http://bugzilla.spamassassin.org/show_bug.cgi?id=3173
------- Additional Comments From sidney@sidney.com 2004-03-14 13:05 -------
Ok, now there's an appropriate place to talk about this :-)
If it is possible to craft such a message, then our code is identifying text as
invisible when it is not invisible. That would be a bug in our code, which can
be fixed. The correct approach is to attach such a message to a bug report.
I would not consider any solution acceptable if it allows a spammer to create a
message with 20,000 unique random 4-letter combinations that would be processed
by Bayes and not visible in a mail reader, unless someone comes up with a way
for that not to be a DoS attack on SpamAssassin with Bayes. That doesn't mean do
nothing to fix a problem, but it is a security issue that cannot be ignored.
I don't see introducing a vulnerability in order to fix a problem that has not
been demonstrated. Where is this message that is labeled invisible but isn't and
for which there is no fix in the invisibility detector code? If there is no such
example after some time, I'll be closing this bug as a WONTFIX. Of course if I
do that and an example shows up in the future, I would be happy to see this
reopened.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
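The comment above turns on one mechanism: an invisibility detector that decides which parts of an HTML body a reader never sees, and the risk that a spammer stuffs thousands of unique tokens into such hidden text so that Bayes trains on tokens that carry no visible meaning. The script below is an added example, not code from the bug report or from SpamAssassin; it splits an HTML body into visible and invisible text with Python's standard-library `HTMLParser`, then counts tokens that occur only in hidden text. The CSS patterns it treats as hiding text, the `max_hidden_only` threshold, and the two sample messages are all assumptions constructed for this example.

```python
"""Toy invisible-text splitter and Bayes-stuffing indicator (added example,
not SpamAssassin code)."""

import itertools
import re
from html.parser import HTMLParser

# Inline styles this example treats as hiding text (assumption: a real
# detector handles more cases, e.g. foreground colour equal to the background).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)",
    re.I,
)
_TOKEN = re.compile(r"[A-Za-z0-9']+")
# Elements that never have a closing tag; they must not be pushed on the stack.
_VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}


class VisibilitySplitter(HTMLParser):
    """Route character data into a visible or an invisible bucket depending on
    whether any enclosing element hides it."""

    def __init__(self):
        super().__init__()
        self.visible = []
        self.invisible = []
        self._hidden_stack = []  # one flag per open element: True if it hides text

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        attrs = dict(attrs)  # a valueless attribute such as `hidden` maps to None
        style = attrs.get("style") or ""
        hidden = "hidden" in attrs or bool(_HIDDEN_STYLE.search(style))
        self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in _VOID and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_data(self, data):
        bucket = self.invisible if any(self._hidden_stack) else self.visible
        bucket.append(data)


def split_visibility(html):
    """Return (visible_text, invisible_text) for an HTML body."""
    parser = VisibilitySplitter()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), " ".join(parser.invisible)


def unique_tokens(text):
    return {t.lower() for t in _TOKEN.findall(text)}


def invisible_token_report(html, max_hidden_only=50):
    """Return (unique_visible, hidden_only, suspicious).

    hidden_only counts tokens that appear in invisible text but nowhere in the
    visible text: a legitimate hidden preheader usually repeats visible words,
    while a Bayes-stuffing payload contributes many tokens the reader never
    sees. The threshold is an assumption chosen for this example."""
    visible, invisible = split_visibility(html)
    vis = unique_tokens(visible)
    hidden_only = unique_tokens(invisible) - vis
    return len(vis), len(hidden_only), len(hidden_only) > max_hidden_only


# Constructed sample messages (not taken from the bug report). The stuffing
# payload is 200 deterministic 4-letter strings so the result is reproducible.
_STUFFING = " ".join(
    "".join(c) for c in itertools.islice(itertools.product("abcdefgh", repeat=4), 200)
)
STUFFED_SAMPLE = (
    "<html><body>"
    "<p>Hi team, the quarterly report is attached. Thanks, Dana</p>"
    f'<div style="display:none">{_STUFFING}</div>'
    "</body></html>"
)
LEGIT_SAMPLE = (
    "<html><body>"
    '<span style="display:none">Quarterly report attached</span>'
    "<p>Hi team, the quarterly report is attached.<br>Thanks, Dana</p>"
    "</body></html>"
)

if __name__ == "__main__":
    for name, sample in (("stuffed", STUFFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, invisible_token_report(sample))
```

Counting only tokens that are absent from the visible text is what keeps an ordinary hidden preheader from tripping the check while still catching the pattern the comment describes; the same split is also the place to attach the counterexample the maintainer asks for, since any text this parser files under `invisible` that a mail client actually renders is exactly the detector bug that should be reported with the message attached.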