Posted to users@spamassassin.apache.org by Jari Fredriksson <ja...@iki.fi> on 2008/05/17 14:22:17 UTC

FORGED_MUA_OUTLOOK is a nuisance

 
I received something like this from my email to a list

>Sorry for the inconvenience, but we have started to fight against spam.
>
>Content analysis details:   (4.3 points, 4.0 required)
>
> pts rule name              description
>---- ---------------------- --------------------------------------------------
> 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>-1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>                            [score: 0.0276]
> 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
> 1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
> 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook


Apparently the list operator is using SpamAssassin, which I, too, happily use.

I can understand 

FORGED_RCVD_HELO
Maybe it is from my internal handouts? I have a LAN but also a Smart Host to send my email out.


BAYES_05
All good.


DNS_FROM_RFC_ABUSE
No idea. iki.fi is my email-provider and they should be ok. But they provide for a lot of folks... Dunno


GUZMAN_STOCKALERT02
Absolutely no idea. I used capital letters, because I was talking about a C language application and its #defined VALUES.


FORGED_MUA_OUTLOOK
This!! I posted that from Windows XP SP3 with default Outlook Express.  !!! Oh my. Whatta heck! Oh my.

Can we get rid of this Outlook problem, so many ppl have reported problems already? Or is it fixed? Good. Thanks.




Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by Jeff Koch <je...@intersessions.com>.
mouss - Last week I sent you and the list full headers from the false 
positives I got on this item. Let's not go around and around. This has been 
reported numerous times.


At 08:51 AM 5/17/2008, mouss wrote:
>Jari Fredriksson wrote:
>>
>>I received something like this from my email to a list
>>
>>
>>>Sorry for the inconvenience, but we have started to fight against spam.
>>>
>>>Content analysis details:   (4.3 points, 4.0 required)
>>>
>>>pts rule name              description
>>>---- ---------------------- 
>>>--------------------------------------------------
>>>0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>>>-1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>>>                            [score: 0.0276]
>>>0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>>>1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
>>>4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>>>
>>
>>
>>Apparently the list operator is using SpamAssassin, which I, too, happily use.
>>
>>I can understand
>>FORGED_RCVD_HELO
>>Maybe it is from my internal handouts? I have a LAN but also a Smart Host 
>>to send my email out.
>>
>>
>>BAYES_05
>>All good.
>>
>>
>>DNS_FROM_RFC_ABUSE
>>No idea. iki.fi is my email-provider and they should be ok. But they 
>>provide for a lot of folks... Dunno
>>
>>
>>GUZMAN_STOCKALERT02
>>Absolutely no idea. I used capital letters, because I was talking about a 
>>C language application and its #defined VALUES.
>>
>>
>>FORGED_MUA_OUTLOOK
>>This!! I posted that from Windows XP SP3 with default Outlook 
>>Express.  !!! Oh my. Whatta heck! Oh my.
>>
>>Can we get rid of this Outlook problem, so many ppl have reported 
>>problems already? Or is it fixed? Good. Thanks.
>>
>
>
>Please show full headers of the message.
>
>
>

Best Regards,

Jeff Koch, Intersessions 


Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by mouss <mo...@netoyen.net>.
Jari Fredriksson wrote:
>> Jari Fredriksson wrote:
>>     
>>>> mouss wrote:
>>>>
>>>>         
>>>>> Please show full headers of the message.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>           
>>>> actually, you don't need to. your message to the list
>>>> has the same "pattern".
>>>>
>>>> the question is whether something is (re)writing the
>>>> message-id or if this is a new outlook message-id format?
>>>>
>>>>         
>
> I'm suggesting that OE uses this simple format now, and SA should adapt. I have no anti-virus or other software besides what windows delivers to edit my messages. OE sends the message to my postfix, which sends it to the configured smarthost.
>
> No antivirus whatsoever. My postfix handles that with Amavis. Amavis is there, but I don't think it edits my Message-ID's.. I have not upgraded that for ages.
>
>
>
>   

I installed SP3 and tried with OE (default configuration, as I don't use 
it).  The message-id is indeed similar to those posted on the list 
before. see copy of message below.

A quick & dirty fix is to cancel the score of FORGED_MUA_OUTLOOK with:

header __OE_MSGID_5             MESSAGEID =~ /^<[A-Fa-f0-9]{32}\@/m
meta TEMP_FIX_OE_FORGED         (__FORGED_OE && __OE_MSGID_5)
score TEMP_FIX_OE_FORGED        -4.199 -4.199 -2.963 -3.116


A cleaner way is to update 20_ratware:

# Outlook Express 4, 5, and 6

...

header __OE_MSGID_5             MESSAGEID =~ /^<[A-Fa-f0-9]{32}\@/m
meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
!__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__OE_MSGID_5 &&  
!__UNUSABLE_MSGID)

Jari, you should open a PR on
    https://issues.apache.org/SpamAssassin/


----------------- copy of message generated by OE (win xp, SP3).

Return-Path: <mo...@netoyen.net>
Delivered-To: mouss@netoyen.net
X-Virus-Scanned: amavisd-new at netoyen.net
X-Spam-Flag: NO
X-Spam-Score: 4.211
X-Spam-Level: ****
X-Spam-Status: No, score=4.211 required=5 tests=[COUNTRY_FR=0.01,
	DK_POLICY_TESTING=0.001, FORGED_MUA_OUTLOOK=4.199, HTML_MESSAGE=0.001]
Received: from smtp4-g19.free.fr (smtp4-g19.free.fr [212.27.42.30])
	by imlil.netoyen.net (Postfix) with ESMTP id 768113ACDB37
	for <mo...@netoyen.net>; Sun, 18 May 2008 14:33:15 +0200 (CEST)
Received: from smtp4-g19.free.fr (localhost.localdomain [127.0.0.1])
	by smtp4-g19.free.fr (Postfix) with ESMTP id 3B9913EA0CC
	for <mo...@netoyen.net>; Sun, 18 May 2008 14:33:12 +0200 (CEST)
Received: from DADES (ouzoud.netoyen.net [82.239.111.75])
	by smtp4-g19.free.fr (Postfix) with SMTP id 0CCF43EA0AC
	for <mo...@netoyen.net>; Sun, 18 May 2008 14:33:12 +0200 (CEST)
Message-ID: <EB...@DADES>
From: "mouss" <mo...@netoyen.net>
To: <mo...@netoyen.net>
Subject: test OE SP3
Date: Sun, 18 May 2008 14:33:11 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0003_01C8B8F4.197A36F0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.

------=_NextPart_000_0003_01C8B8F4.197A36F0
Content-Type: text/plain;
	charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

OE SP3 test
------=_NextPart_000_0003_01C8B8F4.197A36F0
Content-Type: text/html;
	charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1256">
<META content=3D"MSHTML 6.00.6000.16640" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>

<DIV><FONT face=3DArial size=3D2>OE SP3 test</FONT></DIV></BODY></HTML>

------=_NextPart_000_0003_01C8B8F4.197A36F0--





Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by Jari Fredriksson <ja...@iki.fi>.
> Jari Fredriksson wrote:
>>> mouss wrote:
>>> 
>>>> Please show full headers of the message.
>>>> 
>>>> 
>>>> 
>>>> 
>>> actually, you don't need to. your message to the list
>>> has the same "pattern".
>>> 
>>> the question is whether something is (re)writing the
>>> message-id or if this is a new outlook message-id format?
>>> 

I'm suggesting that OE uses this simple format now, and SA should adapt. I have no anti-virus or other software besides what windows delivers to edit my messages. OE sends the message to my postfix, which sends it to the configured smarthost.

No antivirus whatsoever. My postfix handles that with Amavis. Amavis is there, but I don't think it edits my Message-ID's.. I have not upgraded that for ages.




Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by mouss <mo...@netoyen.net>.
Jari Fredriksson wrote:
>> mouss wrote:
>>     
>>> Please show full headers of the message.
>>>
>>>
>>>
>>>       
>> actually, you don't need to. your message to the list has
>> the same "pattern".
>>
>> the question is whether something is (re)writing the
>> message-id or if this is a new outlook message-id format?
>>     
>
> Thanks;) Dunno. I have upgraded Windows XP to SP3 and upgraded postfix to the latest www.backports.org has for Debian Linux.
>
> What does it look like, there, my message-id?
>
>   

Message-ID: <FF...@mosquito>

it is not added by your postfix (postfix uses ...@myhostname which would 
be willington.... in your case).


So either something (anti-virus, plugin, ...) is adding it, or it is 
really OE using this format.

anyway, it gets caught by __FORGED_OE:


# Outlook Express 4, 5, and 6
header __OE_MUA                 X-Mailer =~ /\bOutlook Express [456]\./
header __OE_MSGID_1             MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
header __OE_MSGID_2             MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
header __OE_MSGID_3             MESSAGEID =~ /^<BAY\d+-DAV\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header __OE_MSGID_4             MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m
meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)

because it doesn't match any of the __OE_MSGID_x rules.
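Added example, not code from the thread or from the SpamAssassin project: the __OE_MUA, __OE_MSGID_1..4 and __FORGED_OE rules quoted above, plus mouss's proposed __OE_MSGID_5, re-expressed in Python so the meta logic can be run against constructed header blocks. It shows that the shipped rule set fires on the OE 6 (XP SP3) Message-ID format and that adding __OE_MSGID_5 suppresses that false positive while still catching a mailer that claims OE with an unknown ID format. The sample Message-IDs and the simplified __UNUSABLE_MSGID handling (treated as "Message-ID absent") are assumptions.

```python
import re

# The SpamAssassin rules quoted in the thread, as Python regexes.
# Perl needs '\@' inside a regex; Python does not, so '@' is written bare.
OE_MUA = re.compile(r"\bOutlook Express [456]\.")
OE_MSGID_RULES = {
    "__OE_MSGID_1": re.compile(r"^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}@hotmail\.com>$"),
    "__OE_MSGID_2": re.compile(r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$"),
    "__OE_MSGID_3": re.compile(r"^<BAY\d+-DAV\d+[A-Z0-9]{25}@phx\.gbl>$"),
    "__OE_MSGID_4": re.compile(r"^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}@CEZ\.ICE>$"),
}
# mouss's proposed addition for OE 6 on XP SP3: 32 hex digits before the '@'.
OE_MSGID_5 = re.compile(r"^<[A-Fa-f0-9]{32}@")


def get_header(raw_headers, name):
    """Return the first value of header `name` from a raw header block (no folding support)."""
    for line in raw_headers.splitlines():
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def forged_oe(raw_headers, with_msgid_5):
    """True when __FORGED_OE would fire: OE X-Mailer, but a Message-ID no known OE pattern matches.

    Assumption: __UNUSABLE_MSGID is simplified to 'no Message-ID header present'."""
    mailer = get_header(raw_headers, "X-Mailer")
    msgid = get_header(raw_headers, "Message-ID")
    if not OE_MUA.search(mailer) or not msgid:
        return False
    patterns = list(OE_MSGID_RULES.values())
    if with_msgid_5:
        patterns.append(OE_MSGID_5)
    return not any(p.search(msgid) for p in patterns)


# Constructed sample header blocks (not real messages); the Message-ID values are made up.
OE_SP3 = "X-Mailer: Microsoft Outlook Express 6.00.2900.5512\nMessage-ID: <0123456789abcdef0123456789ABCDEF@DADES>\n"
OE_CLASSIC = "X-Mailer: Microsoft Outlook Express 6.00.2900.3138\nMessage-ID: <000a01c8b8f4$12345678$0a000001@mosquito>\n"
OE_CLAIMED = "X-Mailer: Microsoft Outlook Express 6.00.2900.5512\nMessage-ID: <20080517.42@example.invalid>\n"

if __name__ == "__main__":
    for label, hdrs in [("OE on XP SP3", OE_SP3), ("classic OE", OE_CLASSIC), ("claims OE, odd ID", OE_CLAIMED)]:
        print(f"{label:18} old rules: {forged_oe(hdrs, False)!s:5}  with __OE_MSGID_5: {forged_oe(hdrs, True)}")
```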







Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by Benny Pedersen <me...@junc.org>.
On Sat, May 17, 2008 15:28, Jari Fredriksson wrote:

> What does it look like, there, my message-id?

X-Spam-Status: No, score=-8.329 tagged_above=-10 required=5 tests=[AWL=0.171,
     BAYES_00=-2.599, MAILLISTS=-1.9, RCVD_IN_DNSWL_MED=-4,
     SPF_PASS=-0.001]

no forged here


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by Jari Fredriksson <ja...@iki.fi>.
> mouss wrote:
>> 
>> Please show full headers of the message.
>> 
>> 
>> 
> 
> actually, you don't need to. your message to the list has
> the same "pattern".
> 
> the question is whether something is (re)writing the
> message-id or if this is a new outlook message-id format?

Thanks;) Dunno. I have upgraded Windows XP to SP3 and upgraded postfix to the latest www.backports.org has for Debian Linux.

What does it look like, there, my message-id?


Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by mouss <mo...@netoyen.net>.
mouss wrote:
> Jari Fredriksson wrote:
>>  
>> I received something like this from my email to a list
>>
>>  
>>> Sorry for the inconvenience, but we have started to fight against spam.
>>>
>>> Content analysis details:   (4.3 points, 4.0 required)
>>>
>>> pts rule name              description
>>> ---- ---------------------- 
>>> --------------------------------------------------
>>> 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>>> -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>>>                            [score: 0.0276]
>>> 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in 
>>> abuse.rfc-ignorant.org
>>> 1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
>>> 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>>>     
>>
>>
>> Apparently the list operator is using SpamAssassin, which I, too, 
>> happily use.
>>
>> I can understand
>> FORGED_RCVD_HELO
>> Maybe it is from my internal handouts? I have a LAN but also a Smart 
>> Host to send my email out.
>>
>>
>> BAYES_05
>> All good.
>>
>>
>> DNS_FROM_RFC_ABUSE
>> No idea. iki.fi is my email-provider and they should be ok. But they 
>> provide for a lot of folks... Dunno
>>
>>
>> GUZMAN_STOCKALERT02
>> Absolutely no idea. I used capital letters, because I was talking 
>> about a C language application and its #defined VALUES.
>>
>>
>> FORGED_MUA_OUTLOOK
>> This!! I posted that from Windows XP SP3 with default Outlook 
>> Express.  !!! Oh my. Whatta heck! Oh my.
>>
>> Can we get rid of this Outlook problem, so many ppl have reported 
>> problems already? Or is it fixed? Good. Thanks.
>>   
>
>
> Please show full headers of the message.
>
>
>

actually, you don't need to. your message to the list has the same 
"pattern".

the question is whether something is (re)writing the message-id or if 
this is a new outlook message-id format?


Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by mouss <mo...@netoyen.net>.
Jari Fredriksson wrote:
>  
> I received something like this from my email to a list
>
>   
>> Sorry for the inconvenience, but we have started to fight against spam.
>>
>> Content analysis details:   (4.3 points, 4.0 required)
>>
>> pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>> -1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
>>                            [score: 0.0276]
>> 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
>> 1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
>> 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>>     
>
>
> Apparently the list operator is using SpamAssassin, which I, too, happily use.
>
> I can understand 
>
> FORGED_RCVD_HELO
> Maybe it is from my internal handouts? I have a LAN but also a Smart Host to send my email out.
>
>
> BAYES_05
> All good.
>
>
> DNS_FROM_RFC_ABUSE
> No idea. iki.fi is my email-provider and they should be ok. But they provide for a lot of folks... Dunno
>
>
> GUZMAN_STOCKALERT02
> Absolutely no idea. I used capital letters, because I was talking about a C language application and its #defined VALUES.
>
>
> FORGED_MUA_OUTLOOK
> This!! I posted that from Windows XP SP3 with default Outlook Express.  !!! Oh my. Whatta heck! Oh my.
>
> Can we get rid of this Outlook problem, so many ppl have reported problems already? Or is it fixed? Good. Thanks.
>   


Please show full headers of the message.




Re: FORGED_MUA_OUTLOOK is a nuisance

Posted by Jeff Koch <je...@intersessions.com>.
I agree - let's get rid of it until it can be fixed. We've had to manually 
drop the score to zero because of so many complaints.



At 08:22 AM 5/17/2008, Jari Fredriksson wrote:
>
>I received something like this from my email to a list
>
> >Sorry for the inconvenience, but we have started to fight against spam.
> >
> >Content analysis details:   (4.3 points, 4.0 required)
> >
> > pts rule name              description
> >---- ---------------------- 
> --------------------------------------------------
> > 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
> >-1.1 BAYES_05               BODY: Bayesian spam probability is 1 to 5%
> >                            [score: 0.0276]
> > 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
> > 1.0 GUZMAN_STOCKALERT02    looks like contains a Symbol Name
> > 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>
>
>Apparently the list operator is using SpamAssassin, which I, too, happily use.
>
>I can understand
>
>FORGED_RCVD_HELO
>Maybe it is from my internal handouts? I have a LAN but also a Smart Host 
>to send my email out.
>
>
>BAYES_05
>All good.
>
>
>DNS_FROM_RFC_ABUSE
>No idea. iki.fi is my email-provider and they should be ok. But they 
>provide for a lot of folks... Dunno
>
>
>GUZMAN_STOCKALERT02
>Absolutely no idea. I used capital letters, because I was talking about a 
>C language application and its #defined VALUES.
>
>
>FORGED_MUA_OUTLOOK
>This!! I posted that from Windows XP SP3 with default Outlook 
>Express.  !!! Oh my. Whatta heck! Oh my.
>
>Can we get rid of this Outlook problem, so many ppl have reported problems 
>already? Or is it fixed? Good. Thanks.

Best Regards,

Jeff Koch, Intersessions