[Spambayes] Forged header?

Tim Stone - Four Stones Expressions tim at fourstonesExpressions.com
Wed Feb 12 23:13:28 EST 2003


2/12/2003 11:06:11 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:

>On Thu, 2003-02-13 at 12:43, Tim Stone - Four Stones Expressions wrote:
>> 2/12/2003 10:36:35 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:
>> 
>> >Folks,
>> >
>> >It occurs to me that for a spammer to get past the entire filtering
>> >process, they simply need to include the  
>> ><X-Spambayes-Classification: ham; 0.00> header.  
>> >
>> >Even if the classifier runs, it's still 50-50 whether the further
>> >downstream processing (e.g. procmail) matches the "real" header or the
>> >bogus one. While pop3proxy.py has a "remove any
>> >X-Spambayes-Classification headers in the incoming mail" item in the
>> >TODO list, is there some equivalent in hammie/outlook land?
>> 
>> The tokenizer will ignore most of the headers in an email, including that
>> one.  This is not only for the reason you state, but also that they add no
>> value to the classification.  The classification is extremely accurate, and
>> most all of the tweaking/twiddling/scheming around such things that was done
>> during the research phase proved to either have no effect on the outcome, or
>> to add expense to it in terms of performance and/or false positive/negative.
>
>Umm, that's not quite what I meant (perhaps I was unclear). 
>
>I understand that the classifier does its job irrespective of any
>(potential) bogus headers. I also (now) understand from Tony Meyer's
>separate reply that the Outlook plugin is not vulnerable to the trivial
>spoofing that I suggested. Further, pop3proxy seems to have plans to
>incorporate a protection against such a spoof. 
>
>I guess what my question now boils down to is whether or not
>hammiefilter *overwrites* any X-Spambayes-Classification header or
>merely "appends" such a header to a notional list of headers. If it's
>the former, all *should be* cool against this spoof. If it's the latter,
>hammiefilter is vulnerable. Not true???

from hammie.py:

    def filter(self, msg, header=None, spam_cutoff=None,
               ham_cutoff=None, debugheader=None,
               debug=None, train=None):
.....
        if header == None:
            header = options.hammie_header_name
.....
        del msg[header]
        msg.add_header(header, disp)
.....
>
>> 
>> What we are now watching closely is how spam will evolve.  Certainly
>> spammers will try to come up with schemes to defeat bayesian filtering.
>> Let the real war commence!  - TimS
>
>Agreed. And I was pointing out what I perceived to be a slight chink in
>the armor!
>
>	Cheers,
>		Frank


c'est moi - TimS
http://www.fourstonesExpressions.com
http://wecanstopspam.org
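
The difference between appending a classification header and the del-then-add pattern in the hammie.py excerpt above, as an added example that is not part of the original post or the SpamBayes code. It uses only Python's standard `email` package; the sample message, the `spam; 0.99` value and the downstream "any header says ham" rule are constructed assumptions.

```python
import email

HEADER = "X-Spambayes-Classification"  # header name quoted in the thread

# Constructed sample: spam carrying two forged "ham" headers, one with
# different capitalisation (header names are case-insensitive).
RAW = (
    "From: sender@example.com\n"
    "X-Spambayes-Classification: ham; 0.00\n"
    "x-spambayes-classification: ham; 0.00\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)

def tag_append(raw, disp):
    """Append-only tagging: inbound copies of the header survive."""
    msg = email.message_from_string(raw)
    msg.add_header(HEADER, disp)
    return msg

def tag_overwrite(raw, disp):
    """The del-then-add pattern from the hammie.py excerpt."""
    msg = email.message_from_string(raw)
    del msg[HEADER]              # removes every occurrence, any capitalisation
    msg.add_header(HEADER, disp)
    return msg

def verdicts(msg):
    """All classification values a downstream rule could match on."""
    return msg.get_all(HEADER, [])

def downstream_sees_ham(msg):
    """Hypothetical delivery rule that fires if any header line says ham."""
    return any(v.strip().startswith("ham") for v in verdicts(msg))

if __name__ == "__main__":
    for tagger in (tag_append, tag_overwrite):
        m = tagger(RAW, "spam; 0.99")   # constructed classifier output
        print(tagger.__name__, verdicts(m), downstream_sees_ham(m))
```

A downstream rule is only safe if every inbound copy of the header is removed before the filter adds its own, which is what `del msg[header]` does here.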




