On Wed, 14 Aug 2013, Ted Mittelstaedt wrote:
> 1) WTF is pastebin? (not you, the other guy)

pastebin.com, a way to share files for public review. It's a far better
way to share spamples than posting them to the list, but be aware the
files *do* expire. Upload a spample to pastebin.com and post the URL to
the list.

> I take it by the:
> a) lack of usable responses
> b) responses NOT claiming this ISN'T a bug
> c) responses tacitly acknowledging this is an "Oh crap they forgot about
> BCCs when they wrote it but I don't have the balls to publicly call them out
> on it like he did"
> that I am dealing with a bona-fide SpamAssassin design fuck-up, and in
> summary if I'm going to continue to use spamass-milter that the option
> all_spam_to is off the table.

I think this is happening because spamass-milter is passing the message to
SA before the MTA has split it up for delivery to individual local users.
While doing the latter is more resource-intensive, it allows per-user SA
config and message disposition (e.g. quarantine folders) and keeps things
like whitelists from leaking cross-user in the way you're seeing.
Unfortunately it appears spamass-milter is hardcoded to scan at that point
in the process. I don't think there's much SA can do about it.
SA scans for whitelist addresses in a specific list of message headers;
it's likely spamass-milter is creating a pseudo-header[1] with the BCC
recipients for SA's use. Posting to pastebin the headers from a message
improperly whitelisted due to a BCC recipient might let us determine that.
It's also possible that spamass-milter is not retaining that pseudo-header
after the scan, in which case you'd have to do some debugging or review
the spamass-milter code to see if that's indeed what's happening. But I
think that's what's happening, as SA has nowhere to get the BCC recipients
apart from the headers in the message it's been given to scan.
You might consider changing the glue to be on the delivery side of your
MTA, e.g. using procmail.

> No, I'm not going to tear apart the server and replace spamass-milter
> with something else. Not unless there's something else out there that
> is simple and doesn't require 600 dependent Perl modules (like mailscanner)
> and run like a 15 year old dog in the middle of August.
> (also like mailscanner)

Procmail is simple if all you're going to do with it is call SA at
delivery time. There may be some other lightweight delivery-time glue
utilities that I'm not aware of which somebody else here may suggest.

> Coolest would be someone posting a patch to spamass-milter to the list that
> would add "ignore BCC in header" as an option, just like someone
> posted a patch a few years ago for spamass-milter that adds an authentication
> bypass. (which has yet to be added to the spamassassin
> distro, even though many Linux/Unix distros now include it)

Quite possibly, especially if spamass-milter is composing a pseudo-header
with the BCC addresses. But that's not something the SA team can do.
spamass-milter is a third-party tool that is not part of the SpamAssassin
project and is not shipped as part of the SpamAssassin install.
[1] I have not inspected the spamass-milter source code to verify this,
but this is pretty common practice in milters - for example, the local
Received header *must* be "forged" in this manner.

> Ted
>
> On 8/14/2013 1:59 PM, Axb wrote:
>> On 08/14/2013 08:08 PM, Ted Mittelstaedt wrote:
>>> Hi All,
>>>
>>> I'm having a lot of problems with spammers who are sending spams with
>>> a To: of a user who is NOT in my all_spam_to list and a BCC: listing
>>> a user IN the all_spam_list. Usually the BCC's list multiple users,
>>> I guess on the theory that they are trying to hide which one it is.
>>>
>>> The user gets the spam and it's got a score of -93 or some
>>> such but they don't understand why since they aren't in the all_spam_to
>>> list.
>>>
>>> My thought is that this is a bug - SA should not be looking at the
>>> email addresses in the BCC to determine scoring adjustments for an email
>>> message. So far the spammers haven't listed the abuse email address
>>> in the BCC but that is a natural one that almost always has to be in
>>> the all_spam_to list.
>>>
>>> Suggestions?
>>
>> tried splitting recipients before msg is sent thru SA?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
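
Added example, not part of the original message and not spamass-milter or SpamAssassin code: a toy model of the behaviour hypothesised in the reply above, comparing one scan before the MTA splits recipients with a delivery-time scan per recipient. The pseudo-header name `X-Envelope-Rcpt`, the addresses, and the score values are assumptions made for illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# All values below are constructed for illustration.
ALL_SPAM_TO = {"abuse@example.org"}   # recipients exempt from filtering
WHITELIST_BONUS = -100.0              # assumed adjustment for a whitelisted recipient
PSEUDO_HEADER = "X-Envelope-Rcpt"     # hypothetical name for the milter's pseudo-header
RECIPIENT_HEADERS = ("To", "Cc", PSEUDO_HEADER)


def build_message(to_addr):
    """Constructed sample message with a single visible To: address."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = to_addr
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    return msg


def score(msg, content_score):
    """Toy scorer: add the bonus if any recipient header names a whitelisted address."""
    values = [str(v) for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
    addrs = {addr.lower() for _, addr in getaddresses(values)}
    return content_score + (WHITELIST_BONUS if addrs & ALL_SPAM_TO else 0.0)


def with_recipients(msg, rcpts):
    """Copy the message and record the given envelope recipients in the pseudo-header."""
    tagged = copy.deepcopy(msg)
    tagged[PSEUDO_HEADER] = ", ".join(rcpts)
    return tagged


def scan_before_split(msg, envelope_rcpts, content_score):
    """One scan for the whole message: every recipient inherits the same score."""
    total = score(with_recipients(msg, envelope_rcpts), content_score)
    return {rcpt: total for rcpt in envelope_rcpts}


def scan_per_recipient(msg, envelope_rcpts, content_score):
    """Delivery-time scan: each copy is scored with only its own recipient visible."""
    return {r: score(with_recipients(msg, [r]), content_score) for r in envelope_rcpts}


if __name__ == "__main__":
    rcpts = ["alice@example.org", "abuse@example.org"]  # abuse@ is the BCC
    sample = build_message("alice@example.org")
    print(scan_before_split(sample, rcpts, 7.0))
    print(scan_per_recipient(sample, rcpts, 7.0))
```

In the single-scan case the non-whitelisted recipient receives the message with the whitelist adjustment applied; in the per-recipient case only the whitelisted address does.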