Bug 1446 - Security violation reported by sendmail
Summary: Security violation reported by sendmail
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: spamc/spamd
Version: SVN Trunk (Latest Devel Version)
Hardware: PC Linux
Importance: P4 minor
Target Milestone: ---
Assignee: SpamAssassin Developer Mailing List
Duplicates: 1660
Reported: 2003-02-04 08:45 UTC by Harris Landgarten
Modified: 2003-03-20 00:08 UTC
Description Harris Landgarten 2003-02-04 08:45:11 UTC
Sendmail logs the following on every email received after spamd check:

Feb  4 11:41:46 d8100 sendmail[3599]: h14Gfh0t003599: POSSIBLE ATTACK from
XXXXXXXXXXXX: newline in string " X-Spam-Checker-Version: SpamAssassin 2.50-cvs
(1.167-2003-02-03-exp)"
Comment 1 Theo Van Dinter 2003-02-04 08:56:44 UTC
Subject: Re: [SAdev]  New: Security violation reported by sendmail

On Tue, Feb 04, 2003 at 08:45:11AM -0800, bugzilla-daemon@hughes-family.org wrote:
> Feb  4 11:41:46 d8100 sendmail[3599]: h14Gfh0t003599: POSSIBLE ATTACK from
> XXXXXXXXXXXX: newline in string " X-Spam-Checker-Version: SpamAssassin 2.50-cvs
> (1.167-2003-02-03-exp)"

So it looks like this is running via a milter?

Comment 2 Harris Landgarten 2003-02-04 09:14:30 UTC
Subject: Re:  Security violation reported by sendmail

Yes, it is running via spamass-milter

Comment 3 Theo Van Dinter 2003-02-04 13:12:54 UTC
Subject: Re: [SAdev]  Security violation reported by sendmail

On Tue, Feb 04, 2003 at 09:14:30AM -0800, bugzilla-daemon@hughes-family.org wrote:
> Yes, it is running via spamass-milter
> > > Feb  4 11:41:46 d8100 sendmail[3599]: h14Gfh0t003599: POSSIBLE ATTACK from
> > > XXXXXXXXXXXX: newline in string " X-Spam-Checker-Version: SpamAssassin 2.50-cvs
> > > (1.167-2003-02-03-exp)"

Hmmm.  I can't see anything wrong with the output, just a standard
header...  I also can't find info in sendmail as to what that error
refers to...  So what if there's a newline in the header?  It's at the
end, it's supposed to be there.

Perhaps a bug with the milter?

Comment 4 Harris Landgarten 2003-02-04 14:33:35 UTC
Subject: Re:  Security violation reported by sendmail

This behavior started with the install of today's CVS over the 1-15-03
CVS so I doubt it is the milter but anything is possible. I have also
confirmed that it is not happening on every email so I am sending you as
much detail as I can regarding a sample that triggers this behavior so
that hopefully you can reproduce it. The following is the complete
mail.log entry for the email I am attaching. Let me know if you need
anything else.

Harris

Feb  4 17:20:04 d8100 sendmail[11514]: h14MK4Ck011514: from=<afterthebell-text_a-return-595-harrisl=lhjonline.com@mail.marketwatchmail.com>, size=7716, class=0, nrcpts=1, msgid=<200302042220.h14MK4Ck011514@d8100.landgarten.local>, proto=SMTP, daemon=MTA, relay=q3.marketwatchmail.com [206.146.143.88]
Feb  4 17:20:04 d8100 spamc[11516]: dbg: connect() to spamd at 127.0.0.1
Feb  4 17:20:05 d8100 spamd[3320]: connection from localhost.localdomain [127.0.0.1] at port 36416
Feb  4 17:20:05 d8100 spamd[11517]: info: setuid to root succeeded
Feb  4 17:20:05 d8100 spamd[11517]: Still running as root: user not specified with -u, not found, or set to root.  Fall back to nobody.
Feb  4 17:20:05 d8100 spamd[11517]: processing message (unknown) for root:99.
Feb  4 17:20:11 d8100 spamd[11517]: clean message (-4.3/5.0) for root:99 in 6.6 seconds, 7900 bytes.
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add: header: X-Spam-Status: No, hits=-4.3 required=5.0\n\ttests=BAYES_01,CLICK_BELOW,INVALID_DATE,LINES_OF_YELLING,\n\t      LINES_OF_YELLING_2,LINES_OF_YELLING_3,MISSING_MIMEOLE,\n\t      MISSING_OUTLOOK_NAME,MSGID_HAS_NO_AT,OPT_IN,\n\t      RAZOR2_CF_RANGE_21_30,RAZOR2_CHECK,RCVD_IN_BONDEDSENDER,\n\t      US_DOLLARS_2\n\tversion=2.50-cvs
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add: header: X-Spam-Level: \nX-Spam-Checker-Version: SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add: header: X-Spam-Checker-Version: SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: POSSIBLE ATTACK from q3.marketwatchmail.com: newline in string " X-Spam-Checker-Version: SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)"
Feb  4 17:20:11 d8100 sendmail[11519]: h14MK4Ck011514: to=<harrisl@lhjonline.com>, delay=00:00:07, xdelay=00:00:00, mailer=cyrus, pri=31059, relay=localhost, dsn=2.0.0, stat=Sent

Comment 5 Theo Van Dinter 2003-02-04 15:06:47 UTC
Subject: Re: [SAdev]  Security violation reported by sendmail

On Tue, Feb 04, 2003 at 02:33:35PM -0800, bugzilla-daemon@hughes-family.org wrote:
> This behavior started with the install of today's CVS over the 1-15-03
> CVS so I doubt it is the milter but anything is possible. I have also

Well, the change in question is that X-Spam-Checker-Version is now added
to every message instead of just spam.

> Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add:
> header: X-Spam-Status: No, hits=-4.3
> required=5.0\n\ttests=BAYES_01,CLICK_BELOW,INVALID_DATE,LINES_OF_YELLING,\n\t      LINES_OF_YELLING_2,LINES_OF_YELLING_3,MISSING_MIMEOLE,\n\t      MISSING_OUTLOOK_NAME,MSGID_HAS_NO_AT,OPT_IN,\n\t      RAZOR2_CF_RANGE_21_30,RAZOR2_CHECK,RCVD_IN_BONDEDSENDER,\n\t      US_DOLLARS_2\n\tversion=2.50-cvs
> Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add:
> header: X-Spam-Level: \nX-Spam-Checker-Version: SpamAssassin 2.50-cvs
> (1.167-2003-02-03-exp)
> Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add:
> header: X-Spam-Checker-Version: SpamAssassin 2.50-cvs
> (1.167-2003-02-03-exp)
> Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: POSSIBLE ATTACK
> from q3.marketwatchmail.com: newline in string " X-Spam-Checker-Version:
> SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)"

Hmmm.  So the headers get added, but X-Spam-Checker-Version seems to
get added twice for you, once with a \n at the front, and the second
looks normal.  Hmmm, not sure why it's added twice, it's only added once
in the code...

Comment 6 Harris Landgarten 2003-02-04 15:11:16 UTC
Subject: Re:  Security violation reported by sendmail

I found what is causing the problem.

If the number of hits is a positive number then the X-SPAM-LEVEL: *****
header is inserted properly. However if the number of hits is negative
the following is inserted:

X-Spam-Level: \nX-Spam-Checker-Version: SpamAssassin 2.50-cvs
(1.167-2003-02-03-exp)

and sendmail thinks the embedded \n is a possible attack. In the prior
2.50 CVS I was running, if the number of hits was negative the
X-SPAM-LEVEL header was not added.

Harris


Comment 7 Theo Van Dinter 2003-02-04 15:32:15 UTC
Subject: Re: [SAdev]  Security violation reported by sendmail

On Tue, Feb 04, 2003 at 03:11:17PM -0800, bugzilla-daemon@hughes-family.org wrote:
> I found what is causing the problem.

:)

> header is inserted properly. However if the number of hits is negative
> the following is inserted:
> 
> X-Spam-Level: \nX-Spam-Checker-Version: SpamAssassin 2.50-cvs
> (1.167-2003-02-03-exp)
> 
> and sendmail thinks the embedded \n is a possible attack. In the prior
> 2.50 CVS I was running, if the number of hits was negative the
> X-SPAM-LEVEL header was not added.

Hmmm again.  Can't reproduce this.  Perhaps the milter sees the empty
header addition is invalid and grabs the next line too?
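
Added example, not part of the original thread and not code from SpamAssassin, spamass-milter or sendmail: a check that replays three "Milter add" entries from the mail.log in comment 4 and separates RFC 5322 folding (newline followed by space or tab, as in X-Spam-Status) from a newline that starts a second header field, which is the pattern in the flagged X-Spam-Level value. The function names and the unescaping of the logged \n and \t sequences are assumptions of this example.

```python
import re

# Three "Milter add" entries from the mail.log in comment 4 of this thread
# (mail wrapping rejoined, tests= list shortened). "\n" and "\t" are the
# two-character escapes as sendmail logged them, hence the raw string.
SAMPLE_LOG = r"""
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add: header: X-Spam-Status: No, hits=-4.3 required=5.0\n\ttests=BAYES_01,CLICK_BELOW\n\tversion=2.50-cvs
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add: header: X-Spam-Level: \nX-Spam-Checker-Version: SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)
Feb  4 17:20:11 d8100 sendmail[11514]: h14MK4Ck011514: Milter add: header: X-Spam-Checker-Version: SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)
"""

MILTER_ADD = re.compile(
    r"(?P<qid>\w+): Milter add: header: (?P<name>[^:\s]+): ?(?P<value>.*)$")
FIELD_START = re.compile(r"([!-9;-~]+):")  # printable-ASCII field name, then colon


def check_header_value(value):
    """Return a list of problems; an empty list means one well-formed header value."""
    problems = []
    if not value.strip():
        problems.append("empty value")
    for m in re.finditer(r"\r?\n", value):
        rest = value[m.end():]
        if rest[:1] in (" ", "\t"):
            continue  # newline + space/tab is ordinary header folding
        problems.append(f"bare newline at offset {m.start()}")
        field = FIELD_START.match(rest)
        if field:  # the text after the newline parses as another header field
            problems.append(f"embedded field {field.group(1)}")
    return problems


def audit(log_text):
    """Return (queue id, header name, problems) for every 'Milter add' entry."""
    findings = []
    for line in log_text.splitlines():
        m = MILTER_ADD.search(line)
        if not m:
            continue
        # Assumption: undo the log escaping to recover the value the milter sent.
        value = m.group("value").replace("\\n", "\n").replace("\\t", "\t")
        findings.append((m.group("qid"), m.group("name"), check_header_value(value)))
    return findings


if __name__ == "__main__":
    for qid, name, problems in audit(SAMPLE_LOG):
        print(qid, name, "; ".join(problems) if problems else "OK")
```

Running the same check on a value before it is handed to the MTA lets a filter drop or repair the header instead of leaving the MTA to log it.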

Comment 8 Harris Landgarten 2003-02-04 15:56:23 UTC
Subject: Re:  Security violation reported by sendmail

Problem is fixed. I upgraded spamass-milter from 1.2 to 1.3a and now
X-SPAM-LEVEL is not being added for negative hits. There is some mention
in the milter change.log about fixed duplicate header problems. You
should add to your installation docs that spamass-milter users should
upgrade to the latest. Thanks for the help.

Harris

Comment 9 Theo Van Dinter 2003-02-04 16:02:11 UTC
:)  Glad to hear things are fixed now.
Comment 10 Theo Van Dinter 2003-03-20 09:08:21 UTC
*** Bug 1660 has been marked as a duplicate of this bug. ***