https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8401

            Bug ID: 8401
           Summary: Redirectors plugin incorrectly promotes arbitrary
                    query parameter values into hostnames for URIDNSBL
                    lookups
           Product: Spamassassin
           Version: 4.0.3
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Plugins
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: Undefined

Created attachment 6068
  --> https://bz.apache.org/SpamAssassin/attachment.cgi?id=6068&action=edit
substack to8ex example

The stock Mail::SpamAssassin::Plugin::Redirectors plugin appears to incorrectly
treat an arbitrary query parameter value as a redirect target and generates a
synthetic hostname which is then subjected to URIDNSBL lookups.

This can result in false positives when URI reputation or domain-age DNSBLs are
used.

The original message contains the following URL:

https://substack.com/signup?r=to8ex

There is no URI in the message that references:

http://to8ex
http://to8ex.com
http://www.to8ex.com

or any variation thereof. However, with the stock Redirectors plugin enabled,
SpamAssassin generates the following debug output:

dbg: uri: canonicalizing parsed uri: https://substack.com/signup?r=to8ex
dbg: uri: cleaned uri: https://substack.com/signup?r=to8ex
dbg: uri: added host: substack.com domain: substack.com

dbg: uri: canonicalizing parsed uri: http://to8ex
dbg: uri: cleaned uri: http://to8ex
dbg: uri: cleaned uri: http://www.to8ex.com
dbg: uri: added host: www.to8ex.com domain: to8ex.com

SpamAssassin then performs URIDNSBL lookups against:

to8ex.com

which can trigger URI reputation rules such as SEM URI reputation and age-based
lists.

Initially I suspected a third-party plugin.

To eliminate local causes I disabled all custom URL decoding plugins. The
behavior remained unchanged. I then disabled the stock Redirectors plugin by
commenting out:

loadplugin Mail::SpamAssassin::Plugin::Redirectors

from v402.pre. After doing so, SpamAssassin no longer generated:

http://to8ex
www.to8ex.com
to8ex.com

and no URIDNSBL lookups occurred for that synthetic domain.

Therefore the behavior appears to originate within the stock Redirectors
plugin.

The only change I made was to comment out the Redirectors plugin in v402.pre.
#loadplugin Mail::SpamAssassin::Plugin::Redirectors

Example attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.

Reply via email to