duplicate subject lines in headers (again)

Mark Sapiro mark at msapiro.net
Sun Nov 13 20:56:37 UTC 2016 

On 11/13/2016 12:36 PM, Warwick Brown wrote:
> 
> Nice and quick test.....not the answer you were hoping for though:


But good information.


> 018  X-Spam-Status: No
> 076  X-MyOrg-MailScanner-Watermark: 1479672988.91017 at AfSF0dfSQNo9m+YscRQWqA
> 033  Subject: Has two trailing spaces
> 048  X-MyOrg-MailScanner-From: me at externaldomain.com
> 038  X-MyOrg-MailScanner-SpamScore: 4
> 204  X-MyOrg-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.107,
>         required 6, ALL_TRUSTED -1.00, INVALID_MSGID 1.17, MISSING_DATE 1.40,
>         MISSING_FROM 1.00, MISSING_HEADERS 1.21, MSGID_SHORT 0.34)
> 044  X-MyOrg-MailScanner: Found to be clean
> 046  X-MyOrg-MailScanner-ID: 1c61C4-0001vp-58
> 096  X-MyOrg-MailScanner-Information: Please report any suspicious emails to phishing at myorg.com
> 253P Received: from [10.11.12.13] (port=57525 helo=moo)
>         by smtp.myorg.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
>         (Exim 4.86)
>         (envelope-from <me at externaldomain.com>)
>         id 1c61C4-0001vp-58
>         for warwick at myorg.com; Sun, 13 Nov 2016 20:16:28 +0000
> 024I Message-ID: Faked-By-Me
> 035  Subject: Has two trailing spaces
> 
> I checked the file in vi and the subject on the bottom line definitely has the trailing spaces.


So it is definitely a MailScanner issue, but it was supposed to be fixed
a long time ago.

Look at
<https://github.com/MailScanner/v4/blob/master/mailscanner/bin/MailScanner/Exim.pm>.
At line 845 is the DeleteHeader subroutine.

The previous issue was that lines 863 and 864 used to be

    next if !$usingregexp &&
            lc($metadata->{headers}[$hdrnum]{name}) ne lc $key;

instead of

    next if !$usingregexp &&
            lc(quotemeta($metadata->{headers}[$hdrnum]{name})) ne lc $key;


This is the fix that Jules referred to at
<http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093266.html>.

Compare that routine to the one in your MailScanner/Exim.pm and see if
you are missing the 'quotemeta' or if there are other differences.

...
> So I'm afraid it does look like MailScanner rather than exim....

Yes, I think so.

> do we need to dig down into perl modules?

I don't think so. I think it's in that DeleteHeader routine, so let's
look at your version.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list