[Spambayes] Forged header?

Frank Horowitz frank.horowitz at csiro.au
Thu Feb 13 13:06:11 EST 2003


On Thu, 2003-02-13 at 12:43, Tim Stone - Four Stones Expressions wrote:
> 2/12/2003 10:36:35 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:
> 
> >Folks,
> >
> >It occurs to me that for a spammer to get past the entire filtering
> >process, they simply need to include the  
> ><X-Spambayes-Classification: ham; 0.00> header.  
> >
> >Even if the classifier runs, it's still 50-50 whether the further
> >downstream processing (e.g. procmail) matches the "real" header or the
> >bogus one. While pop3proxy.py has a "remove any
> >X-Spambayes-Classification headers in the incoming mail" item in the
> >TODO list, is there some equivalent in hammie/outlook land?
> 
> The tokenizer will ignore most of the headers in an email, including that one.  
> This is not only for the reason you state, but also that they add no value to 
> the classification.  The classification is extremely accurate, and most all of  
> the tweaking/twiddling/scheming around such things that was done during the 
> research phase proved to either have no effect on the outcome, or to add 
> expense to it in terms of performance and/or false positive/negative.

Umm, that's not quite what I meant (perhaps I was unclear). 

I understand that the classifier does its job irrespective of any
(potential) bogus headers. I also (now) understand from Tony Meyer's
separate reply that the Outlook plugin is not vulnerable to the trivial
spoofing that I suggested. Further, pop3proxy seems to have plans to
incorporate a protection against such a spoof. 

I guess what my question now boils down to is whether or not
hammiefilter *overwrites* any X-Spambayes-Classification header or
merely "appends" such a header to a notional list of headers. If it's
the former, all *should be* cool against this spoof. If it's the latter,
hammiefilter is vulnerable. Not true???

> 
> What we are now watching closely is how spam will evolve.  Certainly spammers 
> will try to come up with schemes to defeat bayesian filtering.  Let the real 
> war commence!  - TimS

Agreed. And I was pointing out what I perceived to be a slight chink in
the armor!

	Cheers,
		Frank




