On Sat, Mar 09, 2013 at 03:05:30PM +0100, Axb wrote:
> On 03/09/2013 02:55 PM, Marc Andre Selig wrote:

> >(domain=0u_e3czdty8udzyvx98_ox97tdy97utd3aut09ultcdaumtd3unqnrrntw3utwv8utweut80u.jp.dob.sibl.support-intelligence.net.
> >type=A class=IN) failed: a label in a domain name is longer than 63 bytes

> try with dig & you'll get
> 
> dig A 0u_e3czdty8udzyvx98_ox97tdy97utd3aut09ultcdaumtd3unqnrrntw3utwv8utweut80u.jp +short
> dig: '0u_e3czdty8udzyvx98_ox97tdy97utd3aut09ultcdaumtd3unqnrrntw3utwv8utweut80u.jp'
> is not a legal name (label too long)

> iirc, max label size is 63 chars. so this is hardly SA but a DNS "feature"

You are perfectly right that this is an invalid label.

I still think displaying this error message should be regarded as a bug
in SpamAssassin because it's not the user's fault, but the spammer's, who
the user does not have any influence over.  In my opinion, SpamAssassin
should be able to handle any kind of spam (including invalid domain names)
without error messages.  It should display error messages when the user
has done something wrong, or when there's a condition that it cannot be
expected to handle on its own.


> >dns: new_dns_packet (domain=podify-merchants..com. type=A class=IN) failed: 
> >a domain name contains a
> >null label
> 
> I see these often but haven't been able to reproduce the two periods
> before the tld. I'm sure someone here will be able to explain this
> in detail.

I believe that, just as the label in the first example is too long, the
label in this example is simply too short (i.e. null).

In this case, the domain name has been split across three lines, probably
in an attempt to foil simple URIBL scanners.  This is the relevant part
of the original message body:

----- cut here -----
<a href="http://podify-merchants.
.
com/?dWlkPTI4OTA4NzEwMSZjaWQ9MjczODUmbGlkPTEmcm49Y2l0">
----- cut here -----

Whitespace within the URL is removed in line with RFC 1738/2396/3986,
and we end up with "http://podify-merchants..com/?...", which is of
course invalid.

It seems to be an error on the part of the spammer, as this domain name
is written correctly (without the duplicate dot, but still split across
three lines) elsewhere in the same message.  Again, I think SpamAssassin
should be able to handle this without flagging an error message.

Regards,
Marc
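
One way to get the behaviour asked for above, as an added example that is not SpamAssassin's code and not part of the original message: check every label of the query name before building a DNS packet, and skip invalid names quietly. The zone `uribl.example`, the function names and the sample hrefs are assumptions constructed from the two cases in this thread.

```python
import re
from urllib.parse import urlsplit

MAX_LABEL = 63   # maximum bytes in one DNS label
MAX_NAME = 253   # maximum length of the dotted text form of a name

def check_dns_name(name):
    """Return None if the name can go into a query, else a short reason."""
    if name.endswith("."):
        name = name[:-1]              # a single trailing root dot is fine
    if not name:
        return "empty name"
    if len(name.encode("utf-8")) > MAX_NAME:
        return "name too long"
    for label in name.split("."):
        if label == "":
            return "null label"       # e.g. "podify-merchants..com"
        if len(label.encode("utf-8")) > MAX_LABEL:
            return "label too long"
    return None

def host_from_href(href):
    """Remove all whitespace from the URL, then return its lowercased host."""
    return urlsplit(re.sub(r"\s+", "", href)).hostname or ""

def queryable_names(hrefs, zone):
    """Return (names safe to query, [(host, reason)] skipped without error)."""
    ok, skipped = [], []
    for href in hrefs:
        host = host_from_href(href)
        qname = f"{host}.{zone}."
        reason = check_dns_name(qname)  # validate the name actually sent
        if reason:
            skipped.append((host, reason))
        else:
            ok.append(qname)
    return ok, skipped

# Constructed sample input modelled on the two log lines in this thread.
LONG_LABEL = "0u_e3czdty8udzyvx98_ox97tdy97utd3aut09ultcdaumtd3unqnrrntw3utwv8utweut80u"
SAMPLE_HREFS = [
    "http://podify-merchants.\n.\ncom/?x",   # split with a duplicate dot
    "http://podify-merchants\n.\ncom/?x",    # split, but one dot only
    f"http://{LONG_LABEL}.jp/",              # label longer than 63 bytes
]

if __name__ == "__main__":
    print(queryable_names(SAMPLE_HREFS, "uribl.example"))
```

The skipped list can feed a debug log or a scoring rule instead of a user-visible error.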
