Hi,

On Tue, 23 Mar 2004 08:10:21 -0000 "Hall J D (ISeLS)" <[EMAIL PROTECTED]> wrote:

> I've started getting a few messages that are getting pushed into the spam
> zone by what I think are false positives on the FAKED_HOTMAIL_DAV rule.
>
> We're running 2.63 and I've taken a quick look at the rule for
> FAKED_HOTMAIL_DAV and while I'm a beginner as far as REGEX goes it looks
> like it shouldn't have triggered.
>
> Below are a couple of examples.
>
> If anyone can offer some insight as to why FAKED_HOTMAIL_DAV hit on these
> I'd be grateful.

Here are the relevant rules in /usr/share/spamassassin/20_head_tests.cf,
gathered by

  `egrep -h '__HAS_MSN_|FAKED_HOTMAIL' /usr/share/spamassassin/*.cf \
    | egrep -v 'describe|score'`

  header __HAS_MSN_RCVD_DAV Received =~ / by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;/
  header __HAS_MSN_ORIG_EMAIL X-Originating-Email =~ /(?:hotmail|msn)\.com\b/
  header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/
  meta FAKED_HOTMAIL_DAV (__HAS_MSN_RCVD_DAV && __HAS_MSN_ORIG_EMAIL && !__HAS_MSN_FROM)

Looking at the From: header in Example 1 we find:

> From: Andy Gray <[EMAIL PROTECTED]>

and in Example 2:

> From: "Ibrahim Hasan (hotmail)" <[EMAIL PROTECTED]>

The problem is that the __HAS_MSN_FROM test is case-sensitive and is
failing to match either From: header, causing FAKED_HOTMAIL_DAV to trip.
The fix is to change

  header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/

to

  header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/i

but I wonder then what that does to the accuracy of FAKED_HOTMAIL_DAV.

Normally I'd suggest submitting this as a bug, but it appears that
FAKED_HOTMAIL_DAV has been removed from SA 3.0, though there are still
references to it in 30_text_de.cf, 30_text_fr.cf and 30_text_pl.cf in the
current Subversion snapshot.

hth,
-- Bob

> Example 1
>
> Received: from parker.isd.glam.ac.uk ([192.168.244.9]) by
> MAILSERV1.uni.glam.ac.uk with Microsoft SMTPSVC(6.0.3790.0);
> Wed, 17 Mar 2004 14:15:20 +0000
> Received: from walter.glam.ac.uk ([193.63.147.60] helo=Walter)
> by parker.isd.glam.ac.uk with esmtp (Exim 4.30)
> id 1B3bnP-0005OH-1d; Wed, 17 Mar 2004 14:13:23 +0000
> Received: from smtp.jiscmail.ac.uk ([130.246.192.48])
> by Walter with esmtp (Exim 3.35 #2)
> id 1B3bUt-0005yz-00; Wed, 17 Mar 2004 13:54:15 +0000
> Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by
> smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id
> <[EMAIL PROTECTED]>; Wed, 17 Mar 2004 14:14:48 +0000
> Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release
> 1.8e)
> with spool id 34518039 for [EMAIL PROTECTED];
> Wed, 17 Mar 2004 14:14:48 +0000
> Received: from 130.246.192.53 by JISCMAIL.AC.UK (SMTPL release 1.0i) with
> TCP;
> Wed, 17 Mar 2004 14:14:48 GMT
> X-RAL-MFrom: <[EMAIL PROTECTED]>
> X-RAL-Connect: <law10-f12.law10.hotmail.com [64.4.15.12]>
> Received: from hotmail.com (law10-f12.law10.hotmail.com [64.4.15.12]) by
> fili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i2HEEPY8025897
> for
> <[EMAIL PROTECTED]>; Wed, 17 Mar 2004 14:14:30
> GMT
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
> Wed,
> 17 Mar 2004 06:13:54 -0800
> Received: from 212.2.26.97 by lw10fd.law10.hotmail.msn.com with HTTP; Wed,
> 17
> Mar 2004 14:13:54 GMT
> X-Originating-IP: [212.2.26.97]
> X-Originating-Email: [EMAIL PROTECTED]
> X-Sender: [EMAIL PROTECTED]
> Mime-Version: 1.0
> Content-Type: text/html
> X-OriginalArrivalTime: 17 Mar 2004 14:13:54.0700 (UTC)
> FILETIME=[1499CCC0:01C40C2A]
> X-CCLRC-SPAM-report: -3.819 :
>
> BAYES_00,HTML_FONTCOLOR_BLUE,HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONL
> Y
> X-Scanned-By: MIMEDefang 2.38
> Content-Transfer-Encoding: quoted-printable
> X-MIME-Autoconverted: from 8bit to quoted-printable by fili.jiscmail.ac.uk
> id
> i2HEEPY8025897
> Message-ID: <[EMAIL PROTECTED]>
> Date: Wed, 17 Mar 2004 14:13:54 +0000
> Reply-To: Discussion of the implications of FoI for FE and HE
> institutions <[EMAIL PROTECTED]>
> Sender: Discussion of the implications of FoI for FE and HE
> institutions <[EMAIL PROTECTED]>
> From: Andy Gray <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Precedence: list
> X-SpamUoG-Score: 5.4 (+++++)
> X-SpamUoG-Flag: YES
> X-SpamUoG-Report: Below is a summary report from the University of
> Glamorgan's UBE
> detection system. If you have any questions or enquiries,
> please e-mail Network UBE Feedback for further details.
> ---- ----------------------
> --------------------------------------------------
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 0.5 HTML_20_30 BODY: Message is 20% to 30% HTML
> 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
> 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.7 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
> 1.3 RCVD_IN_NJABL_RELAY RBL: NJABL: sender is confirmed open relay
> [212.2.26.97 listed in dnsbl.njabl.org]
> 0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
> [212.2.26.97 listed in dnsbl.njabl.org]
> 2.6 FAKED_HOTMAIL_DAV X-Originating-Email header does not match
> From
> ---------------------- End of summary report ---------------------
> Subject: ***SpamUoG*** Re: Address for Correspondence
> Return-Path: [EMAIL PROTECTED]
>
>
> Example 2
>
> Received: from parker.isd.glam.ac.uk ([192.168.244.9]) by
> MAILSERV1.uni.glam.ac.uk with Microsoft SMTPSVC(6.0.3790.0);
> Sat, 13 Mar 2004 13:44:32 +0000
> Received: from walter.glam.ac.uk ([193.63.147.60] helo=Walter)
> by parker.isd.glam.ac.uk with esmtp (Exim 4.30)
> id 1B29QF-0002oa-JE; Sat, 13 Mar 2004 13:43:27 +0000
> Received: from smtp.jiscmail.ac.uk ([130.246.192.48])
> by Walter with esmtp (Exim 3.35 #2)
> id 1B296v-0001N9-00; Sat, 13 Mar 2004 13:23:29 +0000
> Received: from LISTSERV.JISCMAIL.AC.UK (jiscmail.ac.uk) by
> smtp.jiscmail.ac.uk (LSMTP for Windows NT v1.1b) with SMTP id
> <[EMAIL PROTECTED]>; Sat, 13 Mar 2004 13:43:57 +0000
> Received: from JISCMAIL.AC.UK by JISCMAIL.AC.UK (LISTSERV-TCP/IP release
> 1.8e)
> with spool id 34317918 for [EMAIL PROTECTED];
> Sat,
> 13 Mar 2004 13:43:57 +0000
> Received: from 130.246.192.52 by JISCMAIL.AC.UK (SMTPL release 1.0i) with
> TCP;
> Sat, 13 Mar 2004 13:43:57 GMT
> X-RAL-MFrom: <[EMAIL PROTECTED]>
> X-RAL-Connect: <law9-oe28.law9.hotmail.com [64.4.8.85]>
> Received: from hotmail.com (law9-oe28.law9.hotmail.com [64.4.8.85]) by
> kili.jiscmail.ac.uk (8.12.8/8.12.8) with ESMTP id i2DDhsxe005348
> for
> <[EMAIL PROTECTED]>; Sat, 13 Mar 2004 13:43:55
> GMT
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
> Sat,
> 13 Mar 2004 05:31:53 -0800
> Received: from 62.252.96.4 by law9-oe28.law9.hotmail.com with DAV; Sat, 13
> Mar
> 2004 13:31:52 +0000
> X-Originating-IP: [62.252.96.4]
> X-Originating-Email: [EMAIL PROTECTED]
> X-Sender: [EMAIL PROTECTED]
> References: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> X-OriginalArrivalTime: 13 Mar 2004 13:31:53.0108 (UTC)
> FILETIME=[8BF66540:01C408FF]
> X-CCLRC-SPAM-report: -3.207 : ACT_NOW_CAPS,BAYES_00,FROM_ENDS_IN_NUMS
> X-Scanned-By: MIMEDefang 2.39
> Content-Transfer-Encoding: quoted-printable
> X-MIME-Autoconverted: from 8bit to quoted-printable by kili.jiscmail.ac.uk
> id
> i2DDhsxe005348
> Message-ID: <[EMAIL PROTECTED]>
> Date: Sat, 13 Mar 2004 13:45:47 -0000
> Reply-To: "Ibrahim Hasan (hotmail)" <[EMAIL PROTECTED]>
> Sender: The UK Records Management mailing list
> <[EMAIL PROTECTED]>
> From: "Ibrahim Hasan (hotmail)" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Precedence: list
> X-SpamUoG-Score: 7.1 (+++++++)
> X-SpamUoG-Flag: YES
> X-SpamUoG-Report: Below is a summary report from the University of
> Glamorgan's UBE
> detection system. If you have any questions or enquiries,
> please e-mail Network UBE Feedback for further details.
> ---- ----------------------
> --------------------------------------------------
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 0.9 FROM_ENDS_IN_NUMS From: ends in numbers
> 1.3 ACT_NOW_CAPS BODY: Talks about 'acting now' with capitals
> 1.1 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
> [62.252.96.4 listed in dnsbl.sorbs.net]
> 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
> [62.252.96.4 listed in dnsbl.sorbs.net]
> 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> [<http://dsbl.org/listing?ip=62.252.96.4>]
> 2.6 FAKED_HOTMAIL_DAV X-Originating-Email header does not match
> From
> ---------------------- End of summary report ---------------------
> Subject: ***SpamUoG*** RM Courses
> Return-Path: [EMAIL PROTECTED]
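
Added example (not part of the original message, and not SpamAssassin's own code): a Python re-implementation of the three sub-rules and the FAKED_HOTMAIL_DAV meta rule quoted above, run with both the 2.63 From pattern and the /i variant. The archive redacts the real addresses, so the sample addresses, the 192.0.2.10 client IP and the helper names are constructed for illustration, with an upper-case domain standing in for the From: headers described in the reply.

```python
import re
from email import message_from_string

# Sub-rules as quoted in the message from 20_head_tests.cf (SpamAssassin 2.63).
RCVD_DAV = re.compile(r" by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;")
ORIG_EMAIL = re.compile(r"(?:hotmail|msn)\.com\b")
FROM_263 = re.compile(r"(?:hotmail|msn)\.com\b")          # case-sensitive
FROM_FIXED = re.compile(r"(?:hotmail|msn)\.com\b", re.I)  # with the /i fix


def header_text(msg, name):
    """Every occurrence of a header, unfolded and newline-joined.
    Assumption: a simplified model of the text a header rule is matched on."""
    values = msg.get_all(name) or []
    return "\n".join(re.sub(r"\r?\n[ \t]+", " ", v) for v in values)


def faked_hotmail_dav(raw_headers, from_rule):
    """meta: __HAS_MSN_RCVD_DAV && __HAS_MSN_ORIG_EMAIL && !__HAS_MSN_FROM"""
    msg = message_from_string(raw_headers)
    has_rcvd = bool(RCVD_DAV.search(header_text(msg, "Received")))
    has_orig = bool(ORIG_EMAIL.search(header_text(msg, "X-Originating-Email")))
    has_from = bool(from_rule.search(header_text(msg, "From")))
    return has_rcvd and has_orig and not has_from


def sample(from_addr):
    """Constructed headers; addresses are invented because the archive
    redacts the real ones. The Received line is folded before 'with DAV;'."""
    return (
        "Received: from 192.0.2.10 by law9-oe28.law9.hotmail.com\n"
        "\twith DAV; Sat, 13 Mar 2004 13:31:52 +0000\n"
        "X-Originating-Email: [user1@hotmail.com]\n"
        f"From: Example User <{from_addr}>\n"
        "\n"
    )


def compare(from_addr):
    """(hit with the 2.63 rule, hit with the /i rule) for one From address."""
    raw = sample(from_addr)
    return faked_hotmail_dav(raw, FROM_263), faked_hotmail_dav(raw, FROM_FIXED)


if __name__ == "__main__":
    for addr in ("user1@HOTMAIL.COM", "user1@hotmail.com", "user1@example.net"):
        print(addr, compare(addr))
```

In this model the upper-case From: stops hitting once /i is added, while a From: in an unrelated domain hits under both patterns.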
