Hello All,
I've started getting a few messages that are getting pushed into the spam
zone by what I think are false positives on the FAKED_HOTMAIL_DAV rule.
We're running 2.63 and I've taken a quick look at the rule for
FAKED_HOTMAIL_DAV and while I'm a beginner as far as REGEX goes it looks
like it shouldn't have triggered.
Below are a couple of examples.
If anyone can offer some insight as to why FAKED_HOTMAIL_DAV hit on these
I'd be grateful.
Thanks,
Jonathan
Example 1
Received: from parker.isd.glam.ac.uk ([192.168.244.9]) by
MAILSERV1.uni.glam.ac.uk with Microsoft SMTPSVC(6.0.3790.0);
Wed, 17 Mar 2004 14:15:20 +0000
Received: from walter.glam.ac.uk ([193.63.147.60] helo=Walter)
by parker.isd.glam.ac.uk with esmtp (Exim 4.30)
id 1B3bnP-0005OH-1d; Wed, 17 Mar 2004 14:13:23 +0000
Received: from smtp.jiscmail.ac.uk ([130.246.192.48])
by Walter with esmtp (Exim 3.35 #2)
id 1B3bUt-0005yz-00; Wed, 17 Mar 2004 13:54:15 +0000
Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by
smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id
<[EMAIL PROTECTED]>; Wed, 17 Mar 2004 14:14:48 +0000
Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release
1.8e)
with spool id 34518039 for [EMAIL PROTECTED];
Wed, 17 Mar 2004 14:14:48 +0000
Received: from 130.246.192.53 by JISCMAIL.AC.UK (SMTPL release 1.0i) with
TCP;
Wed, 17 Mar 2004 14:14:48 GMT
X-RAL-MFrom: <[EMAIL PROTECTED]>
X-RAL-Connect: <law10-f12.law10.hotmail.com [64.4.15.12]>
Received: from hotmail.com (law10-f12.law10.hotmail.com [64.4.15.12]) by
fili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i2HEEPY8025897
for
<[EMAIL PROTECTED]>; Wed, 17 Mar 2004 14:14:30
GMT
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Wed,
17 Mar 2004 06:13:54 -0800
Received: from 212.2.26.97 by lw10fd.law10.hotmail.msn.com with HTTP; Wed,
17
Mar 2004 14:13:54 GMT
X-Originating-IP: [212.2.26.97]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/html
X-OriginalArrivalTime: 17 Mar 2004 14:13:54.0700 (UTC)
FILETIME=[1499CCC0:01C40C2A]
X-CCLRC-SPAM-report: -3.819 :
BAYES_00,HTML_FONTCOLOR_BLUE,HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONL
Y
X-Scanned-By: MIMEDefang 2.38
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by fili.jiscmail.ac.uk
id
i2HEEPY8025897
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 17 Mar 2004 14:13:54 +0000
Reply-To: Discussion of the implications of FoI for FE and HE
institutions <[EMAIL PROTECTED]>
Sender: Discussion of the implications of FoI for FE and HE
institutions <[EMAIL PROTECTED]>
From: Andy Gray <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Precedence: list
X-SpamUoG-Score: 5.4 (+++++)
X-SpamUoG-Flag: YES
X-SpamUoG-Report: Below is a summary report from the University of
Glamorgan's UBE
detection system. If you have any questions or enquiries,
please e-mail Network UBE Feedback for further details.
---- ----------------------
--------------------------------------------------
pts rule name description
---- ----------------------
--------------------------------------------------
0.5 HTML_20_30 BODY: Message is 20% to 30% HTML
0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 HTML_MESSAGE BODY: HTML included in message
0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
1.3 RCVD_IN_NJABL_RELAY RBL: NJABL: sender is confirmed open relay
[212.2.26.97 listed in dnsbl.njabl.org]
0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
[212.2.26.97 listed in dnsbl.njabl.org]
2.6 FAKED_HOTMAIL_DAV X-Originating-Email header does not match
From
---------------------- End of summary report ---------------------
Subject: ***SpamUoG*** Re: Address for Correspondence
Return-Path: [EMAIL PROTECTED]
Example 2
Received: from parker.isd.glam.ac.uk ([192.168.244.9]) by
MAILSERV1.uni.glam.ac.uk with Microsoft SMTPSVC(6.0.3790.0);
Sat, 13 Mar 2004 13:44:32 +0000
Received: from walter.glam.ac.uk ([193.63.147.60] helo=Walter)
by parker.isd.glam.ac.uk with esmtp (Exim 4.30)
id 1B29QF-0002oa-JE; Sat, 13 Mar 2004 13:43:27 +0000
Received: from smtp.jiscmail.ac.uk ([130.246.192.48])
by Walter with esmtp (Exim 3.35 #2)
id 1B296v-0001N9-00; Sat, 13 Mar 2004 13:23:29 +0000
Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by
smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id
<[EMAIL PROTECTED]>; Sat, 13 Mar 2004 13:43:57 +0000
Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release
1.8e)
with spool id 34317918 for [EMAIL PROTECTED];
Sat,
13 Mar 2004 13:43:57 +0000
Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0i) with
TCP;
Sat, 13 Mar 2004 13:43:57 GMT
X-RAL-MFrom: <[EMAIL PROTECTED]>
X-RAL-Connect: <law9-oe28.law9.hotmail.com [64.4.8.85]>
Received: from hotmail.com (law9-oe28.law9.hotmail.com [64.4.8.85]) by
kili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i2DDhsxe005348
for
<[EMAIL PROTECTED]>; Sat, 13 Mar 2004 13:43:55
GMT
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Sat,
13 Mar 2004 05:31:53 -0800
Received: from 62.252.96.4 by law9-oe28.law9.hotmail.com with DAV; Sat, 13
Mar
2004 13:31:52 +0000
X-Originating-IP: [62.252.96.4]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-OriginalArrivalTime: 13 Mar 2004 13:31:53.0108 (UTC)
FILETIME=[8BF66540:01C408FF]
X-CCLRC-SPAM-report: -3.207 : ACT_NOW_CAPS,BAYES_00,FROM_ENDS_IN_NUMS
X-Scanned-By: MIMEDefang 2.39
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by kili.jiscmail.ac.uk
id
i2DDhsxe005348
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 13 Mar 2004 13:45:47 -0000
Reply-To: "Ibrahim Hasan (hotmail)" <[EMAIL PROTECTED]>
Sender: The UK Records Management mailing list
<[EMAIL PROTECTED]>
From: "Ibrahim Hasan (hotmail)" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Precedence: list
X-SpamUoG-Score: 7.1 (+++++++)
X-SpamUoG-Flag: YES
X-SpamUoG-Report: Below is a summary report from the University of
Glamorgan's UBE
detection system. If you have any questions or enquiries,
please e-mail Network UBE Feedback for further details.
---- ----------------------
--------------------------------------------------
pts rule name description
---- ----------------------
--------------------------------------------------
0.9 FROM_ENDS_IN_NUMS From: ends in numbers
1.3 ACT_NOW_CAPS BODY: Talks about 'acting now' with capitals
1.1 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[62.252.96.4 listed in dnsbl.sorbs.net]
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[62.252.96.4 listed in dnsbl.sorbs.net]
1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?ip=62.252.96.4>]
2.6 FAKED_HOTMAIL_DAV X-Originating-Email header does not match
From
---------------------- End of summary report ---------------------
Subject: ***SpamUoG*** RM Courses
Return-Path: [EMAIL PROTECTED]
