
Mailing List Archive: SpamAssassin: devel

[Bug 6823] Malformed messages allow evasion of URIBL checks

 

 



bugzilla-daemon at bugzilla

Aug 11, 2012, 8:30 PM

Post #1 of 5 (222 views)
[Bug 6823] Malformed messages allow evasion of URIBL checks

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823

Marco d'Itri <md [at] linux> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |md [at] linux
Component|Tools |Libraries

--- Comment #1 from Marco d'Itri <md [at] linux> ---
A malformed MIME message with a URI in the last line of the full body allows
perfectly evading URIBL checks, because the URI is totally ignored.
This has been used by a spamming operation for months with massive spam-runs.

See the attached sample for details.

--
You are receiving this mail because:
You are the assignee for the bug.


bugzilla-daemon at bugzilla

Aug 11, 2012, 8:32 PM

Post #2 of 5 (220 views)
[Bug 6823] Malformed messages allow evasion of URIBL checks [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823

--- Comment #2 from Marco d'Itri <md [at] linux> ---
Created attachment 5083
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5083&action=edit
A malformed message which allows evading URI checks.

--
You are receiving this mail because:
You are the assignee for the bug.


bugzilla-daemon at bugzilla

Aug 11, 2012, 8:33 PM

Post #3 of 5 (220 views)
[Bug 6823] Malformed messages allow evasion of URIBL checks [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823

--- Comment #3 from Marco d'Itri <md [at] linux> ---
Just to be clear: URIBL checks fail because the last line of these messages is
not considered part of the body, so uri and rawbody rules do fail as well. A
full rule is needed to be able to match the line content.

--
You are receiving this mail because:
You are the assignee for the bug.


bugzilla-daemon at bugzilla

Aug 12, 2012, 3:28 AM

Post #4 of 5 (213 views)
[Bug 6823] Malformed messages allow evasion of URIBL checks [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823

Henrik Krohns <hege [at] hege> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |hege [at] hege

--- Comment #4 from Henrik Krohns <hege [at] hege> ---
It seems Message.pm does not handle missing boundary end well. From what I see,
it has been like this since 2004..

    # if we're on the last body line, or we find any boundary marker,
    # deal with the mime part
    if ( --$line_count == 0 || (defined $boundary &&
         /^--\Q$boundary\E(?:--)?\s*$/) ) {
      my $line = $_; # remember the last line

After that, there's nothing adding the "remembered $line" to body array, so
indeed it goes missing. I could come up with a quick patch, not sure if there
are any caveats..

--
You are receiving this mail because:
You are the assignee for the bug.
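
Added example (not part of the original thread, not SpamAssassin's Message.pm and not the attached patch): a simplified Perl model of the loop quoted in comment #4, showing how a URI on the final line disappears from the parsed parts when the closing boundary is missing, and how keeping that line restores it. The names split_parts, missing_close and uris, the $keep_last switch and the sample message are constructed for illustration.

```perl
use strict;
use warnings;

# Simplified model of a multipart body loop. $keep_last = 0 reproduces the
# behaviour described in comment #4 (the line that ends the loop is never
# stored); $keep_last = 1 keeps it when it is not a boundary marker.
sub split_parts {
    my ($boundary, $keep_last, @lines) = @_;
    my (@parts, @current);
    my $line_count = @lines;
    my $in_part    = 0;
    for my $l (@lines) {
        my $is_close = $l =~ /^--\Q$boundary\E--\s*$/;
        my $is_open  = $l =~ /^--\Q$boundary\E\s*$/;
        if (--$line_count == 0 || $is_open || $is_close) {
            # A final line that is not a boundary is still body content.
            push @current, $l
                if $keep_last && $in_part && !$is_open && !$is_close;
            push @parts, join('', @current) if $in_part;
            @current = ();
            $in_part = $is_open ? 1 : 0;
            next;
        }
        push @current, $l if $in_part;
    }
    return @parts;
}

# True when no closing "--boundary--" line exists: the malformation itself.
sub missing_close {
    my ($boundary, @lines) = @_;
    return !grep { /^--\Q$boundary\E--\s*$/ } @lines;
}

# Pull http(s) URIs out of the parsed parts, as a uri rule would see them.
sub uris { return map { /(https?:\/\/\S+)/g } @_ }

# Constructed sample: one text part, URI on the last line, no "--b1--".
my @msg = (
    "--b1\n", "Content-Type: text/plain\n", "\n",
    "Hello\n", "http://listed-domain.example/offer\n",
);

for my $keep (0, 1) {
    my @found = uris(split_parts('b1', $keep, @msg));
    printf "keep_last=%d uris=%s\n", $keep, @found ? "@found" : '(none)';
}
printf "closing boundary missing: %s\n",
    missing_close('b1', @msg) ? 'yes' : 'no';
```

The missing_close check flags the malformation independently of the parser, which is useful for auditing a corpus the way comment #5 describes.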


bugzilla-daemon at bugzilla

Aug 12, 2012, 5:21 AM

Post #5 of 5 (214 views)
[Bug 6823] Malformed messages allow evasion of URIBL checks [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6823

--- Comment #5 from Henrik Krohns <hege [at] hege> ---
Created attachment 5085
--> https://issues.apache.org/SpamAssassin/attachment.cgi?id=5085&action=edit
Proposed fix


Here's a minimum change patch proposal.

I've run it against 20000s/10000h multipart messages and reviewed the diffs of
internal data (Data::Dumper(find_parts)) by hand. Zero differences in ham and
only a few dozen cases of missing end boundary in spam. But that's my very old
corpus.

So the change looks safe to me.. waiting for another opinion to commit. ;-)

--
You are receiving this mail because:
You are the assignee for the bug.
