Bug 358 - New header rule for To: "john@doe.com" <john@doe.com>
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.20
Hardware: Other other
Importance: P3 enhancement
Target Milestone: ---
Assignee: Daniel Quinlan
Reported: 2002-05-28 17:57 UTC by anirvan
Modified: 2002-06-14 09:26 UTC
Description anirvan 2002-05-28 17:57:27 UTC
I've seen a couple of spam messages that have the complete email address used as 
the recipient's name. For example:

    To: "john@doe.com" <john@doe.com>

This is related to TO_LOCALPART_EQ_REAL, which catches

    To: "john" <john@doe.com>


I suggest something like the following:

    header TO_ADDRESS_EQ_REAL      To =~ /^\s*"([^"@]+\@[^"@]+)"\s+<\1>\s*$/
    describe TO_ADDRESS_EQ_REAL    To: repeats address as real name
Comment 1 Daniel Quinlan 2002-06-13 23:38:02 UTC
I'll look at this.  I think we might be able to use the same idea for From: too.
Comment 2 Daniel Quinlan 2002-06-13 23:39:28 UTC
changing owner to me
Comment 3 Malte S. Stretz 2002-06-14 07:49:43 UTC
That's probably not the best idea. Some version of Outlook (I think 98) 
produces froms like this in some cases. I don't know when (don't use Outlook) 
but it might be when you (using Outlook) receive a mail whose From has no 
real name (From: <john@doe.com>) and you add it to your address book.  
  
Hmmm... if somebody finds out which Outlook version does this, maybe this test 
could be triggered only if X-Mailer does not contain an Outlook signature. 
Comment 4 Malte S. Stretz 2002-06-14 07:51:09 UTC
errr... s/froms/tos/ in line 2 
Comment 5 Malte S. Stretz 2002-06-14 08:49:29 UTC
Ahhh. Got it. Seems like some Outlook/Exchange combination sometimes produces 
headers like this:  
| To: "'malte@stretz.net'" <malte@stretz.net> 
| X-Mailer: Internet Mail Service (5.5.2650.21) 
Comment 6 Daniel Quinlan 2002-06-14 11:09:36 UTC
I already checked to make sure the rule does not match these types of headers:

  To: "'malte@stretz.net'" <malte@stretz.net>

It doesn't (as you can tell by looking at the regular expression).

My non-spam "good.log" has 6037 emails in it.  I had only 7 false positives for
TO_ADDRESS_EQ_REAL and 1 for FROM_ADDRESS_EQ_REAL. It had very high accuracy.
There were 137 hits in my spam.log (1809 messages) for TO_ADDRESS_EQ_REAL and 29
hits for FROM_ADDRESS_EQ_REAL.

$ egrep -i TO_ADDRESS_EQ_REAL good.log|awk '{print $3}'|xargs egrep -ih X-Mailer
X-Mailer: VM 6.75 under Emacs 20.4.1
X-Mailer: VM 6.75 under Emacs 20.4.1
X-mailer: AspMail 3.03 (SMTP812B8F)
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.7-10 i686)
X-Mailer: Talisma Mail Component Version 2.5
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.9-31 i686)
X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.9-31 i686)

Not a major concern because I have hundreds of Mozilla 4.78 messages in
good.log, hundreds of VM 6.75 (that's me, actually). I only had one match
for Talisma and AspMail each, so maybe they always screw up, but even that
seems unlikely.

$ egrep -i FROM_ADDRESS_EQ_REAL good.log|awk '{print $3}'|xargs egrep -ih X-Mailer
X-Mailer: KMail [version 1.3.2]

Not a concern because I have 11 additional messages in good.log with that
exact version of KMail and none of those match.
Comment 7 Malte S. Stretz 2002-06-14 11:43:33 UTC
You're right. I didn't have a look at the RE, just remembered that there might 
be a problem. Your Mozilla hits are probably all from the same person. All in 
all this test looks very good I think. 
Comment 8 Daniel Quinlan 2002-06-14 17:26:56 UTC
applied to HEAD now that 2.30 branch is available
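
Added example, not part of the original bug thread or of SpamAssassin's code: the regular expression from the description, run with Python's re module as a stand-in for Perl, against constructed To: values that include the Exchange form from Comment 5. It goes slightly beyond the thread by also probing case differences and multi-recipient headers; the PARTS helper pattern, the sample values and the function names are assumptions made for illustration.

```python
import re

# Pattern copied verbatim from the rule proposed in the bug description.
RULE = re.compile(r'^\s*"([^"@]+\@[^"@]+)"\s+<\1>\s*$')

# Looser helper pattern (an assumption, used only to explain near misses).
PARTS = re.compile(r'^\s*"([^"]*)"\s*<([^<>]*)>\s*$')

# Constructed To: header values, header name already stripped.
SAMPLES = {
    "spam_form": '"john@doe.com" <john@doe.com>',
    "localpart_only": '"john" <john@doe.com>',
    "exchange_quoted": '"\'malte@stretz.net\'" <malte@stretz.net>',
    "case_differs": '"John@Doe.com" <john@doe.com>',
    "two_recipients": '"john@doe.com" <john@doe.com>, "jane@doe.com" <jane@doe.com>',
    "no_space": '"john@doe.com"<john@doe.com>',
    "bare_address": 'john@doe.com',
}

def rule_hits(value):
    """True when the proposed rule's regex matches the header value."""
    return RULE.search(value) is not None

def near_miss_reason(value):
    """Return 'hit', or which part of the regex rejected the value."""
    if rule_hits(value):
        return "hit"
    m = PARTS.match(value)
    if m is None:
        return "not a single quoted-name + <address> pair"
    name, addr = m.groups()
    if name == addr:
        return "no whitespace between name and <address>"
    if name.strip("'") == addr:
        # The backreference \1 captures the single quotes too, so
        # <\1> cannot equal the bare address in angle brackets.
        return "extra single quotes inside the display name"
    if name.lower() == addr.lower():
        return "name and address differ only in case"
    return "display name is not the address"

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:16} {near_miss_reason(value):45} To: {value}")
```
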