7896 – Seeming counting error with tflags multiple

Bug 7896 - Seeming counting error with tflags multiple

Summary: Seeming counting error with tflags multiple

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	3.4.0
Hardware:	PC Windows XP

Importance:	P2 normal
Target Milestone:	Undefined
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2021-03-30 19:02 UTC by Loren Wilton
Modified:	2021-03-30 22:43 UTC (History)
CC List:	3 users (show)

Attachment	Type	Modified	Status	Actions	Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Loren Wilton 2021-03-30 19:02:53 UTC

I have the following rule in user_prefs:

header		__DUP_LIST_UNSUBSCRIBE		List-Unsubscribe	=~ /./
tflags		__DUP_LIST_UNSUBSCRIBE		multiple
meta		LW_DUP_LIST_UNSUBSCRIBE		(__DUP_LIST_UNSUBSCRIBE > 1)
score		LW_DUP_LIST_UNSUBSCRIBE		1
describe	LW_DUP_LIST_UNSUBSCRIBE		Two or more List-Unsubscribe headers

I received a spam that hit (among many others) this rule:

 1.0 LW_DUP_LIST_UNSUBSCRIBE Two or more List-Unsubscribe headers

The problem is there is only one List-Unsubscribe header in the message. I think that the header detection may have been fooled by the formatting of the DKIM-Signature header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=dkim; d=product-bills.com;
 h=Message-ID:Date:Subject:From:Reply-To:To:MIME-Version:Content-Type:
 List-Unsubscribe:List-Id;
 bh=j+nGf5OHKxHxXjPQ+72DSHdl8grj1qHvjk8tfDj3sa4=;
 b=gE60zOF5GYxkCSCqMmkSfBz4m0Vt6dwCxW9C4hqQdVK3dEOvc3UeRW/YREKlUXmqVSe9f1aHviYI
   0rpcUTG0D7HYJmyjJFSxqladmipwlBqGg9XceK/2MXmA7iCoNCXm78Ag/gPnzwzzbjBhUwRoQ+C/
   K+vmtIzKXdYTlw8azYM=
List-Unsubscribe: <http://ehk74.com/index.php/lists/tx608bw2ye27b/unsubscribe/mq0498zn4qe56/wq618tykbad15/unsubscribe-direct?source=email-client-unsubscribe-button>,
 <mailto:noreply@awscell.com?subject=Campaign-Uid:wq618tykbad15 /
 Subscriber-Uid:mq0498zn4qe56 - Unsubscribe request&body=Please unsubscribe
 me!>

Note the " List-Unsubscribe:" in the DKIM-Signature multiline text.

I can supply the original spam if the above is not enough to track the problem down.

Comment 1 Bill Cole 2021-03-30 19:57:21 UTC

Without anchoring, I believe that rule will match as many times as there are characters in the List-Unsubscribe header.

To debug, use the '-D rules' option for spamassassin and look in the output for the matches to your rule. Or just put a '^' in front of the '.' in the regex.

Comment 2 Bill Cole 2021-03-30 21:01:40 UTC

(In reply to Bill Cole from comment #1)
> Without anchoring, I believe that rule will match as many times as there are
> characters in the List-Unsubscribe header.
> 
> To debug, use the '-D rules' option for spamassassin and look in the output
> for the matches to your rule. Or just put a '^' in front of the '.' in the
> regex.

I have confirmed that with the rules provided and mail with this header:

     List-Unsubscribe: 123

A check by 'spamassassin -D rules' shows these matches:

     Mar 30 16:56:17.093 [8735] dbg: rules: ran header rule __DUP_LIST_UNSUBSCRIBE ======> got hit: "1"
     Mar 30 16:56:17.094 [8735] dbg: rules: ran header rule __DUP_LIST_UNSUBSCRIBE ======> got hit: "2"
     Mar 30 16:56:17.094 [8735] dbg: rules: ran header rule __DUP_LIST_UNSUBSCRIBE ======> got hit: "3"

Changing the regex to '/^./' solves the problem. 

Works as designed.

Comment 3 Loren Wilton 2021-03-30 21:11:46 UTC

Thanks Bill!

Comment 4 RW 2021-03-30 22:43:35 UTC

(In reply to Bill Cole from comment #2)

> Changing the regex to '/^./' solves the problem. 


The regex needs to be '/^./m'