Yes, the bug is present in spamdyke 3.1.0 also. I haven't checked, but I think it was originally introduced when I first added the recipient whitelisting feature. I just didn't think through the code well enough (or write complex enough test scripts).
-- Sam Clippinger

Marc Van Houwelingen wrote:
> The whole @vanhouwelingen.com domain is recip-blacklisted, and [EMAIL PROTECTED] and
> [EMAIL PROTECTED] are specifically recip-whitelisted. However, I was using
> 3.1.0, not 3.1.3. Is the same "bug" present in 3.1.0? If so then we have our
> answer. If not, here is the log: I was running log_level=4 (that's the
> highest, right?)
>
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.in-addr.arpa with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 204 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: PTR
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found PTR record for 203.177.20.81.in-addr.arpa: 81-20-177-203.dsl1.localdial.com
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 81-20-177-203.dsl1.localdial.com with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 180 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: A
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found A record for 81-20-177-203.dsl1.localdial.com: 81.20.177.203
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.dnsbl.sorbs.net with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found no records for 203.177.20.81.dnsbl.sorbs.net
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.combined.njabl.org with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 95 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 95 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 95 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found no records for 203.177.20.81.combined.njabl.org
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying 203.177.20.81.bl.spamcop.net with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 99 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found no records for 203.177.20.81.bl.spamcop.net
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying aaronradez.com with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 119 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: MX
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found MX record for aaronradez.com: 10 mail.aaronradez.com
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: querying mail.aaronradez.com with DNS server 127.0.0.1:53 (attempt 1)
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 98 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 91 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS packet: 103 bytes
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: received DNS response: A
> Jan 17 14:25:18 buzz spamdyke[3328]: INFO: found A record for mail.aaronradez.com: 216.240.142.159
> Jan 17 14:25:18 buzz spamdyke[3328]: DENIED_RECIPIENT_BLACKLISTED(/home/spamdyke/recipient-blacklist-file:5) from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>
> ----- Original Message -----
> From: "Sam Clippinger" <[EMAIL PROTECTED]>
> To: "spamdyke users" <[email protected]>
> Sent: Thursday, January 17, 2008 9:20 PM
> Subject: Re: [spamdyke-users] Missing angle bracket causing security hole?
>
>> It's possible the missing angle brackets are causing the problem but the
>> text you're seeing is part of the message headers, not part of the SMTP
>> envelope. The angle brackets may not be missing there.
>>
>> Is [EMAIL PROTECTED] in a recipient whitelist file? spamdyke
>> 3.1.3 allows all recipients after a whitelisted recipient is seen in the
>> SMTP envelope. I've fixed that bug in the next version but haven't
>> released it yet.
>>
>> If the address isn't whitelisted, could you enable full logging (with
>> "full-log-dir") and send me a log of one of these messages? I'd like to
>> reproduce this bug and squash it.
>>
>> -- Sam Clippinger
>>
>> Marc Van Houwelingen wrote:
>>> I have been scratching my head as to how some blacklisted recipients are
>>> getting through SpamDyke, and I think I've finally figured it out. I think
>>> it has something to do with the spam having an incorrectly formatted Cc: line
>>> (Missing closing angle brackets). Here are the To and CC from the header as
>>> it came in:
>>>
>>> -----------------------------------------------------
>>> To: <[EMAIL PROTECTED]>
>>> Cc: <[EMAIL PROTECTED]>,
>>> <[EMAIL PROTECTED],
>>> <[EMAIL PROTECTED],
>>> <[EMAIL PROTECTED]
>>> -----------------------------------------------------
>>>
>>> Note the missing ">" on the last 3 emails.
>>>
>>> Now, three of these recipients are blacklisted: baldwind, andrews, and
>>> andrewsd. The other two, amber and amber-bike, are not blacklisted.
>>>
>>> Here is the log:
>>>
>>> -----------------------------------------------------
>>> Jan 17 14:25:18 buzz spamdyke[3328]: DENIED_RECIPIENT_BLACKLISTED(/home/spamdyke/recipient-blacklist-file:5) from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
>>> -----------------------------------------------------
>>>
>>> The first recipient is correctly denied. Then the next two are allowed (also
>>> correct). But then it gets screwy - the last two are allowed, despite being
>>> blacklisted, and then all 4 CC'd email addresses are repeated.
>>>
>>> Is it possible the missing angle-bracket is a way for spammers to sneak past
>>> spamdyke?
>>>
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> [email protected]
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
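The behaviour described in this thread (once a whitelisted recipient is seen in the SMTP envelope, all later recipients are allowed) can be modelled as below. This is an added example, not spamdyke's source code: the lists, function names, example.com addresses and the recipient order are assumptions constructed to mirror the log.

```c
#include <stdio.h>
#include <string.h>

/* Constructed policy: whole domain blacklisted, two addresses whitelisted.
   example.com is a placeholder; the thread's real addresses are redacted. */
static const char *BLACKLIST[] = { "@example.com", NULL };
static const char *WHITELIST[] = { "amber@example.com", "amber-bike@example.com", NULL };
/* Constructed envelope, in the RCPT TO order the log suggests (assumed). */
static const char *ENVELOPE[] = { "baldwind@example.com", "amber@example.com",
    "amber-bike@example.com", "andrews@example.com", "andrewsd@example.com", NULL };

/* '@domain' entries match the recipient's domain, others the full address
   (case-sensitive compare, for brevity). */
static int matches(const char *const *list, const char *rcpt) {
    const char *at = strrchr(rcpt, '@');
    for (; *list; list++)
        if ((*list)[0] == '@' ? (at && !strcmp(at, *list)) : !strcmp(rcpt, *list)) return 1;
    return 0;
}

struct session { int whitelisted; };  /* state kept for the whole SMTP connection */

/* Flawed: a whitelist hit is remembered on the session, so every later
   RCPT TO is accepted without consulting the blacklist. */
int rcpt_allowed_sticky(struct session *s, const char *rcpt) {
    if (matches(WHITELIST, rcpt)) s->whitelisted = 1;
    return s->whitelisted || !matches(BLACKLIST, rcpt);
}

/* Corrected: each RCPT TO is judged on its own address only. */
int rcpt_allowed_per_rcpt(const char *rcpt) {
    return matches(WHITELIST, rcpt) || !matches(BLACKLIST, rcpt);
}

/* Replay an envelope; count blacklisted, non-whitelisted recipients accepted. */
int count_leaks(const char *const *rcpts, int sticky) {
    struct session s = { 0 };
    int leaks = 0;
    for (; *rcpts; rcpts++) {
        int ok = sticky ? rcpt_allowed_sticky(&s, *rcpts) : rcpt_allowed_per_rcpt(*rcpts);
        if (ok && !matches(WHITELIST, *rcpts) && matches(BLACKLIST, *rcpts)) leaks++;
    }
    return leaks;
}

int main(void) {
    printf("sticky: %d leaked, per-recipient: %d leaked\n",
           count_leaks(ENVELOPE, 1), count_leaks(ENVELOPE, 0));
    return 0;
}
```

A regression test for this class of bug needs an envelope where a blacklisted recipient follows a whitelisted one; testing each recipient in its own session never exercises the shared state.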
