Migrate from GitHub to SourceForge with this tool. Check out all of SourceForge's recent improvements.
Close

#161 False DSPAM headers confuse dspamc retraining

v3.10.x
open
None
5
2014-01-02
2013-02-01
No

I just received a spam email which included its own DSPAM headers (imitation is the sincerest form of flattery!), including:
X-DSPAM-Signature: 1,510c1e2526783905217225

The message also had legitimate DSPAM headers added by my dspam at the very end of the headers, but when I sent the message to dspamc for retraining, it errored out at the bogus header:
Feb 1 12:07:41 xxx dspam[xxx]: Signature retrieval for '1,510c1e2526783905217225' failed
Feb 1 12:07:41 xxx dspam[xxx]: Unable to find a valid signature. Aborting.

Perhaps dspam should keep looking if lookup fails, instead of giving up immediately?

Walking the headers backwards would also work for me since dspam's are at the end, but I could see that breaking with more complicated email flows that might involve passing through more than one dspam instance.

Discussion

  • Stevan Bajic

    Stevan Bajic - 2013-02-01
    • assigned_to: nobody --> sbajic
     
  • Stevan Bajic

    Stevan Bajic - 2013-02-01

    Hello Brendan, I don't understand what the problem is? Can you please rephrase your problem? How did you pass that message to dspamc for retraining?

     
  • Brendan Cully

    Brendan Cully - 2013-02-01

    I received a message that already had a set of DSPAM headers (generated to fool spam filters, presumably). When my dspam received it, it misclassified it as innocent and added its own second set of DSPAM headers:

    From: ...
    Subject: ...
    Received...
    X-DSPAM-Signature: bogussig
    ...
    Received...
    X-DSPAM-Result: Innocent
    X-DSPAM-Signature: goodsig

    The first set of DSPAM headers are fake, created as part of the spam message to fool spam detection. The second set are generated by my DSPAM instance when I receive the message.

    I tried to reclassify the message as spam by bouncing it to my spam-foo@domain address, which pipes it trhough dspamc --class=spam --source=error. But reclassification failed because it took the signature from the first X-DSPAM-Signature header, couldn't find it in my user database, and gave up. If it had continued looking for the signature instead of giving up, it would have found the second, valid signature and succeeded at reclassifying the message.

     
  • Stevan Bajic

    Stevan Bajic - 2013-02-01

    Thank you for clarification. Now I understand.

     
  • Tom Hendrikx

    Tom Hendrikx - 2013-02-01

    Typically you would configure your MTA to remove or rename the untrusted headers before the message reaches DSPAM. It depends on the way you built your mail stack, but I use this in postfix:

    main.cf:
    header_checks = pcre:/etc/postfix/header_checks.pcre

    header_checks.pcre:
    # Rename headers of incoming messages that might interfere with our own setup.
    /^X-(DSPAM-.*): (.*)$/m REPLACE X-External-$1: $2

     
  • Brendan Cully

    Brendan Cully - 2013-02-01

    Renaming the headers is probably a good idea (I guess dspam will still treat them as spam/notspam signals the same way even if they're under a different name), but I think it would still be a good idea for dspam to search the entire header set for the signature when retraining.

     
  • Tom Hendrikx

    Tom Hendrikx - 2014-01-02

    Stevan: you accepted the bug. Any updates on this?

     

Log in to post a comment.