Hi,

On Tue, Feb 26, 2008 at 16:26 +0000, Justin Mason wrote:
> Stefan `Sec` Zehl writes:
> > Ok, so you're telling me that not only is this bug known, but it went
> > unfixed for over a year?
> 
> Unfortunately, nobody who's bothered by it has bothered fixing it
> and sending us a patch.  I'll omit any comments about IPv6 users ;)
[...]
> yes, we know that ;)  If we had infinite time, it'd be fixed by now.

Ok, here is a patch which fixes this specific (IPv6) problem until
someone has time to make SA completely v6 aware:

--- Mail/SpamAssassin/Message/Metadata/Received.pm.orig 2008-02-26 
17:28:28.000000000 +0100
+++ Mail/SpamAssassin/Message/Metadata/Received.pm      2008-02-26 
17:28:52.000000000 +0100
@@ -1208,7 +1208,8 @@
   $ip = Mail::SpamAssassin::Util::extract_ipv4_addr_from_string ($ip);
   if (!$ip) {
     dbg("received-header: could not parse IPv4 address, assuming IPv6");
-    return 0;   # ignore IPv6 handovers
+#    return 0;   # ignore IPv6 handovers
+       $ip="0.0.0.0";
   }
 
   # DISABLED: if we cut out localhost-to-localhost SMTP handovers,
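
Review bot: the new `$ip="0.0.0.0";` branch is taken for every string that extract_ipv4_addr_from_string cannot parse, not only for IPv6 literals, while the dbg line above it still says "assuming IPv6". Please reword that message and add a comment stating that 0.0.0.0 is a placeholder for an unparsable address and what the code further down is expected to do with it. Also delete the old `return 0;` line rather than leaving it commented out, and indent the new line to match the surrounding block.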

> > But the bigger problem remains, and it is not the IPv6 stuff. The main
> > problem here is that if the first Received header is (for whatever
> > reason) unparsable, all the other (spammer-controlled) headers are
> > trusted if they have an "auth" part.  I would say the default here is
> > definitely the wrong way round.
> 
> it's a bug.  It needs fixing... the right way is to parse IPv6 headers.
> So far it hasn't been a significant problem, since I think yours is
> the first example I've seen of spam traversing IPv6 networks to arrive
> at a trusted network.

My point is: ANY reason to misparse a received-header leads to automatic
trusting of untrusted headers.

Do you trust SA to never misparse a Received-line? I have seen the
inside of that function and the tons of regexps there. I would not trust
it to be completely bugfree.

I may well be the first person to report a spam, but I am quite sure
there are more people out there with Spam mistakenly getting the
ALL_TRUSTED label. After all, who checks the headers of their
Spam-Mailbox regularly?

> > But then, I'm only a stupid user and who cares about those %)
> Hardly representative of our attitude.

I'll take your word for it. I was miffed realizing that after half a day
of debugging I found a year old bug -- which is still unfixed.

CU,
    Sec
-- 
Hofstadter's Law: Everything takes longer than you expect,
                  even taking into account Hofstadter's Law.
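
A simplified model of the fail-open behaviour argued about in the message above, added here as an example; it is not SpamAssassin's code and not part of the original post. The function names, the trust list and the sample headers are constructed, and treating `with ESMTPA`/`ESMTPSA` as the "auth" part is an assumption.

```python
import ipaddress
import re

# Constructed trust list (documentation range), not taken from the post.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Deliberately IPv4-only, like the extraction step in the quoted hunk.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bwith ESMTPS?A\b")  # assumption: this marks the "auth" part


def parse_relay(header):
    """Return {'ip', 'auth'} for a Received line, or None if no IPv4 address parses."""
    m = IPV4_RE.search(header)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:          # e.g. an octet above 255
        return None
    return {"ip": ip, "auth": bool(AUTH_RE.search(header))}


def all_trusted(headers, fail_closed):
    """Walk Received headers newest-first; True if no untrusted relay is found."""
    for header in headers:
        relay = parse_relay(header)
        if relay is None:
            if fail_closed:
                return False    # an unknown hop marks the trust boundary
            continue            # fail-open: the hop is ignored and the walk goes on
        in_net = any(relay["ip"] in net for net in TRUSTED_NETS)
        if not (in_net or relay["auth"]):
            return False
    return True


# Constructed sample, newest header first.
SAMPLE = [
    # Written by the receiving MX: a real handover over IPv6 (2001:db8::/32 is a doc prefix).
    "from sender.example ([IPv6:2001:db8::25]) by mx.example.net with ESMTP",
    # From here down the sender controls the text; this line claims authentication.
    "from client.example ([198.51.100.7]) by relay.example with ESMTPA",
]

if __name__ == "__main__":
    print("fail-open  :", all_trusted(SAMPLE, fail_closed=False))
    print("fail-closed:", all_trusted(SAMPLE, fail_closed=True))
```

With the fail-open walk the only header written by a trusted host is skipped, so the sender-supplied line below it decides the result.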
