Bug 5198 - RCVD_FORGED_WROTE doesn't match when it should
Summary: RCVD_FORGED_WROTE doesn't match when it should
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.1.7
Hardware: Other other
Importance: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-20 09:25 UTC by Tony Finch
Modified: 2018-01-30 03:29 UTC
CC: 2 users

Attachments:
  example with new forged received line (text/plain), submitted by Tony Finch [HasCLA]

Description Tony Finch 2006-11-20 09:25:52 UTC
Received: from 69.80.208.30 (HELO mail.boscodog.com)
     by dotat.at with esmtp (.).2),I8R07 >/-3)
     id 01(4K<-<K864B-G7
     for dot@dotat.at; Mon, 20 Nov 2006 16:48:11 +0180

This doesn't match because of the [A-Z0-9] at the end of RCVD_FORGED_WROTE.

I suggest

header RCVD_FORGED_WROTE    Received =~ /from [0-9.]+ \(HELO \S+[a-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
Comment 1 Justin Mason 2006-11-20 12:34:54 UTC
thanks, that's in as RCVD_FORGED_WROTE2 for testing.
Comment 2 Tony Finch 2006-11-22 07:45:49 UTC
I've just seen another variant of this forged Received: line, so I suggest

header RCVD_FORGED_WROTE3    Received =~ /from \[[0-9.]+\] \(port=\d+ helo=\S+[a-z]+\) by (\S+) with asmtp id \S{6}-\S{6}-\S\S for \S+@\1;/s

(seems to be a bit closer to exim's layout, but still faked)
Comment 3 Tony Finch 2006-11-22 07:46:35 UTC
Created attachment 3755 [details]
example with new forged received line
Comment 4 Tony Finch 2006-11-22 11:03:26 UTC
hmm, looks like we get occasional capitalized hostnames too

header RCVD_FORGED_WROTE    Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s

header RCVD_FORGED_WROTE3    Received =~ /from \[[0-9.]+\] \(port=\d+ helo=\S+[A-Za-z]+\) by (\S+) with asmtp id \S{6}-\S{6}-\S\S for \S+@\1;/s
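Added example, not part of the bug report or of SpamAssassin's own code: the two rule bodies from comment 4 applied in Python to the Received: line quoted in the description, after unfolding the header the way a mail parser does. The unfolding helper, the second (asmtp-style) sample and the legitimate-looking control line are constructed here; the real attachment is not reproduced.

```python
import re

# Rule bodies copied from comment 4 above. Perl's /s flag only affects ".",
# which neither pattern uses, so the plain Python patterns are equivalent.
RULES = {
    "RCVD_FORGED_WROTE": re.compile(
        r"from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\)"
        r" id \S{6}-\S{6}-\S\S for \S+@\1;"
    ),
    "RCVD_FORGED_WROTE3": re.compile(
        r"from \[[0-9.]+\] \(port=\d+ helo=\S+[A-Za-z]+\) by (\S+) with asmtp"
        r" id \S{6}-\S{6}-\S\S for \S+@\1;"
    ),
}


def unfold_header(raw: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line.

    Trailing blanks, the line break and the continuation indent collapse to
    one space, so "...com)  \n     by dotat.at" becomes "...com) by dotat.at",
    which is the form the rules test (constructed helper, not SA's code).
    """
    return re.sub(r"[ \t]*\r?\n[ \t]+", " ", raw.strip())


def forged_wrote_rules(received: str) -> list[str]:
    """Return the names of the rules above that fire on one Received: header."""
    body = unfold_header(received)
    if body.lower().startswith("received:"):
        body = body.split(":", 1)[1].lstrip()
    return [name for name, rx in RULES.items() if rx.search(body)]


# Sample from the bug description; the odd esmtp/id tokens and the +0180
# offset are part of the forgery as reported, not typos.
DESCRIPTION_SAMPLE = (
    "Received: from 69.80.208.30 (HELO mail.boscodog.com)\n"
    "     by dotat.at with esmtp (.).2),I8R07 >/-3)\n"
    "     id 01(4K<-<K864B-G7\n"
    "     for dot@dotat.at; Mon, 20 Nov 2006 16:48:11 +0180\n"
)

# Constructed sample shaped like the variant in comment 2 (not the attachment).
VARIANT_SAMPLE = (
    "Received: from [192.0.2.10] (port=2525 helo=mail.example.com)\n"
    "\tby example.net with asmtp id ABCDEF-GHIJKL-MN\n"
    "\tfor user@example.net; Wed, 22 Nov 2006 07:45:00 +0000\n"
)

if __name__ == "__main__":
    for sample in (DESCRIPTION_SAMPLE, VARIANT_SAMPLE):
        print(forged_wrote_rules(sample))
```

The description's line fires only RCVD_FORGED_WROTE because its HELO name ends in lowercase letters, which the `[A-Za-z]+` tail accepts; the `\1` backreference also ties the `for` address's domain to the `by` host, which a genuine relay header rarely repeats that way.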
Comment 5 Giovanni Bechis 2018-01-29 08:29:09 UTC
Committed in r502645 (2007-02-02), can this bz be closed?
Comment 6 Bill Cole 2018-01-30 03:29:49 UTC
Fixed a decade ago.