I did actually set up the BADHEADERS filter last night and I just caught a false positive (though a BADHEADER positive).  I don't have the error being written to the E-mail headers, but I looked it up on Scott's tool's page from the code in the log file and got back "This E-mail has a made-up header that does not follow the standard RFC format for an E-mail header."  Any ideas???  Could it have barfed on the ~50 addresses in the To line???

This is valid content and seems to have been sent through HotMail???  It doesn't look strange to me (but what do I know).

Thanks,

Matt


>From <[EMAIL PROTECTED]> Fri Aug 29 12:41:55 2003
Received: from hotmail.com [64.4.27.106] by peckspages.com with ESMTP
  (SMTPD32-7.13) id A24F261D0150; Fri, 29 Aug 2003 12:41:51 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
     Fri, 29 Aug 2003 09:41:48 -0700
Received: from 129.130.205.148 by by8fd.bay8.hotmail.msn.com with HTTP;
    Fri, 29 Aug 2003 16:41:32 GMT
X-Originating-IP: [129.130.205.148]
X-Originating-Email: [[EMAIL PROTECTED]]
From: "CBC News" <[EMAIL PROTECTED]>
To: (removed long list of E-mail addresses)
Subject: Last reminder
Date: Fri, 29 Aug 2003 16:41:32 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 29 Aug 2003 16:41:48.0938 (UTC) FILETIME=[71074EA0:01C36E4C]
X-Declude-Sender: [EMAIL PROTECTED] [64.4.27.106]
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from bay8-f106.bay8.hotmail.com ([64.4.27.106]).
X-Spam-Tests-Failed: NOPOSTMASTER, BADHEADERS, IPNOTINMX, HEURISTICS-2 [4]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: R
X-UIDL: 362044561



Matthew Bramble wrote:
Could someone help me with a little more detail on this.  I'm wondering specifically about if this affects networks behind Webshield SMTP, or E-mail coming from a network protected by Webshield SMTP...or something else?

The message below seems to be generated by Webshield SMTP in response to an E-mail with a virus in it, and it includes an improperly formatted Date field (Date: Tue Aug 26 16:48:12 2003).  Would this affect anything besides automated notifications originating from Webshield SMTP?

Scott, you also mentioned that you believed it was safe to fail automatically on BADHEADERS because such E-mail will also be rejected by other servers, not just a Declude protected one.  I'm wondering if these other such servers are common, and therefore enough of an issue that non-compliant products would be compelled to fix their code.  I would imagine that some of your tests in BADHEADERS are less serious than others, possibly the date for instance, and those might be passed by most mail servers.

I have found in the last 36 hours of monitoring that failing E-mail based on BADHEADERS would clean up about 1/3 of the spam that is getting through, and in that time, I haven't caught a legit E-mail that failed this test, though I haven't set up a catch account for it specifically, but will do momentarily.  I can't remember what exactly it was that made me reduce the score to just 3/10, but I'm sure it was necessary in order to let something through that I believed was important, though this might have been the result of the test catching an automated notification from a firewall.

If others have more examples of BADHEADERS false positives, please send them along, I would appreciate this greatly.

Thanks in advance for any insight.

Matt



Marc Catuogno wrote:
Scott - After reading your e-mail recommending that you can hold on bad
headers I tripled the weight.  Although I really don't care much that this
was held right now, if a virus did really come through my server I would like
to get this. Any idea why a Webshield Alert would fail BADHEADERS? (if that
is where this is really from...)


Received: from ASSENTOR4.corp.isib.net [199.250.13.98] by
mail.prudentialrand.com with ESMTP
  (SMTPD32-7.15) id A5AE450008A; Tue, 26 Aug 2003 17:48:30 -0400
Received: from MSMP2.corp.isib.net (unverified) by ASSENTOR4.corp.isib.net
 (Content Technologies SMTPRS 4.2.10) with ESMTP id
<[EMAIL PROTECTED]> for
<[EMAIL PROTECTED]>;
 Tue, 26 Aug 2003 16:48:11 -0500
Received: from SMTPAV2.corp.isib.net (unverified) by MSMP2.corp.isib.net
 (Content Technologies SMTPRS 4.2.5) with SMTP id
<[EMAIL PROTECTED]> for <[EMAIL PROTECTED]>;
 Tue, 26 Aug 2003 16:48:11 -0500
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Network Associates, Inc. Webshield SMTP, Version 4.5
Date: Tue Aug 26 16:48:12 2003
To: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
Subject: [SPAM]Virus Detected by Network Associates, Inc. Webshield SMTP
V4.5
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client
[8010000e].
X-RBL-Warning: HELOBOGUS: Domain ASSENTOR4.corp.isib.net has no MX or A
records.
X-RBL-Warning: WEIGHT10: Weight of 20 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [199.250.13.98]
X-Declude-Spoolname: Dd5ae0450008aaab3.SMD
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
spam.
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, NOLEGITCONTENT,
WEIGHT10, WEIGHT20, WEIGHT15 [20]
X-Note: This E-mail was sent from mplfw2.dainrauscher.com ([199.250.13.98]).

SMTPAV1: Network Associates WebShield SMTP V4.5 on SMTPAV2 detected virus
W32/[EMAIL PROTECTED] in attachment thank_you.pif from <[EMAIL PROTECTED]>
and it was Cleaned and
Quarantined.


RBC Dain Rauscher does not accept buy, sell or cancel orders by e-mail, or
any instructions by e-mail that would require your signature.  Information
contained in this communication is not considered an official record of your
account and does not supersede normal trade confirmations or statements.
Any information provided has been prepared from sources believed to be
reliable but is not guaranteed, does not represent all available data
necessary for making investment decisions and is for informational purposes
only.

This e-mail may be privileged and/or confidential, and the sender does not
waive any related rights and obligations.  Any distribution, use or copying
of this e-mail or the information it contains by other than an intended
recipient is unauthorized.  If you receive this e-mail in error, please
advise me (by return e-mail or otherwise) immediately.

Information received by or sent from this system is subject to review by
supervisory personnel, is retained and may be produced to regulatory
authorities or others with a legal right to the information.

---
[This E-mail scanned for viruses by Declude Virus]
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of R. Scott Perry
Sent: Tuesday, August 26, 2003 01:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] [IMail Forum] Cannot receive messages
from Comcast.net accounts



I've found that automated mail including opt-in newsletters, E-commerce
receipts, and product notifications, and renewal notices commonly fail the
BADHEADERS, SPAMHEADERS and HELOBOGUS tests.

Just to clarify here for those that aren't aware -- the BADHEADERS and
SPAMHEADERS tests both look for headers that are rare in mail sent from
legitimate mail clients, and are fairly common in spam.  The difference is
that the BADHEADERS test includes non-RFC-compliant headers, whereas the
SPAMHEADERS test includes headers that are technically valid.  So a
legitimate E-mail should NEVER fail the BADHEADERS test -- and it is
therefore normally safe to block on it (since it is not a valid E-mail, and
many mailservers will block the E-mail).  However, the SPAMHEADERS test will
catch a fair amount of legitimate E-mail from poorly designed mail clients.

In this case, the weighting system helps out a lot, by only blocking E-mail
that fails multiple tests.

Note that we will work with any company that is sending out E-mails that
fail either test (at no charge) to help them fix their problems.

                                                    -Scott
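Scott's distinction above (BADHEADERS flags headers that break the RFC, such as the asctime-style Webshield Date line quoted earlier in the thread), as an added example that is not code from Declude or from anyone in the thread: a strict RFC 2822 Date and field-name check in Python, run over constructed header blocks modelled on the two quoted messages. The regex and the sample blocks are assumptions of this example, not Declude's actual test.

```python
import re

# Strict RFC 2822 date-time: [day-of-week ","] day month year hh:mm[:ss] zone.
# Assumption: named zones are limited to the obsolete ones RFC 2822 lists.
RFC2822_DATE = re.compile(
    r"^(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+)?"
    r"\d{1,2}\s+(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{4}\s+"
    r"\d{2}:\d{2}(?::\d{2})?\s+(?:[+-]\d{4}|UT|GMT|[ECMP][SD]T)$")
# field-name = 1*ftext; ftext = printable US-ASCII except ':' (RFC 2822 2.2)
FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def parse_headers(raw: str) -> list:
    """Unfold a header block into (name, value) pairs, stopping at the blank
    line that ends it; a line with no ':' gets name None so it can be flagged."""
    fields = []
    for line in raw.splitlines():
        if not line:
            break
        if line[:1] in (" ", "\t") and fields:  # folded continuation line
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        fields.append((name, value.strip()) if sep else (None, line))
    return fields


def bad_header_reasons(raw: str) -> list:
    """Reasons a header block is not RFC 2822 compliant (the kind of defect
    the BADHEADERS test looks for); an empty list means the block is clean."""
    fields = parse_headers(raw)
    reasons = [f"made-up header {(name or value)!r}"
               for name, value in fields
               if name is None or not FIELD_NAME.match(name)]
    dates = [v for n, v in fields if n and n.lower() == "date"]
    if not dates:
        reasons.append("missing Date")
    elif not RFC2822_DATE.match(dates[0]):
        reasons.append(f"malformed Date {dates[0]!r}")
    return reasons


# Constructed header blocks modelled on the two messages quoted in the thread.
WEBSHIELD = ("X-Mailer: Network Associates, Inc. Webshield SMTP, Version 4.5\n"
             "Date: Tue Aug 26 16:48:12 2003\n"
             "Subject: Virus Detected\n")
HOTMAIL = ("Date: Fri, 29 Aug 2003 16:41:32 +0000\n"
           "Subject: Last reminder\n"
           "Content-Type: text/plain; format=flowed\n")
```

The lenient parser in Python's email.utils (parsedate_tz) accepts the asctime-style Webshield Date without complaint, which is why the check uses a strict pattern instead.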
