spam addrs

David Relson relson at osagesoftware.com
Tue Jun 29 14:45:03 CEST 2004


On 29 Jun 2004 08:30:05 -0400
Tom Anderson wrote:

> On Mon, 2004-06-28 at 19:31, David Relson wrote:
> > > Perhaps the better test would be if "by", "for", etc., didn't come
> > > before the IP, as an IP address in the "by" or "for" sections
> > > would also follow "from" in most cases.
> > 
> > Bogofilter only needs to handle the info added by the local MDA.  It
> > doesn't need to handle whatever (forgeable) junk is provided by the
> > original sender.
> > 
> > To date, the various means of identifying the address stop looking
> > once they've found an address.  In "from address by/for/etc other
> > stuff", only "address" will be identified and "other" and "stuff"
> > will be ignored.  Show me an MDA that generates "from by
> > local_address remote_address" and I'll worry about the problem. 
> > Until that MDA shows up, writing code to avoid problems that don't
> > occur seems pointless.
> 
> I think you mean MTA, not MDA.  The MTA is not always able to resolve
> an IP address for every sender due to possible DNS problems, and I
> think the solution is usually to deliver the mail anyway after the
> lookup times out or fails.  Although it may return a 5xx error with
> "relaying denied" or whatnot.  Guess it depends on the MTA and the
> configuration though.  Some people may even turn off IP lookups due to
> speed constraints.  It's possible that people will have headers like
> this:

My mistake.  MTA is correct.  The MTA should always have the connecting
address (1.2.3.4 or whatever).  A DNS problem means there's no name,
rather than no address.  Postfix handles that with:

Received: from blaster3.omessage.com (unknown [204.180.130.223])

> Received: from spammer.com by 192.168.1.1 for you at localhost
> 
> Yeah, I know you don't want to hear about the 5% of users who may have
> their servers configured this way, just as with the lines I previously
> identified which would screw up the parsing, eg:
> 
> Received: from [1.2.3.4] (helo=5.6.7.8) with smtp (Exim 4.12)
> vs
> Received: from 5.6.7.8 [1.2.3.4] with smtp (8.9.10)

Looking at these examples makes me wonder about having a "receive" mode
in the lexer grammar that, in addition to returning the usual tokens,
would also deal with square brackets, perhaps look for
"[digits.digits.digits.digits]" or something similar.  Do you think that
would resolve the various issues?

> However, I fear that someone without a whole lot of knowledge about
> the matter (most of us) will accept bogofilter's output as gospel and
> start blocking random innocent IPs, perhaps even their own.  Saying
> these problems "don't occur" is a little optimistic.  I'd prefer to
> assume that they do occur, and often, and prevent it from being a
> problem by nipping it at the bud with accurate parsing or none at all.

There will always be people who know more and people who know less.  I,
for one, am still learning.  I expect that displaying the message
address will always be optional, which will require some level of
hacking on the user's part (if only to read bogofilter.cf and discover
that '%I' exists).

> But that's just my opinion...

And you're entitled!

David
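A worked illustration of the approach argued over in this thread, added here as an example rather than bogofilter's own lexer code: it looks only inside the "from" clause of a Received header, treats a bracketed dotted quad (what the receiving MTA writes) as the connecting address, and reports a bare dotted quad as unverified since it may just be a HELO string. The clause keywords follow the RFC 2821 Received syntax; the sample headers are the ones quoted in the messages above, and the function names are my own.

```python
import re

# The "from" clause ends at the next RFC 2821 Received keyword.  Anything after
# "by" or "for" describes the local side and must never be reported as the sender.
_CLAUSE_END = re.compile(r"\s+(?:by|for|with|via|id)\s+", re.IGNORECASE)
# Dotted quad in square brackets: the address the MTA itself recorded.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Bare dotted quad: whatever the peer announced in HELO, so not trustworthy.
_BARE_IP = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def from_clause(received):
    """Return the text of the 'from' clause, or None if the header has none."""
    body = re.sub(r"^\s*received:\s*", "", received, flags=re.IGNORECASE)
    start = re.search(r"\bfrom\s+", body, re.IGNORECASE)
    if not start:
        return None
    rest = body[start.end():]
    end = _CLAUSE_END.search(rest)
    return rest[:end.start()] if end else rest


def connecting_address(received):
    """Return (address, mta_recorded) for a Received header, or None.

    mta_recorded is True when the address came from square brackets,
    False when only a bare dotted quad (HELO value) was available.
    """
    clause = from_clause(received)
    if clause is None:
        return None
    m = _BRACKETED_IP.search(clause)
    if m:
        return (m.group(1), True)
    m = _BARE_IP.search(clause)
    return (m.group(1), False) if m else None


if __name__ == "__main__":
    # Constructed sample headers, taken from the examples quoted in the thread.
    samples = [
        "Received: from blaster3.omessage.com (unknown [204.180.130.223])",
        "Received: from spammer.com by 192.168.1.1 for you at localhost",
        "Received: from [1.2.3.4] (helo=5.6.7.8) with smtp (Exim 4.12)",
        "Received: from 5.6.7.8 [1.2.3.4] with smtp (8.9.10)",
    ]
    for line in samples:
        print(connecting_address(line), "<-", line)
```

The second sample yields no address at all: 192.168.1.1 sits in the "by" clause, so it is the local server and is deliberately not reported.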


