. In my case, the
> email is not spam as such, I suspect the leading blank is just a
> programming error.
Looks fine with 3.3.1, seems the leading space is stripped and blacklisting
works.
Mark
Re: leading blanks on From:addr prevents e.g. blacklisting from working
Posted by Per Jessen <pe...@computer.org>.
Michael Scheidell wrote:
> interesting that sa 3.3.1 only scores this as a +1 score. must mean
> it doesn't match a lot of spam vs ham.
Must also mean that it is not an issue in SA 3.3, good. In my case, the
email is not spam as such, I suspect the leading blank is just a
programming error.
/Per Jessen, Zürich
Re: leading blanks on From:addr prevents e.g. blacklisting from working
Posted by Michael Scheidell <sc...@secnap.net>.
On 5/31/10 8:39 AM, Michael Scheidell wrote:
> On 5/31/10 8:12 AM, Per Jessen wrote:
>> I have just this morning come across an interesting issue (SA 3.2.5). I
>> was trying to blacklist a From: address using 'blacklist_from', but it
>> wasn't working. I took a closer look at the email, and noticed:
>>
>> From: "something or other"< mailing@example.com>
> Interesting.. the addr part of the email address would be invalid by
> RFC standards (the addr part cannot start with a space)
> just use your MTA to block invalid addresses at the gateway. with the
> MTA blocking it, the sender (if they are really the sender and not a
> bot) will get the NDR without the issue of backscatter to (what
> address would you bounce it to? %20mailing@example.com ?
>
> is this in the header from, the envelope from or both? postfix strips
> the %20 (space), and changes the envelope (return-path) to
> mailing@example.com so is this just in the header from?
>
interesting that sa 3.3.1 only scores this as a +1 score. must mean it
doesn't match a lot of spam vs ham.
FROM_WSP_LEAD
(the 1+ score is a default based on not having a score value listed anywhere)
grep FROM_WSP_LEAD /var/db/spamassassin/3.003001/updates_spamassassin_org/* /usr/local/etc/mail/spamassassin//*.cf
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:##{ FROM_WSP_LEAD
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:header FROM_WSP_LEAD From:raw =~ /< \s+ [^>\s] [^>]*> [^<>]* \z/xm
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:describe FROM_WSP_LEAD Leading whitespace after '<' in From header field
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:##} FROM_WSP_LEAD
> my understanding of SA (from a while back) is that it will
> blacklist_from based on header from, envelope from and/or sender from,
> so if that is so, it should have worked.
>
>
>
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
Re: leading blanks on From:addr prevents e.g. blacklisting from working
Posted by Michael Scheidell <sc...@secnap.net>.
On 5/31/10 8:12 AM, Per Jessen wrote:
> I have just this morning come across an interesting issue (SA 3.2.5). I
> was trying to blacklist a From: address using 'blacklist_from', but it
> wasn't working. I took a closer look at the email, and noticed:
>
> From: "something or other"< mailing@example.com>
>
Interesting.. the addr part of the email address would be invalid by RFC
standards (the addr part cannot start with a space)
just use your MTA to block invalid addresses at the gateway. with the
MTA blocking it, the sender (if they are really the sender and not a
bot) will get the NDR without the issue of backscatter to (what address
would you bounce it to? %20mailing@example.com ?
is this in the header from, the envelope from or both? postfix strips
the %20 (space), and changes the envelope (return-path) to
mailing@example.com so is this just in the header from?
my understanding of SA (from a while back) is that it will
blacklist_from based on header from, envelope from and/or sender from,
so if that is so, it should have worked.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________