[Spambayes] Forged header?
Tim Stone - Four Stones Expressions
tim at fourstonesExpressions.com
Wed Feb 12 23:13:28 EST 2003
2/12/2003 11:06:11 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:
>On Thu, 2003-02-13 at 12:43, Tim Stone - Four Stones Expressions wrote:
>> 2/12/2003 10:36:35 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:
>>
>> >Folks,
>> >
>> >It occurs to me that for a spammer to get past the entire filtering
>> >process, they simply need to include the
>> ><X-Spambayes-Classification: ham; 0.00> header.
>> >
>> >Even if the classifier runs, it's still 50-50 whether the further
>> >downstream processing (e.g. procmail) matches the "real" header or the
>> >bogus one. While pop3proxy.py has a "remove any
>> >X-Spambayes-Classification headers in the incoming mail" item in the
>> >TODO list, is there some equivalent in hammie/outlook land?
>>
>> The tokenizer will ignore most of the headers in an email, including that one.
>> This is not only for the reason you state, but also that they add no value to
>> the classification. The classification is extremely accurate, and most all of
>> the tweaking/twiddling/scheming around such things that was done during the
>> research phase proved to either have no effect on the outcome, or to add
>> expense to it in terms of performance and/or false positive/negative.
>
>Umm, that's not quite what I meant (perhaps I was unclear).
>
>I understand that the classifier does its job irrespective of any
>(potential) bogus headers. I also (now) understand from Tony Meyer's
>separate reply that the Outlook plugin is not vulnerable to the trivial
>spoofing that I suggested. Further, pop3proxy seems to have plans to
>incorporate a protection against such a spoof.
>
>I guess what my question now boils down to is whether or not
>hammiefilter *overwrites* any X-Spambayes-Classification header or
>merely "appends" such a header to a notional list of headers. If it's
>the former, all *should be* cool against this spoof. If it's the latter,
>hammiefilter is vulnerable. Not true???

from hammie.py:

    def filter(self, msg, header=None, spam_cutoff=None,
               ham_cutoff=None, debugheader=None,
               debug=None, train=None):
        .....
        if header == None:
            header = options.hammie_header_name
        .....
        del msg[header]
        msg.add_header(header, disp)
        .....

>
>>
>> What we are now watching closely is how spam will evolve. Certainly spammers
>> will try to come up with schemes to defeat bayesian filtering. Let the real
>> war commence! - TimS
>
>Agreed. And I was pointing out what I perceived to be a slight chink in
>the armor!
>
> Cheers,
> Frank
c'est moi - TimS
http://www.fourstonesExpressions.com
http://wecanstopspam.org
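
The append-versus-overwrite question from this thread, as an added example that is not part of the original post or of the SpamBayes code. It uses Python's standard email package on a constructed message; `tag_append_only`, `downstream_verdict` and `is_ambiguous` are hypothetical names, and `tag_overwrite` mirrors the del-then-add pair in the hammie.py excerpt above.

```python
import email

HEADER = "X-Spambayes-Classification"  # header name taken from the thread

# Constructed sample: a message that arrives already carrying a forged verdict.
FORGED_SPAM = (
    "From: sender@example.com\n"
    "To: recipient@example.com\n"
    "Subject: constructed sample\n"
    "X-Spambayes-Classification: ham; 0.00\n"
    "\n"
    "Body of the constructed sample.\n"
)


def tag_append_only(raw, disp):
    """Hypothetical filter that only appends its verdict (the feared case)."""
    msg = email.message_from_string(raw)
    msg.add_header(HEADER, disp)  # add_header never replaces, it appends
    return msg


def tag_overwrite(raw, disp):
    """Same del-then-add order as the hammie.py excerpt."""
    msg = email.message_from_string(raw)
    del msg[HEADER]               # drops every occurrence; no error if absent
    msg.add_header(HEADER, disp)
    return msg


def downstream_verdict(msg):
    """A consumer that trusts the first matching header, as msg[...] does."""
    return msg[HEADER].split(";")[0].strip()


def is_ambiguous(msg):
    """Defensive check: more than one verdict header should never be trusted."""
    return len(msg.get_all(HEADER, [])) > 1


if __name__ == "__main__":
    for tagger in (tag_append_only, tag_overwrite):
        m = tagger(FORGED_SPAM, "spam; 1.00")  # "spam; 1.00" is a constructed verdict
        print(tagger.__name__, m.get_all(HEADER),
              downstream_verdict(m), is_ambiguous(m))
```

A downstream rule that cannot guarantee the filter overwrites can still use the `is_ambiguous` check and refuse to act on a message carrying more than one verdict header.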