Bug 6780 - Existing but empty From: and To:
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-31 13:14 UTC by Lemat
Modified: 2015-04-06 23:46 UTC

Description Lemat 2012-03-31 13:14:09 UTC
In a recent wave of spam I have seen existing but empty From: and To: headers. I mean MISSING_HEADERS does not match since these headers exist. The closest rule to match such spam is FH_FROMEML_NOTLD, but it is only for the From: header. Therefore I propose something like this:

header EMPTY_FROM         From =~ /^\s*$/
describe EMPTY_FROM       empty From:

header EMPTY_TO         To =~ /^\s*$/
describe EMPTY_TO       empty To:

or meta EMPTY_TO & EMPTY_FROM
Comment 1 D. Stussy 2012-03-31 22:56:20 UTC
If these rules only operate when the header is present, then I suggest the same with ALL other headers except "Bcc:" - since if present, they may not be empty.

Only BCC is permitted to be empty when present, and except for mail submission agent processing, is expected and supposed to be empty if present.
Comment 2 Kevin A. McGrail 2012-04-02 22:03:15 UTC
(In reply to comment #1)
> If these rules only operate when the header is present, then I suggest the same
> with ALL other headers except "Bcc:" - since if present, they may not be empty.
> 
> Only BCC is permitted to be empty when present, and except for mail submission
> agent processing, is expected and supposed to be empty if present.

I agree. I think it needs a meta for !MISSING_HEADERS.

header __EMPTY_FROM From =~ /^\s*$/
header __EMPTY_TO   To =~ /^\s*$/
header __EMPTY_CC   Cc =~ /^\s*$/

meta EMPTY_TO_AND_FROM (!MISSING_HEADERS && (__EMPTY_FROM + __EMPTY_TO + __EMPTY_CC >= 2))
describe EMPTY_TO_AND_FROM Mail contains headers that are blank and shouldn't be.
score EMPTY_TO_AND_FROM 1.0

Lemat, the above passes lint. Does it hit on the emails you are seeing?

regards,
KAM
Comment 3 Lemat 2012-04-03 23:57:11 UTC
Kevin, your rules do match the spamrun I see.

Meanwhile I was also testing something different:

header __HAS_FROM           exists:From  
header __EMPTY_FROM         From =~ /^\s*$/
meta EMPTY_FROM __HAS_FROM && __EMPTY_FROM
describe EMPTY_FROM       empty from
score EMPTY_FROM          1

header __HAS_TO           exists:To
header __EMPTY_TO         To =~ /^\s*$/
meta EMPTY_TO __HAS_TO && __EMPTY_TO
describe EMPTY_TO       empty to
score EMPTY_TO          1

and it also did the job. But (I believe) your rule is faster.
Comment 4 Lemat 2012-04-04 00:16:34 UTC
hmm... MISSING_HEADERS is operating only on To: header:

header MISSING_HEADERS         eval:check_for_missing_to_header()

sub check_for_missing_to_header {
  my ($self, $pms) = @_;

  my $hdr = $pms->get('To');
  $hdr = $pms->get('Apparently-To')  if $hdr eq '';
  return 1  if $hdr eq '';

  return 0;
}

which is not exactly identical to what I have been thinking about. And I have been thinking not about AND but OR, something like that:

header __EMPTY_FROM From =~ /^\s*$/
header __EMPTY_TO   To =~ /^\s*$/
header __EMPTY_CC   Cc =~ /^\s*$/
header __HAS_FROM         exists:From 
header __HAS_TO           exists:To   
header __HAS_CC           exists:CC

meta EMPTY_TO_OR_FROM_OR_CC (__HAS_TO && __EMPTY_TO) || (__HAS_FROM && __EMPTY_FROM) || (__HAS_CC &&  __EMPTY_CC)
describe EMPTY_TO_OR_FROM_OR_CC Mail contains headers that are blank and shouldn't be.
score EMPTY_TO_OR_FROM_OR_CC 1.0
Comment 5 Mark Martinec 2012-05-14 16:18:48 UTC
> hmm... MISSING_HEADERS is operating only on To: header

Right, your rules set seems more to the point.


If multiple (although illegal) From/To/Cc header fields are taken
into account, a regexp /m flag should be used:

header __HAS_FROM   exists:From
header __HAS_TO     exists:To
header __HAS_CC     exists:CC
header __EMPTY_FROM From =~ /^\s*$/m
header __EMPTY_TO   To =~ /^\s*$/m
header __EMPTY_CC   Cc =~ /^\s*$/m

meta EMPTY_FROM_OR_TO_OR_CC (__EMPTY_FROM && __HAS_FROM) || (__EMPTY_TO && __HAS_TO) || (__EMPTY_CC && __HAS_CC)
describe EMPTY_FROM_OR_TO_OR_CC  Contains a header field that is blank and shouldn't be.
score EMPTY_FROM_OR_TO_OR_CC 1.0


( If we don't care about multiple instances, a rule like
    header __EMPTY_FROM From !~ /\S/
  might be faster. )

Btw, a __HAS_FROM rule we already have (along with 
__HAS_RCVD, __HAS_MESSAGE_ID, __HAS_DATE and __HAS_SUBJECT).
Can't hurt to add __HAS_TO and __HAS_CC for completeness,
even if it turns out they won't be used.
Comment 6 Kevin A. McGrail 2013-06-21 16:25:47 UTC
Moving all open bugs where target is defined and 3.4.0 or lower to 3.4.1 target
Comment 7 Adam Katz 2013-06-27 22:22:24 UTC
Be careful with this, MS Exchange (and, separately, MS Outlook) will note the missing To header by adding one that looks like this:

To: Undisclosed recipients:;

Other inbox servers and/or email clients and/or combinations of those may have other defaults.

This means that mass-check runs on corpora partially constructed from infrastructure that mucks with this will give erroneous results.
Comment 8 Kevin A. McGrail 2015-04-06 23:46:00 UTC
Rules are not bound to a specific code release.  Changing to undefined release.
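
Added example (not part of the bug thread and not SpamAssassin code): a stand-alone Perl model of the patterns discussed in comments 2-5, run over constructed messages, including the rewritten To: from comment 7. It assumes that repeated header fields reach the regex as one string with one value per line and that an absent field is tested as the empty string; header_fields and evaluate are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Collect every instance of each header field, unfolding continuation lines.
sub header_fields {
    my ($raw) = @_;
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    $head =~ s/\r?\n[ \t]+/ /g;
    my %fields;
    for my $line (split /\r?\n/, $head) {
        push @{ $fields{lc $1} }, $2 if $line =~ /^([^\s:]+)[ \t]*:(.*)$/;
    }
    return \%fields;
}

# Model (assumption): all instances of a field reach the regex as one string,
# one value per line; an absent field is tested as the empty string.
sub evaluate {
    my ($raw, $name) = @_;
    my $vals   = header_fields($raw)->{lc $name};
    my $exists = defined $vals ? 1 : 0;
    my $str    = $exists ? join('', map { "$_\n" } @$vals) : '';
    return {
        exists    => $exists,
        anchored  => ($str =~ /^\s*$/)  ? 1 : 0,   # pattern from comments 2-4
        multiline => ($str =~ /^\s*$/m) ? 1 : 0,   # /m variant from comment 5
        all_blank => ($str !~ /\S/)     ? 1 : 0,   # alternative from comment 5
    };
}

# Constructed sample messages (not taken from any corpus).
my @samples = (
    [ 'empty To'          => "From: a\@example.com\nTo: \nSubject: x\n\nbody\n" ],
    [ 'To absent'         => "From: a\@example.com\nSubject: x\n\nbody\n" ],
    [ 'two To, one empty' => "To: b\@example.com\nTo:\nSubject: x\n\nbody\n" ],
    [ 'rewritten To'      => "To: Undisclosed recipients:;\nSubject: x\n\nbody\n" ],
);

printf "%-18s %6s %8s %9s %9s %5s\n",
    'sample', 'exists', 'anchored', 'multiline', 'all_blank', 'fires';
for my $s (@samples) {
    my ($label, $raw) = @$s;
    my $r = evaluate($raw, 'To');
    # fires = (__EMPTY_TO && __HAS_TO) using the /m pattern from comment 5
    printf "%-18s %6d %8d %9d %9d %5d\n", $label,
        @$r{qw(exists anchored multiline all_blank)},
        ($r->{exists} && $r->{multiline}) ? 1 : 0;
}
```

In this model only the /m pattern catches an empty To: that sits next to a populated one, and the "Undisclosed recipients:;" value is not blank under any of the three patterns.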