Anti-spear-phishing, round 2

Mark Sapiro mark at msapiro.net
Fri Jan 9 16:18:40 GMT 2009


On Fri, Jan 09, 2009 at 10:50:58AM +0000, Julian Field wrote:
> 
> 
> On 8/1/09 22:38, Mark Sapiro wrote:
> >On Thu, Jan 08, 2009 at 02:57:43PM -0500, Gottschalk, David wrote:
> >   
> >>I'm running MailScanner version 4.60.8.
> >>
> >>Am I running too old of a version?
> >>     
> >
> >
> >It's too old for the _TO_ replacement in the header action.
> >That requires 4.74.9 minimum.
> >
> >Also, the unknown _TO_ replacement will cause the entire action to be
> >ignored.
> >   
> No it won't. It just won't be replaced with the list of recipients. 
> What's breaking it is your version may well be too old to have 
> SpamAssassin Rule Actions at all! :)


I have the following in MailScanner.conf

SpamAssassin Rule Actions = %rules-dir%/spamassassin_rule_actions.rules
Log SpamAssassin Rule Actions = yes

and in spamassassin_rule_actions.rules I have as the default

X_GPC_PHISHING_ADDRESS=>store,not-deliver,forward msapiro+phish at sbh16.songbird.com,header "X-GPC-Phishing-Address: to was _TO_"

With 4.74.7, I got the following in maillog

Jan  2 14:14:52 sbh16 MailScanner[12869]: Message CC97F6900C2.88120 produced illegal Non-Spam Actions ""X-GPC-Phishing-Address:  to was _TO_"", so message is being delivered

Although the message was stored and forwarded, these actions weren't logged,
and the message was delivered to the original recipient in spite of the
not-deliver action.

With 4.74.11, I got

Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action store in message C9B356900C2.1CAB1
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action not-deliver in message C9B356900C2.1CAB1
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action forward msapiro+phish at sbh16.songbird.com in message C9B356900C2.1CAB1
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action header "X-GPC-Phishing-Address: was to _TO_" in message C9B356900C2.1CAB1

So, it appears that while _TO_ didn't break the actions completely in 4.74.7,
it did break more than just the non-replacement of _TO_.

-- 
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
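
Added example (not part of the message above and not MailScanner code): a small maillog check that compares the actions configured for a rule with the "caused action" lines actually logged, and flags messages whose action list was rejected and delivered anyway. The function names are hypothetical, actions are matched by their first keyword only, and an "illegal ... Actions" line is assumed to belong to the rule being audited because the log line does not name one.

```python
import re
from collections import defaultdict

# Rule line and maillog lines copied from the message above, as the archive shows them.
RULE = ('X_GPC_PHISHING_ADDRESS=>store,not-deliver,'
        'forward msapiro+phish at sbh16.songbird.com,'
        'header "X-GPC-Phishing-Address: to was _TO_"')
LOG = '''\
Jan  2 14:14:52 sbh16 MailScanner[12869]: Message CC97F6900C2.88120 produced illegal Non-Spam Actions ""X-GPC-Phishing-Address:  to was _TO_"", so message is being delivered
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action store in message C9B356900C2.1CAB1
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action not-deliver in message C9B356900C2.1CAB1
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action forward msapiro+phish at sbh16.songbird.com in message C9B356900C2.1CAB1
Jan  2 14:39:43 sbh16 MailScanner[19427]: SpamAssassin Rule Actions: rule x_gpc_phishing_address caused action header "X-GPC-Phishing-Address: was to _TO_" in message C9B356900C2.1CAB1
'''.splitlines()

CAUSED = re.compile(r'MailScanner\[\d+\]: SpamAssassin Rule Actions: rule (\S+) '
                    r'caused action (\S+).* in message (\S+)\s*$')
ILLEGAL = re.compile(r'MailScanner\[\d+\]: Message (\S+) produced illegal .* Actions '
                     r'.*so message is being delivered')

def configured_actions(rule_line):
    """Return (lower-cased rule name, action keywords); quoted commas do not split."""
    name, actions = rule_line.split('=>', 1)
    parts = re.findall(r'(?:[^,"]|"[^"]*")+', actions)
    return name.strip().lower(), [p.split()[0] for p in parts]

def audit(rule_line, log_lines):
    """Per message ID: configured actions never logged, and whether the action
    list was rejected so the message was delivered despite not-deliver."""
    rule, wanted = configured_actions(rule_line)
    logged, rejected = defaultdict(list), set()
    for line in log_lines:
        m = CAUSED.search(line)
        if m and m.group(1).lower() == rule:   # the log lower-cases rule names
            logged[m.group(3)].append(m.group(2))
            continue
        m = ILLEGAL.search(line)
        if m:                                  # assumption: caused by this rule
            rejected.add(m.group(1))
    return {msg: {'missing': [a for a in wanted if a not in logged[msg]],
                  'delivered_despite_not_deliver':
                      msg in rejected and 'not-deliver' in wanted}
            for msg in sorted(set(logged) | rejected)}

if __name__ == '__main__':
    for msg, result in audit(RULE, LOG).items():
        print(msg, result)
```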
