[milters] Archive


Article: 1829
From: Anthony Howe
Date: 2008-01-28 06:59:27 -0500
Subject: Re: POSSIBLE ATTACK from.... in milter-p0f

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Ben Spencer wrote:
> Just installed milter-p0f (0.5.12). It seems as if there may be a formatting
> issue?
> From the logs....
> 
> 2008 Jan 28 04:20:22 mailgw [mail.info] sendmail[27247]: m0SAKKWD027247:
> Milter add: header: X-milter-p0f-Report: mail3.crosswalkmail.com
> [208.123.68.10] (unknown) Linux 2.6, seldom 2.4 (older, 4) hops 13 link
> ethernet/modem up 2888 \r\n    by [66.185.255.136]; Mon, 28 Jan 2008
> 04:20:20 -0600\r\n
> .
> .
> .
> 2008 Jan 28 04:20:25 mailgw [mail.notice] sendmail[27247]: m0SAKKWD027247:
> POSSIBLE ATTACK from mail3.crosswalkmail.com: newline in string
> "mail3.crosswalkmail.com [208.123.68.10] (unknown) Linux 2.6, seldom 2.4
> (older, 4) hops 13 link ethernet/modem up 2888 \r     by [66.185.255.136];
> Mon, 28 Jan 2008 04:20:20 -0600\r "

This appears to be similar to a milter-spamc X-Spam-Report header bug I 
had previously due to a misunderstanding on my part concerning 
smfi_addheader() WRT multiline headers. I quote from the milter-spamc 
change log:

    !	libmilter smfi_addheader() API documentation states:

	 "... To make a multi-line header, insert a line feed (ASCII
	  0x0a, or \n in C) followed by at least one whitespace
	  character such as a space (ASCII 0x20) or tab (ASCII 0x09,
	  or \t in C). The line feed should NOT be preceded by a
	  carriage return (ASCII 0x0d); the MTA will add this
	  automatically."

	Therefore \r\n have been replaced by \n when generating the
	X-Spam-Report header.

Therefore, change line 329:

	(void) snprintf(data->report+length, sizeof (data->report)-length, "\r\n    by [%s]; %s\r\n", if_addr, timestamp);


to remove the \r:


	(void) snprintf(data->report+length, sizeof (data->report)-length, "\n    by [%s]; %s\n", if_addr, timestamp);


-- 
Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         ICQ: 7116561          BarricadeMX & Milters
http://www.snert.com/                 http://www.snertsoft.com/
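
Added example, not part of the original post and not code from milter-p0f or milter-spamc: a check and a normaliser for header values built according to the smfi_addheader() rule quoted above (no CR, every LF followed by a space or tab). The function names header_value_ok() and header_value_fold() are hypothetical, the sample string is constructed from the logged header, and the normaliser also drops a trailing newline, since it has no continuation line to introduce.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if v obeys the quoted rule: no CR anywhere, and every LF is
 * followed by a space or tab (so a trailing LF fails too). */
int header_value_ok(const char *v)
{
	for (; *v != '\0'; v++) {
		if (*v == '\r')
			return 0;
		if (*v == '\n' && v[1] != ' ' && v[1] != '\t')
			return 0;
	}
	return 1;
}

/* Copies in to out, dropping CRs and trailing newlines, and inserting a
 * space after any LF not already followed by whitespace. Returns the
 * output length, or -1 if out is too small. */
int header_value_fold(const char *in, char *out, size_t outsz)
{
	size_t i, n = 0, end = strlen(in);

	while (end > 0 && (in[end - 1] == '\r' || in[end - 1] == '\n'))
		end--;
	for (i = 0; i < end; i++) {
		if (in[i] == '\r')
			continue;
		if (n + 2 >= outsz)	/* room for char, pad space and NUL */
			return -1;
		out[n++] = in[i];
		if (in[i] == '\n' && in[i + 1] != ' ' && in[i + 1] != '\t')
			out[n++] = ' ';
	}
	if (n >= outsz)
		return -1;
	out[n] = '\0';
	return (int) n;
}

int main(void)
{
	/* Constructed sample, modelled on the tail of the logged header. */
	const char *raw = "up 2888 \r\n    by [66.185.255.136]; Mon, 28 Jan 2008 04:20:20 -0600\r\n";
	char buf[256];

	printf("raw ok: %d\n", header_value_ok(raw));
	if (header_value_fold(raw, buf, sizeof (buf)) >= 0)
		printf("folded ok: %d\n", header_value_ok(buf));
	return 0;
}
```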
