Posted to users@spamassassin.apache.org by "Benning, Markus" <ic...@markusbenning.de> on 2016/02/24 17:02:25 UTC
Parsing of address headers in spamassassin ($pms->get('From:name'))
Hello,
recently I'm receiving mails which try to fool users by sending
mails with a From: like
From: "John Doe <jo...@doe-company.tld>" <sp...@spamdomain.tld>
While implementing a header check to detect such attempts I noticed
that SA seems to have problems parsing such addresses correctly.
When accessing the displayname with From:name the PerMsgStatus.pm module
only returns the string "\"John Doe".
$pms->get('From:name');
> "John Doe
The regex should be extended to cover all characters of a quoted string
to the closing quote.
On line 2056 in PerMsgStatus.pm:
http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/PerMsgStatus.pm?view=markup#l2056
It should be extended to something like:
if ($result =~ /^ \s* ( [^"]*? | "[^"]*" ) \s* < [^<>]* >/sx) {
Markus
--
https://markusbenning.de/
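The truncation and the proposed pattern from the post above, run side by side, plus a header check of the kind the post mentions. This is an added example, not code from the post or from SpamAssassin: `name_naive` is an assumed stand-in for a parser that stops at the first `<` (not the actual regex in PerMsgStatus.pm), and all sub names and sample headers are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample headers, using the placeholder addresses from this thread.
my @from_headers = (
    '"John Doe <john.doe@doe-company.tld>" <spamuser@spamdomain.tld>',
    '"John Doe" <john.doe@doe-company.tld>',
    'John Doe <john.doe@doe-company.tld>',
);

# Assumed stand-in: takes everything before the first <...> as the name,
# so a quoted display name containing '<' is cut off at that point.
sub name_naive {
    my ($hdr) = @_;
    return $hdr =~ /^ \s* (.*?) \s* < [^<>]* >/sx ? $1 : '';
}

# Pattern proposed in the post: a quoted string is consumed as a whole,
# up to its closing quote, before the address part is matched.
sub name_proposed {
    my ($hdr) = @_;
    return $hdr =~ /^ \s* ( [^"]*? | "[^"]*" ) \s* < [^<>]* >/sx ? $1 : '';
}

# Header check: flag a display name that embeds an address whose domain
# differs from the domain of the real (last) address part.
sub display_name_spoofs {
    my ($hdr) = @_;
    my $name = name_proposed($hdr);
    my ($real_dom)  = $hdr  =~ /< [^<>\@]* \@ ([^<>\s]+) > \s* $/sx;
    my ($shown_dom) = $name =~ /[^\s<>"\@]+ \@ ([^\s<>"]+)/x;
    return 0 unless defined $real_dom && defined $shown_dom;
    return lc($real_dom) ne lc($shown_dom) ? 1 : 0;
}

for my $hdr (@from_headers) {
    printf "From: %s\n  naive:    [%s]\n  proposed: [%s]\n  spoof:    %s\n",
        $hdr, name_naive($hdr), name_proposed($hdr),
        display_name_spoofs($hdr) ? 'yes' : 'no';
}
```

Only the first header is flagged: the stand-in returns `"John Doe` for it, while the proposed pattern returns the whole quoted string, which is what the domain comparison needs.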
Re: Parsing of address headers in spamassassin
($pms->get('From:name'))
Posted by "Benning, Markus" <ic...@markusbenning.de>.
On 2016-02-24 17:20, Benning, Markus wrote:
> Some MTAs only show the displayname and this is an attempt to
s/MTA/MUA/
--
https://markusbenning.de/
Re: Parsing of address headers in spamassassin
($pms->get('From:name'))
Posted by "Benning, Markus" <ic...@markusbenning.de>.
On 2016-02-24 17:06, Axb wrote:
> afaik the correct syntax would be
>
> From: "John Doe" <jo...@doe-company.tld> <sp...@spamdomain.tld>
>
> so SA is doing it right and you can probably use
>
> /\>\" \</ as a borked template trait rule
The address part is only spamuser@spamdomain.tld.
It is correctly parsed when retrieving it from $pms->get('From:addr').
The displayname string is "John Doe <jo...@doe-company.tld>", but
SA truncates it at the < when retrieving it with 'From:name'.
The address within the displayname is just handled as a string.
Some MTAs only show the displayname and this is an attempt to
make the user believe the mail was sent from john.doe@doe-company.tld
when it's actually spamuser@spamdomain.tld.
Markus
--
https://markusbenning.de/
Re: Parsing of address headers in spamassassin
($pms->get('From:name'))
Posted by "Benning, Markus" <ic...@markusbenning.de>.
On 2016-02-24 18:01, John Hardin wrote:
> Markus, I think this is a valid issue, I think you should file a bug.
I just opened
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7300
but the tracker shows 774 bug status NEW with the oldest dating back to
2007.
If the tracker is still actively used someone should clean up old tickets.
Opening a ticket in such a bug tracker doesn't make me feel like it
will change anything.
Markus
--
https://markusbenning.de/
Re: Parsing of address headers in spamassassin
($pms->get('From:name'))
Posted by John Hardin <jh...@impsec.org>.
On Wed, 24 Feb 2016, Axb wrote:
> On 02/24/2016 05:02 PM, Benning, Markus wrote:
>> Hello,
>>
>> recently I'm receiving mails which try to fool users by sending
>> mails with a From: like
>>
>> From: "John Doe <jo...@doe-company.tld>" <sp...@spamdomain.tld>
>
> afaik the correct syntax would be
>
> From: "John Doe" <jo...@doe-company.tld> <sp...@spamdomain.tld>
That is (probably) correct syntax for an email with two senders. The
example is of someone trying to *obfuscate* a single sender by what's in
the display name.
> so SA is doing it right
I disagree. The display name is defined as a quoted string, so *all* the
content between the quotes is the display name part, even if it *appears*
to contain a validly-formatted email address.
> and you can probably use
>
> /\>\" \</ as a borked template trait rule
That's just a workaround for broken SA code.
Markus, I think this is a valid issue, I think you should file a bug.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Parsing of address headers in spamassassin
($pms->get('From:name'))
Posted by Axb <ax...@gmail.com>.
On 02/24/2016 05:02 PM, Benning, Markus wrote:
> Hello,
>
> recently I'm receiving mails which try to fool users by sending
> mails with a From: like
>
> From: "John Doe <jo...@doe-company.tld>" <sp...@spamdomain.tld>
>
> While implementing a header check to detect such attempts I noticed
> that SA seems to have problems parsing such addresses correctly.
>
> When accessing the displayname with From:name the PerMsgStatus.pm module
> only returns the string "\"John Doe".
>
> $pms->get('From:name');
>
>> "John Doe
>
> The regex should be extended to cover all characters of a quoted string
> to the closing quote.
>
> On line 2056 in PerMsgStatus.pm:
>
> http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/PerMsgStatus.pm?view=markup#l2056
>
>
> It should be extended to something like:
>
> if ($result =~ /^ \s* ( [^"]*? | "[^"]*" ) \s* < [^<>]* >/sx) {
>
afaik the correct syntax would be
From: "John Doe" <jo...@doe-company.tld> <sp...@spamdomain.tld>
so SA is doing it right and you can probably use
/\>\" \</ as a borked template trait rule