You are probably right about the case of the From line. FROM_NO_LOWER only triggers if no lowercase letters appear in the From: field, so it must have appeared as [EMAIL PROTECTED] when it hit SA.
header __HAS_MSN_FROM From =~ /(?:hotmail|msn)\.com\b/ This test would match [EMAIL PROTECTED] but not [EMAIL PROTECTED] since the test is case sensitive, right? Maybe it should be a case insensitive test, since [EMAIL PROTECTED] is a legal and deliverable address. Pierre Thomson BIC -----Original Message----- From: Matt Kettler [mailto:[EMAIL PROTECTED] Sent: Monday, August 30, 2004 12:39 PM To: Pierre Thomson; [email protected] Subject: Re: FP on FAKED_HOTMAIL_DAV ? At 11:02 AM 8/30/2004, Pierre Thomson wrote: >Got what looks like a false positive on this high-scoring rule (under >2.63). It is a personal email, a reply to a previous message, sent by an >MSN subscriber using MSN software. Here's the header, with only recipient >info and sender name altered: I tested those headers on my system (2.64) and did not get a match, however, that rule doesn't seem to have changed from 2.63 to 2.64. My suspicion is that your MDA or MUA modified the From: header when it delivered. Notice that FROM_NO_LOWER got matched, but clearly the email address has plenty of lower-case letters in it. I'm wondering if the original From: line did not contain an email address at all, but that was added from the envelope upon delivery since it was absent. Thus: From: LUCINDA THOMASON Becomes: From: "LUCINDA THOMASON" <[EMAIL PROTECTED]>
