Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SpamAssassin: users

Newest spammer trick - non-blank subject lines?

  

 
First page Previous page 1 2 3 Next page Last page  View All SpamAssassin users RSS feed   Index | Next | Previous | View Threaded


tedm at ipinc

Feb 9, 2010, 12:58 PM

Post #1 of 65 (1892 views)
Permalink
Newest spammer trick - non-blank subject lines?
OK All,

Please let me know if anyone has seen this one before.

We have SA configured to insert "*****SPAM***** in the
beginning of the subject lines of spams before sending them on to
customers, then mail the message as an attachment to the user
along with the SA report as to why it's spam.

Lately I've seen a new trick the spammers are using.

They are putting characters in the subject line that
are not text characters - I don't know what they are,
I haven't looked into this closely yet. Our SA installation
is correctly tagging this as spam and sending it forward
to the user.

The problem is the mail client program, specifically
Thunderbird. There must be a bug in T-bird that is tickled
by these non-text characters because although the Subject
line exists with ***SPAM*** in it if I look at the actual
message in the mailbox with an editor, T-bird displays
the subject line as a BLANK subject. Of course, since the
Subject is blank then you don't see that it is SPAM and
you have to go to the bother of opening it before you see
the SA report that it's spam.

This has only happened to a few spams so far, and I want
to nip it in the bud.

Now, why don't I just write a rule in T-bird that trashes mail
that has a blank subject line, I hear you ask?

It's because we have a few moronic customers who seem to
think it's OK to send out e-mails with blank subject lines!!

It would be most useful if when SA was creating the subject
lines of the e-mails with the spams attached, that instead of
just blindly copying over the Subject line from the spam and
inserting the *****SPAM***** in front of the subject, that
SA stripped out all the non-text characters in the Subject
line.

Any suggestions appreciated! (even the smart-ass ones but
they have to be clever)

Thanks!
Ted


gene.heskett at verizon

Feb 9, 2010, 1:07 PM

Post #2 of 65 (1848 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tuesday 09 February 2010, Ted Mittelstaedt wrote:
>OK All,
>
> Please let me know if anyone has seen this one before.
>
> We have SA configured to insert "*****SPAM***** in the
>beginning of the subject lines of spams before sending them on to
>customers, then mail the message as an attachment to the user
>along with the SA report as to why it's spam.
>
> Lately I've seen a new trick the spammers are using.
>
> They are putting characters in the subject line that
>are not text characters - I don't know what they are,
>I haven't looked into this closely yet. Our SA installation
>is correctly tagging this as spam and sending it forward
>to the user.
>
> The problem is the mail client program, specifically
>Thunderbird. There must be a bug in T-bird that is tickled
>by these non-text characters because although the Subject
>line exists with ***SPAM*** in it if I look at the actual
>message in the mailbox with an editor, T-bird displays
>the subject line as a BLANK subject. Of course, since the
>Subject is blank then you don't see that it is SPAM and
>you have to go to the bother of opening it before you see
>the SA report that it's spam.
>
> This has only happened to a few spams so far, and I want
>to nip it in the bud.
>
> Now, why don't I just write a rule in T-bird that trashes mail
>that has a blank subject line, I hear you ask?
>
> It's because we have a few moronic customers who seem to
>think it's OK to send out e-mails with blank subject lines!!

Put a valid subject line required into your TOS, mail it to everybody, & then
do it a day later, bounce it at them if no subject line content. They will
either jump ship in which case offer to hold the door, or come around and do
it right in a day or so.

> It would be most useful if when SA was creating the subject
>lines of the e-mails with the spams attached, that instead of
>just blindly copying over the Subject line from the spam and
>inserting the *****SPAM***** in front of the subject, that
>SA stripped out all the non-text characters in the Subject
>line.
>
> Any suggestions appreciated! (even the smart-ass ones but
>they have to be clever)
>
>Thanks!
>Ted
>


--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)

Hurd and architecture in one sentence? Uh-oh...

- Al Viro on linux-kernel


tedm at ipinc

Feb 9, 2010, 1:24 PM

Post #3 of 65 (1851 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Gene Heskett wrote:
> On Tuesday 09 February 2010, Ted Mittelstaedt wrote:
>> OK All,
>>
>> Please let me know if anyone has seen this one before.
>>
>> We have SA configured to insert "*****SPAM***** in the
>> beginning of the subject lines of spams before sending them on to
>> customers, then mail the message as an attachment to the user
>> along with the SA report as to why it's spam.
>>
>> Lately I've seen a new trick the spammers are using.
>>
>> They are putting characters in the subject line that
>> are not text characters - I don't know what they are,
>> I haven't looked into this closely yet. Our SA installation
>> is correctly tagging this as spam and sending it forward
>> to the user.
>>
>> The problem is the mail client program, specifically
>> Thunderbird. There must be a bug in T-bird that is tickled
>> by these non-text characters because although the Subject
>> line exists with ***SPAM*** in it if I look at the actual
>> message in the mailbox with an editor, T-bird displays
>> the subject line as a BLANK subject. Of course, since the
>> Subject is blank then you don't see that it is SPAM and
>> you have to go to the bother of opening it before you see
>> the SA report that it's spam.
>>
>> This has only happened to a few spams so far, and I want
>> to nip it in the bud.
>>
>> Now, why don't I just write a rule in T-bird that trashes mail
>> that has a blank subject line, I hear you ask?
>>
>> It's because we have a few moronic customers who seem to
>> think it's OK to send out e-mails with blank subject lines!!
>
> Put a valid subject line required into your TOS, mail it to everybody, & then
> do it a day later, bounce it at them if no subject line content. They will
> either jump ship in which case offer to hold the door, or come around and do
> it right in a day or so.
>

I have doubts that the offenders can even read at all, let alone
read a TOS or even know what it is. We have customers
who call in for tech support and when I tell them to open their
web browser they don't know what I'm talking about. I swear to
God this is true, I'm not making a joke!

I got a call the other day from a customer who is a dialup
customer who was planning on buying one of those Atom-based
half-a-laptop netbooks and wanted to know how to put a modem on it -
and she was NOT planning on doing this because she was
traveling - she was planning on keeping her dialup as
her main Internet connection at home!! (don't even ask
what she is currently using, just imagine)

We've got calls in the past from customers who disconnected
service from us (went to some other DSL provider than us)
and wanted to know why their e-mail stopped working (and
expected us to fix it!)


Ted

>> It would be most useful if when SA was creating the subject
>> lines of the e-mails with the spams attached, that instead of
>> just blindly copying over the Subject line from the spam and
>> inserting the *****SPAM***** in front of the subject, that
>> SA stripped out all the non-text characters in the Subject
>> line.
>>
>> Any suggestions appreciated! (even the smart-ass ones but
>> they have to be clever)
>>
>> Thanks!
>> Ted
>>
>
>


Darxus at ChaosReigns

Feb 9, 2010, 1:35 PM

Post #4 of 65 (1842 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On 02/09, Ted Mittelstaedt wrote:
> Thunderbird. There must be a bug in T-bird that is tickled

Submit a bug report against thunderbird.

--
"Dance, dance, wherever you may be" - Lord of the Dance
http://www.ChaosReigns.com


tedm at ipinc

Feb 9, 2010, 1:50 PM

Post #5 of 65 (1844 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Darxus [at] ChaosReigns wrote:
> On 02/09, Ted Mittelstaedt wrote:
>> Thunderbird. There must be a bug in T-bird that is tickled
>
> Submit a bug report against thunderbird.
>

I don't want to have to play wack-a-mole with every mail
client out there.

I can just imagine that bug report anyway:

Dear t-bird maintainers:

I am getting spams that have non-ASCII characters in the
subject line and t-bird is displaying the entire subject line
as a blank line. I really want to see what my spammer friends
are putting in their subject lines, so could you please fix
t-bird so that it displays the bogus characters that my spammer
friends are putting in their spams to me?

I'd stand a better chance of that bug being fixed if I
DIDN'T report it!!!

Ted


guenther at rudersport

Feb 9, 2010, 1:57 PM

Post #6 of 65 (1844 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tue, 2010-02-09 at 12:58 -0800, Ted Mittelstaedt wrote:
> The problem is the mail client program, specifically
> Thunderbird. There must be a bug in T-bird that is tickled
> by these non-text characters because although the Subject
> line exists with ***SPAM*** in it if I look at the actual
> message in the mailbox with an editor, T-bird displays
> the subject line as a BLANK subject.

As you said, this appears to be a thunderbird issue. Went there to
report it?


> Now, why don't I just write a rule in T-bird that trashes mail
> that has a blank subject line, I hear you ask?

Err, nope. :) Note that the Subject actually is NOT empty, as you said.
And unless filtering in TB on (raw or decoded) headers is affected by
the very same bug /displaying/ the Subject header in a specific widget
is... Very unlikely. What's invisible to the eye in the UI seriously
isn't invisible to code logic.

This appears to be a client *rendering*, displaying bug. Not to be
confused with an actual empty header (which isn't the same as a missing
header either) to filter on.


Even though this most likely is a TB bug, it would be interesting to
have a look at these headers. If possible, the raw one, prior to your SA
header munging, err, rewriting option.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


jdow at earthlink

Feb 9, 2010, 2:27 PM

Post #7 of 65 (1839 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
From: "Ted Mittelstaedt" <tedm [at] ipinc>
Sent: Tuesday, 2010/February/09 13:24


> Gene Heskett wrote:
>> On Tuesday 09 February 2010, Ted Mittelstaedt wrote:
>>> OK All,
>>>
>>> Please let me know if anyone has seen this one before.
>>>
>>> We have SA configured to insert "*****SPAM***** in the
>>> beginning of the subject lines of spams before sending them on to
>>> customers, then mail the message as an attachment to the user
>>> along with the SA report as to why it's spam.
>>>
>>> Lately I've seen a new trick the spammers are using.
>>>
>>> They are putting characters in the subject line that
>>> are not text characters - I don't know what they are,
>>> I haven't looked into this closely yet. Our SA installation
>>> is correctly tagging this as spam and sending it forward
>>> to the user.
>>>
>>> The problem is the mail client program, specifically
>>> Thunderbird. There must be a bug in T-bird that is tickled
>>> by these non-text characters because although the Subject
>>> line exists with ***SPAM*** in it if I look at the actual
>>> message in the mailbox with an editor, T-bird displays
>>> the subject line as a BLANK subject. Of course, since the
>>> Subject is blank then you don't see that it is SPAM and
>>> you have to go to the bother of opening it before you see
>>> the SA report that it's spam.
>>>
>>> This has only happened to a few spams so far, and I want
>>> to nip it in the bud.
>>>
>>> Now, why don't I just write a rule in T-bird that trashes mail
>>> that has a blank subject line, I hear you ask?
>>>
>>> It's because we have a few moronic customers who seem to
>>> think it's OK to send out e-mails with blank subject lines!!
>>
>> Put a valid subject line required into your TOS, mail it to everybody, &
>> then do it a day later, bounce it at them if no subject line content.
>> They will either jump ship in which case offer to hold the door, or come
>> around and do >> it right in a day or so.
>>
>
> I have doubts that the offenders can even read at all, let alone
> read a TOS or even know what it is. We have customers
> who call in for tech support and when I tell them to open their
> web browser they don't know what I'm talking about. I swear to
> God this is true, I'm not making a joke!

I have a thoroughly retired and partially disabled friend I try to
help out, such as he'll let me. (I thought I was paranoid until I
met him...) I am slowly breaking him of the thought pattern that
opening Internet Explorer connected him to the Internet. He WAS at
one time on dial-up where this might have be true. He's on DSL now.
So he's always connected. He still talks about connecting when he
means opening the browser.

> I got a call the other day from a customer who is a dialup
> customer who was planning on buying one of those Atom-based
> half-a-laptop netbooks and wanted to know how to put a modem on it -
> and she was NOT planning on doing this because she was
> traveling - she was planning on keeping her dialup as
> her main Internet connection at home!! (don't even ask
> what she is currently using, just imagine)

Two tin cans and a string? {^_-}

> We've got calls in the past from customers who disconnected
> service from us (went to some other DSL provider than us)
> and wanted to know why their e-mail stopped working (and
> expected us to fix it!)

Ah yes, and they won't take, "It is not a free service we offer
to everybody, " for an answer, will they? Perhaps offer then a
one month period for forwarding email to their new address once
they can provide it - for say $10.00 or something like that. It
would give them time to inform all their correspondents of their
new email address. After the first month allow them to continue
it for a full "email only" account rate.

{^_-}


jdow at earthlink

Feb 9, 2010, 2:29 PM

Post #8 of 65 (1839 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
From: <Darxus [at] ChaosReigns>
Sent: Tuesday, 2010/February/09 13:35


> On 02/09, Ted Mittelstaedt wrote:
>> Thunderbird. There must be a bug in T-bird that is tickled
>
> Submit a bug report against thunderbird.

I seem to remember "way back when" that a cr/lf pair in the subject
line could result in strange things being displayed in the Outlook
Express subject line. If T'bird scrolls the subject in that case
you'd get the effect he's talking about.

{^_^}


jdow at earthlink

Feb 9, 2010, 2:31 PM

Post #9 of 65 (1841 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
From: "Ted Mittelstaedt" <tedm [at] ipinc>
Sent: Tuesday, 2010/February/09 13:50


> Darxus [at] ChaosReigns wrote:
>> On 02/09, Ted Mittelstaedt wrote:
>>> Thunderbird. There must be a bug in T-bird that is tickled
>>
>> Submit a bug report against thunderbird.
>>
>
> I don't want to have to play wack-a-mole with every mail
> client out there.
>
> I can just imagine that bug report anyway:
>
> Dear t-bird maintainers:
>
> I am getting spams that have non-ASCII characters in the
> subject line and t-bird is displaying the entire subject line
> as a blank line. I really want to see what my spammer friends
> are putting in their subject lines, so could you please fix
> t-bird so that it displays the bogus characters that my spammer
> friends are putting in their spams to me?
>
> I'd stand a better chance of that bug being fixed if I
> DIDN'T report it!!!
>
> Ted

Ted, you cannot expect any more help from them than you give to
expired accounts, you know. You MUST give them some data to work
with. Figure out what those characters are. I am betting it would
be a simple "cr/lf" pair or maybe even a simple "lf". But without
good knowledge of what it is how can the T'bird people fix it?
"Insufficient data" is as good a reason as "insufficient account."

{^_-}


guenther at rudersport

Feb 9, 2010, 2:40 PM

Post #10 of 65 (1840 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tue, 2010-02-09 at 14:27 -0800, jdow wrote:
> I have a thoroughly retired and partially disabled friend I try to
> help out, such as he'll let me. (I thought I was paranoid until I
> met him...) I am slowly breaking him of the thought pattern that
> opening Internet Explorer [...]

Being paranoid. Using IE... *boggle*

Nope, he is definitely not paranoid enough, if he never questioned the
part about needing IE. Let alone never ever read / heard anything about
security and main-stream mom-and-pap computer usage.

Come on, IE exploits have been all over the general news in this country
quite a few times.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


guenther at rudersport

Feb 9, 2010, 2:54 PM

Post #11 of 65 (1847 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tue, 2010-02-09 at 13:50 -0800, Ted Mittelstaedt wrote:
> > > Thunderbird. There must be a bug in T-bird that is tickled
> >
> > Submit a bug report against thunderbird.
>
> I don't want to have to play wack-a-mole with every mail
> client out there.

TB doesn't display the Subject header. It is a TB bug, weather you like
it or not.

> I can just imagine that bug report anyway:
>
> Dear t-bird maintainers:
>
> I am getting spams that have non-ASCII characters in the
> subject line and t-bird is displaying the entire subject line
> as a blank line. I really want to see what my spammer friends
> are putting in their subject lines, so could you please fix
> t-bird so that it displays the bogus characters that my spammer
> friends are putting in their spams to me?

This bug report is insufficient and NEEDINFO. ;) Seriously, this needs
an attachment at the very least with the headers.

And again, as I mentioned in a previous post -- yes, seeing these
headers would be nice. For this audience, too. Yes, that even enables
some of us to check other MUAs. So, well, you wouldn't need to report it
for those...


> I'd stand a better chance of that bug being fixed if I
> DIDN'T report it!!!

Now there's OSS involvement speaking. Sorry, Ted.

If you or someone else don't report it, it won't be fixed. Period.
Unless it accidentally gets fixed by an unrelated code change nearby.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


tedm at ipinc

Feb 9, 2010, 2:56 PM

Post #12 of 65 (1851 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Karsten Bräckelmann wrote:
> On Tue, 2010-02-09 at 12:58 -0800, Ted Mittelstaedt wrote:
>> The problem is the mail client program, specifically
>> Thunderbird. There must be a bug in T-bird that is tickled
>> by these non-text characters because although the Subject
>> line exists with ***SPAM*** in it if I look at the actual
>> message in the mailbox with an editor, T-bird displays
>> the subject line as a BLANK subject.
>
> As you said, this appears to be a thunderbird issue. Went there to
> report it?
>
>
>> Now, why don't I just write a rule in T-bird that trashes mail
>> that has a blank subject line, I hear you ask?
>
> Err, nope. :) Note that the Subject actually is NOT empty, as you said.
> And unless filtering in TB on (raw or decoded) headers is affected by
> the very same bug /displaying/ the Subject header in a specific widget
> is... Very unlikely. What's invisible to the eye in the UI seriously
> isn't invisible to code logic.
>
> This appears to be a client *rendering*, displaying bug. Not to be
> confused with an actual empty header (which isn't the same as a missing
> header either) to filter on.
>
>
> Even though this most likely is a TB bug, it would be interesting to
> have a look at these headers. If possible, the raw one, prior to your SA
> header munging, err, rewriting option.
>

OK I did it - and this one is really, really cool!!!

Thunderbird is barfing when it gets TWO "Subject:" lines in the e-mail
message.

SA processes it and here's the result:


From maumet [at] ionizer Tue Feb 9 14:22:38 2010
Return-Path: <maumet [at] ionizer>
Received: from nqcek.charter.com (71-87-206-218.dhcp.kgpt.tn.charter.com
[71.87.206.218])
by mail.ipinc.net (8.13.8/8.13.8) with SMTP id o19MMY9W075540
for <newuser [at] ipinc>; Tue, 9 Feb 2010 14:22:35 -0800 (PST)
(envelope-from maumet [at] ionizer)
From: Bugarewicz <maumet [at] ionizer>
To: newuser [at] ipinc
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4B71E02E.A0717A8B"
Date: Tue, 09 Feb 2010 17:22:37 -0500
Subject: *****SPAM*****
Subject:
Message-ID: <1265753645.minding [at] nosbih>
X-Greylist: Delayed for 00:15:02 by milter-greylist-3.0 (mail.ipinc.net
[65.75.192.11]); Tue, 09 Feb 2010 14:22:35 -0800 (PST)
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.7 required=4.1 tests=DYN_RDNS_AND_INLINE_IMAGE,

EMPTY_MESSAGE,MISSING_SUBJECT,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,
RDNS_DYNAMIC,SPF_NEUTRAL,TVD_SPACE_RATIO autolearn=disabled
version=3.2.3
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.ipinc.net
Status: O
X-Status:
X-Keywords:
X-UID: 25585826


Thunderbird only displays the SECOND subject line.


Now, why the message that SA is creating is getting TWO Subject: lines
is a different question.

cat -v does not show any non-printable chars.

Here's the original header from the SA attachment:


------------=_4B71E02E.A0717A8B
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

X-Envelope-From: <maumet [at] ionizer>
X-Envelope-To: <newuser [at] ipinc>
Received: from nqcek.charter.com (71-87-206-218.dhcp.kgpt.tn.charter.com
[71.87.206.218])
by mail.ipinc.net(8.13.8/8.13.8) with SMTP id o19MMY9W075540
Tue, 9 Feb 2010 14:22:34 -0800 (PST)
(envelope-from <maumet [at] ionizer>
From: Bugarewicz <maumet [at] ionizer>
To: newuser [at] ipinc
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="-------------0BCB4D94223158510682CA52847"
Date: Tue, 09 Feb 2010 17:22:37 -0500
Subject:
Message-ID: <1265753645.minding [at] nosbih>
X-Greylist: Delayed for 00:15:02 by milter-greylist-3.0 (mail.ipinc.net
[65.75.192.11]); Tue, 09 Feb 2010 14:22:35 -0800 (PST)

This is a multi-part message in MIME format.
---------------0BCB4D94223158510682CA52847
Content-Type: text/plain; charset=ISO-8859-9; format=flowed
Content-Transfer-Encoding: 7bit



---------------0BCB4D94223158510682CA52847
Content-Type: image/jpeg;
name="mimosa.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: inline

/9j/4AAQSkZJRgABAQEBLAEsAAD/2wBDACgcHiMeGSgjISMtKygwPGRBPDc3PHtYXUlkkYCZ
lo+AjIqgtObDoKrarYqMyP/L2u71////m8H////6/+b9//j/2wBDASstLTw1PHZBQXb4pYyl
+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj/wAAR
CAEQAV8DASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAA
.
.
.



Ted


martin at gregorie

Feb 9, 2010, 2:57 PM

Post #13 of 65 (1842 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tue, 2010-02-09 at 14:31 -0800, jdow wrote:
> From: "Ted Mittelstaedt" <tedm [at] ipinc>
> Sent: Tuesday, 2010/February/09 13:50
>
>
> > Darxus [at] ChaosReigns wrote:
> >> On 02/09, Ted Mittelstaedt wrote:
> >>> Thunderbird. There must be a bug in T-bird that is tickled
> >>
> >> Submit a bug report against thunderbird.
> >>
> >
> > I don't want to have to play wack-a-mole with every mail
> > client out there.
> >
> > I can just imagine that bug report anyway:
> >
> > Dear t-bird maintainers:
> >
> > I am getting spams that have non-ASCII characters in the
> > subject line and t-bird is displaying the entire subject line
> > as a blank line. I really want to see what my spammer friends
> > are putting in their subject lines, so could you please fix
> > t-bird so that it displays the bogus characters that my spammer
> > friends are putting in their spams to me?
> >
> > I'd stand a better chance of that bug being fixed if I
> > DIDN'T report it!!!
> >
> > Ted
>
> Ted, you cannot expect any more help from them than you give to
> expired accounts, you know. You MUST give them some data to work
> with. Figure out what those characters are. I am betting it would
> be a simple "cr/lf" pair or maybe even a simple "lf". But without
> good knowledge of what it is how can the T'bird people fix it?
> "Insufficient data" is as good a reason as "insufficient account."
>
Agreed. Have you looked at their bug tracker to see it its a known
problem? If it is, adding a 'me too' comment should raise its urgency.
If there's no matching bug report, howinhell can you expect them to know
there's something that needs fixing?

If their bug tracker accepts attachments, attach the whole message.
Otherwise, stuff the Subkect: line through 'od' and send them the
output.

Re wack_a_mole: I think you'll find the major MUAs have already woken
up: non-ASCII doesn't disturb Evolution, the only MUA I use. Besides, I
have the distinct impression that FireFox occupies most of Mozilla's
attention and TB is definitely sucking on the hind teat.


Martin


guenther at rudersport

Feb 9, 2010, 3:07 PM

Post #14 of 65 (1842 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tue, 2010-02-09 at 14:56 -0800, Ted Mittelstaedt wrote:
> Karsten Bräckelmann wrote:

> > Even though this most likely is a TB bug, it would be interesting to
> > have a look at these headers. If possible, the raw one, prior to your SA
> > header munging, err, rewriting option.
>
> OK I did it - and this one is really, really cool!!!
>
> Thunderbird is barfing when it gets TWO "Subject:" lines in the e-mail
> message.
>
> SA processes it and here's the result:
[...]
> Date: Tue, 09 Feb 2010 17:22:37 -0500
> Subject: *****SPAM*****
> Subject:

The second one does not have a space (or tab) after the colon. An
artifact of copy-n-paste, or the same with the raw message?


> Thunderbird only displays the SECOND subject line.
>
> Now, why the message that SA is creating is getting TWO Subject: lines
> is a different question.
>
> cat -v does not show any non-printable chars.
>
> Here's the original header from the SA attachment:
[...]
> Date: Tue, 09 Feb 2010 17:22:37 -0500
> Subject:

Single Subject header. No white-space here either. Again, copy-n-paste?

What about the RAW, incoming mail, as fed into SA? No white-space there
either? Any monkey business in the original header?

This might after all turn out to be a SA header re-write bug. :(


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


spamassassin-users at lists

Feb 9, 2010, 3:28 PM

Post #15 of 65 (1839 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On 09/02/2010 22:56, Ted Mittelstaedt wrote:

I sometimes send email without adding a Subject line. I guess that makes
me "moronic" in your eyes. Oh well.

> OK I did it - and this one is really, really cool!!!

Not really.

> SA processes it and here's the result:
>
>
> From maumet [at] ionizer Tue Feb 9 14:22:38 2010
> Return-Path: <maumet [at] ionizer>
> Received: from nqcek.charter.com (71-87-206-218.dhcp.kgpt.tn.charter.com
> [71.87.206.218])
> by mail.ipinc.net (8.13.8/8.13.8) with SMTP id o19MMY9W075540
> for <newuser [at] ipinc>; Tue, 9 Feb 2010 14:22:35 -0800 (PST)
> (envelope-from maumet [at] ionizer)
> From: Bugarewicz <maumet [at] ionizer>
> To: newuser [at] ipinc
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_4B71E02E.A0717A8B"
> Date: Tue, 09 Feb 2010 17:22:37 -0500
> Subject: *****SPAM*****
> Subject:

<snip rest of message>

> Thunderbird only displays the SECOND subject line.

So Thunderbird displays the last Subject line header it comes across. Is
that incorrect behaviour for an MUA? Is it valid for an email to have
more than one Subject line? Bring it up with Mozilla.

> Now, why the message that SA is creating is getting TWO Subject: lines
> is a different question.
>
> cat -v does not show any non-printable chars.

Try saving it to disk and uploading it using the file upload method to
spamalyser.com. It might show characters that you can't see.

> Here's the original header from the SA attachment:

<snip to subject>

> Subject:

So that's just a blank subject line? Using SpamAssassin 3.3 here, if I
run this command:

echo -ne "Subject:\nX-Foo: bar\n\nviagra CIALIS\n"|spamassassin

I end up with a single Subject line of:

Subject: *****SPAM*****

And no additional empty subject line. That's how it should work.

--
Mike Cardwell : UK based IT Consultant, Perl developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/ #06920226
Technical Blog : Tech Blog - https://secure.grepular.com/
Spamalyser : Spam Tool - http://spamalyser.com/


tedm at ipinc

Feb 9, 2010, 3:44 PM

Post #16 of 65 (1850 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Karsten Bräckelmann wrote:
> On Tue, 2010-02-09 at 14:56 -0800, Ted Mittelstaedt wrote:
>> Karsten Bräckelmann wrote:
>
>>> Even though this most likely is a TB bug, it would be interesting to
>>> have a look at these headers. If possible, the raw one, prior to your SA
>>> header munging, err, rewriting option.
>> OK I did it - and this one is really, really cool!!!
>>
>> Thunderbird is barfing when it gets TWO "Subject:" lines in the e-mail
>> message.
>>
>> SA processes it and here's the result:
> [...]
>> Date: Tue, 09 Feb 2010 17:22:37 -0500
>> Subject: *****SPAM*****
>> Subject:
>
> The second one does not have a space (or tab) after the colon. An
> artifact of copy-n-paste, or the same with the raw message?
>

if I load it up in vi then vi claims there is a single blank
space after the colon.

>
>> Thunderbird only displays the SECOND subject line.
>>
>> Now, why the message that SA is creating is getting TWO Subject: lines
>> is a different question.
>>
>> cat -v does not show any non-printable chars.
>>
>> Here's the original header from the SA attachment:
> [...]
>> Date: Tue, 09 Feb 2010 17:22:37 -0500
>> Subject:
>
> Single Subject header. No white-space here either. Again, copy-n-paste?
>

No. once more, vi claims there is a single blank space after the colon

> What about the RAW, incoming mail, as fed into SA? No white-space there
> either? Any monkey business in the original header?
>

I don't have that. All mail that comes in to here goes through
sa-milter.

However, I telnetted into port 25 and just typed in a test message.

When I used "Subject:" WITHOUT a trailing space after the colon, the
resulting message in my inbox - with SA headers that of course
don't say the message is spam - DOES HAVE a single trailing space after
the colon.

It DOES NOT have 2 "Subject: lines, however.

> This might after all turn out to be a SA header re-write bug. :(
>
>

I suspect it is. I also tried this test on another mailserver we
have here that's running a similar setup EXCEPT for SA - and it
DOES NOT have the trailing space after the Subject: So clearly
SA is adding that trailing space.

I'm not sure, though, that the addition of the trailing space in
the Subject: line has any relevance to the duplicated Subject line.

Ted


tedm at ipinc

Feb 9, 2010, 4:04 PM

Post #17 of 65 (1841 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Mike Cardwell wrote:
> On 09/02/2010 22:56, Ted Mittelstaedt wrote:
>
> I sometimes send email without adding a Subject line. I guess that makes
> me "moronic" in your eyes. Oh well.
>
>> OK I did it - and this one is really, really cool!!!
>
> Not really.
>
>> SA processes it and here's the result:
>>
>>
>> From maumet [at] ionizer Tue Feb 9 14:22:38 2010
>> Return-Path: <maumet [at] ionizer>
>> Received: from nqcek.charter.com (71-87-206-218.dhcp.kgpt.tn.charter.com
>> [71.87.206.218])
>> by mail.ipinc.net (8.13.8/8.13.8) with SMTP id o19MMY9W075540
>> for <newuser [at] ipinc>; Tue, 9 Feb 2010 14:22:35 -0800 (PST)
>> (envelope-from maumet [at] ionizer)
>> From: Bugarewicz <maumet [at] ionizer>
>> To: newuser [at] ipinc
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary="----------=_4B71E02E.A0717A8B"
>> Date: Tue, 09 Feb 2010 17:22:37 -0500
>> Subject: *****SPAM*****
>> Subject:
>
> <snip rest of message>
>
>> Thunderbird only displays the SECOND subject line.
>
> So Thunderbird displays the last Subject line header it comes across. Is
> that incorrect behaviour for an MUA?

I think it is. Setting aside the question of whether they are supposed
to be there or not, the purpose of an MUA is to make it easier for
the user to interact with a mail message. Multiple Subject: lines
can contain multiple amounts of information, and only displaying the
last Subject line is denying the user information that they are
supposed to be able to see see.

A deeper question is do all parts of t-bird treat this equally. If
the filtering in t-bird reacts to both Subject line contents then
this definitely is a bug. A user might have a filter saying
"delete all mail with viagrera in its subject line except mail
that has "fred" in it's subject line. The spammer sends a message
with the first subject line having viagrera in it, the second
subject line having fred in it, and the message is not deleted - but
the display only shows viagrea.

> Is it valid for an email to have
> more than one Subject line?

I do not think this defined anywhere. But I won't swear to it. I
think it's not particularly valid, however because the results are
undefined.

> Bring it up with Mozilla.
>

Since this is a SA bug I think I will file it with Mozilla just
to have it in the database, but I would only argue for internal
consistency in t-bird.

>> Now, why the message that SA is creating is getting TWO Subject: lines
>> is a different question.
>>
>> cat -v does not show any non-printable chars.
>
> Try saving it to disk and uploading it using the file upload method to
> spamalyser.com. It might show characters that you can't see.
>

To determine this I tailed it from the mail file then cat -v'ed it.
this is on the actual UNIX server the mailbox is on. The mailbox is
in mbox format. If you understand how cat -v works you will understand
that there are no chars I can't see.

I can try uploading to spamalyser but this is after SA has processed
the message, so the internal structure of the message has been altered
already and whatever condition caused the bug is probably gone. I need
the raw message.

>> Here's the original header from the SA attachment:
>
> <snip to subject>
>
>> Subject:
>
> So that's just a blank subject line? Using SpamAssassin 3.3 here, if I
> run this command:
>
> echo -ne "Subject:\nX-Foo: bar\n\nviagra CIALIS\n"|spamassassin
>
> I end up with a single Subject line of:
>
> Subject: *****SPAM*****
>
> And no additional empty subject line. That's how it should work.
>

And that is how it works here, too, when the normal blank-subject-line
spam comes in.

Something is different with these spams that is causing the SA parser to
duplicate the Subject line.

At this point I am up against a wall. For starters this is an old ver
of sa, old sendmail, etc. This server is scheduled for re-gen soon and
there's no point in filing a bug on the old code. I will continue to
observe and once the server is re-gened then if it keeps happening then
I'll look into it further. I'll probably have to run the server for a
few hours with SA turned off to get the raw spam, not something that is
going to be very popular.

Ted


martin at gregorie

Feb 9, 2010, 4:15 PM

Post #18 of 65 (1841 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On Tue, 2010-02-09 at 15:44 -0800, Ted Mittelstaedt wrote:
> if I load it up in vi then vi claims there is a single blank
> space after the colon.
>
It would be better to use od or beav rather than vi - both use
unambiguous notation for non-printable bytes. beav (if you have it) will
show you exactly what's there in a scrolling screen. So will
"od -c file" if you pipe it through less.


Martin


spamassassin-users at lists

Feb 9, 2010, 4:19 PM

Post #19 of 65 (1843 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
On 10/02/2010 00:04, Ted Mittelstaedt wrote:

>>> Thunderbird only displays the SECOND subject line.
>>
>> So Thunderbird displays the last Subject line header it comes across. Is
>> that incorrect behaviour for an MUA?
>
> I think it is. Setting aside the question of whether they are supposed
> to be there or not, the purpose of an MUA is to make it easier for
> the user to interact with a mail message. Multiple Subject: lines
> can contain multiple amounts of information, and only displaying the
> last Subject line is denying the user information that they are
> supposed to be able to see see.
>
> A deeper question is do all parts of t-bird treat this equally. If
> the filtering in t-bird reacts to both Subject line contents then
> this definitely is a bug. A user might have a filter saying
> "delete all mail with viagrera in its subject line except mail
> that has "fred" in it's subject line. The spammer sends a message
> with the first subject line having viagrera in it, the second
> subject line having fred in it, and the message is not deleted - but
> the display only shows viagrea.

You could probably have tested that yourself in the time it took you to
write that paragraph.

>> Is it valid for an email to have
>> more than one Subject line?
>
> I do not think this defined anywhere. But I won't swear to it. I
> think it's not particularly valid, however because the results are
> undefined.

Did you check? I would bet that it is defined...

I just took a quick gander at rfc2822 and it states:

"No multiple occurrences of fields (except resent and received).*"

There might be other RFCs involved, but it looks to me from that as
though it's only valid for an email to have one Subject header. It's
understandable that an MUA might not display an invalidly formatted
email correctly.

>> Bring it up with Mozilla.
>>
>
> Since this is a SA bug I think I will file it with Mozilla just
> to have it in the database, but I would only argue for internal
> consistency in t-bird.

You've no reason to believe there is any internal inconsistency with
regards to how Thunderbird treats Subject lines. And if it's true that
it's not valid for an email to have more than one Subject line then this
is not a Thunderbird bug, but still something that they may or may not
wish to workaround.

> At this point I am up against a wall. For starters this is an old ver
> of sa, old sendmail, etc. This server is scheduled for re-gen soon and
> there's no point in filing a bug on the old code. I will continue to
> observe and once the server is re-gened then if it keeps happening then
> I'll look into it further. I'll probably have to run the server for a
> few hours with SA turned off to get the raw spam, not something that is
> going to be very popular.

Alternatively, configure your MTA to deliver an unmodified second copy
of all incoming email to a separate maildir.

--
Mike Cardwell : UK based IT Consultant, Perl developer, Linux admin
Cardwell IT Ltd. : UK Company - http://cardwellit.com/ #06920226
Technical Blog : Tech Blog - https://secure.grepular.com/
Spamalyser : Spam Tool - http://spamalyser.com/


terry at cnysupport

Feb 9, 2010, 4:27 PM

Post #20 of 65 (1825 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Quoting jdow <jdow [at] earthlink>:

> From: <Darxus [at] ChaosReigns>
> Sent: Tuesday, 2010/February/09 13:35
>
>
>> On 02/09, Ted Mittelstaedt wrote:
>>> Thunderbird.&nbsp; There must be a bug in T-bird that is tickled
>>
>> Submit a bug report against thunderbird.
>
> I seem to remember "way back when" that a cr/lf pair in the subject
> line could result in strange things being displayed in the Outlook
> Express subject line. If T'bird scrolls the subject in that case
> you'd get the effect he's talking about.

I'm guessing that it's nothing more interesting than a bunch of
backspaces. If so, it's a *really* old trick.

Terry


maillists at conactive

Feb 9, 2010, 4:31 PM

Post #21 of 65 (1823 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Ted Mittelstaedt wrote on Tue, 09 Feb 2010 12:58:01 -0800:

> Our SA installation
> is correctly tagging this as spam and sending it forward
> to the user.

Well, the usual procedure (*) is to add headers that identify the message
as spam and maybe even show the score, so users can have the mail client
file it to junk. I would consider adding "Spam" in the subject as a
courtesy. You do not have control over the subject at all, it could even
come from another system and be already "tagged" as spam there. However,
you have control over the headers you add yourself and there's where the
music should play.

(*) I personally think that it's a waste to deliver all these messages,
anyway. We put all messages over a certain score in quarantine and there's
almost never a need to release one.

I was about to ask about the message, but I just see that you posted it
now.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com


maillists at conactive

Feb 9, 2010, 4:31 PM

Post #22 of 65 (1826 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
Ted Mittelstaedt wrote on Tue, 09 Feb 2010 14:56:49 -0800:

> MISSING_SUBJECT,

> Now, why the message that SA is creating is getting TWO Subject: lines
> is a different question.

because SA thinks it's got no subject, so it adds one as it is instructed
to tag the subject. Obviously, it wants to see at least a whitespace after
the colon to accept it as a header. I did some research on this matter some
time ago and if I remember correctly the latest RFCs (5322, maybe 2822)
indeed require a whitespace while older RFCs (822) were not 100% clear
about this. And it's good practice for clients to be forgiving in the
interpretation of received messages. Thus, Thunderbird finds two subjects
and displays the second one. I'm sure it's not the only program that does
that.
What SA probably should do is use the existing subject header, repair it
with a whitespace and then tag it.
To be sure that there are really no characters (you said there are some
unprintable characters, but it rather looks like there are no characters at
all) you should examine that message with a hex editor.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com


kurt.buff at gmail

Feb 9, 2010, 4:37 PM

Post #23 of 65 (1824 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
2010/2/9 Karsten Bräckelmann <guenther [at] rudersport>:
> On Tue, 2010-02-09 at 14:27 -0800, jdow wrote:
>> I have a thoroughly retired and partially disabled friend I try to
>> help out, such as he'll let me. (I thought I was paranoid until I
>> met him...) I am slowly breaking him of the thought pattern that
>> opening Internet Explorer [...]
>
> Being paranoid. Using IE... *boggle*
>
> Nope, he is definitely not paranoid enough, if he never questioned the
> part about needing IE. Let alone never ever read / heard anything about
> security and main-stream mom-and-pap computer usage.
>
> Come on, IE exploits have been all over the general news in this country
> quite a few times.

Uh, paranoia is not mitigated by ignorance. Remember the earlier
description of her friend: retired and partially disabled. This
probably means older and not nearly as educated as we are about
computers, and set in his/her ways. This, augmented by scare stories
in the mass media, probably contribute to the difficulty.

If I had to guess, for this friend of hers, new == deeply suspicious

Kurt


jdow at earthlink

Feb 9, 2010, 5:51 PM

Post #24 of 65 (1826 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
From: "Karsten Bräckelmann" <guenther [at] rudersport>
Sent: Tuesday, 2010/February/09 14:40


> On Tue, 2010-02-09 at 14:27 -0800, jdow wrote:
>> I have a thoroughly retired and partially disabled friend I try to
>> help out, such as he'll let me. (I thought I was paranoid until I
>> met him...) I am slowly breaking him of the thought pattern that
>> opening Internet Explorer [...]
>
> Being paranoid. Using IE... *boggle*
>
> Nope, he is definitely not paranoid enough, if he never questioned the
> part about needing IE. Let alone never ever read / heard anything about
> security and main-stream mom-and-pap computer usage.
>
> Come on, IE exploits have been all over the general news in this country
> quite a few times.

Even with FireFox he calls THAT connecting to the Internet.

And for the type of applications he wants his best bet is Windows,
sadly enough. And, predictably, he's infected. He and I are paranoid
different ways. I am rather careful about my browsing and my system's
still clean. I got nailed ONCE so far - that's from being online since
the 80s. That was during an install. I simply started over with a full
format. Since then - negativum perspirium. And that is with using IE
and (mostly) FireFox on my part. Safe browsing is the key.

{^_-}


jdow at earthlink

Feb 9, 2010, 5:55 PM

Post #25 of 65 (1825 views)
Permalink
Re: Newest spammer trick - non-blank subject lines? [In reply to]
From: "Ted Mittelstaedt" <tedm [at] ipinc>
Sent: Tuesday, 2010/February/09 14:56


> Karsten Bräckelmann wrote:
>> On Tue, 2010-02-09 at 12:58 -0800, Ted Mittelstaedt wrote:
>>> The problem is the mail client program, specifically
>>> Thunderbird. There must be a bug in T-bird that is tickled
>>> by these non-text characters because although the Subject
>>> line exists with ***SPAM*** in it if I look at the actual
>>> message in the mailbox with an editor, T-bird displays
>>> the subject line as a BLANK subject.
>>
>> As you said, this appears to be a thunderbird issue. Went there to
>> report it?
>>
>>
>>> Now, why don't I just write a rule in T-bird that trashes mail
>>> that has a blank subject line, I hear you ask?
>>
>> Err, nope. :) Note that the Subject actually is NOT empty, as you said.
>> And unless filtering in TB on (raw or decoded) headers is affected by
>> the very same bug /displaying/ the Subject header in a specific widget
>> is... Very unlikely. What's invisible to the eye in the UI seriously
>> isn't invisible to code logic.
>>
>> This appears to be a client *rendering*, displaying bug. Not to be
>> confused with an actual empty header (which isn't the same as a missing
>> header either) to filter on.
>>
>>
>> Even though this most likely is a TB bug, it would be interesting to
>> have a look at these headers. If possible, the raw one, prior to your SA
>> header munging, err, rewriting option.
>>
>
> OK I did it - and this one is really, really cool!!!
>
> Thunderbird is barfing when it gets TWO "Subject:" lines in the e-mail
> message.
>
> SA processes it and here's the result:
>
>
> From maumet [at] ionizer Tue Feb 9 14:22:38 2010
> Return-Path: <maumet [at] ionizer>
> Received: from nqcek.charter.com (71-87-206-218.dhcp.kgpt.tn.charter.com
> [71.87.206.218])
> by mail.ipinc.net (8.13.8/8.13.8) with SMTP id o19MMY9W075540
> for <newuser [at] ipinc>; Tue, 9 Feb 2010 14:22:35 -0800 (PST)
> (envelope-from maumet [at] ionizer)
> From: Bugarewicz <maumet [at] ionizer>
> To: newuser [at] ipinc
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_4B71E02E.A0717A8B"
> Date: Tue, 09 Feb 2010 17:22:37 -0500
> Subject: *****SPAM*****
> Subject:
> Message-ID: <1265753645.minding [at] nosbih>
> X-Greylist: Delayed for 00:15:02 by milter-greylist-3.0 (mail.ipinc.net
> [65.75.192.11]); Tue, 09 Feb 2010 14:22:35 -0800 (PST)
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=11.7 required=4.1
> tests=DYN_RDNS_AND_INLINE_IMAGE,
>
> EMPTY_MESSAGE,MISSING_SUBJECT,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_XBL,
> RDNS_DYNAMIC,SPF_NEUTRAL,TVD_SPACE_RATIO autolearn=disabled
> version=3.2.3
> X-Spam-Level: ***********
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.ipinc.net
> Status: O
> X-Status:
> X-Keywords:
> X-UID: 25585826
>
>
> Thunderbird only displays the SECOND subject line.
>
>
> Now, why the message that SA is creating is getting TWO Subject: lines is
> a different question.
>
> cat -v does not show any non-printable chars.
>
> Here's the original header from the SA attachment:

I don't see a problem here with what got through the emails for that
header here. I submit it's a bug in your setup, Ted. Empty subjects
here end up looking quite normal here.
===8<---
To: undisclosed recipients:;
Subject: *****SPAM***** 007.9 **
Date: Tue, 9 Feb 2010 02:11:22 -0800 (PST)
Message-Id: <369.95984.qm [at] web82008>
===8<---

I have SpamAssassin provide the markup. How do you generate your markup?

{^_^}

First page Previous page 1 2 3 Next page Last page  View All SpamAssassin users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.