Hello Fred,

Wednesday, August 11, 2004, 11:40:25 AM, you wrote:

FWB> We got a troubling false positive today. A message from a potential
FWB> business partner in Korea was marked as spam because the message
FWB> matched the rules FORGED_MUA_OUTLOOK, FORGED_OUTLOOK_TAGS and
FWB> MIME_BASE64_TEXT.

IMO, SA 2.5x and 2.6x have significant problems dealing with some variations of base-64 encoding. I suspect you've run into one of those variations. Best bet is to lower the score for the MIME_BASE64_TEXT rule until you can migrate to 3.0.

FWB> ... What troubles me is that the decoded message shouldn't
FWB> have matched the FORGED_OUTLOOK_TAGS meta rule. When I looked at the
FWB> definition of the meta rule in 20_ratware.cf, there didn't seem to be
FWB> any reason that FORGED_OUTLOOK_TAGS should have matched. All of the
FWB> required tags (meta, head, html, and body) are present in the decoded
FWB> message. It is as though the rule is being checked against the base64
FWB> encoded text rather than the decoded message. Is this true? Is there a
FWB> simple way to fix this?

I expect the fix is to migrate to version 3.0. The devs have completely rewritten the handling of encoded emails, and it should work much, much better. I've got 3.0 running privately on my PC here -- if you want to send me the original message complete, with the original encoding, I can test it for you.

Bob Menschel
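The question in the quoted post, whether a tag check sees the base64 text or the decoded body, can be reproduced outside SpamAssassin. The following is an added example, not part of this message and not SpamAssassin's code: the tag list is taken from the post, while the sample message and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes

# Tags the quoted post says the meta rule requires. The actual rule
# definition in 20_ratware.cf is not reproduced here.
REQUIRED_TAGS = ("html", "head", "meta", "body")


def build_sample() -> bytes:
    """Constructed sample: an HTML body in EUC-KR, sent base64-encoded."""
    html = ('<html><head><meta http-equiv="Content-Type" '
            'content="text/html; charset=euc-kr"></head>'
            '<body>\uc548\ub155</body></html>')
    headers = (b"MIME-Version: 1.0\r\n"
               b'Content-Type: text/html; charset="euc-kr"\r\n'
               b"Content-Transfer-Encoding: base64\r\n\r\n")
    return headers + base64.encodebytes(html.encode("euc-kr"))


def missing_tags(text: str) -> list:
    """Return the required tags that do not open anywhere in text."""
    return [t for t in REQUIRED_TAGS
            if not re.search(r"<%s\b" % t, text, re.I)]


def check(raw: bytes) -> dict:
    """Run the same tag check on the body as sent and as decoded."""
    msg = message_from_bytes(raw)
    encoded = msg.get_payload(decode=False)      # base64 text, as on the wire
    charset = msg.get_content_charset() or "latin-1"
    decoded = msg.get_payload(decode=True).decode(charset, errors="replace")
    return {"encoded": missing_tags(encoded),
            "decoded": missing_tags(decoded)}


if __name__ == "__main__":
    result = check(build_sample())
    print("missing when checked against base64 text:", result["encoded"])
    print("missing when checked against decoded body:", result["decoded"])
```

Every required tag is reported missing from the encoded view and none from the decoded view, which is the behaviour the post describes when a body check runs before transfer decoding.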
