[Spambayes] Forged header?

Tim Stone - Four Stones Expressions tim at fourstonesExpressions.com
Wed Feb 12 23:13:28 EST 2003

2/12/2003 11:06:11 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:

>On Thu, 2003-02-13 at 12:43, Tim Stone - Four Stones Expressions wrote:
>> 2/12/2003 10:36:35 PM, Frank Horowitz <frank.horowitz at csiro.au> wrote:
>> >Folks,
>> >
>> >It occurs to me that for a spammer to get past the entire filtering
>> >process, they simply need to include the  
>> ><X-Spambayes-Classification: ham; 0.00> header.  
>> >
>> >Even if the classifier runs, it's still 50-50 whether the further
>> >downstream processing (e.g. procmail) matches the "real" header or the
>> >bogus one. While pop3proxy.py has a "remove any
>> >X-Spambayes-Classification headers in the incoming mail" item in the
>> >TODO list, is there some equivalent in hammie/outlook land?
>> The tokenizer will ignore most of the headers in an email, including that one.
>> This is not only for the reason you state, but also that they add no value to
>> the classification.  The classification is extremely accurate, and most all of
>> the tweaking/twiddling/scheming around such things that was done during the 
>> research phase proved to either have no effect on the outcome, or to add 
>> expense to it in terms of performance and/or false positive/negative.
>Umm, that's not quite what I meant (perhaps I was unclear). 
>I understand that the classifier does its job irrespective of any
>(potential) bogus headers. I also (now) understand from Tony Meyer's
>separate reply that the Outlook plugin is not vulnerable to the trivial
>spoofing that I suggested. Further, pop3proxy seems to have plans to
>incorporate a protection against such a spoof. 
>I guess what my question now boils down to is whether or not
>hammiefilter *overwrites* any X-Spambayes-Classification header or
>merely "appends" such a header to a notional list of headers. If it's
>the former, all *should be* cool against this spoof. If it's the latter,
>hammiefilter is vulnerable. Not true???

from hammie.py:

    def filter(self, msg, header=None, spam_cutoff=None,
               ham_cutoff=None, debugheader=None,
               debug=None, train=None):
        if header == None:
            header = options.hammie_header_name
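        # Deleting by name removes every existing header of that name,
        # so a forged copy in the incoming message does not survive.
        del msg[header]
        msg.add_header(header, disp)

>> What we are now watching closely is how spam will evolve.  Certainly 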
>> will try to come up with schemes to defeat bayesian filtering.  Let the 
>> war commence!  - TimS
>Agreed. And I was pointing out what I perceived to be a slight chink in
>the armor!
>	Cheers,
>		Frank

c'est moi - TimS
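
Added example, not part of the original message or of the Spambayes code: the "append" versus "overwrite" behaviours discussed in this thread, reproduced with Python's standard `email` package. The sample message, the `spam; 1.00` verdict string and all function names are constructed for illustration, and `first_match` stands in for a downstream consumer that is assumed to read only the first matching header.

```python
from email import message_from_string

HEADER = "X-Spambayes-Classification"  # header name from the thread

# Constructed sample: a message that arrives already carrying a forged verdict.
RAW = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "x-spambayes-classification: ham; 0.00\n"  # forged, note the lower case
    "\n"
    "Buy now.\n"
)


def tag_append_only(raw, verdict):
    """Weak form: add the verdict without removing headers already present."""
    msg = message_from_string(raw)
    msg.add_header(HEADER, verdict)
    return msg


def tag_overwrite(raw, verdict):
    """Delete-then-add, as in the hammie.py excerpt quoted in the message."""
    msg = message_from_string(raw)
    forged = msg.get_all(HEADER, [])  # keep what was stripped, e.g. for logging
    del msg[HEADER]  # case-insensitive, removes every occurrence, no error if absent
    msg.add_header(HEADER, verdict)
    return msg, forged


def first_match(msg):
    """Value seen by a consumer that reads only the first matching header."""
    return msg[HEADER]


if __name__ == "__main__":
    verdict = "spam; 1.00"  # constructed verdict string
    appended = tag_append_only(RAW, verdict)
    print("append-only headers:", appended.get_all(HEADER))
    print("append-only, first match:", first_match(appended))
    cleaned, forged = tag_overwrite(RAW, verdict)
    print("overwrite headers:", cleaned.get_all(HEADER))
    print("stripped on input:", forged)
```

A non-empty `forged` list is also worth logging, since a legitimate sender has no reason to set this header.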
