Hi Randy - here's the whole thing:
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -0000
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra.xxxx.com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: *****SPAM***** Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra.xxxx.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
* 0.1 RDNS_NONE Delivered to trusted network by a host with
no rDNS
* 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam
fingerprint
* 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from
MS Outlook
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4820ADC5.A4580A7F"
This is a multi-part message in MIME format.
------------=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "libra.xxx.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
[EMAIL PROTECTED] for details.
Content preview: [...]
Content analysis details: (5.3 points, 3.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
0.1 RDNS_NONE Delivered to trusted network by a host
with no rDNS
1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.
------------=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit
Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008
19:13:06 -0000
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
This is a multi-part message in MIME format.
------=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0039_01C8AF72.8920CD60
At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
Jeff Koch wrote:
Hi Matus:
Here's the header. We're seeing a lot of these now:
Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008
19:13:06 -0000
Received: from server (216-99-214-161.dsl.aracnet.com
[216.99.214.161])
by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
This is a multi-part message in MIME format.
At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_MUA_OUTLOOK
>
> and are saying they are 100% certain that the email was sent from MS
> Outlook Express. Is this a known problem or are these users doing something
> wrong?
may be... can you show us headers of such e-mail?
meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
at least Message-Id and X-Mailer...
btw do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic
messages."
"That's nothing. If you play it forward it will install Windows."
Best Regards,
Jeff Koch, Intersessions
Could you include the whole complete header including the spam
report because this looks like a valid M$ outlook/express header?
Best Regards,
Jeff Koch, Intersessions
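Added example, not from the thread and not SpamAssassin's own code: a small Python checker that mirrors the __FORGED_OE branch of the quoted FORGED_MUA_OUTLOOK meta (X-Mailer says Outlook Express but the Message-ID matches no known Outlook Express format), so a false positive like the one above can be reproduced offline from a saved header block. The Outlook Express Message-ID pattern and the meaning of __UNUSABLE_MSGID are assumptions reconstructed from memory rather than the shipped rules, and both sample messages are constructed.

```python
import re

# Assumed approximations of SpamAssassin 3.2.x's Outlook Express sub-rules
# (reconstructed from memory, not copied from the shipped rules files).
OE_MUA = re.compile(r"\bOutlook Express\b")
# Genuine OE 6 Message-IDs look like <12hex$8hex$8hex@host>.
OE_MSGID = re.compile(r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$")


def parse_headers(raw):
    """Unfold RFC 2822 header lines into a dict of lowercase name -> value
    (a repeated header name overwrites the earlier value)."""
    headers = {}
    current = None
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in " \t" and current:
            headers[current] += " " + line.strip()   # folded continuation
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers[current] = value.strip()
    return headers


def check_forged_oe(raw):
    """Evaluate the __FORGED_OE branch of the FORGED_MUA_OUTLOOK meta quoted
    in the thread: X-Mailer claims Outlook Express, the Message-ID matches no
    known OE format, and the Message-ID is not unusable (assumed here to
    mean missing or lacking an '@')."""
    h = parse_headers(raw)
    msgid = h.get("message-id", "")
    oe_mua = bool(OE_MUA.search(h.get("x-mailer", "")))
    oe_msgid = bool(OE_MSGID.match(msgid))
    unusable = "@" not in msgid
    return {"oe_mua": oe_mua, "oe_msgid": oe_msgid, "unusable": unusable,
            "forged_mua_outlook": oe_mua and not oe_msgid and not unusable}


# Constructed samples (not the thread's mail): one genuine-looking OE message
# with a folded X-Mailer, and one whose Message-ID no longer looks like OE's.
GENUINE_OE = """Message-ID: <000d01c8af9d$5c3a2b40$0201a8c0@server>
X-Mailer: Microsoft Outlook
 Express 6.00.3790.3959

body"""
REWRITTEN_MSGID = """Message-ID: <20080506191305.A1B2C3@relay.example>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

body"""
```

Run `check_forged_oe` on the original (inner) message's headers rather than the SpamAssassin wrapper: the wrapper's own Message-Id and the anonymized `[EMAIL PROTECTED]` placeholders will not match any pattern.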