At 03:05 AM 8/4/2005, [EMAIL PROTECTED] wrote:
I'm new to the list but have been running SA for some time

I am using spamassassin-3.0.4-1.fc3
with qmail-scanner-1.25-st-qms


<snip>


Some of the "received-header: unknown format" entries:


This header from a SPAM email scored at 13.3/5.0
...
Jul 31 07:44:33 backup spamd[3748]: debug: received-header: unknown
format: from creative-workers.ch (creative-workers.ch [217.26.52.13])by
user-0c99gr6.cable.mindspring.com with esmtpid 7D892D14F9 for <emailremoved>; Sat, 30 Jul
2005 23:43:08 -0700

<snip>
Yep, that's invalid. There's a missing space that should precede "by"

It appears to me that the received-header: unknown format: is being
exploited by the spammers to minimise the scoring.

Shouldn't matter, unless ALL the Received: headers are unparseable in which case ALL_TRUSTED could misfire. Check for that in the messages.

Since your MTA should be adding its own header, that should be valid and outside of spammer control. Thus, a spammer should not be able to cause ALL_TRUSTED to misfire unless your mailserver is broken.

(AFAIK the ALL_TRUSTED misfire is fixed in 3.1.x, although that really only works around the problem of a broken MTA)



My questions are as follows:

Does the header problem indicate an email that is non-compliant with
RFC formats?

Well, the received headers in question are non-compliant with RFC standards.


Are there legitimate situations where you could expect this parsing
problem to occur (Assuming email/SA software setup correctly)?

Yes, many "inline AV" products produce completely borked Received: headers. At least one of them has the "by" clause first, and the "from" clause second, which isn't in-spec. However, this particular invalid format is one I've not seen in legitimate mail.


Can I configure spamassassin to flag any email with this problem as spam?

This should detect the missing-space case, and not other unparsables.

header RCVD_BY_NOSPACE  Received =~ /\d\]\)by\b/
score RCVD_BY_NOSPACE 0.1

Note: I've set the score to 0.1 because it's untested. Test it, see what it does, and bump up the score if it is not hitting any nonspam.



Chris
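The missing-space check from the RCVD_BY_NOSPACE rule in the reply above, applied in Python over a few constructed Received: headers. This is an added example, not Chris's code and not SpamAssassin's own parser; the hostnames, the esmtp id and the RFC 5737 addresses are hypothetical. Besides the glued "])by" pattern it also shows the two other conditions the reply discusses: a loose check that the "from" clause precedes a whitespace-delimited "by" clause (the inline-AV "by first" case fails it), and the "every Received: header is unparseable" condition behind the ALL_TRUSTED misfire.

```python
import re

# Same pattern as the RCVD_BY_NOSPACE rule: a closing "])" glued straight onto "by".
RCVD_BY_NOSPACE = re.compile(r"\d\]\)by\b")

# Loose check for the "from <host> [(comment)] by <host> ..." layout:
# the from-clause must come first and the by-clause must be whitespace-delimited.
RECEIVED_LAYOUT = re.compile(r"^\s*from\s+\S+.*\s+by\s+\S+", re.IGNORECASE | re.DOTALL)

# Constructed sample header values (hypothetical hosts, documentation addresses),
# modelled on the cases discussed in the thread.
SAMPLE_HEADERS = {
    "missing_space": (
        "from relay.example.org (relay.example.org [192.0.2.10])by "
        "mx.example.net with esmtp id ABC123 for <user@example.net>; "
        "Sat, 30 Jul 2005 23:43:08 -0700"
    ),
    "valid": (
        "from relay.example.org (relay.example.org [192.0.2.10]) by "
        "mx.example.net with esmtp id ABC124 for <user@example.net>; "
        "Sat, 30 Jul 2005 23:44:08 -0700"
    ),
    # The "inline AV" shape from the reply: by-clause before from-clause.
    "by_before_from": (
        "by av-gateway.example.net from relay.example.org "
        "(relay.example.org [192.0.2.10]); Sat, 30 Jul 2005 23:45:08 -0700"
    ),
}


def unfold(header):
    """Join folded continuation lines (CRLF/LF followed by whitespace) into one logical value."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def check_received(header):
    """Classify one Received: header value: does the no-space rule hit, and does the layout parse?"""
    value = unfold(header)
    return {
        "by_nospace": bool(RCVD_BY_NOSPACE.search(value)),
        "parseable": bool(RECEIVED_LAYOUT.match(value)),
    }


def score_received(headers, rule_score=0.1):
    """Mimic the SpamAssassin rule: the score is added once per message, however many headers hit."""
    return rule_score if any(check_received(h)["by_nospace"] for h in headers) else 0.0


def all_unparseable(headers):
    """True when the message has Received: headers and none of them parses (the ALL_TRUSTED concern)."""
    return bool(headers) and not any(check_received(h)["parseable"] for h in headers)


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(name, check_received(value))
    print("message score:", score_received(list(SAMPLE_HEADERS.values())))
    print("all unparseable:", all_unparseable(list(SAMPLE_HEADERS.values())))
```

Because the rule only ever adds its score once per message, a spammer cannot stack it by repeating the malformed header; the separate all_unparseable check is the thing to watch for on a message-by-message basis, since a single well-formed header from your own MTA is enough to clear it.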
