Posted to dev@spamassassin.apache.org by Karsten Bräckelmann <gu...@rudersport.de> on 2010/02/01 17:31:37 UTC

FP prone -- onet.pl customers using The Bat!

Please see bug 6155 comment 128.
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6155#c128

The issue persists, and being an onet.pl customer using The Bat! MUA is
kind of a deadly combination. Those are being shot single-handedly.

  score KB_DATE_CONTAINS_TAB   3.800 3.799 3.799 2.751
  score KB_FAKED_THE_BAT       2.432 3.441 2.008 2.694

Comments? Is this something we need to worry about? I do, rather scary
to me. :/


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: FP prone -- onet.pl customers using The Bat!

Posted by Adam Katz <an...@khopis.com>.
Karsten Bräckelmann wrote:
> Please see bug 6155 comment 128.
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6155#c128
> 
> The issue persists, and being an onet.pl customer using The Bat!
> MUA is kind of a deadly combination. Those are being shot
> single-handedly.
> 
>   score KB_DATE_CONTAINS_TAB   3.800 3.799 3.799 2.751
>   score KB_FAKED_THE_BAT       2.432 3.441 2.008 2.694

Karsten forgot to mention that the latter rule is dependent on the
former rule.

> Comments? Is this something we need to worry about? I do, rather
> scary to me. :/

Me too.  Is onet.pl the only such instance of this overlap?  Why not
move KB_DATE_CONTAINS_TAB to a subrule and make some kind of
onet.pl-detector that the new meta must match against?

They have an SPF record, though we probably can't rely upon
implementations using SPF, so since it's simple enough, we could
manually parse it:

header __DATE_CONTAINS_TAB  Date:raw =~ /^\t/
header __RCVD_ONET_PL  X-Spam-Relays-External =~ / ip=213\.180\.1(?:28|[345]\d)\.\d/
meta   KB_DATE_CONTAINS_TAB __DATE_CONTAINS_TAB && !__RCVD_ONET_PL
# here for reference, unchanged:
meta   KB_FAKED_THE_BAT     __THEBAT_MUA && KB_DATE_CONTAINS_TAB

Still, this is bad as it assumes their SPF record is foolproof and
unchanging (their use of "-all" shows that it is at least
theoretically authoritative).  Also, since we need it to survive
mailing lists and forwarding services, we can't key an IP check on the
last external relay, meaning that the passage through onet can be
forged.  Given some other headers, we might be able to find a better
counter-filter.


To attack it from another angle:  has anybody (preferably a Polish
speaker) approached Onet.pl and at least mentioned the problem if not
also a solution?  Their use of SPF implies that they care about this
sort of thing...
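To see how the proposed meta change behaves on the cases discussed in this thread, here is an added Python model of the rule logic (example code written for this page, not SpamAssassin's evaluator or any rule it ships). The Date, X-Mailer and relay headers are constructed samples, and __THEBAT_MUA, which the list does not show, is assumed to be a plain X-Mailer check:

```python
import re

# Sub-rule regexes transcribed from the rules quoted in the post above.
DATE_CONTAINS_TAB = re.compile(r"^\t")
RCVD_ONET_PL = re.compile(r" ip=213\.180\.1(?:28|[345]\d)\.\d")
# __THEBAT_MUA is not shown on the list; assumed here to be an X-Mailer check.
THEBAT_MUA = re.compile(r"^The Bat!")

def subrules(headers):
    """Evaluate the sub-rules on a dict of raw header values."""
    return {
        "__DATE_CONTAINS_TAB": bool(DATE_CONTAINS_TAB.search(headers.get("Date", ""))),
        "__RCVD_ONET_PL": bool(RCVD_ONET_PL.search(headers.get("X-Spam-Relays-External", ""))),
        "__THEBAT_MUA": bool(THEBAT_MUA.search(headers.get("X-Mailer", ""))),
    }

def meta_rules(headers, exclude_onet):
    """Scoring rules that fire; exclude_onet=True applies the '&& !__RCVD_ONET_PL' change."""
    s = subrules(headers)
    date_tab = s["__DATE_CONTAINS_TAB"] and not (exclude_onet and s["__RCVD_ONET_PL"])
    hits = set()
    if date_tab:
        hits.add("KB_DATE_CONTAINS_TAB")
        if s["__THEBAT_MUA"]:  # KB_FAKED_THE_BAT depends on the former rule
            hits.add("KB_FAKED_THE_BAT")
    return hits

# Constructed sample headers, not real mail; 192.0.2.0/24 is the documentation
# range. The relay pseudo-header mimics SpamAssassin's X-Spam-Relays-External.
def relay(ip, rdns):
    return f"[ ip={ip} rdns={rdns} helo={rdns} by=mx.example.org ident= envfrom= intl=0 id=X auth= msa=0 ]"

ONET_THEBAT = {  # legitimate onet.pl customer; onet.pl injected the tab
    "Date": "\tMon, 1 Feb 2010 18:31:37 +0100",
    "X-Mailer": "The Bat! (v4.2.23) Professional",
    "X-Spam-Relays-External": relay("213.180.130.42", "smtp.example.onet.pl"),
}
RATWARE = {  # forged X-Mailer plus the tab, delivered from elsewhere
    "Date": "\tMon, 1 Feb 2010 18:31:37 +0100",
    "X-Mailer": "The Bat! (v2.00)",
    "X-Spam-Relays-External": relay("192.0.2.7", "host.example.net"),
}
CLEAN = {  # The Bat! via an unrelated relay, Date header intact
    "Date": "Mon, 1 Feb 2010 18:31:37 +0100",
    "X-Mailer": "The Bat! (v4.2.23) Professional",
    "X-Spam-Relays-External": relay("192.0.2.9", "mail.example.net"),
}
```

The onet.pl sample loses both hits once the exclusion is applied, while the sample delivered from outside that IP range still scores both.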

Re: FP prone -- onet.pl customers using The Bat!

Posted by "Kevin A. McGrail" <km...@pccc.com>.
>> In my experience, the bat is highly related to spam.  However, I was
>
> Now you got me confused. You mean a forged X-Mailer header, as opposed
> to the real MUA itself being involved in spam. No?

Sorry, the subject led me to believe onet.pl was using The Bat for
customers.

Regards,
KAM 


Re: FP prone -- onet.pl customers using The Bat!

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-02-01 at 13:15 -0500, Kevin A. McGrail wrote:
> > Ah, that widely spread mis-information The Bat! is a spam tool. Yes,
> > indeed, I've come across that too often, and The Bat! users probably are
> > used to such issues. Doesn't make it any better, does it? ;)
> 
> In my experience, the bat is highly related to spam.  However, I was 

Now you got me confused. You mean a forged X-Mailer header, as opposed
to the real MUA itself being involved in spam. No?


> surprised to find out as you did that major ISPs in other countries were 
> using it. 

That's actually not what I found. What I found is, that onet.pl breaks
the MUA generated Date header, and rewrites it to at least inject that
tab. MUA agnostic. This alone trips the DATE_CONTAINS_TAB rule.
Arguably, you get what you deserve if you break MUA generated headers to
make it look like common ratware screw-ups.

This becomes more of a problem, if the onet.pl user also uses The Bat!,
since this triggers a second rule -- the real deal I hacked up a while
ago to counter a highly specific pattern in a low-scorer flood here. The
same as above, plus the X-Mailer constraint. The MUA never generates
Date headers with tab -- only ratware forging The Bat! does. And the
onet.pl SMTP servers, on behalf of their users. :-/

  guenther




Re: FP prone -- onet.pl customers using The Bat!

Posted by "Kevin A. McGrail" <km...@pccc.com>.
> Ah, that widely spread mis-information The Bat! is a spam tool. Yes,
> indeed, I've come across that too often, and The Bat! users probably are
> used to such issues. Doesn't make it any better, does it? ;)

In my experience, the bat is highly related to spam.  However, I was 
surprised to find out as you did that major ISPs in other countries were 
using it. 


Re: FP prone -- onet.pl customers using The Bat!

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-02-01 at 17:07 +0000, d.hill@yournetplus.com wrote:
> Quoting Karsten Bräckelmann <gu...@rudersport.de>:
> 
> > Please see bug 6155 comment 128.
> >   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6155#c128

> > Comments? Is this something we need to worry about? I do, rather scary
> > to me. :/
> 
> If the rule KB_FAKED_THE_BAT looks for the X-Mailer header, you can  
> always tell The Bat! not to place the X-Mailer header. I use the  
> professional version of the email client on my personal email account  
> and have it removed as there is a telco around here that flat out  
> rejects messages that bear the X-Mailer header sending from The Bat!.

Ah, that widely spread mis-information The Bat! is a spam tool. Yes,
indeed, I've come across that too often, and The Bat! users probably are
used to such issues. Doesn't make it any better, does it? ;)

Since the problem and potential for FPs is known, I figured I'd better
bring it up again -- before angry users do, whose mail ends up in the
bit bucket due to SA.

Of course, having onet.pl not break the MUA supplied headers would be
best.




Re: FP prone -- onet.pl customers using The Bat!

Posted by d....@yournetplus.com.
Quoting Karsten Bräckelmann <gu...@rudersport.de>:

> Please see bug 6155 comment 128.
>   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6155#c128
>
> The issue persists, and being an onet.pl customer using The Bat! MUA is
> kind of a deadly combination. Those are being shot single-handedly.
>
>   score KB_DATE_CONTAINS_TAB   3.800 3.799 3.799 2.751
>   score KB_FAKED_THE_BAT       2.432 3.441 2.008 2.694
>
> Comments? Is this something we need to worry about? I do, rather scary
> to me. :/

If the rule KB_FAKED_THE_BAT looks for the X-Mailer header, you can  
always tell The Bat! not to place the X-Mailer header. I use the  
professional version of the email client on my personal email account  
and have it removed as there is a telco around here that flat out  
rejects messages that bear the X-Mailer header sending from The Bat!.