Posted to users@spamassassin.apache.org by Mike Grau <m....@kcc.state.ks.us> on 2012/05/03 19:02:04 UTC

KB_FAKED_THE_BAT

Hello all,

Just an FYI ...

The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting circumvented
here because the meta rule component

 header   __KB_DATE_CONTAINS_TAB  Date:raw =~ /^\t

is being evaded by spam that now has a space character before the tab:

# grep Date: HEADERS | od -a
0000000   D   a   t   e   :  sp  ht   T   h   u   ,  sp   3  sp   M   a
0000020   y  sp   2   0   1   2  sp   1   6   :   5   3   :   5   9  sp
0000040   +   0   7   0   0  nl
0000046vi H*

This has been Russian language spam (charset koi8-r) with various
flavors of X-Mailer: The Bat!

-- Mike G.

Re: KB_FAKED_THE_BAT

Posted by Mike Grau <m....@kcc.state.ks.us>.
>>
>> # grep Date: HEADERS | od -a
>> 0000000   D   a   t   e   :  sp  ht   T   h   u   ,  sp   3  sp   M   a
>> 0000020   y  sp   2   0   1   2  sp   1   6   :   5   3   :   5   9  sp
>> 0000040   +   0   7   0   0  nl
>> 0000046vi H*
>>
>> This has been Russian language spam (charset koi8-r) with various
>> flavors of X-Mailer: The Bat!
> 
> What version of SpamAssassin are you running?  Here's a note from that
> rule's definition (rulesrc/sandbox/kb/20_header.cf):
> 
> # NOTE  Depends on some header rule code fixes for 3.3.x to remove
> #       the leading space that was showing up in header rules.  For
> #       3.2.x releases the pattern must be changed to /^ \t/.
> 
> Karsten:  Maybe change it to   /^ ?\t/   as a workaround?
> (Yes, I know we've stopped supporting sa3.2.x)

In 3.3.2
/var/lib/spamassassin/3.003002/updates_spamassassin_org
# grep  __KB_DATE_CONTAINS_TAB 72_active.cf

header   __KB_DATE_CONTAINS_TAB  Date:raw =~ /^\t


Re: KB_FAKED_THE_BAT

Posted by Adam Katz <an...@khopis.com>.
On 05/03/2012 10:02 AM, Mike Grau wrote:
> The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting
> circumvented here because the meta rule component
>
>  header   __KB_DATE_CONTAINS_TAB  Date:raw =~ /^\t
> 
> is being evaded by spam that now has a space character before the tab:
> 
> # grep Date: HEADERS | od -a
> 0000000   D   a   t   e   :  sp  ht   T   h   u   ,  sp   3  sp   M   a
> 0000020   y  sp   2   0   1   2  sp   1   6   :   5   3   :   5   9  sp
> 0000040   +   0   7   0   0  nl
> 0000046vi H*
> 
> This has been Russian language spam (charset koi8-r) with various
> flavors of X-Mailer: The Bat!

What version of SpamAssassin are you running?  Here's a note from that
rule's definition (rulesrc/sandbox/kb/20_header.cf):

# NOTE  Depends on some header rule code fixes for 3.3.x to remove
#       the leading space that was showing up in header rules.  For
#       3.2.x releases the pattern must be changed to /^ \t/.

Karsten:  Maybe change it to   /^ ?\t/   as a workaround?
(Yes, I know we've stopped supporting sa3.2.x)
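
Added example (not part of the original thread and not SpamAssassin code): a Python check of the three patterns discussed above against the Date line from the od dump. It runs under two assumed ways the value could reach the regex: everything after the colon kept, or one leading space removed. The function names and sample headers are constructed for illustration.

```python
import re

# Constructed sample: the Date line has the bytes shown in the od -a dump
# from the thread ("Date:", space, tab, date text); the rest is made up.
SPAM_HEADERS = "X-Mailer: The Bat! (sample)\nDate: \tThu, 3 May 2012 16:53:59 +0700\n"
HAM_HEADERS = "X-Mailer: example\nDate: Thu, 3 May 2012 16:53:59 +0700\n"

# The three patterns quoted in the thread.
PATTERNS = {
    "strict": re.compile(r"^\t"),        # /^\t/   the rule in 72_active.cf
    "v32": re.compile(r"^ \t"),          # /^ \t/  per the 3.2.x note
    "workaround": re.compile(r"^ ?\t"),  # /^ ?\t/ suggested in the reply
}


def raw_value(headers, name, strip_one_space):
    """Text after 'name:' on its first occurrence, or None if absent.

    strip_one_space models an engine that drops a single leading space
    before matching (an assumption; not taken from SpamAssassin source).
    """
    prefix = name.lower() + ":"
    for line in headers.splitlines():
        if line.lower().startswith(prefix):
            value = line[len(prefix):]
            if strip_one_space and value.startswith(" "):
                value = value[1:]
            return value
    return None


def date_tab_hits(headers, strip_one_space):
    """Map each pattern name to True/False for the Date header value."""
    value = raw_value(headers, "Date", strip_one_space)
    return {k: bool(value is not None and rx.search(value))
            for k, rx in PATTERNS.items()}


if __name__ == "__main__":
    for label, hdrs in (("spam", SPAM_HEADERS), ("ham", HAM_HEADERS)):
        for strip in (False, True):
            print(label, "strip" if strip else "keep", date_tab_hits(hdrs, strip))
```

Only the /^ ?\t/ form matches the sample under both assumptions, and none of the three matches an ordinary "Date: Thu, ..." line.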