Jeff Koch wrote:

Hi Randy - here's the whole thing:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -0000
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
         scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra.xxxx.com
        with SpamAssassin (version 3.2.4);
        Tue, 06 May 2008 15:13:09 -0400
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: *****SPAM***** Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
        libra.xxxx.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0 tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
        TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
        * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
        * 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
        * 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4820ADC5.A4580A7F"

This is a multi-part message in MIME format.

------------=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "libra.xxx.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
        by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
        for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

------=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
        format=flowed;
        charset="iso-8859-1";
        reply-type=original
Content-Transfer-Encoding: 7bit


------=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
Jeff Koch wrote:

Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
        by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
        for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_MUA_OUTLOOK
>
> and are saying they are 100% certain that the email was sent from MS
> Outlook Express. Is this a known problem or are these users doing something
> wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)

at least Message-Id and X-Mailer...

btw do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Best Regards,

Jeff Koch, Intersessions
Could you include the whole complete header including the spam report because this looks like a valid M$ outlook/express header?

Best Regards,

Jeff Koch, Intersessions
I am not sure about version 3.2.4, but I am fairly sure the rule in "/var/lib/spamassassin/*/*/*" 20_ratware.cf would not match this header and thus give the false positive.

ratware.cf:

# use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60
meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
describe FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook


---> __FORGED_OE

# Outlook Express 4, 5, and 6
header __OE_MUA                 X-Mailer =~ /\bOutlook Express [456]\./
header __OE_MSGID_1             MESSAGEID =~ /^<[EMAIL PROTECTED]>$/m
header __OE_MSGID_2             MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})[EMAIL PROTECTED]>$/m
header __OE_MSGID_3             MESSAGEID =~ /^<[EMAIL PROTECTED]>$/m
meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID)

None of these match the message id "[EMAIL PROTECTED]"

I might have missed something, but this appears to be accurate.
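The point of the thread is how the FORGED_MUA_OUTLOOK meta rule is assembled: __OE_MUA fires on the X-Mailer string, and the rule only scores when none of the __OE_MSGID_* patterns accept the Message-ID. The script below is an added example, not code from the thread or from SpamAssassin, that re-implements that boolean logic over constructed headers so you can see which component flips the verdict. The X-Mailer regex is the one quoted above; the Message-ID regex is an assumption standing in for __OE_MSGID_2, whose tail was lost to address redaction on this page (only its `(?:[0-9a-f]{8}|[0-9a-f]{12})` prefix survives), and it encodes the familiar `<hex$hex$hex@host>` shape Outlook Express produces. __OE_MSGID_1 and __OE_MSGID_3 are treated as never matching, and __UNUSABLE_MSGID is modelled as "no Message-ID at all"; both are assumptions.

```python
import re
from email import message_from_string

# SpamAssassin-style header sub-rules: name -> (header, regex).
# __OE_MUA is the pattern quoted in the thread. The Message-ID pattern is an
# ASSUMPTION approximating __OE_MSGID_2 (its real tail is redacted on the page).
HEADER_RULES = {
    "__OE_MUA": ("X-Mailer", re.compile(r"\bOutlook Express [456]\.")),
    "__OE_MSGID_2": (
        "Message-ID",
        re.compile(r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$"),
    ),
}


def eval_header_rules(msg):
    """Return {rule_name: matched?} for every header sub-rule."""
    hits = {}
    for name, (header, regex) in HEADER_RULES.items():
        value = (msg.get(header) or "").strip()
        hits[name] = bool(regex.search(value))
    # ASSUMPTION: __UNUSABLE_MSGID means the message carries no usable Message-ID.
    hits["__UNUSABLE_MSGID"] = not (msg.get("Message-ID") or "").strip()
    return hits


def forged_oe(hits):
    """meta __FORGED_OE (__OE_MUA && !__OE_MSGID_* && !__UNUSABLE_MSGID).

    Only __OE_MSGID_2 is modelled; __OE_MSGID_1/3 are assumed never to match.
    """
    return (
        hits["__OE_MUA"]
        and not hits["__OE_MSGID_2"]
        and not hits["__UNUSABLE_MSGID"]
    )


def check(raw_message):
    """Parse a raw RFC 822 message and evaluate the FORGED_MUA_OUTLOOK logic."""
    msg = message_from_string(raw_message)
    hits = eval_header_rules(msg)
    # FORGED_MUA_OUTLOOK = __FORGED_OE || __FORGED_OUTLOOK_DOLLARS; the second
    # branch concerns Outlook proper, not Outlook Express, and is omitted here.
    return {"hits": hits, "FORGED_MUA_OUTLOOK": forged_oe(hits)}


# Constructed samples (not messages from the thread). Same X-Mailer on all
# three; only the Message-ID differs.
GENUINE_OE = """\
From: sender@example.com
To: warehouse@example.com
Subject: order 1
Message-ID: <000901c8af9c$1a2b3c4d$0100a8c0@server>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""

RELAY_REWRITTEN_MSGID = """\
From: sender@example.com
To: warehouse@example.com
Subject: order 2
Message-ID: <200805061913.abc123@relay.example.com>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""

NO_MSGID = """\
From: sender@example.com
To: warehouse@example.com
Subject: order 3
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body
"""

if __name__ == "__main__":
    for label, raw in [("genuine OE id", GENUINE_OE),
                       ("non-OE id", RELAY_REWRITTEN_MSGID),
                       ("no Message-ID", NO_MSGID)]:
        result = check(raw)
        print(f"{label:14s} FORGED_MUA_OUTLOOK={result['FORGED_MUA_OUTLOOK']} {result['hits']}")
```

Run it as a script to see all three verdicts. The second sample is the case the thread is about: the client header is genuinely from Outlook Express, but a Message-ID in a shape the __OE_MSGID_* patterns do not recognise is enough for the meta rule to score 4.2 points. The third sample shows the __UNUSABLE_MSGID guard: with no Message-ID to judge, the rule stays silent rather than guessing.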
