[Mimedefang] Help with header checking

Andrea Venturoli ml at netfence.it
Thu Nov 26 11:55:50 EST 2020


On 11/26/20 3:47 PM, Dianne Skoll via MIMEDefang wrote:

> You shouldn't really print "head = %$head" because you don't know the
> implementation details of Mail::Header.  Treat it as an opaque object.

So how do I know why/how it failed?



> I suggest calling action_quarantine_entire_message() if you get no
> received headers so you can preserve a copy of the original message for
> analysis.

Sorry, I think I wasn't clear: I have such messages!
They are spam getting through, so I've been able to examine them.
What I don't understand is why they weren't blocked, when, IMNSHO, there 
is more than one reason for them to be.



> It should be $head->{$key} and is unlikely to be useful; you're
> printing instance variables on the Mail::Header object, which most
> likely do not correspond to actual headers.
> If you want to log @recheads, I would do it like this:
>
> md_syslog('warning', 'recheads = ' . join(', ', @recheads));

Thanks.
What I'm now getting is something like:
> mimedefang.pl[86009]: 0AQGZBmM087137: head = %Mail::Header=HASH(0x1617cac8)
> mimedefang.pl[86009]: 0AQGZBmM087137: mail_hdr_modify is 0
> mimedefang.pl[86009]: 0AQGZBmM087137: mail_hdr_foldlen is 79
> mimedefang.pl[86009]: 0AQGZBmM087137: mail_hdr_lengths is HASH(0x19404798)
> mimedefang.pl[86009]: 0AQGZBmM087137: mail_hdr_list is ARRAY(0x15e19060)
> mimedefang.pl[86009]: 0AQGZBmM087137: mail_hdr_hash is HASH(0x178b94b0)
> mimedefang.pl[86009]: 0AQGZBmM087137: mail_hdr_mail_from is KEEP
> mimedefang.pl[86009]: 0AQGZBmM087137: recheads = Mail::Field::Received=HASH(0x180a4630)

It's better than nothing.
Now I'm waiting for such spam to arrive, so I can see in what way it's 
different.
I think I first need to understand if it's Mail::Header (earlier) or 
Mail::Field (later) that is failing to parse.




> Anyway... you need to capture the message (or at least the headers)
> so we can analyze what's going on.

Here's a sample:
> Return-Path: <pagina at poeconomico.casa>
> Received: from soth.netfence.it ([unix socket])
> 	 by mailserver.netfence.it (Cyrus 3.0.14) with LMTPA;
> 	 Wed, 25 Nov 2020 03:45:44 +0100
> X-Cyrus-Session-Id: mailserver.netfence.it-557-1606272344-1-3657946293514545252
> X-Sieve: CMU Sieve 3.0
> Received: from poeconomico.casa (vds74451.mgn-host.ru [89.191.230.250] (may be forged))
> 	by soth.netfence.it (8.16.1/8.16.1) with ESMTPS id 0AP2jef2000844
> 	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
> 	for <andrea at netfence.it>; Wed, 25 Nov 2020 03:45:43 +0100 (CET)
> 	(envelope-from pagina at poeconomico.casa)
> Authentication-Results: soth.netfence.it;
> 	dkim=pass (2048-bit key) header.d=poeconomico.casa header.i=pagina at poeconomico.casa header.b=cGnTmyJh
> X-Authentication-Warning: soth.netfence.it: Host vds74451.mgn-host.ru [89.191.230.250] (may be forged) claimed to be poeconomico.casa
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=key1; d=poeconomico.casa;
>  h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type;
>  i=pagina at poeconomico.casa;
>  bh=xbJLlOE1CWUnav77hJisuzISPwtefQrfatVm8E+8Sow=;
>  b=cGnTmyJh1B9VDyiBCFcRI2pVOQqJ+fw65kJL6vCU15L3GTJXXNxpgd0HHyeFDlXYj/1o+HHX3mkt
>    m1YEVxiN/83OcZzQGMRhFLk6rVtoTMARuN/uO1fYAaxcCLqpsM5YLyU6NPIwsYsCkZx0pz4vCtMo
>    Scl4h3E9zx52tto+NClcudYfpP+NW8QkC1J3Wu3ZkwGcBE2HkxsX7TOkR0OAk8ottDAu3OThcvCL
>    SCuDoaaZxBxok24KZUJ663tjzPFMPih+Lna0Gx7bmYi//3mvI+7vkwQNMztima+51SQiI+UI77Ro
>    H/M9ke7T0CNZfImI7dd+x4KluyNSe4dyH83DKQ==
> Message-ID: <2a3970dc95e4cec62a2f9935fd496366a1ebc7 at poeconomico.casa>
> From: accountant <pagina at poeconomico.casa>
> To: xxxxxx at netfence.it
> Subject: Ho trovata la tua email attraverso il servizio di appuntamenti "meetic.it".
> Date: Wed, 25 Nov 2020 02:44:07 +0100
> MIME-Version: 1.0
> Content-Type: multipart/related; boundary="2bd19889d80c22e13d3871e175a182d1cd7a"
> X-Scanned-By: MIMEDefang 2.83

As you can see:
_ there's no X-Spam-Score header: either SpamAssassin didn't detect this 
or it wasn't even launched;
_ if it ran, it should have added 100 points alone since "*.casa" is 
blacklisted; that alone should have been enough;
_ also 89.191.230.250 range is in my personal DNSBL and again this alone 
should have been enough.



N.B.
Running spamassassin on the command line effectively gives the score I 
expect, so I just *think* it's not called. What in the end I'm trying to 
see is why.
Calling spamassassin and the code I posted are two different things: but 
I see the latter is also failing and I thought that might give some hint.
If there's a better way to see why spamassassin fails, it would probably 
be enough (although curiosity... :).

  bye & Thanks
	av.
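The three checks the post expects to have fired (an X-Spam-Score header present, the sender's "*.casa" TLD on the local blocklist, the relay's address in the personal DNSBL range) can be re-run offline against the captured headers. The following is an added example written for this page in Python, not MIMEDefang's code and not the Perl filter from the thread; the header block is the one quoted above, trimmed to what the checks need and with the archive's " at " restored to "@", and the blocked TLD set and the 89.191.230.0/24 range are assumed stand-ins for the poster's private lists.

```python
"""Stand-alone re-check of the headers quoted in the post (added example,
not MIMEDefang or the poster's filter code)."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Header block copied from the post, trimmed to what the checks need
# (the DKIM-Signature is dropped; the archive's " at " is restored to "@").
SAMPLE_HEADERS = """\
Return-Path: <pagina@poeconomico.casa>
Received: from soth.netfence.it ([unix socket])
\t by mailserver.netfence.it (Cyrus 3.0.14) with LMTPA;
\t Wed, 25 Nov 2020 03:45:44 +0100
X-Sieve: CMU Sieve 3.0
Received: from poeconomico.casa (vds74451.mgn-host.ru [89.191.230.250] (may be forged))
\tby soth.netfence.it (8.16.1/8.16.1) with ESMTPS id 0AP2jef2000844
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
\tfor <andrea@netfence.it>; Wed, 25 Nov 2020 03:45:43 +0100 (CET)
\t(envelope-from pagina@poeconomico.casa)
X-Authentication-Warning: soth.netfence.it: Host vds74451.mgn-host.ru [89.191.230.250] (may be forged) claimed to be poeconomico.casa
From: accountant <pagina@poeconomico.casa>
To: xxxxxx@netfence.it
Subject: Ho trovata la tua email attraverso il servizio di appuntamenti "meetic.it".
Date: Wed, 25 Nov 2020 02:44:07 +0100
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.83
"""

# Constructed stand-ins for the poster's private lists: the post says
# "*.casa" is blacklisted and that the relay's range is in a personal DNSBL.
BLOCKED_TLDS = {"casa"}
BLOCKED_NETS = [ipaddress.ip_network("89.191.230.0/24")]  # assumed range

_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(raw_headers):
    """Return every Received header, top (most recent hop) first, unfolded
    so that continuation lines collapse to single spaces."""
    msg = email.message_from_string(raw_headers)
    return [re.sub(r"\s+", " ", v).strip() for v in msg.get_all("Received", [])]


def relay_ip(received):
    """IPv4 literal from the 'from' clause of one Received header, or None
    for hops without one (e.g. the local '[unix socket]' LMTP hop)."""
    from_clause = received.split(" by ", 1)[0]
    m = _IPV4_IN_BRACKETS.search(from_clause)
    return m.group(1) if m else None


def sender_domain(raw_headers):
    """Domain of the envelope sender (Return-Path), falling back to From:."""
    msg = email.message_from_string(raw_headers)
    for field in ("Return-Path", "From"):
        addr = parseaddr(msg.get(field, ""))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def check_headers(raw_headers, blocked_nets=BLOCKED_NETS, blocked_tlds=BLOCKED_TLDS):
    """Re-run the checks the post expects to have fired; returns a list of
    finding strings (an empty list means nothing would have matched)."""
    msg = email.message_from_string(raw_headers)
    findings = []
    # 1. SpamAssassin normally leaves X-Spam-Score behind; its absence is the
    #    post's main hint that the scan never ran.
    if msg.get("X-Spam-Score") is None:
        findings.append("missing-x-spam-score")
    # 2. Sender TLD on the local blocklist.
    domain = sender_domain(raw_headers)
    if domain and domain.rsplit(".", 1)[-1] in blocked_tlds:
        findings.append(f"sender-tld-blocked:{domain}")
    # 3. Any relay IP inside a blocked range; hops without an IP are skipped.
    for hop in received_headers(raw_headers):
        ip = relay_ip(hop)
        if ip is None:
            continue
        if any(ipaddress.ip_address(ip) in net for net in blocked_nets):
            findings.append(f"relay-in-blocklist:{ip}")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the quoted headers this reports all three findings, which is the point of the exercise: the header block itself would have matched, so the question is why the scan (and the Received-header parse) never got that far, not whether the rules are right.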


