spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Problems with BCCing from spammers
Date Wed, 14 Aug 2013 23:22:16 GMT
On Wed, 14 Aug 2013, Ted Mittelstaedt wrote:

> 1) WTF is pastebin?  (not you, the other guy)

pastebin.com, a way to share files for public review. It's a far better 
way to share spamples than posting them to the list, but be aware the 
files *do* expire. Upload a spample to pastebin.com and post the URL to 
the list.

> I take it by the:
>
> a) lack of usable responses
> b) responses NOT claiming this ISN'T a bug
> c) responses tacitly acknowledging this is an "Oh crap they forgot about
> BCCs when they wrote it but I don't have the balls to publicly call them out 
> on it like he did"
>
> that I am dealing with a bona-fide SpamAssassin design fuck-up, and in 
> summary if I'm going to continue to use spamass-milter that the option
> all_spam_to is off the table.

I think this is happening because spamass-milter is passing the message to 
SA before the MTA has split it up for delivery to individual local users. 
While doing the latter is more resource-intensive, it allows per-user SA 
config and message disposition (e.g. quarantine folders) and keeps things 
like whitelists from leaking cross-user in the way you're seeing.

Unfortunately it appears spamass-milter is hardcoded to scan at that point 
in the process. I don't think there's much SA can do about it.

SA scans for whitelist addresses in a specific list of message headers; 
it's likely spamass-milter is creating a pseudo-header[1] with the BCC 
recipients for SA's use. Posting to pastebin the headers from a message 
improperly whitelisted due to a BCC recipient might let us determine that.

It's also possible that spamass-milter is not retaining that pseudo-header 
after the scan, in which case you'd have to do some debugging or review 
the spamass-milter code to see if that's indeed what's happening. But I 
think that's what's happening, as SA has nowhere to get the BCC recipients 
apart from the headers in the message it's been given to scan.

You might consider changing the glue to be on the delivery side of your 
MTA, e.g. using procmail.

> No, I'm not going to tear apart the server and replace spamass-milter
> with something else.  Not unless there's something else out there that
> is simple and doesn't require 600 dependent Perl modules (like mailscanner) 
> and run like a 15 year old dog in the middle of August.
> (also like mailscanner)

Procmail is simple if all you're going to do with it is call SA at 
delivery time. There may be some other lightweight delivery-time glue 
utilities that I'm not aware of which somebody else here may suggest.

> Coolest would be someone posting a patch to spamass-milter to the list that 
> would add "ignore BCC in header" as an option, just like someone
> posted a patch a few years ago for spamass-milter that adds an authentication 
> bypass.  (which has yet to be added to the spamassassin
> distro, even though many Linux/Unix distros now include it)

Quite possibly, especially if spamass-milter is composing a pseudo-header 
with the BCC addresses. But that's not something the SA team can do. 
spamass-milter is a third-party tool that is not part of the SpamAssassin 
project and is not shipped as part of the SpamAssassin install.


[1] I have not inspected the spamass-milter source code to verify this, 
but this is pretty common practice in milters - for example, the local 
Received header *must* be "forged" in this manner.


> Ted
>
> On 8/14/2013 1:59 PM, Axb wrote:
>>  On 08/14/2013 08:08 PM, Ted Mittelstaedt wrote:
>> >  Hi All,
>> > 
>> >     I'm having a lot of problem with spammers who are sending spams with
>> >  a To: of a user who is NOT in my all_spam_to list and a BCC: listing
>> >  a user IN the all_spam_list.  Usually the BCC's list multiple users,
>> >  I guess on the theory that they are trying to hide which one it is.
>> > 
>> >     The user gets the spam and it's got a score of -93 or some
>> >  such but they don't understand why since they aren't in the all_spam_to
>> >  list.
>> > 
>> >     My thought is that this is a bug - SA should not be looking at the
>> >  email addresses in the BCC to determine scoring adjustments for an email
>> >  message.  So far the spammers haven't listed the abuse email address
>> >  in the BCC but that is a natural one that almost always has to be in
>> >  the all_spam_to list.
>> > 
>> >  Suggestions?
>>
>>  tried splitting recipients before msg is sent thru SA?



-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   North Korea: the only country in the world where people would risk
   execution to flee to communist China.                  -- Ride Fast
-----------------------------------------------------------------------
  Tomorrow: the 68th anniversary of the end of World War II
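The leak John describes above (one scan over a message whose BCC/envelope recipients are visible to the scanner through a pseudo-header, versus one scan per recipient after the MTA has split the message) is modelled in this added Python example. It is not code from the thread, from SpamAssassin or from spamass-milter: the header name X-Envelope-To is an assumed stand-in for whatever pseudo-header a milter might add, the recipient-header list and the whitelist check are a simplified model of all_spam_to rather than SA's actual rule logic, and the message and recipient list are constructed.

```python
"""Model of how a recipient whitelist (all_spam_to-style) leaks across users
when a message is scanned once, before the MTA splits it per recipient.
Constructed example; not SpamAssassin or spamass-milter code."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed all_spam_to list: only the abuse mailbox is whitelisted.
ALL_SPAM_TO = {"abuse@example.org"}

# Header names the model treats as recipient headers. X-Envelope-To is an
# ASSUMED name for the pseudo-header a milter might add carrying the envelope
# (BCC) recipients; the real header name, if any, is not given on the page.
RECIPIENT_HEADERS = ("To", "Cc", "X-Envelope-To")


def recipient_addresses(msg: Message) -> set:
    """Lower-cased addresses found in the recipient headers of msg."""
    values = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def whitelisted(msg: Message) -> bool:
    """True if any recipient-header address is in the all_spam_to set."""
    return bool(recipient_addresses(msg) & ALL_SPAM_TO)


def scan_before_split(raw: str, envelope_rcpts: list) -> dict:
    """Milter-style scan: the whole message is scanned once, with every
    envelope recipient exposed via the pseudo-header. The single verdict
    is applied to every recipient, so one whitelisted BCC recipient
    whitelists the copy delivered to everyone else."""
    msg = message_from_string(raw)
    msg["X-Envelope-To"] = ", ".join(envelope_rcpts)  # assumed pseudo-header
    verdict = whitelisted(msg)
    return {rcpt: verdict for rcpt in envelope_rcpts}


def scan_after_split(raw: str, envelope_rcpts: list) -> dict:
    """Delivery-time scan (procmail-style glue): each recipient's copy is
    scanned separately and only that recipient is visible to the scanner,
    so the whitelist decision cannot leak to other recipients."""
    results = {}
    for rcpt in envelope_rcpts:
        msg = message_from_string(raw)
        msg["X-Envelope-To"] = rcpt  # assumed pseudo-header, one recipient
        results[rcpt] = whitelisted(msg)
    return results


# Constructed spample: To: names a non-whitelisted user; the whitelisted
# abuse address is only an envelope (BCC) recipient, as in Ted's report.
RAW = """From: spammer@example.net
To: victim@example.org
Subject: buy now

body
"""
ENVELOPE = ["victim@example.org", "abuse@example.org"]

if __name__ == "__main__":
    print("scan before split:", scan_before_split(RAW, ENVELOPE))
    print("scan after split: ", scan_after_split(RAW, ENVELOPE))
```

Run as-is: the pre-split scan reports both recipients whitelisted (victim included), while the per-recipient scan whitelists only the abuse mailbox. Whether a real spamass-milter setup behaves like the first function depends on how it exposes recipients to SA, which is exactly what the headers on pastebin would show.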
