Posted to users@spamassassin.apache.org by Tony Finch <do...@dotat.at> on 2006/04/04 23:47:25 UTC

false positive on FORGED_MUA_OUTLOOK (v.3.1)

The following headers come from a legitimate message - I have obscured the
sender's name, but that's all. The "SlipStream SP Server" seems to have
appended the client username and IP address to the message-ID, causing the
FP. See also:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200509.mbox/%3C432FD074.1050501@as2594.net%3E
and about halfway down
http://list-archive.xemacs.org/xemacs-design/xemacs-design.200603
(search for SlipStream)

Tony.
-- 
f.a.n.finch  <do...@dotat.at>  http://dotat.at/
HEBRIDES BAILEY: WEST 5 TO 7, OCCASIONALLY GALE 8 IN BAILEY AND PERHAPS LATER
IN HEBRIDES. OCCASIONAL RAIN. MODERATE OR GOOD.


Return-Path: <us...@virgin.net>
Received: from ppsw-0-intramail.csi.cam.ac.uk ([192.168.128.130])
    by cyrus-10.csi.private.cam.ac.uk (Cyrus v2.1.16-HERMES)
    with LMTP; Mon, 03 Apr 2006 14:37:45 +0100
X-Sieve: CMU Sieve 2.2
X-Cam-SpamScore: ssssss
X-Cam-SpamDetails: scanned, SpamAssassin (score=6.434,
    DNS_FROM_RFC_ABUSE 0.48, DNS_FROM_RFC_POST 1.44,
    DNS_FROM_RFC_WHOIS 0.88, FORGED_MUA_OUTLOOK 3.36,
    MAILTO_TO_SPAM_ADDR 0.28)
X-Cam-AntiVirus: No virus found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from nitrogen.onspeed.com ([212.100.250.212]:55229)
    by ppsw-0.csi.cam.ac.uk (mx.cam.ac.uk [131.111.8.140]:25)
    with esmtp (csa=unknown) id 1FQPFR-0006Du-2j (Exim 4.54) for
    editor@caths.cam.ac.uk
    (return-path <us...@virgin.net>); Mon, 03 Apr 2006 14:37:37 +0100
Received: from computername (localhost [127.0.0.1])
    by nitrogen.onspeed.com (8.12.11.20060308/8.12.11) with SMTP id
    k33DoZ6L011014
    for <ed...@caths.cam.ac.uk>; Mon, 3 Apr 2006 14:50:36 +0100
Received: from m40-mp4.cvx3-c.bre.dial.ntli.net
    (username@m40-mp4.cvx3-c.bre.dial.ntli.net [62.255.104.40])
    by nitrogen.onspeed.com (SlipStream SP Server 5.0.59
    built 2006/01/10 01:01:33 -0500 (EST)); Mon,
    03 Apr 2006 14:50:36 +0100 (BST)
X-Originating-IP: [62.255.104.40]
X-Originating-User: [username]
Message-ID:
    <us...@computername>
From: "Real name" <us...@virgin.net>
To: "Magazine Editor" <ed...@caths.cam.ac.uk>
References:
    <us...@computername>
    <Pi...@hermes-2.csi.cam.ac.uk>
    <us...@computername>
    <Pi...@hermes-2.csi.cam.ac.uk>
Subject: Re: Fw: College Magazine
Date: Mon, 3 Apr 2006 14:37:29 +0100
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-1";
    reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180


Re: false positive on FORGED_MUA_OUTLOOK (v.3.1)

Posted by Paolo Cravero as2594 <pc...@as2594.net>.
Tony Finch wrote:
> The following headers come from a legitimate message - I have obscured the
> sender's name, but that's all. The "SlipStream SP Server" seems to have
> appended the client username and IP address to the message-ID, causing the
> FP. See also:
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200509.mbox/%3C432FD074.1050501@as2594.net%3E

Yep! That was me! :-)

I investigated with the sender of that message, and since he's a friend, 
I could ask him all sorts of questions.

Turned out that he used a dialup connection *and* a "dialup connection 
accelerator" offered by the provider itself. I don't know how that d@mn 
thing works, but it probably re-routes all IP traffic through a 
software-compressed tunnel established between the PC and provider's 
servers. Don't know where Message-IDs are altered, but not by the 
client itself.

I tried the same dialup without compression software and everything went 
fine.

So, the FORGED rule triggers correctly. Someone deals improperly with 
Message-IDs!

Paolo
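Putting the two posts together: the rule compares the X-Mailer claim against the Message-ID shape Outlook Express produces, and a proxy that rewrites the Message-ID between the MUA and the first MTA makes a genuine Outlook Express message fail that comparison. The Python below is an example added here, not SpamAssassin's rule code: its regex is a simplified restatement of the Outlook Express Message-ID format rather than the rule text, the header block is constructed from the Received chain in Tony's post, the Message-ID values are invented because the archive obscures the real ones, and the `username.IP.` prefix is an assumed shape for the SlipStream rewrite (the thread does not show the exact format).

```python
"""Simplified replay of the FORGED_MUA_OUTLOOK decision on a header
block, plus a triage helper that lists which hop could have rewritten
the Message-ID. Example added to this thread; the regex is a plain
restatement of the Outlook Express Message-ID shape, not the text of
SpamAssassin's rule, and all header values below are constructed."""
import re

# Outlook Express builds its Message-ID as 12 hex digits, '$', 8 hex
# digits, '$', 8 hex digits, '@', the sending computer's name.
OE_MSGID_RE = re.compile(r'^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$')
OE_MAILER_RE = re.compile(r'\bOutlook Express\b')
# "by <host> (<software>)" in a Received header; the software comment
# may itself contain one level of parentheses, e.g. "... -0500 (EST)".
RECEIVED_BY_RE = re.compile(
    r'\bby\s+(\S+)(?:\s*\(((?:[^()]|\([^()]*\))*)\))?')


def parse_headers(raw):
    """Return a list of (name, value) pairs from a raw header block.
    Folded continuation lines (leading whitespace) are joined onto the
    previous value with one space; the Message-ID in the archived
    post is folded onto its own line, so this matters."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in ' \t' and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + ' ' + line.strip()).strip())
        else:
            name, _, value = line.partition(':')
            headers.append((name.strip(), value.strip()))
    return headers


def get(headers, name):
    """All values for a header name (case-insensitive), top to bottom."""
    return [v for n, v in headers if n.lower() == name.lower()]


def forged_mua_outlook(headers):
    """True when X-Mailer claims Outlook Express but the Message-ID does
    not have the shape Outlook Express generates."""
    if not any(OE_MAILER_RE.search(m) for m in get(headers, 'X-Mailer')):
        return False
    mids = get(headers, 'Message-ID')
    if not mids:
        return False  # nothing to compare; other rules cover that case
    return OE_MSGID_RE.match(mids[0]) is None


def relay_software(headers):
    """(host, software) for each Received header, oldest hop first, so a
    rewriting proxy between the MUA and the first MTA stands out."""
    hops = []
    for rcvd in reversed(get(headers, 'Received')):
        m = RECEIVED_BY_RE.search(rcvd)
        if m:
            hops.append((m.group(1), (m.group(2) or '').strip()))
    return hops


# Constructed sample modelled on the Received chain in Tony's post; the
# Message-ID is filled in below because the archive obscures the real one.
HEADER_TEMPLATE = """\
Received: from nitrogen.onspeed.com ([212.100.250.212]:55229)
    by ppsw-0.csi.cam.ac.uk (mx.cam.ac.uk [131.111.8.140]:25)
    with esmtp (csa=unknown) id 1FQPFR-0006Du-2j (Exim 4.54)
Received: from computername (localhost [127.0.0.1])
    by nitrogen.onspeed.com (8.12.11.20060308/8.12.11) with SMTP id
    k33DoZ6L011014
Received: from m40-mp4.cvx3-c.bre.dial.ntli.net
    (username@m40-mp4.cvx3-c.bre.dial.ntli.net [62.255.104.40])
    by nitrogen.onspeed.com (SlipStream SP Server 5.0.59
    built 2006/01/10 01:01:33 -0500 (EST)); Mon,
    03 Apr 2006 14:50:36 +0100 (BST)
Message-ID:
    <{mid}>
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
"""
# Invented value in the shape Outlook Express itself produces.
CLEAN_MSGID = '000a01c65729$8d5fa5a0$0100a8c0@computername'
# Assumed shape of the proxy's rewrite (username and IP added in front
# of the local part); the thread does not show the exact format.
REWRITTEN_MSGID = 'username.62.255.104.40.' + CLEAN_MSGID


def evaluate(message_id):
    """Run both checks on the sample headers with the given Message-ID."""
    headers = parse_headers(HEADER_TEMPLATE.format(mid=message_id))
    return forged_mua_outlook(headers), relay_software(headers)


if __name__ == '__main__':
    for label, mid in (('clean', CLEAN_MSGID), ('rewritten', REWRITTEN_MSGID)):
        fired, hops = evaluate(mid)
        print(f'{label}: FORGED_MUA_OUTLOOK fires = {fired}')
        for host, software in hops:
            print(f'  relayed by {host} running {software!r}')
```

Run as-is, the check fires only for the rewritten Message-ID, and the relay list puts the SlipStream hop first, between the dial-up client and the sendmail instance on the same host. That is the triage a postmaster wants when a user reports this FP: the rule is comparing exactly what it should, the header was changed by the accelerator proxy, and the remedy is on that side (or a local score adjustment if many of your users sit behind such a proxy) rather than in the rule.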