I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo received 
headers that do not match the search pattern defined in 
check_for_forged_yahoo_received_headers(). I'm using SpamAssassin 3.3.2 with 
latest rules as per `sa-update` rule channels `sought.rules.yerp.org` and 
`updates.spamassassin.org`.

The spamassassin rule that is firing:

        *  1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers

The received-by header in question:

        Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203)

Full mail headers available at https://cloudup.com/cbmG8tJF71k

And finally here's the `check_for_forged_yahoo_received_headers` function that 
parses this, which doesn't contain the correct regex for this hostname:

    sub check_for_forged_yahoo_received_headers {
      my ($self, $pms) = @_;

      my $from = $pms->get('From:addr');
      if ($from !~ /\byahoo\.com$/i) { return 0; }

      my $rcvd = $pms->get('Received');

      if ($pms->get("Resent-From") ne '' && $pms->get("Resent-To") ne '') {
        my $xrcvd = $pms->get("X-Received");
        $rcvd = $xrcvd  if $xrcvd ne '';
      }
      $rcvd =~ s/\s+/ /gs;      # just spaces, simplify the regexp

      # not sure about this
      #if ($rcvd !~ /from \S*yahoo\.com/) { return 0; }

      if ($self->gated_through_received_hdr_remover($pms)) { return 0; }

      # bug 3740: ignore bounces from Yahoo!.   only honoured if the
      # correct rDNS shows up in the trusted relay list, or first untrusted relay
      #
      # bug 4528: [ ip=68.142.202.54 rdns=mta122.mail.mud.yahoo.com 
      # helo=mta122.mail.mud.yahoo.com by=eclectic.kluge.net ident=
      # envfrom= intl=0 id=49F2EAF13B auth= ]
      #
      if ($pms->{relays_trusted_str} =~ / rdns=\S+\.yahoo\.com /
            || $pms->{relays_untrusted_str} =~ /^[^\]]+ rdns=\S+\.yahoo\.com /)
                { return 0; }

      if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; }
      if ($rcvd =~ /by smtp\S+\.yahoo\.com with SMTP/) { return 0; }
      my $IP_ADDRESS = IP_ADDRESS;
      if ($rcvd =~
          /from \[$IP_ADDRESS\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/) {
        return 0;
      }

      # used in "forward this news item to a friend" links.  There's no better
      # received hdrs to match on, unfortunately.  I'm not sure if the next test is
      # still useful, as a result.
      #
      # search for msgid <[email protected]>, subject "Yahoo!
      # News Story - Top Stories", date Sep 29 2002 on
      # <http://xent.com/pipermail/fork/> for an example.
      #
      if ($rcvd =~ /\bmailer\d+\.bulk\.scd\.yahoo\.com\b/
                    && $from =~ /\@reply\.yahoo\.com$/i) { return 0; }

      if ($rcvd =~ /by \w+\.\w+\.yahoo\.com \(\d+\.\d+\.\d+\/\d+\.\d+\.\d+\)(?: with ESMTP)? id \w+/) {
          # possibly sent from "mail this story to a friend"
          return 0;
      }

      return 1;
    }   

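To see exactly which branch of the sub a given message falls through, here is a Python transcription of its decision logic run over the Received line quoted in the post. This is an added example, not SpamAssassin code: the `IP_ADDRESS` pattern is a simplified IPv4 stand-in for SpamAssassin's constant, the `gated_through_received_hdr_remover()` and `Resent-From`/`X-Received` handling are omitted because they need PerMsgStatus state, and the relay strings (`POSTED_RELAYS_UNTRUSTED`, `RDNS_RELAYS`), the `From` addresses, and the `SMTP_RCVD`/`FORGED_RCVD` headers are constructed here, following the `ip= rdns= helo=` format shown in the bug 4528 comment. The `HELO_ONLY` pattern is hypothetical, included only to show why a HELO-based exemption is weak.

```python
import re

# Simplified stand-in for SpamAssassin's IP_ADDRESS constant (IPv4 only; assumption).
IP_ADDRESS = r"\d{1,3}(?:\.\d{1,3}){3}"

# Received-header shapes the sub accepts as genuine Yahoo (its `return 0` branches),
# transcribed from the Perl above. Order matches the sub.
LEGIT_RCVD_PATTERNS = {
    "webmail via HTTP": re.compile(r"by web\S+\.mail\S*\.yahoo\.com via HTTP"),
    "smtp with SMTP": re.compile(r"by smtp\S+\.yahoo\.com with SMTP"),
    "groups NNFMP": re.compile(
        r"from \[" + IP_ADDRESS + r"\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP"),
    "sendmail-style id": re.compile(
        r"by \w+\.\w+\.yahoo\.com \(\d+\.\d+\.\d+/\d+\.\d+\.\d+\)(?: with ESMTP)? id \w+"),
}

def matching_branch(from_addr, rcvd, relays_trusted="", relays_untrusted=""):
    """Name of the branch that exempts the message, or None if none does
    (None means FORGED_YAHOO_RCVD fires)."""
    rcvd = re.sub(r"\s+", " ", rcvd)  # mirrors $rcvd =~ s/\s+/ /gs
    # bug 3740 / 4528: yahoo.com rDNS on a trusted relay, or on the first untrusted relay
    if re.search(r" rdns=\S+\.yahoo\.com ", relays_trusted):
        return "trusted relay rDNS"
    if re.search(r"^[^\]]+ rdns=\S+\.yahoo\.com ", relays_untrusted):
        return "first untrusted relay rDNS"
    for name, pat in LEGIT_RCVD_PATTERNS.items():
        if pat.search(rcvd):
            return name
    if (re.search(r"\bmailer\d+\.bulk\.scd\.yahoo\.com\b", rcvd)
            and re.search(r"@reply\.yahoo\.com$", from_addr, re.I)):
        return "bulk mailer"
    return None

def forged_yahoo_rcvd(from_addr, rcvd, relays_trusted="", relays_untrusted=""):
    """1 = rule fires, 0 = rule does not fire (same contract as the Perl sub)."""
    if not re.search(r"\byahoo\.com$", from_addr, re.I):
        return 0
    return 0 if matching_branch(from_addr, rcvd, relays_trusted, relays_untrusted) else 1

# Constructed inputs. The Received value is the one quoted in the post with the header
# name stripped, as $pms->get('Received') returns it. "from unknown" means the receiving
# MTA recorded no rDNS, so the relay string has an empty rdns= field (assumption).
POSTED_RCVD = "from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203)"
POSTED_RELAYS_UNTRUSTED = ("[ ip=216.109.114.203 rdns= helo=nm46-vm10.bullet.mail.bf1.yahoo.com "
                           "by=mx.example.net ident= envfrom= intl=0 id= auth= ]")
# A header in one of the shapes the sub already exempts (constructed).
SMTP_RCVD = "from [192.0.2.10] by smtp107.mail.bf1.yahoo.com with SMTP; 1 Jan 2014 00:00:00 -0000"
# Relay string from the bug 4528 comment, where rDNS is under yahoo.com.
RDNS_RELAYS = ("[ ip=68.142.202.54 rdns=mta122.mail.mud.yahoo.com helo=mta122.mail.mud.yahoo.com "
               "by=eclectic.kluge.net ident= envfrom= intl=0 id=49F2EAF13B auth= ]")

# Hypothetical HELO-only exemption: HELO is sender-supplied, so a forger can present the
# same name from any IP. Not a proposed fix, only a demonstration of the weakness.
HELO_ONLY = re.compile(r"\(HELO nm\d+-vm\d+\.bullet\.mail\.\w+\.yahoo\.com\)")
FORGED_RCVD = "from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (198.51.100.23)"

def helo_only_exempts(rcvd):
    return bool(HELO_ONLY.search(rcvd))

if __name__ == "__main__":
    cases = [
        ("posted header, no rDNS", "user@yahoo.com", POSTED_RCVD, "", POSTED_RELAYS_UNTRUSTED),
        ("smtp*.yahoo.com with SMTP", "user@yahoo.com", SMTP_RCVD, "", ""),
        ("posted header, yahoo rDNS on relay", "user@yahoo.com", POSTED_RCVD, "", RDNS_RELAYS),
        ("non-yahoo From", "user@example.com", POSTED_RCVD, "", ""),
    ]
    for label, frm, rcvd, trusted, untrusted in cases:
        print(f"{label}: fires={forged_yahoo_rcvd(frm, rcvd, trusted, untrusted)} "
              f"branch={matching_branch(frm, rcvd, trusted, untrusted)}")
    print("HELO-only exempts genuine:", helo_only_exempts(POSTED_RCVD),
          "and forged:", helo_only_exempts(FORGED_RCVD))
```

The posted header contains no `by ...yahoo.com` clause at all, so none of the four Received patterns can match, and because the local MTA logged `from unknown` there is no rDNS for the bug 3740 branch to accept either; the rule therefore falls through to `return 1`. Adding a HELO-based pattern would silence the false positive but, as `helo_only_exempts` shows, it accepts an identical HELO from any source IP. The exemption the sub already trusts is rDNS on the relay, which is what `spamassassin -D received < message` will show you for the real message (the `relays_untrusted` line) before deciding how to adjust the rule.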