anomalous subjects & subject line anomaly

Pavel Kankovsky peak at argo.troja.mff.cuni.cz
Sat Nov 27 16:58:04 CET 2004 

On 24 Nov 2004, Tom Anderson wrote:

> Very strange behavior... two emails out of 403 correctly classified
> spams in the past 11 days did not mark up the subject line
> appropriately.  I prefix all spam subjects with the word "[SPAM]" in
> order to sort it correctly on my Windows box at work.  [...]
> The "X-bogosity: Yes" was added appropriately, but for some reason, in
> these 2/403 spams, the word "[SPAM]" was not.

I have not seen the messages but one of our users experienced a similar 
problem and it was caused by a message having TWO Subject headers.
Bogofilter added its tag to the first one while his MUA displayed the 
second one.

Here is an sample from the headers of a similar message sent to me
(I can't find a genuine message mentioned in the previous paragraph):

  Received: from 73.110.189.255 by bemadden.cyprian.hotmail.msn.com with HTTP;
          Fri, 19 Nov 2004 02:04:03 +0400 GMT
  X-Originating-IP: [134.41.236.135]
  X-Originating-Email: [cummins at dancom.com]
  From: "Mitzi Redmond" <Butlerdmpz at swserver.net>
  To: peak at kerberos.troja.mff.cuni.cz
  Subject: YOU JUST WONT A FREE GREENCARD!   <--- Bf. tagged this line
  Date: Thu, 18 Nov 2004 23:11:03 +0100
  Mime-Version: 1.0
  Received: from dancom.com ([250.52.132.232])
            by volvo.seguros.com.br
            (InterMail vK.4.04.00.00 444-375-541 license 0qg466cy3412y9rf6s3pfw4281s4tew3)
            with ESMTP id <80231754475973.FDZK4762.volvo.seguros.com.br>
            for <peak at kerberos.troja.mff.cuni.cz>; Fri, 19 Nov 2004 00:04:03 +0200
  From: "Mitzi Redmond" <Butlerdmpz at swserver.net>
  To: "Peak" <peak at kerberos.troja.mff.cuni.cz>
  Subject: YOU JUST WONT A FREE GREENCARD!
  Sender: "Mitzi Redmond" <Butlerdmpz at swserver.net>
  Fri, 19 Nov 2004 04:05:03 +0600
  MIME-Version: 1.0
  Content-Type: text/html;
          charset="us-ascii"
  Content-Transfer-Encoding: quoted-printable
  Message-ID: <DX5L14E5795B236o7a7Z08XN685E5J6RXB at sapo.pt>

You can see the headers is pretty wierd. A large of it is duplicated and
there is a bogus line containing a timestamp in the middle of it (this is 
probably related to one of types of corruption described below).


On Thu, 25 Nov 2004, David Relson wrote:

> Subject: Antidote found in Crocodiles^M^M 
> (with the last 3 characters being CR, CR, SP).

This kind of message corruption (?) is neither rare nor new.
I have been receiving spam with headers like:

  Subject: Guaranteed Generic Viagra!^M                                                  cpbhgywor

or

  To:  <peak at argo.troja.mff.cuni.cz^M>

since the beginning of 2002. (^M stands for CR)

A more insidious trick that has become very popular recently is to pollute
the contents (esp. RFC 2822 headers, MIME headers, and QP/BASE64 encoded
contents) with zero characters, e.g.:

  Subject: =?Windows-1251?B?UmVbN106IM7h5fHv5ffo7CDC4PEg5+Lu7erg7Ogg6uv`o?=^@?
          =?Windows-1251?B?5e3y7uIgcm9VZldv?=^@?

(^@ stands for NUL).

Yet another very popular corruption is the lack of an empty line
separating the RFC 2822 header and the message boundary in a multipart 
MIME  message:

  Subject:  St0cksinPlay
  Date: Sun, 14 Nov 2004 13:28:11 -0400
  X-Mailer: AOL 2.0 for Windows US sub 327
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
          boundary="--9732829393768024"
  X-Priority: 3
  X-MSMail-Priority: Normal 
  X-IP:78.75.63.56
  ----9732829393768024
  Content-Type: text/plain;
  Content-Transfer-Encoding: quoted-printable

Naturally X-Bogosity was added after all this text i.e. even after 
what was supposed to be a MIME header of the 1st part.

On the other I have also seen multiple messages where an unexpected empty
line (I mean a real empty line; plus some silly text like a line 
containing a date or a small decimal number in some cases) interrupted
the message header in the middle.

I am not sure whether these corruptions were intentional or whether the
messages were crippled by a braindead spamming software and/or a braindead
mail relay.

I ponder plugging some kind of sanity checker into my SMTP server to make 
it refuse as much of this junk as possible.


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

More information about the Bogofilter mailing list