#161 False DSPAM headers confuse dspamc retraining

v3.10.x
open
Stevan Bajic
None
5
2014-01-02
2013-02-01
Brendan Cully
No

I just received a spam email which included its own DSPAM headers (imitation is the sincerest form of flattery!), including:
X-DSPAM-Signature: 1,510c1e2526783905217225

The message also had legitimate DSPAM headers added by my dspam at the very end of the headers, but when I sent the message to dspamc for retraining, it errored out at the bogus header:
Feb 1 12:07:41 xxx dspam[xxx]: Signature retrieval for '1,510c1e2526783905217225' failed
Feb 1 12:07:41 xxx dspam[xxx]: Unable to find a valid signature. Aborting.

Perhaps dspam should keep looking if lookup fails, instead of giving up immediately?

Walking the headers backwards would also work for me since dspam's are at the end, but I could see that breaking with more complicated email flows that might involve passing through more than one dspam instance.

Discussion

  • Stevan Bajic
    Stevan Bajic
    2013-02-01

    • assigned_to: nobody --> sbajic
     
  • Stevan Bajic
    Stevan Bajic
    2013-02-01

    Hello Brendan, I don't understand what the problem is? Can you please rephrase your problem? How did you pass that message to dspamc for retraining?

     
  • Brendan Cully
    Brendan Cully
    2013-02-01

    I received a message that already had a set of DSPAM headers (generated to fool spam filters, presumably). When my dspam received it, it misclassified it as innocent and added its own second set of DSPAM headers:

    From: ...
    Subject: ...
    Received...
    X-DSPAM-Signature: bogussig
    ...
    Received...
    X-DSPAM-Result: Innocent
    X-DSPAM-Signature: goodsig

    The first set of DSPAM headers are fake, created as part of the spam message to fool spam detection. The second set are generated by my DSPAM instance when I receive the message.

    I tried to reclassify the message as spam by bouncing it to my spam-foo@domain address, which pipes it trhough dspamc --class=spam --source=error. But reclassification failed because it took the signature from the first X-DSPAM-Signature header, couldn't find it in my user database, and gave up. If it had continued looking for the signature instead of giving up, it would have found the second, valid signature and succeeded at reclassifying the message.

     
  • Stevan Bajic
    Stevan Bajic
    2013-02-01

    Thank you for clarification. Now I understand.

     
  • Tom Hendrikx
    Tom Hendrikx
    2013-02-01

    Typically you would configure your MTA to remove or rename the untrusted headers before the message reaches DSPAM. It depends on the way you built your mail stack, but I use this in postfix:

    main.cf:
    header_checks = pcre:/etc/postfix/header_checks.pcre

    header_checks.pcre:
    # Rename headers of incoming messages that might interfere with our own setup.
    /^X-(DSPAM-.*): (.*)$/m REPLACE X-External-$1: $2

     
  • Brendan Cully
    Brendan Cully
    2013-02-01

    Renaming the headers is probably a good idea (I guess dspam will still treat them as spam/notspam signals the same way even if they're under a different name), but I think it would still be a good idea for dspam to search the entire header set for the signature when retraining.

     
  • Tom Hendrikx
    Tom Hendrikx
    2014-01-02

    Stevan: you accepted the bug. Any updates on this?