> -----Original Message-----
> From: Bob Apthorpe [mailto:[EMAIL PROTECTED]
> Sent: 23 March 2004 14:21
> To: [EMAIL PROTECTED]
> Subject: Re: False positive on FAKED_HOTMAIL_DAV?
>
>
> Hi,
>
> On Tue, 23 Mar 2004 08:10:21 -0000 "Hall J D (ISeLS)"
> <[EMAIL PROTECTED]> wrote:
>
> > I've started getting a few messages that are getting pushed into the spam
> > zone by what I think are false positives on the FAKED_HOTMAIL_DAV rule.
> >
> > We're running 2.63 and I've taken a quick look at the rule for
> > FAKED_HOTMAIL_DAV and while I'm a beginner as far as REGEX goes it looks
> > like it shouldn't have triggered.
> >
> > Below are a couple of examples.
> >
> > If anyone can offer some insight as to why FAKED_HOTMAIL_DAV hit on these
> > I'd be grateful.
>
> Here are the relevant rules in /usr/share/spamassassin/20_head_tests.cf,
> gathered by
>
> `egrep -h '__HAS_MSN_|FAKED_HOTMAIL' /usr/share/spamassassin/*.cf \
> | egrep -v 'describe|score'`
>
> header __HAS_MSN_RCVD_DAV Received =~ / by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;/
> header __HAS_MSN_ORIG_EMAIL X-Originating-Email =~ /(?:hotmail|msn)\.com\b/
> header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/
> meta FAKED_HOTMAIL_DAV (__HAS_MSN_RCVD_DAV && __HAS_MSN_ORIG_EMAIL && !__HAS_MSN_FROM)
>
> Looking at the From: header in Example 1 we find:
>
> > From: Andy Gray <[EMAIL PROTECTED]>
>
> and in Example 2:
>
> > From: "Ibrahim Hasan (hotmail)" <[EMAIL PROTECTED]>
>
> The problem is that the __HAS_MSN_FROM test is case-sensitive
> and is failing to match either From: header, causing
> FAKED_HOTMAIL_DAV to trip. The fix is to change
>
> header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/
>
> to
>
> header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/i
>
> but I wonder then what that does to the accuracy of FAKED_HOTMAIL_DAV.
>
> Normally I'd suggest submitting this as a bug, but it appears that
> FAKED_HOTMAIL_DAV has been removed from SA 3.0, though there are still
> references to it in 30_text_de.cf, 30_text_fr.cf and 30_text_pl.cf in
> the current Subversion snapshot.
>
> hth,
>
> -- Bob
>

I've added the i and that has fixed it.

Thanks Bob.

Jonathan
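
The rule logic discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's own code: it evaluates the three quoted sub-rules and the meta rule against constructed headers, with and without the `/i` change to `__HAS_MSN_FROM`. The function name, the dict-of-headers model and every address and hostname are assumptions made for illustration; the addresses in the thread itself are redacted.

```python
import re

# Patterns copied from the rules quoted in the thread (20_head_tests.cf).
RCVD_DAV = r" by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;"
MSN_DOMAIN = r"(?:hotmail|msn)\.com\b"


def faked_hotmail_dav(headers, from_ignore_case=False):
    """Evaluate the FAKED_HOTMAIL_DAV meta rule on a dict of headers.

    from_ignore_case=True models the /i added to __HAS_MSN_FROM.
    Assumption: one string per header, not SpamAssassin's real parsing.
    """
    flags = re.IGNORECASE if from_ignore_case else 0
    has_rcvd_dav = bool(re.search(RCVD_DAV, headers.get("Received", "")))
    has_orig_email = bool(
        re.search(MSN_DOMAIN, headers.get("X-Originating-Email", "")))
    has_from = bool(re.search(MSN_DOMAIN, headers.get("From", ""), flags))
    return has_rcvd_dav and has_orig_email and not has_from


# Constructed sample headers (not taken from the thread).
HOTMAIL_RELAY = ("from 192.0.2.10 by bay1-dav1.bay1.hotmail.com with DAV; "
                 "Tue, 23 Mar 2004 08:00:00 +0000")

# Genuine Hotmail sender whose From: address uses a capitalised domain.
GENUINE_MIXED_CASE = {
    "Received": HOTMAIL_RELAY,
    "X-Originating-Email": "[user@hotmail.com]",
    "From": "Example User <User@Hotmail.com>",
}

# Hotmail-looking relay headers, but a From: outside hotmail/msn.
FORGED_FROM = {
    "Received": HOTMAIL_RELAY,
    "X-Originating-Email": "[user@hotmail.com]",
    "From": "Example User <user@example.net>",
}

if __name__ == "__main__":
    for name, msg in (("genuine, mixed case", GENUINE_MIXED_CASE),
                      ("non-MSN From", FORGED_FROM)):
        print(name,
              "| original rule hits:", faked_hotmail_dav(msg),
              "| with /i hits:", faked_hotmail_dav(msg, True))
```

On these two samples the `/i` change removes the hit on the mixed-case genuine sender and leaves the hit on the non-MSN `From:` unchanged.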
