You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/06/05 20:30:28 UTC

[Bug 6125] New: Didn't catch 2 obvious spam violations

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6125

           Summary: Didn't catch 2 obvious spam violations
           Product: Spamassassin
           Version: unspecified
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: Rules (Eval Tests)
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: fnoell@channel-islands-sw.com


The FROM field in the header contained: VIAGRA Inc.
<sa...@channel-islands-sw.com>
The TO field contained: sales@channel-islands-sw.com
The REPLY-TO contained sales@channel-islands-sw.com

>From and To contained the same address.  From contained VIAGRA (spelled
correctly).

No rules caught either of these.

While I have *@channel-islands-sw.com in my white list, I can change this as
there are only 3 "real" e-mail addresses, however "sales@..." is one of them. 
If I could set TO = REPLY TO to somehting more than 100, it would easily solve
this problem, also, it VIAGRA (spelled correctly) was caught I could do the
same. Both would void the white list entry.

I am using HostGator as my host.

Thanks for the excellent product!

Frank Noell
fnoell@channel-islands-sw.com


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6125] Didn't catch 2 obvious spam violations

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6125


Karsten Bräckelmann <gu...@rudersport.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #1 from Karsten Bräckelmann <gu...@rudersport.de>  2009-06-05 11:59:28 PST ---
> From and To contained the same address.

This is a valid, commonly used approach when sending to a pure Bcc list and
does occur in ham. See various discussions in the list archives.


> While I have *@channel-islands-sw.com in my white list, I can change this as
> there are only 3 "real" e-mail addresses, however "sales@..." is one of them. 

Do NOT use whitelist_from, but whitelist_from_rcvd with your own, outbound SMTP
servers. Spammers often use the target address as the sender, because
(a) it's an easy pass in case of mis-configuration and  (b) a lot of MUAs then
display remote images, because the address is in the local address-book.

The plain whitelist_from must only be used as a (dangerous) last resort, if it
really is necessary to whitelist in the first place, and none of the other
variants (rcvd, auth, etc.) can be used.

The whitelist_from is a custom configuration.


> If I could set TO = REPLY TO to somehting more than 100, it would easily solve
> this problem, also, it VIAGRA (spelled correctly) was caught I could do the
> same. Both would void the white list entry.

Such a TO_EQ_REPLYTO rule /can/ be written using the pseudo ALL header and
multi-line matching. From memory it doesn't seem worthwhile to include it in
stock though, since this is a rarely used pattern and may occur in ham.

Scoring *anything* 100 is a very, very bad idea. And the reason to ask for this
in the first place is an unsafe whitelist. Fix that instead. :)


IMHO, this is not a bug but a local (mis-) configuration issue. Sorry.
Closing RESOLVED INVALID.


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6125] Didn't catch 2 obvious spam violations

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6125





--- Comment #2 from Karsten Bräckelmann <gu...@rudersport.de>  2009-06-05 12:05:49 PST ---
Oh, also -- in particular correctly spelled, non-obfuscated "medical words" are
totally legit in ham.

However, in places like that (the From address), Bayes will easily take care of
that. It takes the headers into account, so "Viagra" as the sender's name will
be treated much more easily as a very spammy token, than the same word in the
body, for example.

Just train your Bayes.


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.