
Blacklist Filter bugs

Posted: 17 Oct 2006, 05:03
by MarkC
Blacklist Filter has two bugs.

(Mark Edwards, are you still following this forum?)

Summary:
- Email headers with embedded TAB characters confuse the parsing of IP addresses
- RFC1918 private IPs are being tested against DNSBL when they should be ignored.

More details on request.

Posted: 21 Oct 2006, 00:49
by Chactory
Thank you very much for analyzing this so competently.
I hope that the programmer of the plugin and of the main program will read this.

Posted: 21 Oct 2006, 12:56
by MarkC
I too am very much hoping that the programmer of the plugin will read this!

I may as well include some more detail:

Bug 1:

Some spam that should have been DNSBL blocked actually got through the Blacklist Filter without being marked.
I looked through the Blacklists2.log file, and noted the following, which indicates a parsing problem:

--- Begin log
Received: from 89.1.xxx.yyy.dynamic.barak-online.net (89.1.xxx.yyy.dynamic.barak-online.net [89.1.xxx.yyy]) by smtp-1.myisp.net (Postfix) with ESMTP id 4D22462273F for <MarkC@myisp.net>; Mon, 16 Oct 2006 16:15:57

Getting IPs...
Checking string: 89.1.xxx.yyy by
Not a valid IP address
--- End log

Note: between the text "[89.1.xxx.yyy])" and the text "by smtp-1" in the original log is a TAB character (not a space).
Also, between the text "Checking string: 89.1.200.35" and the text "by" is also a single TAB character (not a space).

It looks like the TAB is *not* being treated as equivalent to whitespace, which is confusing the parsing.

The filter should be checking IP "89.1.xxx.yyy".
BUT the TAB character confuses it and it decides the text is not a valid IP address and it does not bother.
(I looked up that IP address on a web-based DNSBL, and the IP was actually blocked.)

RFC2822 (and RFC2234) allow email headers to contain TAB characters (defined as "WSP") and the headers inserted by my ISP's email server do often contain TAB characters.


Bug 2:

Sometimes emails contain RFC1918 IPs.

The headers for a recent email included this:

Received: from unknown (172.16.0.16) by 0 with QMTP; Mon, 16 Oct 2006 09:20:14 +0000

IP 172.16.0.16 is an RFC1918 non-routable/private IP address, similar to 10.0.0.1 & 192.168.0.1.

It likely indicates an internal hand-off or transfer of the email between mail systems within an ISP or organisation.

However, Blacklist Filter is attempting to do a DNSBL lookup on that IP, and blackholes.five-ten-sg.com is returning a result which is being interpreted as positive, resulting in the email being filtered/blocked.

(See this dnstuff.com DNSBL lookup for 172.16.0.16)

The presence of an RFC1918 IP in the headers implies nothing at all regarding spam sources.

A manual lookup at http://www.five-ten-sg.com/blackhole.php for 172.16.0.16 shows this message:

"IP address 172.16.0.16 is listed here as rfc1918 misc.
RFC1918 addresses are not globally unique. They are reserved for internal
use in private networks. There is no point in asking any sort of ip address
based public reputation system about the spam reputation of such an address.
Such dns queries are simply extra noise."

It would be good if Blacklist Filter did not check RFC1918 private IPs.

Thanks.
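
An added example, not part of the original post and not the plugin's own code: one way to extract IPs from a Received header so that a TAB ends a token like any other whitespace (Bug 1), and to skip RFC1918 addresses before building DNSBL query names (Bug 2). The function names, the zone `dnsbl.example` and the first sample header (with documentation address 203.0.113.35) are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges: a public DNSBL has nothing useful to say about them.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A dotted quad bounded by anything that is not a digit or a dot, so TAB,
# space, bracket and parenthesis all end the token. Hostnames that merely
# start with an IP (e.g. 203.0.113.35.dynamic.example.net) do not match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: a TAB separates "[203.0.113.35])" from "by".
TAB_HEADER = ("Received: from 203.0.113.35.dynamic.example.net "
              "(203.0.113.35.dynamic.example.net [203.0.113.35])\tby "
              "smtp-1.example.net (Postfix) with ESMTP id 4D22462273F; "
              "Mon, 16 Oct 2006 16:15:57")
# Header quoted in the post above (Bug 2).
PRIVATE_HEADER = ("Received: from unknown (172.16.0.16) by 0 with QMTP; "
                  "Mon, 16 Oct 2006 09:20:14 +0000")


def extract_ips(received):
    """Return the valid IPv4 addresses found in one Received header."""
    # Unfold continuation lines (line break followed by WSP), then treat TAB as space.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", received).replace("\t", " ")
    found = []
    for token in IPV4_RE.findall(unfolded):
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:  # out-of-range octets such as 999.1.1.1
            continue
        if ip not in found:
            found.append(ip)
    return found


def dnsbl_queries(received, zone):
    """Build DNSBL query names for the non-RFC1918 IPs in a Received header."""
    names = []
    for ip in extract_ips(received):
        if any(ip in net for net in RFC1918):
            continue  # internal hand-off between mail systems; no lookup
        reversed_octets = ".".join(reversed(str(ip).split(".")))
        names.append(f"{reversed_octets}.{zone}")
    return names
```

The explicit RFC1918 list is used instead of `IPv4Address.is_private` because `is_private` also covers other reserved ranges, which is broader than what the post asks for.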

Posted: 21 Oct 2006, 19:13
by Quellcore
Hello MarkC!
Did you see the email address that is provided on the webpage?

blacklistfilter [at] yahoo [dot] com

You could try to contact him through that one!


Regards
Quellcore

Posted: 22 Oct 2006, 00:08
by MarkC
Quellcore wrote: Did you see the email address that is provided on the webpage?

Yes I did.
I've sent emails to:
blacklistfilter [at] yahoo [dot] com
blacklistfilter [at] thinbrowser [dot] net
mark [at] edwards [dot] org
... and another guessed email address, with no reply so far.

Thanks

(Edit below)
Once I got the right 'magic' tag in the subject, I got this reply:
> Thanks a bunch for those reports. I'll get them fixed relatively soon.

Good, good!

Posted: 22 Oct 2006, 13:07
by Chactory
Thank you very much for your engagement (I hope this isn't mistakeful english ... :?)!

For every plugin programmer is only working in his free time due to fame and glory, it is only possible to hope that some of them want to resume their splendid programming!

Fixed!

Posted: 3 Dec 2006, 05:15
by Guest
These are fixed. Thanks MarkC!

Mark Edwards