https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6860
Priority: P2
Bug ID: 6860
Assignee: [email protected]
Summary: incorrectly treats "Received: from .* by .* with HTTP;" as authenticated
Severity: minor
Classification: Unclassified
OS: All
Reporter: [email protected]
Hardware: All
Status: NEW
Version: SVN Trunk (Latest Devel Version)
Component: Libraries
Product: Spamassassin

SpamAssassin incorrectly treats any message received "with HTTP" as
authenticated. See this comment from SpamAssassin/Message/Metadata/Received.pm:

    # with HTTP should only be authenticated webmail sessions

While this may have been true in the past, it is technically incorrect. A valid
use case of SpamAssassin is to put up an unauthenticated web form generating
emails and filtering them with SpamAssassin. However, all those messages are
marked as ALL_TRUSTED, because the logic below the comment fires:

    if (/ by / && / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?: |$)/i) {
      $auth = $1;
    }

Due to the technically correct "with HTTP", the message is marked as
authenticated and DNS blacklist checks are skipped. As a workaround, one can
change the header to "with UNAUTHENTICATED-HTTP" in the mail-generating
software and evade the above logic.

Ironically, SpamAssassin treats "with HTTPS" as unauthenticated.
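
The condition quoted in the report, run over constructed Received lines to show which "with" tokens set `$auth` (an added example, not part of the original report and not SpamAssassin's own code; `auth_token` is a hypothetical helper name and the sample lines are made up):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Wraps the condition quoted in the report. auth_token() is a hypothetical
# name used only in this example; it is not a SpamAssassin API.
sub auth_token {
    my ($line) = @_;
    my $auth = '';
    if ($line =~ / by /
        && $line =~ / with (ESMTPA|ESMTPSA|LMTPA|LMTPSA|ASMTP|HTTPU?)(?: |$)/i) {
        $auth = $1;    # captured by the second match
    }
    return $auth;
}

# Constructed sample lines (documentation addresses and example.org hosts),
# written without a trailing "; date" part so that the pattern's (?: |$)
# has a space or end-of-string to match against.
my @samples = (
    'from [192.0.2.10] by mx.example.org with ESMTPSA',
    'from [192.0.2.10] by mx.example.org with ESMTP',
    'from [192.0.2.10] by web.example.org with HTTP',
    'from [192.0.2.10] by web.example.org with HTTPS',
    'from [192.0.2.10] by web.example.org with UNAUTHENTICATED-HTTP',
);

# Print each line with the token the condition treats as authentication.
for my $line (@samples) {
    my $auth = auth_token($line);
    printf "%-64s auth=%s\n", $line, $auth eq '' ? '(none)' : $auth;
}
```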