6305 – RATWARE_GECKO_BUILD has y2010 bug

Bug 6305 - RATWARE_GECKO_BUILD has y2010 bug

Summary: RATWARE_GECKO_BUILD has y2010 bug

Status:	RESOLVED FIXED

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	SVN Trunk (Latest Devel Version)
Hardware:	Other All

Importance:	P2 normal
Target Milestone:	3.3.1
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	6323
	Show dependency tree

Reported:	2010-01-25 16:35 UTC by John Gardiner Myers
Modified:	2010-02-05 15:18 UTC (History)
CC List:	6 users (show)

Attachment	Type	Actions	Submitter/CLA Status
Patch to defer bug for a decade	application/octet-stream	None	John Gardiner Myers
Patch to defer bug for three decades	patch	None	John Gardiner Myers
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Gardiner Myers 2010-01-25 16:35:06 UTC

Created attachment 4658 [details]
Patch to defer bug for a decade

RATWARE_GECKO_BUILD incorrectly fires on messages composed by the latest release of Thunderbird.

Comment 1 John Gardiner Myers 2010-01-25 17:09:50 UTC

Created attachment 4659 [details]
Patch to defer bug for three decades

On second thought, push this back until sometime after I retire.

Comment 2 Warren Togami 2010-01-25 19:14:18 UTC

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7) Gecko/20100120 Fedora/3.0.1-1.fc12 Thunderbird/3.0.1

My Thunderbird doesn't appear to be triggering this rule.

Comment 3 Adam Katz 2010-01-25 20:20:45 UTC

(In reply to comment #2)
> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7)
> Gecko/20100120 Fedora/3.0.1-1.fc12 Thunderbird/3.0.1
> 
> My Thunderbird doesn't appear to be triggering this rule.

Agreed.  I have SA 3.2.5 and Thunderbird 3.0.1 that also does not match ... despite that a raw run of perl matches it...

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100121 Lightning/1.0b1 Icedove/3.0.1

No mention of it in the debug output either, and I definitely have that rule.
http://ruleqa.spamassassin.org/?rule=RATWARE_GECKO_BUILD
Also doesn't hit the masscheck, either due to a bug or the fact that nobody forges this with a future date.  I suspect both.

Comment 4 Alex 2010-01-28 09:15:17 UTC

Mine does seem to trigger it (running from XP anyway, possibly also from Mac):

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20100111 Lightning/1.0b1 Thunderbird/3.0.1
X-Spam-Report: 1.7 RATWARE_GECKO_BUILD    Bulk email fingerprint (Gecko faked) found

Comment 5 Alex 2010-01-28 09:43:12 UTC

Incidentally, this is with 3.2.4. Is there any temporary fix for this issue? It could be a bit of a problem as my whole office use Thunderbird.

(In reply to comment #4)
> Mine does seem to trigger it (running from XP anyway, possibly also from Mac):
> 
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7)
> Gecko/20100111 Lightning/1.0b1 Thunderbird/3.0.1
> X-Spam-Report: 1.7 RATWARE_GECKO_BUILD    Bulk email fingerprint (Gecko faked)
> found

Comment 6 Alex 2010-01-29 08:32:36 UTC

Same for Mac, running OS X 10.5:

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-GB; rv:1.9.1.7) Gecko/20100111 Lightning/1.0b1 Thunderbird/3.0.1

X-Spam-Report: 1.7 RATWARE_GECKO_BUILD    Bulk email fingerprint (Gecko faked) found

Alex

Comment 7 Adam Katz 2010-01-29 11:52:09 UTC

This bug is twofold:

1.  The important part:  Fix the regex!
    This is easy and has a patch.
    +1 do it now.

2.  The tougher part:  figure out why this doesn't fire all the time.

Since it IS firing some of the time, let's knock out #1 ASAP and then deal with #2.

Comment 8 Kevin A. McGrail 2010-01-29 15:43:12 UTC

(In reply to comment #7)
> This bug is twofold:
> 
> 1.  The important part:  Fix the regex!
>     This is easy and has a patch.
>     +1 do it now.
> 
> 2.  The tougher part:  figure out why this doesn't fire all the time.
> 
> Since it IS firing some of the time, let's knock out #1 ASAP and then deal with
> #2.


I'm +1 on the very small fix and keeping the ticket open.

Comment 9 Sidney Markowitz 2010-01-30 05:26:36 UTC

I suspect that it is not differences in their t-bird user-agent causing some people to not see the rule triggered, but differences in the perl they are running. I'm seeing the rule not being triggered to and I did the following experiment.

I created a test message with the following line both in the headers and again in the body:

User-Agent: Gecko/20100111 Lightning

I then added the following to local.cf:

header TEST_GB1 User-Agent =~ /Gecko\/(?!200\d\d\d\d\d)\d/
describe TEST_GB1       Test header 1
score TEST_GB1 1.0

header TEST_GB2 User-Agent =~ /Gecko\/(?!200\d\d\d\d\d)[0-9]/
describe TEST_GB2       Test header 2
score TEST_GB2 1.0

header TEST_GB3 User-Agent =~ /Gecko\/(?!200\d\d\d\d\d)(\d)/
describe TEST_GB3       Test header 3
score TEST_GB3 1.0

rawbody TEST_GB4        /User-Agent: Gecko\/(?!200\d\d\d\d\d)\d/
describe TEST_GB4       Test rawbody
score TEST_GB4 1.0

body TEST_GB5   /User-Agent: Gecko\/(?!200\d\d\d\d\d)\d/
describe TEST_GB5       Test body
score TEST_GB5 1.0

I then ran spamassassin -t -L on the message and the result was that TEST_GB1 did not hit and all the others did.

I can't explain the results, but notice that the problem only occurs in a header rule and that it goes away if you change the final \d into either [0-9] or into (\d)

Any ideas about how this can be true? BTW, I'm running perl 5.8.9 from MacPorts under Mac OS 10.6.2

Comment 10 Sidney Markowitz 2010-01-30 15:25:20 UTC

After all sorts of debugging I finally tracked down the reason while the rule did not fire with the pattern /Gecko\/(?!200\d\d\d\d\d)\d/ on my machine.

First of all, my local.cf test rule TEST_GB1 was removed by duplicate rule detection

[35591] dbg: rules: RATWARE_GECKO_BUILD merged duplicates: TEST_GB1

So I was still only looking at RATWARE_GECKO_BUILD

Second, notice this line in 3.003000/updates_spamassassin_org/50_scores.cf

score RATWARE_GECKO_BUILD 0 # n=0 n=1 n=2 n=3

That seems to explain it :) When I set the score to 1 in local.cf the rule fires fine. I think we can put that problem to bed.

+1 on the proposed fix

Comment 11 Kevin A. McGrail 2010-01-31 06:22:08 UTC

(In reply to comment #10)
> After all sorts of debugging I finally tracked down the reason while the rule
> did not fire with the pattern /Gecko\/(?!200\d\d\d\d\d)\d/ on my machine.
> 
> First of all, my local.cf test rule TEST_GB1 was removed by duplicate rule
> detection
> 
> [35591] dbg: rules: RATWARE_GECKO_BUILD merged duplicates: TEST_GB1
> 
> So I was still only looking at RATWARE_GECKO_BUILD
> 
> Second, notice this line in 3.003000/updates_spamassassin_org/50_scores.cf
> 
> score RATWARE_GECKO_BUILD 0 # n=0 n=1 n=2 n=3
> 
> That seems to explain it :) When I set the score to 1 in local.cf the rule
> fires fine. I think we can put that problem to bed.
> 
> +1 on the proposed fix

The proposed patch doesn't fix the score issue.  Are you proposing a patch to a score of 1 AND the attached gecko.diff?  If so, I'm +1.

Comment 12 Sidney Markowitz 2010-01-31 10:45:50 UTC

(in reply to comment #11)

I just assumed that somebody pushed a score 0 out to updates while we dealt with the false positives that this y2k10 bug was generating. If that didn't happen, why is the rule there with a score of 0? What score is it supposed to be set at?

Comment 13 Justin Mason 2010-02-01 02:57:57 UTC

(In reply to comment #12)
> (in reply to comment #11)
> 
> I just assumed that somebody pushed a score 0 out to updates while we dealt
> with the false positives that this y2k10 bug was generating. If that didn't
> happen, why is the rule there with a score of 0? What score is it supposed to
> be set at?

fwiw, it's zeroed in trunk:

: 41...; ./spamassassin -Lt < tst | grep -C2 X-Spam-Status
        jmason.ubuntu.amazon.com
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=T_FSL_HELO_NON_FQDN_2,
        T_KHOP_NEWSLETTER,T_KHOP_PGP_INLINE,T_RP_MATCHES_RCVD autolearn=unavailable
        version=3.4.0-r904526

Comment 14 Justin Mason 2010-02-01 03:03:01 UTC

+1 on the second rule patch

Comment 15 John Gardiner Myers 2010-02-03 14:05:12 UTC

Committed revision 906263.

Leaving bug open in case someone else wants to deal with the score issue.

Comment 16 John Gardiner Myers 2010-02-03 14:08:02 UTC

Actually, the score issue is an entirely separate bug.  Resolving this bug.