Blacklist Filter bugs

Have you found a bug in a plugin?

Moderator: Forum team

Blacklist Filter bugs

Post by MarkC » 17 Oct 2006, 05:03

Blacklist Filter has two bugs.

(Mark Edwards, are you still following this forum?)

Summary:
- Email headers with embedded TAB characters confuse the parsing of IP addresses
- RFC1918 private IPs are being tested against DNSBL when they should be ignored.

More details on request.

Re: Blacklist Filter bugs

Post by Chactory » 21 Oct 2006, 00:49

Thank you very much for analyzing this so competently.
I hope that the programmer of the plugin and of the main program will read this.

Re: Blacklist Filter bugs

Post by MarkC » 21 Oct 2006, 12:56

I too am very much hoping that the programmer of the plugin will read this!

I may as well include some more detail:

Bug 1:

Some spam that should have been DNSBL blocked actually got through the Blacklist Filter without being marked.
I looked through the Blacklists2.log file, and noted the following, which indicates a parsing problem:

--- Begin log
Received: from 89.1.xxx.yyy.dynamic.barak-online.net (89.1.xxx.yyy.dynamic.barak-online.net [89.1.xxx.yyy]) by smtp-1.myisp.net (Postfix) with ESMTP id 4D22462273F for <MarkC@myisp.net>; Mon, 16 Oct 2006 16:15:57

Getting IPs...
Checking string: 89.1.xxx.yyy by
Not a valid IP address
--- End log

Note: between the text "[89.1.xxx.yyy])" and the text "by smtp-1" in the original log is a TAB character (not a space).
Also, between the text "Checking string: 89.1.200.35" and the text "by" is also a single TAB character (not a space).

It looks like the TAB is *not* being treated as equivalent to whitespace, which is confusing the parsing.

The filter should be checking IP "89.1.xxx.yyy".
BUT the TAB character confuses it and it decides the text is not a valid IP address and it does not bother.
(I looked up that IP address on a web-based DNSBL, and the IP was actually blocked.)

RFC2822 (and RFC2234) allow email headers to contain TAB characters (defined as "WSP") and the headers inserted by my ISP's email server do often contain TAB characters.


Bug 2:

Sometimes emails contain RFC1918 IPs.

The headers for a recent email included this:

Received: from unknown (172.16.0.16) by 0 with QMTP; Mon, 16 Oct 2006 09:20:14 +0000

IP 172.16.0.16 is an RFC1918 non-routable/private IP address, similar to 10.0.0.1 & 192.168.0.1.

It likely indicates an internal hand-off or transfer of the email between mail systems within an ISP or organisation.

However, Blacklist Filter is attempting to do a DNSBL lookup on that IP, and blackholes.five-ten-sg.com is returning a result which is being interpreted as positive, resulting in the email being filtered/blocked.

(See this dnstuff.com DNSBL lookup for 172.16.0.16)

The presence of an RFC1918 IP in the headers implies nothing at all regarding spam sources.

A manual lookup at http://www.five-ten-sg.com/blackhole.php for 172.16.0.16 shows this message:

"IP address 172.16.0.16 is listed here as rfc1918 misc.
RFC1918 addresses are not globally unique. They are reserved for internal
use in private networks. There is no point in asking any sort of ip address
based public reputation system about the spam reputation of such an address.
Such dns queries are simply extra noise."

It would be good if Blacklist Filter did not check RFC1918 private IPs.

Thanks.
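An added example, not part of the thread and not the plugin's own code: one way to extract addresses from `Received:` headers so that a TAB delimits a token like any other whitespace, and to drop RFC 1918 addresses before building DNSBL query names. The function names, the stand-in address 203.0.113.7 (for the masked one in the post) and the zone `dnsbl.example.org` are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; a public DNSBL has nothing useful to say about them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A dotted quad ends at any character that is not a digit or a dot, so a TAB
# after "[1.2.3.4])" terminates the token exactly as a space would.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def extract_ips(header):
    """Return the valid IPv4 addresses found in one Received: header."""
    found = []
    for token in IPV4_RE.findall(header):
        try:
            found.append(ipaddress.IPv4Address(token))
        except ValueError:  # out-of-range octet such as 999.1.2.3
            continue
    return found


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def dnsbl_queries(headers, zone):
    """Build DNSBL query names (reversed octets + zone), skipping RFC 1918."""
    names = []
    for header in headers:
        for ip in extract_ips(header):
            if is_rfc1918(ip):
                continue
            name = ".".join(reversed(str(ip).split("."))) + "." + zone
            if name not in names:
                names.append(name)
    return names


# Constructed headers modelled on the two in the post; 203.0.113.7 stands in
# for the masked address and dnsbl.example.org is a placeholder zone.
SAMPLE_HEADERS = [
    "Received: from h.example.net (h.example.net [203.0.113.7])\tby "
    "smtp-1.myisp.net (Postfix) with ESMTP id 4D22462273F",
    "Received: from unknown (172.16.0.16) by 0 with QMTP; "
    "Mon, 16 Oct 2006 09:20:14 +0000",
]

if __name__ == "__main__":
    print(dnsbl_queries(SAMPLE_HEADERS, "dnsbl.example.org"))
```

The explicit network list is used instead of `ipaddress`'s `is_private` attribute because that attribute also covers other reserved ranges, which goes beyond the RFC 1918 check discussed in the post.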

Re: Blacklist Filter bugs

Post by Quellcore » 21 Oct 2006, 19:13

Hello MarkC!
Did you see the email address that is provided on the webpage?

blacklistfilter [at] yahoo [dot] com

You could try to contact him through that one!


Regards
Quellcore

Re: Blacklist Filter bugs

Post by MarkC » 22 Oct 2006, 00:08

Quellcore wrote: Did you see the email address that is provided on the webpage?

Yes I did.
I've sent emails to:
blacklistfilter [at] yahoo [dot] com
blacklistfilter [at] thinbrowser [dot] net
mark [at] edwards [dot] org
... and another guessed email address, with no reply so far.

Thanks

(Edit below)
Once I got the right 'magic' tag in the subject, I got this reply:
> Thanks a bunch for those reports. I'll get them fixed relatively soon.

Good, good!

Re: Blacklist Filter bugs

Post by Chactory » 22 Oct 2006, 13:07

Thank you very much for your engagement (I hope this isn't mistakeful English ... :?)!

Since every plugin programmer is only working in his free time for fame and glory, one can only hope that some of them want to resume their splendid programming!

Fixed!

Post by Guest » 3 Dec 2006, 05:15

These are fixed. Thanks MarkC!

Mark Edwards