hello --
thank you for your excellent product. i'm using spamassassin 2.63 +
procmail. it normally works great, but i recently got a spam message
with the following headers:

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: CC: Chicks with DICKS gmie
Date: Tue, 24 Feb 2004 03:37:58 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_00B1_01C3FAD7.14379D52"
X-Priority: 3
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
	inman.medianstrip.net
X-Spam-Status: No, hits=-77.8 required=5.0 tests=BAYES_99,CLICK_BELOW_CAPS,
	FORGED_YAHOO_RCVD,HTML_60_70,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_RED,
	HTML_FONTCOLOR_UNSAFE,HTML_IMAGE_ONLY_06,HTML_IMAGE_RATIO_04,
	HTML_LINK_CLICK_CAPS,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
	MIME_HTML_MOSTLY,PRIORITY_NO_NAME,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
	RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS,RCVD_IN_SORBS_HTTP,
	RCVD_IN_SORBS_SOCKS,SUBJ_HAS_SPACES,USER_IN_WHITELIST autolearn=no
	version=2.63

the only reason why this got through was they put one of my email
addresses in the From, in quotes. i'm no RFC822 or whatever expert, but
that seems like it shouldn't get tagged by the USER_IN_WHITELIST test.
in particular, it seems strange that
check_from_in_whitelist()
found my address in the quotes, but
MANY_FROMS
did not.
if you fix MANY_FROMS you could add (as a hack)
meta USER_IN_WHITELIST_BUT_MANY_FROMS (USER_IN_WHITELIST && MANY_FROMS)
score USER_IN_WHITELIST_BUT_MANY_FROMS 94
describe USER_IN_WHITELIST_BUT_MANY_FROMS Possible use of many froms to abuse whitelist
but it seems like the real solution is for check_from_in_whitelist()
to distinguish between real addresses and quoted names that look like
email addresses. this probably means making a new function since you
probably don't want to change find_all_addrs_in_line(). unless i'm
completely misunderstanding what the code is supposed to do.
please rectify me if i've misunderstood.
thanks, B
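
The distinction asked for above, between a real From address and a quoted display name that merely looks like one, is shown in the added Python example below. It is not SpamAssassin's code and not part of the original message. The function names, the regex and the example.org / example.net addresses are constructed for illustration.

```python
import re
from email.utils import getaddresses

# Loose pattern for "anything that looks like an address" (illustrative only).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def naive_addrs(header_value):
    """Scan the whole header line, display name included (the risky approach)."""
    return [a.lower() for a in ADDR_RE.findall(header_value)]

def real_addrs(header_value):
    """Return only the addr-spec of each mailbox, ignoring the display name."""
    return [addr.lower() for _name, addr in getaddresses([header_value]) if addr]

def display_name_mismatch(header_value):
    """Addresses inside a display name that differ from that mailbox's addr-spec."""
    found = []
    for name, addr in getaddresses([header_value]):
        for candidate in ADDR_RE.findall(name):
            if candidate.lower() != addr.lower():
                found.append(candidate.lower())
    return found

def whitelisted(addrs, whitelist):
    """True if any candidate address is on the whitelist."""
    return any(a in whitelist for a in addrs)

# Constructed sample headers (not taken from the message above).
WHITELIST = {"me@example.org"}
SPOOFED = '"me@example.org" <sender@example.net>'   # whitelisted address only in quotes
LEGIT = '"Bob Example" <me@example.org>'            # whitelisted address is the real one
SAME = '"me@example.org" <me@example.org>'          # some clients repeat the address

if __name__ == "__main__":
    for hdr in (SPOOFED, LEGIT, SAME):
        print(hdr)
        print("  naive whitelist hit :", whitelisted(naive_addrs(hdr), WHITELIST))
        print("  parsed whitelist hit:", whitelisted(real_addrs(hdr), WHITELIST))
        print("  display-name lure   :", display_name_mismatch(hdr))
```
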