[milters] Archive

Lists Index Date Thread Search

Article: 80
From: Frank Heydlauf
Date: 2004-09-23 05:10:03 -0400
Subject: [SIQ] 013 Re: Re: [LFN14080312] milter-spamc setup generating false positives

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support

On Thu, Sep 23, 2004 at 10:01:27AM +0200, Anthony Howe wrote:
> > This is to prevent a spammer from setting "X-Spam-Flag: no" 
> > by himself and bypass client side filters.
> > The clients (as we and probably many others do) filter for
> > the existens of X-Spam-Flag. If it's set - with "Yes" or
> > or whatever - the message is treated as spam.
> I disagreed with this then as I do now. Filtering based on the presence 
> or absence of a header is totally WRONG and naive. When a header is 
> defined to have a value, such as boolean for X-Spam-Flag, its those 
> values that should be tested for, not the existance of a header.
> The X-Spam-Flag, if already present, is always overridden by 
> milter-spamc, so a spammer attempting to slip by milter-spamc and 
> SpamAssassin by setting it to "NO" would not gain from this. I'm not 
> familar with all of SpamAssassin's rules, but if it skipped scanning a 
> message that was already marked with X-Spam-Flag: NO, then it would be 
> very brain damaged filter IMHO.

if the world would be such easy, we would not have a single spam :-}
I think assuming a spammer would not set "X-Spam-Flag: no" in his
mail would be naive.
And why should I scan a message again if it's already marked as 
spam (here: containing X-Spam-Flag:)?
Setting X-Spam-Flag to "YES" or another value is only a hack because
empty headers would be removed by some (all?) MTAs.

There seems to be a big difference between milter and exim installations.
Exim in the recommended setup
does *not* alter or delete existing X-Spam-Flag Header nor does it append
new ones - ist's just not necessary!

But fully regardless if it's wrong or naive - there are countless 
exim installations with the setup mentioned above and the inherent
danger of causing false positives if they receive mails already
filtered by a milter setup in the way you recommend.
That's what I wanted to tell you. 

Regards Frank

Lists Index Date Thread Search