Jeff Koch wrote:
Hi Matus:
Here's the header. We're seeing a lot of these now:
Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
This is a multi-part message in MIME format.
At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_MUA_OUTLOOK
>
> and are saying they are 100% certain that the email was sent from MS
> Outlook Express. Is this a known problem or are these users doing something
> wrong?
may be... can you show us headers of such e-mail?
meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
at least Message-Id and X-Mailer...
btw do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic
messages."
"That's nothing. If you play it forward it will install Windows."
Best Regards,
Jeff Koch, Intersessions
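To make the quoted meta rule concrete, the following is an added example, not code from this thread and not SpamAssassin's own implementation: it evaluates the same __FORGED_OE / __FORGED_OUTLOOK_DOLLARS / !__UNUSABLE_MSGID logic in Python over three constructed header sets. The X-Mailer and Message-ID regexes are my approximation of the sub-rules named above (they cover only the common "$"-separated hex Message-ID shape that Outlook Express and Outlook generate), and the treatment of anything that is not <local@domain> as an unusable Message-ID is a simplification of the real eval check. The third sample reproduces what the posted header actually shows, a Message-ID replaced by the archive with [EMAIL PROTECTED], to illustrate why the rule cannot be judged from it.

```python
import re
from email import message_from_string

# Approximations of the SpamAssassin sub-rules named in the thread. These are
# NOT copied from the SpamAssassin rule files; they cover the common shapes only.
OE_MUA = re.compile(r"\bOutlook Express\b")
OUTLOOK_DOLLARS_MUA = re.compile(r"^Microsoft Outlook(?! Express)")
# Outlook Express: 12 lowercase hex, '$', 8 hex, '$', 8 hex, '@', host (assumed).
OE_MSGID = re.compile(r"^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@[^\s@<>]+>$")
# Full Outlook: same shape with 16 uppercase hex digits in front (assumed).
OUTLOOK_DOLLARS_MSGID = re.compile(r"^<[0-9A-F]{16}\$[0-9A-F]{8}\$[0-9A-F]{8}@[^\s@<>]+>$")
# Simplification of __UNUSABLE_MSGID: a missing Message-ID, or one that is not
# <local@domain>, is "unusable" and the meta rule must not fire on it.
USABLE_MSGID = re.compile(r"^<[^\s@<>]+@[^\s@<>]+>$")


def header(msg, name):
    value = msg.get(name)
    return value.strip() if value else None


def evaluate(raw):
    """Return the sub-rule hits for one raw RFC 5322 message (headers + body)."""
    msg = message_from_string(raw)
    mailer = header(msg, "X-Mailer") or ""
    msgid = header(msg, "Message-ID")
    unusable = msgid is None or not USABLE_MSGID.match(msgid)

    # __FORGED_OE: OE claimed in X-Mailer, Message-ID is usable but not OE-shaped.
    oe_mua = bool(OE_MUA.search(mailer))
    oe_msgid = bool(msgid and OE_MSGID.match(msgid))
    forged_oe = oe_mua and not oe_msgid and not unusable

    # __FORGED_OUTLOOK_DOLLARS: full Outlook claimed, Message-ID matches neither
    # the Outlook nor the OE "$" shape (the real rule also excludes Vista/IMS IDs).
    dollars_mua = bool(OUTLOOK_DOLLARS_MUA.search(mailer))
    dollars_msgid = bool(
        msgid and (OUTLOOK_DOLLARS_MSGID.match(msgid) or OE_MSGID.match(msgid))
    )
    forged_dollars = dollars_mua and not dollars_msgid and not unusable

    return {
        "oe_mua": oe_mua,
        "oe_msgid": oe_msgid,
        "unusable_msgid": unusable,
        "forged_oe": forged_oe,
        "forged_outlook_dollars": forged_dollars,
        "FORGED_MUA_OUTLOOK": forged_oe or forged_dollars,
    }


# Constructed samples (not the headers from the thread); only the fields the
# meta rule looks at are present.
GENUINE_OE = """\
From: "Sender" <sender@example.com>
To: warehouse@example.com
Subject: order 373
Message-ID: <000a01c8af72$8920cd60$6501a8c0@server>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""

SPOOFED_OE = """\
From: "Sender" <sender@example.com>
To: warehouse@example.com
Subject: order 373
Message-ID: <20080506191305.GA12345@mail.example.net>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""

# What a list archive shows after redacting the Message-ID: no decision possible.
REDACTED_OE = """\
From: "Sender" <sender@example.com>
To: warehouse@example.com
Subject: order 373
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_OE), ("spoofed", SPOOFED_OE),
                       ("redacted", REDACTED_OE)):
        print(label, evaluate(raw))
```

The genuine sample does not fire because its Message-ID has the OE shape; the spoofed one fires on the __FORGED_OE arm; the redacted one is unusable, so the rule stays silent, which is the check you cannot make from an archived header with the Message-ID stripped. Run against a real suspect, the value to look at is the Message-ID as received by the scanning host, before any relay rewrote it.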
Could you include the whole complete header including the spam report
because this looks like a valid M$ outlook/express header?