Re: leading blanks on From:addr prevents e.g. blacklisting from working

Mon, 31 May 2010 05:55:46 -0700 

On 5/31/10 8:39 AM, Michael Scheidell wrote:

On 5/31/10 8:12 AM, Per Jessen wrote:

I have just this morning come across an interesting issue (SA 3.2.5). I
was trying to blacklist a From: address using 'blacklist_from', but it
wasn't working.  I took a closer look at the email, and noticed:

From: "something or other"<  mail...@example.com>
Interesting.. the addr part of the email address would be invalid by RFC standards (the addr part cannot start with a space) just use your MTA to block invalid addresses at the gateway. with the MTA blocking it, the sender (if they are really the sender and not a bot) will get the NDR without the issue of backscatter to (what address would you bounce it to? %20mail...@example.com ?
is this in the header from, the envelope from or both? postfix strips the %20 (space), and changes the envelope (return-path) to mail...@example.com so is this just in the header from?
interesting that sa 3.3.1 only scores this as a +1 score. must mean it doesn't match a lot of spam vs ham. 

FROM_WSP_LEAD

(the 1+ score is a default based on not having a score value listed anywhere)

grep FROM_WSP_LEAD /var/db/spamassassin/3.003001/updates_spamassassin_org/* 
/usr/local/etc/mail/spamassassin//*.cf
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:##{ 
FROM_WSP_LEAD
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:header   FROM_WSP_LEAD      
From:raw =~ /<  \s+ [^>\s] [^>]*>  [^<>]* \z/xm
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:describe 
FROM_WSP_LEAD      Leading whitespace after '<' in From header field
/var/db/spamassassin/3.003001/updates_spamassassin_org/72_active.cf:##} 
FROM_WSP_LEAD
my understanding of SA (from a while back) is that it will blacklist_from based on header from, envelope from and/or sender from, so if that is so, it should have worked. 






--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ ______________________________________________________________________

Reply via email to