You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Mike Grau <m....@kcc.state.ks.us> on 2012/05/03 19:02:04 UTC
KB_FAKED_THE_BAT
Hello all,
Just an FYI ...
The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting circumvented
here because the meta rule component
header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t
is being evaded by spam that now has a space character before the tab:
# grep Date: HEADERS | od -a
0000000 D a t e : sp ht T h u , sp 3 sp M a
0000020 y sp 2 0 1 2 sp 1 6 : 5 3 : 5 9 sp
0000040 + 0 7 0 0 nl
0000046vi H*
This has been Russian language spam (charset koi8-r) with various
flavors of X-Mailer: The Bat!
-- Mike G.
Re: KB_FAKED_THE_BAT
Posted by Mike Grau <m....@kcc.state.ks.us>.
>>
>> # grep Date: HEADERS | od -a
>> 0000000 D a t e : sp ht T h u , sp 3 sp M a
>> 0000020 y sp 2 0 1 2 sp 1 6 : 5 3 : 5 9 sp
>> 0000040 + 0 7 0 0 nl
>> 0000046vi H*
>>
>> This has been Russian language spam (charset koi8-r) with various
>> flavors of X-Mailer: The Bat!
>
> What version of SpamAssassin are you running? Here's a note from that
> rule's definition (rulesrc/sandbox/kb/20_header.cf):
>
> # NOTE Depends on some header rule code fixes for 3.3.x to remove
> # the leading space that was showing up in header rules. For
> # 3.2.x releases the pattern must be changed to /^ \t/.
>
> Karsten: Maybe change it to /^ ?\t/ as a workaround?
> (Yes, I know we've stopped supporting sa3.2.x)
In 3.3.2
/var/lib/spamassassin/3.003002/updates_spamassassin_org
# grep __KB_DATE_CONTAINS_TAB 72_active.cf
header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t
Re: KB_FAKED_THE_BAT
Posted by Adam Katz <an...@khopis.com>.
On 05/03/2012 10:02 AM, Mike Grau wrote:
> The meta rule in 72_active.cf "KB_FAKED_THE_BAT" is getting
> circumvented here because the meta rule component
>
> header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t
>
> is being evaded by spam that now has a space character before the tab:
>
> # grep Date: HEADERS | od -a
> 0000000 D a t e : sp ht T h u , sp 3 sp M a
> 0000020 y sp 2 0 1 2 sp 1 6 : 5 3 : 5 9 sp
> 0000040 + 0 7 0 0 nl
> 0000046vi H*
>
> This has been Russian language spam (charset koi8-r) with various
> flavors of X-Mailer: The Bat!
What version of SpamAssassin are you running? Here's a note from that
rule's definition (rulesrc/sandbox/kb/20_header.cf):
# NOTE Depends on some header rule code fixes for 3.3.x to remove
# the leading space that was showing up in header rules. For
# 3.2.x releases the pattern must be changed to /^ \t/.
Karsten: Maybe change it to /^ ?\t/ as a workaround?
(Yes, I know we've stopped supporting sa3.2.x)