I'm once again trying to debug some of my rules, and I'm having trouble
with what *seems* to be a bug in the handling of some types of nested
multipart MIME messages.

A customer reported an untagged pornspam over the weekend. They
forwarded the message as an attachment (attached), so I can see which
tests got triggered, and the more or less raw message body to pull out
URLs and so on to specifically add to a set of rules.  (Bayes doesn't
help bring a 2-line 0.5-scoring pornspam over the default threshold of 5
without at least a *little* help.  :/  )

This particular message should, so far as I can tell, have tripped the
built-in NORMAL_HTTP_TO_IP test.  But it didn't.

OK, so I add a somewhat shorter test to my miscellaneous rules file
(misc.cf), and test to see if it triggers.  No go.  I make the rule much
simpler, define a few rules to match "http://" and an IP address
(neither with any kind of bounding);  no match.  (Scores carefully set
to 0.001 for all three.)

rawbody IP_ADDR /\d{1,3}(?:\.\d{1,3}){3}/
rawbody HTTP    /http\:\/\//
(First rule left out;  it's a slightly simplified version of the
NORMAL_HTTP_TO_IP rule.)

In desperation, I've just gone through a series of incremental body
rules:

rawbody NULLMATCH_1 /h/
rawbody NULLMATCH_2 /ht/
rawbody NULLMATCH_3 /htt/

The first two match (finally!)....  but the third doesn't!

spamassassin -D doesn't tell me anything useful.  Adding -t just adds
the description of the rules at the bottom of the message.  Specifying
-D rulesrun=255 doesn't tell me anything useful;  beyond the fact that
my rule is not triggering.  --lint doesn't complain about anything.

The *only* difference between this message and a long list of others
that customers have forwarded is that it's a nested multipart message;
all others I can recall were only single-depth.  Just for kicks, I also
tried full instead of rawbody on those NULLMATCH tests....  and it only
matched on the *first* one- a test for an h, anywhere in the message
body.

Is there any way to get SA to print lines or line fragments for matching
rules?  It looks like the NULLMATCH rules I listed above are matching on
the "Content-Type: text/html" MIME header fragment, rather than on
anything within that MIME part- otherwise, all of the rules I've tried
should match just fine.

SA 2.55, RedHat 7.3 (no *known* Perl oddities).

-kgd
-- 
<erno> hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.
Return-Path: <[EMAIL PROTECTED]>
Received: from wtc.vianet.ca (wtc.vianet.ca [209.91.181.2])
        by filtermail.webhart.net (8.12.8/8.12.8) with ESMTP id h7GBShb0027871
        for <[EMAIL PROTECTED]>; Sat, 16 Aug 2003 07:28:43 -0400
Received: from CPE-65-27-117-48.mn.rr.com (CPE-65-27-117-48.mn.rr.com [65.27.117.48])
        by wtc.vianet.ca (8.9.3p2/8.9.3) with SMTP id HAA22231
        for <[EMAIL PROTECTED]>; Sat, 16 Aug 2003 07:28:42 -0400 (EDT)
Date: Sat, 16 Aug 2003 07:28:42 -0400 (EDT)
From: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
To: Smith <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Subject: Re [2]: S E,X  CRlMES IN lRAQ   cOFhMBzAu
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_01C27DD2.75377C90"
X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
X-Spam-Status: No, hits=3.6 required=5.4
        tests=BAYES_60,NO_REAL_NAME
        version=2.55
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Status:   

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C27DD2.75377C90
Content-Type: multipart/related; type="multipart/alternative"; 
boundary="----=_NextPart_002_0012_01C27DD2.75377C90"


------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: multipart/alternative; 
boundary="----=_NextPart_001_0012_01C27DD2.75377C90"

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

UIr
http://81.180.94.7/u7/rg/iq/
jtowfbJ

------=_NextPart_001_0012_01C27DD2.75377C90
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<p><a href="http://81.180.94.7/u7/rg/iq/"><img src="cid:pic.gif" width="208" 
height="202" border="0"></a> 
</p>
<p><font color="#FFFFE3">Hey Smith CxrkaQHOl .</font></p>
<p><font color="#FFFFD8">iinZOwM Smith</font></p>
<p><a href="http://81.180.94.7/u7/rems/delink.php"><img src="cid:pic1.gif" width="55" 
height="9" border="0"></a></p>
</body>
</html>


------=_NextPart_001_0012_01C27DD2.75377C90--

------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"
Content-ID: <pic.gif>
------=_NextPart_002_0012_01C27DD2.75377C90
Content-Type: image/gif; name="pic1.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic1.gif"
Content-ID: <pic1.gif>

R0lGODlhNwAJAPAAAAAAAP///yH5BAQAABAALAAAAAA3AAkAAAJLjI+pm8APo0RuMlANzg7T
HGwHGIaVN3qnNmprCXPs584cSc1x08K9/zIpNsGgS+TTyUxEnq1HwkV/xtep+ATqlNAWqoat
pZZUqqcAADs=

------=_NextPart_002_0012_01C27DD2.75377C90--
------=_NextPart_000_0012_01C27DD2.75377C90--
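
The post asks for a way to see which lines a rule actually matches inside a nested multipart message. The following is an added example, not part of the original post and not SpamAssassin code: a Python script that walks every MIME level and reports, per text part, the line each pattern hits. It uses Python's own email parser, so it shows what a MIME-aware matcher should see rather than how SA 2.55 builds its rawbody; the sample message, its boundaries and the 192.0.2.7 URL are constructed, and `trace_rules` is a hypothetical helper name.

```python
import re
from email import message_from_string

# The poster's rawbody patterns, re-expressed as Python regexes.
RULES = {
    "IP_ADDR": re.compile(r"\d{1,3}(?:\.\d{1,3}){3}"),
    "HTTP": re.compile(r"http://"),
    "NULLMATCH_3": re.compile(r"htt"),
}

# Constructed sample, nested like the forwarded spam (placeholder URL):
# mixed > related > alternative > (text/plain, text/html).
SAMPLE = """\
Content-Type: multipart/mixed; boundary=outer

--outer
Content-Type: multipart/related; boundary=rel

--rel
Content-Type: multipart/alternative; boundary=alt

--alt
Content-Type: text/plain

http://192.0.2.7/u7/
--alt
Content-Type: text/html

<a href="http://192.0.2.7/u7/">x</a>
--alt--
--rel--
--outer--
"""

def trace_rules(raw, rules=RULES):
    """Return (part_path, content_type, rule, line) for each hit in a text leaf."""
    hits = []
    def walk(part, path):
        if part.is_multipart():
            # Recurse through every nesting level, numbering parts 1.1, 1.1.1, ...
            for i, sub in enumerate(part.get_payload(), 1):
                walk(sub, f"{path}.{i}")
        elif part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            for line in body.splitlines():
                hits.extend((path, part.get_content_type(), name, line.strip())
                            for name, rx in rules.items() if rx.search(line))
    walk(message_from_string(raw), "1")
    return hits

if __name__ == "__main__":
    print(*trace_rules(SAMPLE), sep="\n")
```

A rule that fires here but not in the filter points at how the filter extracts body text from the nested parts, not at the pattern itself.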
