Blacklist Filter bugs

Latest posts in this topic: Blacklist Filter bugs

Fixed!

Post by Guest » 3 Dec 2006, 05:15

These are fixed. Thanks MarkC!

Mark Edwards

Post by Chactory » 22 Oct 2006, 13:07

Thank you very much for your engagement (I hope this isn't mistakeful English ... :?)!

For every plugin programmer is only working in his free time due to fame and glory, it is only possible to hope that some of them want to resume their splendid programming!

Post by MarkC » 22 Oct 2006, 00:08

Quellcore wrote:
> Did you see the email address that is provided on the webpage?

Yes I did.
I've sent emails to:
blacklistfilter [at] yahoo [dot] com
blacklistfilter [at] thinbrowser [dot] net
mark [at] edwards [dot] org
... and another guessed email address, with no reply so far.

Thanks

(Edit below)
Once I got the right 'magic' tag in the subject, I got this reply:
> Thanks a bunch for those reports. I'll get them fixed relatively soon.

Good, good!

Post by Quellcore » 21 Oct 2006, 19:13

Hello MarkC!
Did you see the email address that is provided on the webpage?

blacklistfilter [at] yahoo [dot] com

You could try to contact him through that one!


Regards
Quellcore

Post by MarkC » 21 Oct 2006, 12:56

I too am very much hoping that the programmer of the plugin will read this!

I may as well include some more detail:

Bug 1:

Some spam that should have been DNSBL blocked actually got through the Blacklist Filter without being marked.
I looked through the Blacklists2.log file, and noted the following, which indicates a parsing problem:

--- Begin log
Received: from 89.1.xxx.yyy.dynamic.barak-online.net (89.1.xxx.yyy.dynamic.barak-online.net [89.1.xxx.yyy]) by smtp-1.myisp.net (Postfix) with ESMTP id 4D22462273F for <MarkC@myisp.net>; Mon, 16 Oct 2006 16:15:57

Getting IPs...
Checking string: 89.1.xxx.yyy by
Not a valid IP address
--- End log

Note: between the text "[89.1.xxx.yyy])" and the text "by smtp-1" in the original log is a TAB character (not a space).
Also, between the text "Checking string: 89.1.200.35" and the text "by" is also a single TAB character (not a space).

It looks like the TAB is *not* being treated as equivalent to whitespace, which is confusing the parsing.

The filter should be checking IP "89.1.xxx.yyy".
BUT the TAB character confuses it and it decides the text is not a valid IP address and it does not bother.
(I looked up that IP address on a web-based DNSBL, and the IP was actually blocked.)

RFC2822 (and RFC2234) allow email headers to contain TAB characters (defined as "WSP") and the headers inserted by my ISP's email server do often contain TAB characters.


Bug 2:

Sometimes emails contain RFC1918 IPs.

The headers for a recent email included this:

Received: from unknown (172.16.0.16) by 0 with QMTP; Mon, 16 Oct 2006 09:20:14 +0000

IP 172.16.0.16 is an RFC1918 non-routable/private IP address, similar to 10.0.0.1 & 192.168.0.1.

It likely indicates an internal hand-off or transfer of the email between mail systems within an ISP or organisation.

However, Blacklist Filter is attempting to do a DNSBL lookup on that IP, and blackholes.five-ten-sg.com is returning a result which is being interpreted as positive, resulting in the email being filtered/blocked.

(See this dnstuff.com DNSBL lookup for 172.16.0.16)

The presence of an RFC1918 IP in the headers implies nothing at all regarding spam sources.

A manual lookup at http://www.five-ten-sg.com/blackhole.php for 172.16.0.16 shows this message:

"IP address 172.16.0.16 is listed here as rfc1918 misc.
RFC1918 addresses are not globally unique. They are reserved for internal
use in private networks. There is no point in asking any sort of ip address
based public reputation system about the spam reputation of such an address.
Such dns queries are simply extra noise."

It would be good if Blacklist Filter did not check RFC1918 private IPs.

Thanks.

Post by Chactory » 21 Oct 2006, 00:49

Thank you very much for analyzing this so competently.
I hope that the programmer of the plugin and of the main program will read this.

Blacklist Filter bugs

Post by MarkC » 17 Oct 2006, 05:03

Blacklist Filter has two bugs.

(Mark Edwards, are you still following this forum?)

Summary:
- Email headers with embedded TAB characters confuse the parsing of IP addresses
- RFC1918 private IPs are being tested against DNSBL when they should be ignored.

More details on request.
