On Wed, Aug 27, 2008 at 03:58:41PM +0200, Raimo Niskanen wrote:
> On Wed, Aug 27, 2008 at 02:57:42PM +0200, ropers wrote:
> > 2008/8/27 Raimo Niskanen <[EMAIL PROTECTED]>:
> > > On Tue, Aug 26, 2008 at 06:04:22PM -0300, Jose Fragoso wrote:
> > >> Hi,
> > >>
> > >> I am running spamd on an OpenBSD 4.1 box with the greyscanner.41 running
> > >> every 10 minutes.
> > >>
> > >> Recently I noticed the following log entry:
> > >>
> > >> Aug 26 15:47:58 gwint greytrapper[11467]: Trapped 91.82.157.211:
> > >> Senders/Tuples ration is 9/8 senders/tuples (> 0.85)
> > >>
> > >> Now my question is how is it possible for the number of senders to be
> > >> greater than the number of tuples? Or should the script display
> > >>
> > >> 8/9 senders/tuples (> 0.85)
> > >
> > > The script appears to do it right:
> > >
> > > my @senders = split("\t", $FROM{$grey});
> > > :
> > > my $count = @senders;
> > > :
> > > my %S = undef;
> > > :
> > > foreach $s(@senders) {
> > >     $S{"$s"}++;
> > >     :
> > > }
> > > :
> > > my $scount = keys %S;
> > > :
> > > } elsif ($scount/$count > $MAX_SENDERS_RATIO) {
> > >     $reason = "Senders/Tuples ration is $scount/$count"
> > >         . " senders/tuples (> $MAX_SENDERS_RATIO)";
> > >
> > > $count is number of tuples for a host and $scount is
> > > number of unique From: addresses among these tuples.
> > >
> > > Senders/Tuples of 9/8 should not be possible.
> > > It is a strange bug...
> >
> > This is just a totally uninformed wild guess, but would it be possible
> > that someone sent the OP an email that somehow has a broken header
> > with two From: address lines?
>
> Maybe uninformed and wild, but you may be on the right track...
>
> Since greyscanner.41 analyzes the spamdb database dump containing
> data from the SMTP conversation before mail content transfer
> - it only contains the SMTP envelope "MAIL From:" and "RCPT To:",
> there can be no duplicate From: lines; they are in the mail content.
>
> However...
>
> greyscanner.41 uses the \t (TAB) character to separate the stored
> "MAIL From:" addresses in the string $FROM{$grey} per (MTA) host,
> and if a broken MTA used a \t character in the "MAIL From:"
> envelope line, that might fool greyscanner.41 into seeing more
> senders than there are. Depending on whether spamd stores and spamdb
> reports such characters...
>
> Bug is possible, remains to be proven...
Now I think I am mistaken. A \t in the "MAIL From:" SMTP line
would only fake a larger "$count = @senders",
but "$scount = keys %S" still cannot become greater.
The bug is still mysterious.
>
> On a side note I use a rewritten greyscanner.41 since I wanted
> to enable warnings (when I did there were lots of them) in Perl
> and also found this ugly \t usage and replaced it with \000,
> which hopefully spamdb should not be able to output.
>
> >
> > --ropers
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB
--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
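
As an added worked example (not part of the thread, and not code from greyscanner.41 itself), the script below re-implements the counting logic of the quoted fragment on constructed spamdb-style data and runs it twice per host: once with the quoted `my %S = undef;` initialisation and once with an empty hash. In Perl, assigning the one-element list `(undef)` to a hash leaves it with a single key `""` (the stringified undef), so `keys %S` reports one more distinct sender than there are unless one of the senders is itself the empty string. The host addresses, sender names and the 0.85 ratio are constructed or taken from the quoted log line; whether this is what produced the 9/8 entry in the original report is not established in the thread.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from greyscanner.41 itself:
# reproduces the distinct-sender count of the quoted fragment on
# constructed input, once with the quoted 'my %S = undef;' and once
# with an empty hash, and prints the resulting senders/tuples verdict.
use strict;
use warnings;

my $MAX_SENDERS_RATIO = 0.85;   # value taken from the quoted log line

# Return (distinct senders, tuples) for one host's TAB-joined
# "MAIL From:" list, mirroring the quoted counting code.
# $undef_init selects the quoted 'my %S = undef;' initialisation.
sub count_senders {
    my ($from_list, $undef_init) = @_;
    my @senders = split("\t", $from_list);
    my $count   = @senders;          # number of tuples for this host

    my %S;
    if ($undef_init) {
        # Same effect as 'my %S = undef;': the one-element list (undef)
        # becomes a single entry "" => undef. Under -w Perl warns
        # "Odd number of elements in hash assignment" here, which is
        # one of the warnings that appear when the script is run with -w.
        %S = undef;
    }
    foreach my $s (@senders) {
        $S{"$s"}++;
    }
    my $scount = keys %S;            # distinct senders (plus "" when present)
    return ($scount, $count);
}

# Constructed spamdb-style data: host -> TAB-separated MAIL From: addresses.
my %FROM = (
    # eight tuples, eight distinct senders
    '192.0.2.10' => join("\t", map { "user$_\@example.net" } 1 .. 8),
    # eight tuples, six distinct senders (two addresses repeated)
    '192.0.2.20' => join("\t", map { "user$_\@example.net" } 1 .. 6, 1, 2),
);

foreach my $grey (sort keys %FROM) {
    foreach my $undef_init (1, 0) {
        my ($scount, $count) = count_senders($FROM{$grey}, $undef_init);
        my $how     = $undef_init ? "my %S = undef" : "my %S = ()   ";
        my $verdict = ($scount / $count > $MAX_SENDERS_RATIO) ? "trapped" : "passed";
        printf "%-12s %s  %d/%d senders/tuples (> %s): %s\n",
            $grey, $how, $scount, $count, $MAX_SENDERS_RATIO, $verdict;
    }
}
```

Run with `perl -w`; the first host reports 9/8 with the `undef` initialisation and 8/8 with an empty hash, and the second host shows the more consequential effect: six distinct senders over eight tuples (0.75) pass the 0.85 threshold with an empty hash but read as 7/8 (0.875) and trap with the `undef` initialisation. The spurious key therefore does more than produce an impossible-looking ratio; it can change which hosts greyscanner trapping affects, which is why the count deserves a check whenever the script is modified.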