spamhaus / spamassassin-dqs

Spamhaus code for the Spamassassin plugin. See https://docs.spamhaustech.com/40-real-world-usage/SpamAssassin/000-intro.html
Apache License 2.0

Invalid domains may result in log noise #34

Closed marcbradshaw closed 3 years ago

marcbradshaw commented 3 years ago

We see occasional log entries suggesting that null domains are being checked against

dns: new_dns_packet (domain=..zrd.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label

zrd and dbl both appear

jwpemail commented 3 years ago

I have 2 msg's that I've identified as producing the "null label" error, but when I re-process them via spamc I do not get the error. :(

ricalfieri commented 3 years ago

This could be a spamassassin bug, but to be sure can you try running

spamassassin -t -D < a.eml 2>&1 | grep SHPlugin

and check the output? Every lookup done by the plugin is there and if you can identify the function I may be able to fix it.

In case you find the bug please paste the .eml on pastebin so I can reproduce the bug locally

jwpemail commented 3 years ago

I have not witnessed this occurring since it originally did 3 days ago. I'm going to guess that something in SA rules 3.004005 was fixed.

jwpemail commented 3 years ago

This has been happening again for about 2 weeks now and I've finally gotten around to capturing some data.

Here's the relevant SA logs:

Apr 24 00:38:15 cf spamd[3294]: spamd: connection from ::1 [::1]:47854 to port 783, fd 5
Apr 24 00:38:15 cf spamd[3294]: spamd: processing message <004501d738aa$060859ab$4fb84599@dotcf> for dl:65534
Apr 24 00:38:15 cf spamd[3294]: dns: new_dns_packet (domain=.REDACTED.zrd.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
Apr 24 00:38:15 cf spamd[3294]: dns: new_dns_packet (domain=.REDACTED.dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
Apr 24 00:38:15 cf spamd[3294]: spamd: identified spam (110.3/5.0) for dl:65534 in 0.0 seconds, 3762 bytes.
Apr 24 00:38:15 cf spamd[3294]: spamd: result: Y 110 - RCVD_IN_RP_RNBL,RCVD_IN_XBL,RCVD_IN_ZEN_LASTEXTERNAL,SHORTCIRCUIT scantime=0.0,size=3762,user=dl,uid=65534,required_score=5.0,rhost=::1,raddr=::1,rport=47854,mid=<004501d738aa$060859ab$4fb84599@dotcf>,autolearn=disabled,shortcircuit=spam

Here's the slightly redacted email that caused this:

From koyama@sanko-kagaku.co.jp  Sat Apr 24 00:38:15 2021
Return-Path: <koyama@sanko-kagaku.co.jp>
X-Original-To: REDACTED@REDACTED.TLD
Delivered-To: jimpop@localhost.localdomain
X-Client-Addr: 41.75.82.218
Received: from [41.75.82.218] (unknown [41.75.82.218])
    by mx1.domainmail.net (Postfix) with ESMTP id 4FRshQ546xz41TS
    for <REDACTED@REDACTED.TLD>; Sat, 24 Apr 2021 00:38:11 +0000 (UTC)
Message-ID: <004501d738aa$060859ab$4fb84599@dotcf>
From: <koyama@sanko-kagaku.co.jp>
To: <REDACTED@REDACTED.TLD>
Subject: Hackers have access to your device. Check details ASAP!
Date: 24 Apr 2021 01:01:01 +0000
MIME-Version: 1.0
Content-Type: text/plain;
    charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.3674
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.3674
X-Virus-Scanned: clamav-milter 0.103.2 at cf.domainmail.net
X-Virus-Status: Clean
X-Spam-Flag: YES
X-Spam-Status: Yes, score=110.3 required=5.0 tests=RCVD_IN_RP_RNBL,RCVD_IN_XBL,
    RCVD_IN_ZEN_LASTEXTERNAL,SHORTCIRCUIT shortcircuit=spam
    autolearn=disabled version=3.4.5-pre1
X-Spam-Report: 
    *  1.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    *      [41.75.82.218 listed in REDACTED.zen.dq.spamhaus.net]
    *  1.3 RCVD_IN_RP_RNBL RBL: Relay in RNBL,
    *      https://senderscore.org/blacklistlookup/
    *      [41.75.82.218 listed in bl.score.senderscore.com]
    *  100 SHORTCIRCUIT Not all rules were run, due to a shortcircuited
    *      rule
    *  8.0 RCVD_IN_ZEN_LASTEXTERNAL The last untrusted relay is listed in
    *      Spamhaus ZEN
X-Spam-Level: **************************************************
X-Spam-Checker-Version: SpamAssassin 3.4.5-pre1 (2020-06-20) on
    cf.domainmail.net

Hello there
Let me introduce myself first - I am a professional programmer, who specializes in hacking during my free time.
This time you were unlucky to become my next victim and I have just hacked the Operating System and your device.

I have been observing you for several months.
To put things in a simple way, I have infected your device with my virus while you were visiting your favorite adult website.

I will try to explain the situation in more details, if you are not really familiar with this kind of situations.
Trojan virus grants me with full access as well as control of your device.
Hence, I can see and access anything on your screen, switch on the camera and microphone and do other stuff, while you don't even know that.

In addition, I also accessed your whole contacts list at social networks and your device too.

You may be questioning yourself - why didn't your antivirus detect any malicious software until now?

- Well, my spyware uses a special driver, which has a signature that is updated on a frequent basis, hereby your antivirus simply cannot catch it.

I have created a videoclip exposing the way you are playing with yourself on the left screen section, while the right section shows the porn video that you were watching at that point of time.
Few clicks of my mouse would be sufficient to forward this video to all your contacts list and social media friends.
You will be surprised to discover that I can even upload it to online platforms for public access.

The good news is that you can still prevent this from happening:
All you need to do is transfer $1350 (USD) of bitcoin equivalent to my BTC wallet (if you don't know how to get it done, 
do some search online - there are plenty of articles describing the step-by-step process).

My bitcoin wallet is (BTC Wallet): 1NToziZKcJfyxHpwkcxbafwghGasme4NUf

Once I receive your payment, I will delete your kinky video right away, and can promise that is the last time you hear from.
You have 48 hours (2 days exactly) to complete the payment.
The read notification will be automatically sent to me, once you open this email, so the timer will start automatically from that moment.

Don't bother trying to reply my email, because it won't change anything (the sender's email address has been generated automatically and taken from internet).
Don't try to complain or report me either, because all my personal information and my bitcoin address are encrypted as part of blockchain system.
I have done my homework.

If I discover that you have tried forwarding this email to anyone, I will right away share your kinky video to public.

Let's be reasonable and don't make any stupid mistakes anymore. I have provided a clear step-by-step guide for you.
All you need to do is simply follow the steps and get rid of this uncomfortable situation once and for all.

Best regards and good luck.

ricalfieri commented 3 years ago

I ran a local test with SpamAssassin 3.4.6 and cannot reproduce. What version are you running?

jwpemail commented 3 years ago

spamassassin 3.4.5~pre1-3 (Debian/Bullseye)

ricalfieri commented 3 years ago

If you run spamassassin -D -t < youremail.eml does the error occur?

jwpemail commented 3 years ago

no :( Unfortunately I only kept the redacted copy, so that is what I ran the -D test with. I'm siphoning a new one off the mail flow and will run -D against it.

jwpemail commented 3 years ago

I captured a new one, and it did not reproduce the same errors. I searched the -D output for the word "null" and did not find it. Riccardo, is it ok to email you the unredacted version?

ricalfieri commented 3 years ago

Sure, you can mail me the sample, but my wild guess is that it is an SA bug. If scanning with spamassassin -D doesn't show null queries then it may be something related to spamd.

jwpemail commented 3 years ago

I guess I'll focus on spamass-milter's logs to see what it is sending spamd.