https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7601
Bug ID: 7601
Summary: The X-Ham-Report header violates RFC 5532
Product: Spamassassin
Version: 3.4.2
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: spamassassin
Assignee: dev@spamassassin.apache.org
Reporter: c...@clerew.man.ac.uk
Target Milestone: Undefined

Created attachment 5581
  --> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5581&action=edit
Headers and start of Body

The attached file is typical of that produced by Spamassassin. The critical lines in it are:

X-Ham-Report: Spam detection software, running on the system "phantom.hostingseries.net",
 has NOT identified this incoming email as spam. The original
 message has been attached to this so you can view it or label
 similar future email. If you have any questions, see
 root\@localhost for details.

 Content preview: On 23/08/18 16:49, Charles Lindsey wrote: > They have migrated
 us without warning, in spite of my efforts to get > them to hold off until
 an account cont...@usenet.org.uk had been created > and our do

 Content analysis details: (1.0 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 WEIRD_PORT             URI: Uses non-standard port number for HTTP
  1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any anti-forgery methods

This is a "folded header" (and mail agents may refold it for display, but I have shown what was on-the-wire). The empty line above the " Content analysis details:" and in other places actually contains a single space, which purports to ensure that the whole of what I have shown constitutes a single X-Ham-Report: header.

But RFC5322, which is the current Internet Standard for email, explicitly states in section 3.2.2 that

    ...... However, where CFWS occurs in this specification, it MUST NOT be
    inserted in such a way that any line of a folded header field is made up
    entirely of WSP characters and nothing else.

Evidently this is because buggy software is likely to interpret that apparently empty line as the separator between the Headers and the Body of the message (which is supposed to be a blank line with Nothing in it). And such buggy software undoubtedly exists (STUMP is the immediate cause of my concern, but Google reveals many examples of similar problems going back over many years).

It is clearly intolerable that Spamassassin should be generating non-standard-compliant emails.

--
You are receiving this mail because:
You are the assignee for the bug.
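
Added example (not part of the original report and not SpamAssassin code): a check for the condition described above, run over a constructed message. It lists header lines that consist only of whitespace and shows where a strict parser and a whitespace-stripping parser each place the header/body separator; the function names and the sample message are assumptions made for illustration.

```python
import re

# Constructed sample (not the attachment from the report): a folded
# X-Ham-Report header whose "blank" lines each hold a single space.
SAMPLE = (
    b"Subject: test\r\n"
    b"X-Ham-Report: Spam detection software has NOT identified this as spam.\r\n"
    b" \r\n"
    b" Content analysis details:   (1.0 points, 5.0 required)\r\n"
    b" \r\n"
    b"  pts rule name              description\r\n"
    b"\r\n"
    b"Body starts here.\r\n"
)
WSP_ONLY = re.compile(rb"[ \t]+")


def split_lines(raw):
    return raw.replace(b"\r\n", b"\n").split(b"\n")


def header_end(lines, lenient=False):
    """1-based number of the line taken as the header/body separator.

    Strict: only a truly empty line counts. lenient=True models a parser
    that strips whitespace before testing for emptiness.
    """
    for n, line in enumerate(lines, start=1):
        if line == b"" or (lenient and WSP_ONLY.fullmatch(line)):
            return n
    return len(lines) + 1


def wsp_only_folds(raw):
    """(line number, field name) for each header line that is WSP only."""
    lines = split_lines(raw)
    findings, field = [], None
    for n, line in enumerate(lines[: header_end(lines) - 1], start=1):
        if WSP_ONLY.fullmatch(line):
            findings.append((n, field))
        elif line[:1] not in (b" ", b"\t"):
            field = line.split(b":", 1)[0].decode("ascii", "replace")
    return findings


def boundary_views(raw):
    """Separator line as seen by a strict parser and by a lenient one."""
    lines = split_lines(raw)
    return header_end(lines), header_end(lines, lenient=True)
```

A non-empty result from wsp_only_folds, or two different values from boundary_views, marks a message that different parsers can split into headers and body at different places.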