[Bug 6664] check_freemail_header() misses many domains

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6664

--- Comment #8 from Giovanni Bechis  ---
The bug[¹] has been fixed in both trunk and the 3.4 branch; as for the enhancement,
I will finish the patch soon.

[¹] 
-my $email = lc($pms->get(index($header,':') ? $header : $header.":addr"));
+my $email = lc($pms->get(index($header,':') >= 0 ? $header :
$header.":addr"));
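Review bot: the "+" line carries no comment explaining why the explicit ">= 0" comparison is required, so it is easy for a later cleanup to simplify it back to the bare truthiness test on the "-" line. index() returns -1 when no colon is present and -1 is true in Perl, so the old ternary used $header unchanged for every header name without a colon and ":addr" was never appended in the case it was meant for. Suggest a one-line comment above the statement, or testing with $header =~ /:/ so the intent is obvious, plus a regression test that passes a header name with no colon.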

-- 
You are receiving this mail because:
You are the assignee for the bug.

whitelist_* in default ruleset considered harmful (was Re: Extending the entries in 60_whitelist_spf.cf)

2017-11-30 Thread Bill Cole
TL;DR: These need to be def_whitelist_auth NOT whitelist_auth as you 
have been committing them. See the earlier exchange between myself and 
RW, who had assumed this was only about def_whitelist_auth entries.


Precisely because most users will never bother managing a large number 
of local rules, using whitelist_auth with its -100 score prevents the 
rest of SA (and prudent local rules) from mitigating the whitelisting 
effect in the event of a compromise or change in behavior of a 'trusted' 
sender. While the documentation doesn't say so explicitly, the 
implication in the Mail::SpamAssassin::Conf descriptions of the 
def_whitelist_* directives is that the default whitelist entries all use 
those less powerful versions. That was true until this week. I think 
changing back to that practice is imperative, albeit not enough of an 
emergency to fix unilaterally without discussion here.


On 26 Nov 2017, at 12:04 (-0500), Dave Jones wrote:

> The current 60_whitelist_spf.cf is 11 years old.  What does everyone
> think about starting a 60_whitelist_auth.cf and extending this list to
> known good senders like *@alertsp.chase.com and
> *@email.dropboxmail.com?
>
> My SA platform has very good results with thousands of whitelist_auth
> entries but 98% of the SA users are not going to know to create/manage
> these entries themselves.  Combined with other rules this also helps
> with spoofing legit senders like the IRS, Bank of America, etc.  I am
> not suggesting we put thousands of entries in the new
> 60_whitelist_auth.cf but the common, high-profile, large senders that
> often get spoofed.
>
> The current list of def_whitelist_from_spf entries is very beneficial
> and should be extended now that SPF and DKIM are widely deployed and
> are being taken seriously by the major mail hosting providers like
> Google.
>
> Thanks,
>
> Dave




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
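
The two directive forms discussed in this message, side by side, as an added configuration fragment that is not taken from the SpamAssassin ruleset. The addresses are the ones proposed in the quoted message; the rule names and the -7.5 figure in the comments are stated from the stock 3.4 scores file and should be checked against the installed version.

```conf
# Constructed fragment for comparison only; a real .cf file would carry
# one form or the other for a given address, not both.

# Full-strength form, as committed. An SPF or DKIM authenticated match
# fires USER_IN_SPF_WHITELIST or USER_IN_DKIM_WHITELIST at -100 each,
# which outweighs anything the rest of the ruleset can add.
whitelist_auth      *@alertsp.chase.com
whitelist_auth      *@email.dropboxmail.com

# Default-strength form, as requested in this message. A match fires
# USER_IN_DEF_SPF_WL or USER_IN_DEF_DKIM_WL (-7.5 each in the stock
# scores), so content rules and local rules can still push a message
# from a compromised sender over the spam threshold.
def_whitelist_auth  *@alertsp.chase.com
def_whitelist_auth  *@email.dropboxmail.com
```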


[Bug 7509] Missing free(3) in error path

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7509

--- Comment #4 from RW  ---
I don't see the point of this. The author very likely made a decision not to
bother freeing these small strings as they can't add up to more than the size
of the ARGV variables. On average you are probably wasting more memory on the
free() calls than you gain on the heap.


[Bug 7509] Missing free(3) in error path

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7509

Giovanni Bechis  changed:

What       | Removed | Added
-----------+---------+--------------------
CC         |         | giova...@paclan.it

--- Comment #3 from Giovanni Bechis  ---
Created attachment 5488
  --> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5488=edit
More free(3) call


[Bug 7510] Virtual Config dir: Insecure dependency in mkdir while running with -T switch

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7510

Kevin A. McGrail  changed:

What       | Removed | Added
-----------+---------+---------------------
CC         |         | kmcgr...@apache.org

--- Comment #1 from Kevin A. McGrail  ---
I think perhaps the newer perl is more strict (or accurate) on a taint issue?

What happens if you make the directory?

Something like this might be in order in spamd to untaint the dir:

if (mkdir untaint($spam_conf_dir), 0700) {

Is that something you can modify and test to give feedback?

regards,
KAM

-- 
You are receiving this mail because:
You are the assignee for the bug.
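
A sketch of the untainting step suggested in the comment above, as an added example rather than spamd's own code. The helpers `untaint_username` and `make_user_state_dir`, the demo directory under the system temp dir, and the sample user names are all hypothetical or constructed; it assumes the user name is the tainted part of the path and validates it against an allowlist before the regex capture clears the taint.

```perl
#!/usr/bin/perl -T
# Added example. Run as "perl -T demo.pl" so taint mode is on from the start.
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Hypothetical helper, not SpamAssassin's own untaint routine: returns an
# untainted copy of $user if it is a plain account name, otherwise undef.
sub untaint_username {
    my ($user) = @_;
    return undef unless defined $user;
    # Allowlist; the first character may not be '.', so '.' and '..' fail.
    return $user =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,63})\z/ ? $1 : undef;
}

# Hypothetical: expand a --virtual-config-dir style template and create it.
sub make_user_state_dir {
    my ($template, $user) = @_;
    my $safe = untaint_username($user);
    return (undef, 'rejected username') unless defined $safe;
    (my $dir = $template) =~ s/%u/$safe/g;
    return ($dir, 'exists') if -d $dir;
    return mkdir($dir, 0700) ? ($dir, 'created') : (undef, "mkdir: $!");
}

# Constructed input. Appending a zero-length slice of $^X (tainted under -T)
# taints a literal, standing in for a user name received from a client.
my $taint = substr($^X, 0, 0);
my $base  = File::Spec->catdir(File::Spec->tmpdir, "spamd-demo-$$");
mkdir($base, 0700) or die "cannot create $base: $!";

my $user = 'office' . $taint;
printf "user tainted: %s\n", tainted($user) ? 'yes' : 'no';

# The failure from the bug report: a tainted path reaching mkdir dies under -T.
eval { mkdir("$base/$user", 0700) };
print 'direct mkdir: ', ($@ || "no taint error, -T is off\n");

for my $name ($user, '../etc' . $taint, '..' . $taint) {
    my ($dir, $status) = make_user_state_dir("$base/%u", $name);
    printf "%-8s -> %s\n", $name, $status;
}
rmdir "$base/office";
rmdir $base;
```

Under `-T` the direct `mkdir` reports the same "Insecure dependency in mkdir" error as the log in the bug report, while the validated name is created and the traversal-style names are rejected before any filesystem call.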

[Bug 7509] Missing free(3) in error path

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7509

RW  changed:

What       | Removed | Added
-----------+---------+----------------------------
CC         |         | rwmailli...@googlemail.com

--- Comment #2 from RW  ---
Is it just the error path? I don't see where it's ever freed.

It actually makes no practical difference whether opt is freed or not.


[Bug 6664] check_freemail_header() misses many domains

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6664

--- Comment #7 from Kevin A. McGrail  ---
I think it was just missed because of the duplicated bug.  I had it in my mind it
was fixed.  Do you mind looking at this and checking 3.4 and trunk to make a
patch that you think is ready to commit?

Regards,
KAM


[Bug 7509] Missing free(3) in error path

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7509

Kevin A. McGrail  changed:

What       | Removed | Added
-----------+---------+---------------------
CC         |         | kmcgr...@apache.org
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED

--- Comment #1 from Kevin A. McGrail  ---
Thanks Giovanni.  It's very helpful with these patches and your BZ grooming.  I
look forward to looking at your bigger patches and having you earn committer
karma sooner than later.

Trunk: 
Committed revision 1816708.
3.4:
Committed revision 1816710.


[Bug 7511] New: SpamAssassin Plugin to detect VBA/OLE2 Macros

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7511

          Bug ID: 7511
         Summary: SpamAssassin Plugin to detect VBA/OLE2 Macros
         Product: Spamassassin
         Version: SVN Trunk (Latest Devel Version)
        Hardware: PC
              OS: OpenBSD
          Status: NEW
        Severity: normal
        Priority: P2
       Component: Plugins
        Assignee: dev@spamassassin.apache.org
        Reporter: giova...@paclan.it
Target Milestone: Undefined

I developed a plugin (originally forked from JonathanThorpe plugin but then
rewritten from scratch) to detect VBA/OLE2 Macros.
Full code available here, permission to include in spamassassin source tree is
granted.
https://github.com/bigio/spamassassin-vba-macro


[Bug 7510] New: Virtual Config dir: Insecure dependency in mkdir while running with -T switch

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7510

          Bug ID: 7510
         Summary: Virtual Config dir: Insecure dependency in mkdir while
                  running with -T switch
         Product: Spamassassin
         Version: 3.4.1
        Hardware: PC
              OS: Linux
          Status: NEW
        Severity: minor
        Priority: P2
       Component: spamc/spamd
        Assignee: dev@spamassassin.apache.org
        Reporter: mathia...@gmx.at
Target Milestone: Undefined

Currently moving to a new Server with newer OS, Perl and SpamAssassin Version.
From: Ubuntu 14.04.5 LTS Perl 5.18.2 SpamAssassin version 3.4.0
To: Ubuntu 16.04.3 LTS Perl 5.22.1 SpamAssassin version 3.4.1

/etc/default/spamassassin
OPTIONS="-u spamd -D --create-prefs -m5 --virtual-config-dir=/var/opt/spamd/%u -x --daemonize --max-children 5"

The above Options worked fine on the old Server, on the new Server I get a Perl
error while creating the Folders for the User directories.

Could not find anyone with the same problem, bug or a config error on my side?
/var/opt/spamd exists, rights should also be fine.

Part from the Log: (Recipient address was off...@domain.tld)
spamd[1468]: spamd: using default config for office: /var/opt/spamd/office/user_prefs
spamd[1468]: info: user has changed
spamd[1468]: bayes: learner_new self=Mail::SpamAssassin::Plugin::Bayes=HASH(0x3065950), bayes_store_module=Mail::SpamAssassin::BayesStore::DBM
spamd[1468]: bayes: learner_new: got store=Mail::SpamAssassin::BayesStore::DBM=HASH(0x35da948)
spamd[1468]: config: using "/var/opt/spamd/office" for user state dir
spamd[1468]: config: mkdir /var/opt/spamd/office failed: Insecure dependency in mkdir while running with -T switch at /usr/share/perl/5.22/File/Path.pm line 136,  line 2.
spamd[1468]: bayes: no dbs present, cannot tie DB R/O: /var/opt/spamd/office/bayes_toks
spamd[1468]: config: score set 1 chosen.
spamd[1468]: spamd: running as uid 1001
spamd[1468]: config: time limit 300.0 s
spamd[1468]: message: line ending changed to CRLF
spamd[1468]: message: main message type: text/plain
spamd[1468]: spamd: processing message (unknown) for office:1001
spamd[1468]: check: pms new, time limit in 299.978 s
spamd[1468]: bayes: no dbs present, cannot tie DB R/O: /var/opt/spamd/office/bayes_toks

Has anyone seen this before?
Thanks, Mathias


[Bug 6664] check_freemail_header() misses many domains

2017-11-30 Thread bugzilla-daemon
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6664

Giovanni Bechis  changed:

What       | Removed | Added
-----------+---------+--------------------
CC         |         | giova...@paclan.it

--- Comment #6 from Giovanni Bechis  ---
Bug is a duplicate of bz #6871 and fixed in svn r1416457.
Enhancement is not documented and has been lying for 6 years.
Is somebody interested in this enhancement or should we close the bz?
