False DSPAM headers confuse dspamc retraining
Brought to you by:
paulcockings,
sbajic
Menu
▾
▴
#161 False DSPAM headers confuse dspamc retraining
I just received a spam email which included its own DSPAM headers (imitation is the sincerest form of flattery!), including:
X-DSPAM-Signature: 1,510c1e2526783905217225
The message also had legitimate DSPAM headers added by my dspam at the very end of the headers, but when I sent the message to dspamc for retraining, it errored out at the bogus header:
Feb 1 12:07:41 xxx dspam[xxx]: Signature retrieval for '1,510c1e2526783905217225' failed
Feb 1 12:07:41 xxx dspam[xxx]: Unable to find a valid signature. Aborting.
Perhaps dspam should keep looking if lookup fails, instead of giving up immediately?
Walking the headers backwards would also work for me since dspam's are at the end, but I could see that breaking with more complicated email flows that might involve passing through more than one dspam instance.
Hello Brendan, I don't understand what the problem is? Can you please rephrase your problem? How did you pass that message to dspamc for retraining?
I received a message that already had a set of DSPAM headers (generated to fool spam filters, presumably). When my dspam received it, it misclassified it as innocent and added its own second set of DSPAM headers:
From: ...
Subject: ...
Received...
X-DSPAM-Signature: bogussig
...
Received...
X-DSPAM-Result: Innocent
X-DSPAM-Signature: goodsig
The first set of DSPAM headers are fake, created as part of the spam message to fool spam detection. The second set are generated by my DSPAM instance when I receive the message.
I tried to reclassify the message as spam by bouncing it to my spam-foo@domain address, which pipes it trhough dspamc --class=spam --source=error. But reclassification failed because it took the signature from the first X-DSPAM-Signature header, couldn't find it in my user database, and gave up. If it had continued looking for the signature instead of giving up, it would have found the second, valid signature and succeeded at reclassifying the message.
Thank you for clarification. Now I understand.
Typically you would configure your MTA to remove or rename the untrusted headers before the message reaches DSPAM. It depends on the way you built your mail stack, but I use this in postfix:
main.cf:
header_checks = pcre:/etc/postfix/header_checks.pcre
header_checks.pcre:
# Rename headers of incoming messages that might interfere with our own setup.
/^X-(DSPAM-.*): (.*)$/m REPLACE X-External-$1: $2
Renaming the headers is probably a good idea (I guess dspam will still treat them as spam/notspam signals the same way even if they're under a different name), but I think it would still be a good idea for dspam to search the entire header set for the signature when retraining.
Stevan: you accepted the bug. Any updates on this?