Bug 8211 - pccc.com HASHBL
Summary: pccc.com HASHBL
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: spamassassin
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2024-01-19 14:17 UTC by threadmarkone
Modified: 2024-01-22 00:55 UTC

Attachment Type Modified Status Actions Submitter/CLA Status
pccc.com mcgrail config image/png None threadmarkone [NoCLA]

Description threadmarkone 2024-01-19 14:17:30 UTC
Created attachment 5934
pccc.com mcgrail config

This may have been a legitimate service from pccc.com, but it's not responding to anything sent like an RBL should. Looking at the DNS logs, this is sending out every email address and phone number scanned by SA, and sending them as a DNS query, e.g. "md5hash.wild.pccc.com"; the phone numbers are sent as plain text. I have looked at the documentation and this service is supposed to reply like any RBL. The fact that the pccc.com RBL seems dead, and the NS is still live, is indicative of data exfiltration. The MD5 hash converting the DNS query is a legitimate SA function, but pccc.com is receiving only? Every email address and phone number in an email scanned by SA with these rules enabled is being captured by the ns.pccc.com name server.
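One way to check what a scanner discloses in queries like these, as an added example that is not part of the original report or of SpamAssassin: it reads a resolver query log, picks out names under the zone named in the report, and classifies the leading label as an MD5-shaped hex digest or as plain digits. The dnsmasq-style log layout, the function names and every sample line are constructed assumptions.

```python
import re
from collections import Counter

ZONE = "wild.pccc.com"  # zone named in the report

# Constructed sample lines; the dnsmasq-style layout is an assumption.
SAMPLE_LOG = """\
Jan 19 14:01:02 dnsmasq[811]: query[A] 5d41402abc4b2a76b9719d911017c592.wild.pccc.com from 192.0.2.10
Jan 19 14:01:02 dnsmasq[811]: query[A] 15555550100.wild.pccc.com from 192.0.2.10
Jan 19 14:01:03 dnsmasq[811]: query[A] www.example.org from 192.0.2.11
Jan 19 14:01:04 dnsmasq[811]: query[A] 7D793037A0760186574B0282F2F435E7.wild.pccc.com. from 192.0.2.10
Jan 19 14:01:05 dnsmasq[811]: query[A] wild.pccc.com from 192.0.2.12
"""

QUERY_RE = re.compile(r"query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")


def classify(label):
    """Say what kind of value the part of the name left of the zone is."""
    if re.fullmatch(r"[0-9a-f]{32}", label):
        return "md5_hex"           # 32 hex characters: digest-shaped
    if re.fullmatch(r"\d{6,15}", label):
        return "plaintext_digits"  # phone-number-shaped, sent as-is
    return "other"


def audit(log_text, zone=ZONE):
    """Return (counts per kind, findings) for queries under `zone`."""
    suffix = "." + zone.lower()
    counts, findings = Counter(), []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qtype, qname, client = m.groups()
        qname = qname.lower().rstrip(".")  # normalise case and trailing dot
        if not qname.endswith(suffix):
            continue  # other domains, or the zone apex itself
        label = qname[: -len(suffix)]
        kind = classify(label)
        counts[kind] += 1
        findings.append((client, qtype, kind, label))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_LOG)
    print(dict(counts))
    for finding in findings:
        print(*finding)
```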
Comment 1 Bill Cole 2024-01-19 17:00:14 UTC
While multiple current and former PCCC associates (including myself) are heavily involved in supporting and maintaining SpamAssassin, PCCC is an independent commercial entity offering products that can be used with SpamAssassin but are NOT part of the ASF SpamAssassin Project. Their specific rules distributed as the "KAM rules channel" and their HashBLs are not distributed or supported here. The ASF SpamAssassin Project does not operate *any* HashBL. We provide the HashBL plugin so that users can configure their own systems to use 3rd-party HashBLs. There are NO specific HashBLs or HashBL rules configured in the code distribution or in the default rules channel maintained by the ASF SpamAssassin Project. 

You may also benefit from opening this discussion on the SpamAssassin Users mailing list and by re-reading the documentation of what HashBLs are for, how they work, and why they are fundamentally DIFFERENT from DNSBLs: 'perldoc Mail::SpamAssassin::Plugin::HashBL' will show you the internal documentation. If you believe there's something wrong with the PCCC HashBL or the rules in the KAM channel that reference it, contact PCCC for specific help with their products. 

There is no bug in SA described in this report.
Comment 2 tm86 2024-01-22 00:55:47 UTC
(In reply to Bill Cole from comment #1)
> While multiple current and former PCCC associates (including myself) are
> heavily involved in supporting and maintaining SpamAssassin, PCCC is an
> independent commercial entity offering products that can be used with
> SpamAssassin but are NOT part of the ASF SpamAssassin Project. Their
> specific rules distributed as the "KAM rules channel" and their HashBLs are
> not distributed or supported here. The ASF SpamAssassin Project does not
> operate *any* HashBL. We provide the HashBL plugin so that users can
> configure their own systems to use 3rd-party HashBLs. There are NO specific
> HashBLs or HashBL rules configured in the code distribution or in the
> default rules channel maintained by the ASF SpamAssassin Project. 
> 
> You may also benefit from opening this discussion on the SpamAssassin Users
> mailing list and by re-reading the documentation of what HashBLs are for,
> how they work, and why they are fundamentally DIFFERENT from DNSBLs:
> 'perldoc Mail::SpamAssassin::Plugin::HashBL' will show you the internal
> documentation. If you believe there's something wrong with the PCCC HashBL
> or the rules in the KAM channel that reference it, contact PCCC for specific
> help with their products. 
> 
> There is no bug in SA described in this report.

Thank you for letting me know this has absolutely nothing to do with SA. I didn't know that, ok.

As a previous associate of pccc.com you should be ashamed. The domain name isn't even signed? I think this may be specific to the email gateways I'm looking at. Since this has nothing to do with SA and Apache, I'll take the bug to ASD and cyber.gov.au. pccc.com have not replied to any questions.

Thanks for the help bud :)