Quinn Comendant
2014-10-20 12:26:45 UTC
I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo received headers that do not match the search pattern defined in check_for_forged_yahoo_received_headers(). I'm using SpamAssassin 3.3.2 with latest rules as per `sa-update` rule channels `sought.rules.yerp.org` and `updates.spamassassin.org`.
The spamassassin rule that is firing:
* 1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
The received-by header in question:
Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203)
Full mail headers available at https://cloudup.com/cbmG8tJF71k
And finally here's the `check_for_forged_yahoo_received_headers` function that parses this, which doesn't contain the correct regex for this hostname:
sub check_for_forged_yahoo_received_headers {
  my ($self, $pms) = @_;

  my $from = $pms->get('From:addr');
  if ($from !~ /\byahoo\.com$/i) { return 0; }

  my $rcvd = $pms->get('Received');

  if ($pms->get("Resent-From") ne '' && $pms->get("Resent-To") ne '') {
    my $xrcvd = $pms->get("X-Received");
    $rcvd = $xrcvd if $xrcvd ne '';
  }
  $rcvd =~ s/\s+/ /gs;  # just spaces, simplify the regexp

  # not sure about this
  #if ($rcvd !~ /from \S*yahoo\.com/) { return 0; }

  if ($self->gated_through_received_hdr_remover($pms)) { return 0; }

  # bug 3740: ignore bounces from Yahoo!. only honoured if the
  # correct rDNS shows up in the trusted relay list, or first untrusted relay
  #
  # bug 4528: [ ip=68.142.202.54 rdns=mta122.mail.mud.yahoo.com
  # helo=mta122.mail.mud.yahoo.com by=eclectic.kluge.net ident=
  # envfrom= intl=0 id=49F2EAF13B auth= ]
  #
  if ($pms->{relays_trusted_str} =~ / rdns=\S+\.yahoo\.com /
      || $pms->{relays_untrusted_str} =~ /^[^\]]+ rdns=\S+\.yahoo\.com /)
  { return 0; }

  if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; }
  if ($rcvd =~ /by smtp\S+\.yahoo\.com with SMTP/) { return 0; }
  my $IP_ADDRESS = IP_ADDRESS;
  if ($rcvd =~
      /from \[$IP_ADDRESS\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/) {
    return 0;
  }

  # used in "forward this news item to a friend" links. There's no better
  # received hdrs to match on, unfortunately. I'm not sure if the next test is
  # still useful, as a result.
  #
  # search for msgid <***@xent.com>, subject "Yahoo!
  # News Story - Top Stories", date Sep 29 2002 on
  # <http://xent.com/pipermail/fork/> for an example.
  #
  if ($rcvd =~ /\bmailer\d+\.bulk\.scd\.yahoo\.com\b/
      && $from =~ /\@reply\.yahoo\.com$/i) { return 0; }

  if ($rcvd =~ /by \w+\.\w+\.yahoo\.com \(\d+\.\d+\.\d+\/\d+\.\d+\.\d+\)(?: with ESMTP)? id \w+/) {
    # possibly sent from "mail this story to a friend"
    return 0;
  }

  return 1;
}
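The script below is an added example, not part of the bug report and not SpamAssassin code. It replays the Received-header exemption regexes from check_for_forged_yahoo_received_headers() as a standalone Perl program, runs them against the header quoted in the report and against a constructed contrast header, and prints which exemption clause (if any) would suppress FORGED_YAHOO_RCVD. Two assumptions: SpamAssassin's IP_ADDRESS constant is replaced by an IPv4-only stand-in, and the two relays_*_str rDNS checks are left out because they need SpamAssassin's parsed relay list rather than the raw header text (the quoted hop reads "from unknown", i.e. the receiving MTA recorded no reverse-DNS name, so it is assumed here that those checks would have nothing to match either).

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from SpamAssassin): replays the
# Received-text exemptions of check_for_forged_yahoo_received_headers() so
# you can see which clause, if any, would suppress FORGED_YAHOO_RCVD.
use strict;
use warnings;

# Assumption: SpamAssassin's IP_ADDRESS matches IPv4 and IPv6; an IPv4-only
# stand-in is enough for the headers exercised here.
my $IP_ADDRESS = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# Exemption clauses copied from the function in the report, in the same
# order, each paired with a label. The relays_trusted_str/relays_untrusted_str
# rDNS checks are omitted: they operate on SA's parsed relay list, not on
# the raw header text.
my @exemptions = (
    [ 'webmail via HTTP',
      qr/by web\S+\.mail\S*\.yahoo\.com via HTTP/ ],
    [ 'smtp with SMTP',
      qr/by smtp\S+\.yahoo\.com with SMTP/ ],
    [ 'groups NNFMP',
      qr/from \[$IP_ADDRESS\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/ ],
    [ 'mail-this-story',
      qr/by \w+\.\w+\.yahoo\.com \(\d+\.\d+\.\d+\/\d+\.\d+\.\d+\)(?: with ESMTP)? id \w+/ ],
);

# Returns the label of the first exemption that matches the Received text,
# or undef if none does (then the function returns 1 and the rule fires,
# provided the From: address ends in yahoo.com).
sub first_matching_exemption {
    my ($received) = @_;
    $received =~ s/\s+/ /gs;   # same whitespace normalisation as the function
    for my $e (@exemptions) {
        my ($label, $re) = @$e;
        return $label if $received =~ $re;
    }
    return undef;
}

# Header quoted in the report.
my $reported = 'Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203)';

# Constructed contrast header shaped like the "by smtp... with SMTP" clause;
# not a real message.
my $contrast = 'Received: from [192.0.2.10] by smtp101.mail.bf1.yahoo.com with SMTP; 20 Oct 2014 12:00:00 -0000';

for my $hdr ($reported, $contrast) {
    my $hit = first_matching_exemption($hdr);
    printf "%-70s => %s\n", substr($hdr, 0, 70),
        defined $hit ? "exempt ($hit)" : "no exemption matched; FORGED_YAHOO_RCVD fires";
}
```

Paste your own Received lines into the loop to see whether any existing clause covers them; the reported header contains no "by ...yahoo.com" hop at all, only a HELO name inside parentheses, which is why none of the text-based exemptions can match it.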