Got what looks like a false positive on this high-scoring rule (under 2.63).
It is a personal email, a reply to a previous message, sent by an MSN
subscriber using MSN software. Here's the header, with only recipient info and
sender name altered:

Received: from hotmail.com (bay0-hmr08.bay0.hotmail.com [65.54.241.207])
    by mail1.domain.com (8.11.6/8.11.6) with ESMTP id i7U2Wau26444
    for <[EMAIL PROTECTED]>; Sun, 29 Aug 2004 22:32:36 -0400
Received: from hotmail.com ([65.54.168.118]) by hotmail.com with Microsoft
    SMTPSVC(5.0.2195.6713);
    Sun, 29 Aug 2004 19:32:30 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Sun, 29 Aug 2004 19:32:30 -0700
Received: from 63.154.32.7 by bay3-dav14.bay3.hotmail.com with DAV;
    Mon, 30 Aug 2004 02:32:30 +0000
X-Originating-IP: [63.154.32.7]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: "LUCINDA THOMASON" <[EMAIL PROTECTED]>
To: "Joe User" <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Subject: Re: Price quote
Date: Sun, 29 Aug 2004 22:32:25 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_000F_01C48E18.0EC7F040"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: MSN 9
X-MimeOLE: Produced By MSN MimeOLE V9.10.0006.2205
Seal-Send-Time: Sun, 29 Aug 2004 22:32:25 -0400
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 30 Aug 2004 02:32:30.0898 (UTC)
    FILETIME=[9945B920:01C48E39]
X-Local-MailScanner: Found to be clean
X-Local-MailScanner-SpamCheck: spam, SpamAssassin (score=7.131, required 6,
    BAYES_44 -0.00, FAKED_HOTMAIL_DAV 3.94, FROM_ENDS_IN_NUMS 0.99,
    FROM_NO_LOWER 2.00, HTML_MESSAGE 0.10, MISSING_OUTLOOK_NAME 0.10)
X-MailScanner-From: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]

The rule is a META combination of three parts:

# Hotmail's DAV interface uses this and it's heavily exploited right now. As
# far as I can tell, it requires an msn.com or hotmail.com X-Originating-Email:
# but allows anything for From: so use that as a spamsign.
header __HAS_MSN_RCVD_DAV Received =~ / by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;/
header __HAS_MSN_ORIG_EMAIL X-Originating-Email =~ /(?:hotmail|msn)\.com\b/
header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/
meta FAKED_HOTMAIL_DAV (__HAS_MSN_RCVD_DAV && __HAS_MSN_ORIG_EMAIL && !__HAS_MSN_FROM)

As far as I can see, all three sub-tests should have been satisfied, and the
META rule should not have triggered. Any ideas?
Pierre Thomson
BIC
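
An added example, not part of the original post or of SpamAssassin's own code: it evaluates the three sub-rules quoted above, with Python's `re` standing in for SpamAssassin's Perl regex engine. The addresses are constructed placeholders, and the all-upper-case From address is an assumption suggested by the FROM_NO_LOWER hit in the report; since the patterns carry no `/i` modifier, such a From does not match `__HAS_MSN_FROM` and the meta fires.

```python
import re
from email import message_from_string

# Sub-rule patterns copied from the post; Python's re accepts the same syntax.
RCVD_DAV = r" by \S+\.(?:hotmail|msn)\.com with (?:HTTP|DAV)\;"
ORIG_EMAIL = r"(?:hotmail|msn)\.com\b"
FROM_MSN = r"(?:hotmail|msn)\.com\b"

# Constructed sample. The real addresses are redacted on the page, so these are
# placeholders; the upper-case From is an assumption based on FROM_NO_LOWER.
SAMPLE = """\
Received: from 63.154.32.7 by bay3-dav14.bay3.hotmail.com with DAV;
\tMon, 30 Aug 2004 02:32:30 +0000
X-Originating-Email: [sender1@msn.com]
From: "LUCINDA THOMASON" <SENDER1@MSN.COM>
Subject: Re: Price quote

body
"""


def evaluate(raw, flags=0):
    """Return each sub-rule result and the meta result for one raw message."""
    msg = message_from_string(raw)

    def hit(header, pattern):
        # Unfold continuation lines before matching, then test every instance.
        values = msg.get_all(header, [])
        return any(re.search(pattern, " ".join(v.split()), flags) for v in values)

    r = {
        "__HAS_MSN_RCVD_DAV": hit("Received", RCVD_DAV),
        "__HAS_MSN_ORIG_EMAIL": hit("X-Originating-Email", ORIG_EMAIL),
        "__HAS_MSN_FROM": hit("From", FROM_MSN),
    }
    r["FAKED_HOTMAIL_DAV"] = (
        r["__HAS_MSN_RCVD_DAV"]
        and r["__HAS_MSN_ORIG_EMAIL"]
        and not r["__HAS_MSN_FROM"]
    )
    return r


if __name__ == "__main__":
    print("as written:      ", evaluate(SAMPLE))
    # re.IGNORECASE is the equivalent of adding /i to each pattern.
    print("case-insensitive:", evaluate(SAMPLE, re.IGNORECASE))
```

With case-insensitive matching the upper-case msn.com From satisfies `__HAS_MSN_FROM`, while a From at an unrelated domain still trips the meta.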