SA Bugzilla – Bug 6659
Empty Content-Type causes learning of binary file
Last modified: 2019-06-24 12:44:23 UTC
I'm receiving a few hundred mails a day with small attachments that are (afaik) correctly parsed and nothing happens with the attachments when checking the message to be spam. When autolearning the E-mails as spam, the attachments are being decoded and parsed by the bayes algorithm. The only strange thing I can find in the message (appart from the text content obviously being a phishing mail) is the header of the attachment part: ------=_NextPart_000_0006_01CC51AC.63F30F00 Content-Type: ; name="report_1609.pdf.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="report_1609.pdf.zip" I suspect the empty content-type causes the attachment to be decoded. Running spamassassin in debug mode causes it to hang a the following lines: Sep 16 15:07:12.279 [8264] dbg: bayes: Using userid: 1 Sep 16 15:08:48.746 [8264] dbg: bayes: seen (bf76e190b8121487c91051758a402dd20b18eaa6@sa_generated) put Manually calling sa-learn hangs for a while at the "decoding base64" part: Sep 16 15:34:12.786 [18308] dbg: message: decoding base64 Forgot tokens from 1 message(s) (1 message(s) examined) Sep 16 15:35:49.764 [18308] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x3891ba0) implements 'learner_close', priority 0
Created attachment 4959 [details] One of the messages that "fail" !WARNING! The attachment is probably a virus!
Created attachment 4978 [details] Demo mail 2 !Warning! Attachment probably a virus!
It seems my theory was correct. I've received a set of E-mails with other characteristics that produces the same result (extremely long sa-learn times) These E-mails also contain an attachment with an empty content-type header: ------=_NextPart_000_0006_01CC519D.0905EB80 Content-Type: ; name="Uniform traffic ticket.zip" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Uniform traffic ticket.zip"
Doesn't seem to be a problem in current version, closing.