The whole @vanhouwelingen.com domain is recip-blacklisted, and [EMAIL PROTECTED] and [EMAIL PROTECTED] are specifically recip-whitelisted. However, I was using 3.1.0, not 3.1.3. Is the same "bug" present in 3.1.0? If so then we have our answer. If not, here is the log: I was running log_level=4 (that's the highest, right?)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.in-addr.arpa with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 204 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: PTR
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found PTR record for 203.177.20.81.in-addr.arpa: 81-20-177-203.dsl1.localdial.com
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 81-20-177-203.dsl1.localdial.com with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 180 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: A
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found A record for 81-20-177-203.dsl1.localdial.com: 81.20.177.203
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.dnsbl.sorbs.net with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found no records for 203.177.20.81.dnsbl.sorbs.net
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.combined.njabl.org with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 95 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 95 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 95 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found no records for 203.177.20.81.combined.njabl.org
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.bl.spamcop.net with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 99 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found no records for 203.177.20.81.bl.spamcop.net
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying aaronradez.com with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 119 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: MX
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found MX record for aaronradez.com: 10 mail.aaronradez.com
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying mail.aaronradez.com with DNS server 127.0.0.1:53 (attempt 1)
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 98 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 91 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: A
Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found A record for mail.aaronradez.com: 216.240.142.159
Jan 17 14:25:18 buzz spamdyke[3328]: DENIED_RECIPIENT_BLACKLISTED(/home/spamdyke/recipient-blacklist-file:5) from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)

----- Original Message -----
From: "Sam Clippinger" <[EMAIL PROTECTED]>
To: "spamdyke users" <[email protected]>
Sent: Thursday, January 17, 2008 9:20 PM
Subject: Re: [spamdyke-users] Missing angle bracket causing security hole?

> It's possible the missing angle brackets are causing the problem but the
> text you're seeing is part of the message headers, not part of the SMTP
> envelope. The angle brackets may not be missing there.
>
> Is [EMAIL PROTECTED] in a recipient whitelist file? spamdyke
> 3.1.3 allows all recipients after a whitelisted recipient is seen in the
> SMTP envelope. I've fixed that bug in the next version but haven't
> released it yet.
>
> If the address isn't whitelisted, could you enable full logging (with
> "full-log-dir") and send me a log of one of these messages? I'd like to
> reproduce this bug and squash it.
>
> -- Sam Clippinger
>
> Marc Van Houwelingen wrote:
>> I have been scratching my head as to how some blacklisted recipients are
>> getting through SpamDyke, and I think I've finally figured it out. I think
>> it has something to do with the spam having an incorrectly formatted Cc: line
>> (missing closing angle brackets). Here are the To and CC from the header as
>> it came in:
>>
>> -----------------------------------------------------
>> To: <[EMAIL PROTECTED]>
>> Cc: <[EMAIL PROTECTED]>,
>> <[EMAIL PROTECTED],
>> <[EMAIL PROTECTED],
>> <[EMAIL PROTECTED]
>> -----------------------------------------------------
>>
>> Note the missing ">" on the last 3 emails.
>>
>> Now, three of these recipients are blacklisted: baldwind, andrews, and
>> andrewsd. The other two, amber and amber-bike, are not blacklisted.
>>
>> Here is the log:
>>
>> -----------------------------------------------------
>> Jan 17 14:25:18 buzz spamdyke[3328]: DENIED_RECIPIENT_BLACKLISTED(/home/spamdyke/recipient-blacklist-file:5) from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>> -----------------------------------------------------
>>
>> The first recipient is correctly denied. Then the next two are allowed (also
>> correct). But then it gets screwy - the last two are allowed, despite being
>> blacklisted, and then all 4 CC'd email addresses are repeated.
>>
>> Is it possible the missing angle-bracket is a way for spammers to sneak past
>> spamdyke?

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
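
The behaviour Sam describes in the quoted reply (every recipient is allowed once a whitelisted recipient has been seen in the SMTP envelope), modelled in C next to a per-recipient check. This is an added example, not spamdyke's source and not part of the original messages; the addresses, list contents and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample policy: whole domain blacklisted, two mailboxes whitelisted. */
static const char *const BLACKLISTED_DOMAIN = "@blocked.example";
static const char *const WHITELIST[] = { "ok1@blocked.example", "ok2@blocked.example", NULL };

struct session { bool whitelisted; };   /* state kept for the whole SMTP connection */

static bool is_whitelisted(const char *rcpt) {
    for (size_t i = 0; WHITELIST[i] != NULL; i++)
        if (strcmp(WHITELIST[i], rcpt) == 0) return true;
    return false;
}

static bool is_blacklisted(const char *rcpt) {
    size_t n = strlen(rcpt), d = strlen(BLACKLISTED_DOMAIN);
    return n >= d && strcmp(rcpt + n - d, BLACKLISTED_DOMAIN) == 0;
}

/* Flawed model: a whitelist hit is stored on the session and never cleared. */
static bool allow_sticky(struct session *s, const char *rcpt) {
    if (is_whitelisted(rcpt)) s->whitelisted = true;
    return s->whitelisted || !is_blacklisted(rcpt);
}

/* Corrected model: the whitelist result applies only to the recipient being checked. */
static bool allow_scoped(const char *rcpt) {
    return is_whitelisted(rcpt) || !is_blacklisted(rcpt);
}

/* Evaluate each RCPT TO in order; bit i of the result is set if recipient i is accepted. */
unsigned run_envelope(bool sticky, const char *const *rcpts, size_t count) {
    struct session s = { false };
    unsigned accepted = 0;
    for (size_t i = 0; i < count; i++)
        if (sticky ? allow_sticky(&s, rcpts[i]) : allow_scoped(rcpts[i]))
            accepted |= 1u << i;
    return accepted;
}

/* Constructed envelope in the order the thread reports: one blacklisted,
 * two whitelisted, then two more blacklisted recipients. */
const char *const SAMPLE_RCPTS[] = { "bad1@blocked.example", "ok1@blocked.example",
    "ok2@blocked.example", "bad2@blocked.example", "bad3@blocked.example" };

int main(void) {
    printf("sticky=0x%02x scoped=0x%02x\n",
           run_envelope(true, SAMPLE_RCPTS, 5), run_envelope(false, SAMPLE_RCPTS, 5));
    return 0;
}
```

With the session-wide flag the first recipient is denied and every later one is accepted, matching the DENIED-then-ALLOWED pattern in the log; the per-recipient check accepts only the two whitelisted mailboxes.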
