Posted to dev@spamassassin.apache.org by Jari Fredriksson <ja...@iki.fi> on 2012/11/06 10:47:34 UTC
False positive
X-Spam-Report:
* -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust
* [208.99.185.53 listed in list.dnswl.org]
* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.0 DKIM_VERIFIED DKIM_VERIFIED
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
* 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
* 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
* 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers

This mail seems HAM to me, but Outlook traces seem to be invalid. I do
not want to publish this at least in unmangled format, so I thought some
dev might be interested to analyze it.

If so, I can send off-list the mail for an analysis. The sample is
posted from Groups.ITtoolbox.com and the recipient apparently has
subscribed to it, as I see lots of mail from that source to him.

The recipient is my Boss, and the servers in received headers are our
company servers, so I do not publish this to everyone.

Any volunteers?
--
You recoil from the crude; you tend naturally toward the exquisite.
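
The report in the post above can be triaged mechanically. The following is an added example, not part of the original thread or of SpamAssassin's code: it rejoins the wrapped report lines, totals the score, and lists the fewest rules that would have to stop firing for the message to fall below the threshold. The function names are hypothetical and the 5.0 threshold is an assumption (SpamAssassin's default required_score).

```python
import re

# X-Spam-Report from the first post; some of the mail client's line wraps are kept.
REPORT = """\
* -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at
http://www.dnswl.org/, low
* trust
* [208.99.185.53 listed in list.dnswl.org]
* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 HTML_MESSAGE BODY: HTML included in message
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
* -0.0 DKIM_VERIFIED DKIM_VERIFIED
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
* 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
* 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
* 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS
Outlook
* 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers
"""

# A rule hit is "<score> <RULE_NAME> <description>"; any other line continues the previous hit.
HIT = re.compile(r"^\*?\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s*(.*)$")

def parse_report(text):
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIT.match(line)
        if m:
            hits.append({"score": float(m.group(1)), "rule": m.group(2), "desc": m.group(3)})
        elif hits and line.strip("* "):
            hits[-1]["desc"] += " " + line.lstrip("* ")
    return hits

def total_score(hits):
    return round(sum(h["score"] for h in hits), 1)

def fp_drivers(hits, threshold=5.0):  # 5.0 is assumed: SpamAssassin's default required_score
    """Fewest top-scoring rules that must be removed for the total to fall below threshold."""
    total, drivers = sum(h["score"] for h in hits), []
    for h in sorted(hits, key=lambda h: h["score"], reverse=True):
        if total < threshold or h["score"] <= 0:
            break
        drivers.append(h["rule"])
        total -= h["score"]
    return drivers

if __name__ == "__main__":
    hits = parse_report(REPORT)
    print(total_score(hits), fp_drivers(hits))
```
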
Re: False positive
Posted by Axb <ax...@gmail.com>.
On 11/06/2012 10:47 AM, Jari Fredriksson wrote:
>
> X-Spam-Report:
> * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust
> * [208.99.185.53 listed in list.dnswl.org]
> * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
> * -0.0 DKIM_VERIFIED DKIM_VERIFIED
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> * 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
> * 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
> * 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
> * 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers
>
> This mail seems HAM to me, but Outlook traces seem to be invalid. I do
> not want to publish this at least in unmangled format, so I thought some
> dev might be interested to analyze it.
>
> If so, I can send off-list the mail for an analysis. The sample is
> posted from Groups.ITtoolbox.com and the recipient apparently has
> subscribed to it, as I see lots of mail from that source to him.
>
> The recipient is my Boss, and the servers in received headers are our
> company servers, so I do not publish this to everyone.
>
> Any volunteers?
beam it over (as eml in an archive, please)
Axb
Re: False positive
Posted by Axb <ax...@gmail.com>.
On 11/06/2012 11:29 AM, Jari Fredriksson wrote:
> 06.11.2012 12:14, Axb wrote:
>> On 11/06/2012 10:59 AM, Jari Fredriksson wrote:
>>> 06.11.2012 11:47, Jari Fredriksson wrote:
>>>> X-Spam-Report:
>>>> * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust
>>>> * [208.99.185.53 listed in list.dnswl.org]
>>>> * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>>>> * -0.0 SPF_PASS SPF: sender matches SPF record
>>>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>>>> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
>>>> * -0.0 DKIM_VERIFIED DKIM_VERIFIED
>>>> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>>>> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
>>>> * 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
>>>> * 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
>>>> * 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
>>>> * 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers
>>>>
>>>> This mail seems HAM to me, but Outlook traces seem to be invalid. I do
>>>> not want to publish this at least in unmangled format, so I thought some
>>>> dev might be interested to analyze it.
>>>>
>>>> If so, I can send off-list the mail for an analysis. The sample is
>>>> posted from Groups.ITtoolbox.com and the recipient apparently has
>>>> subscribed to it, as I see lots of mail from that source to him.
>>>>
>>>> The recipient is my Boss, and the servers in received headers are our
>>>> company servers, so I do not publish this to everyone.
>>>>
>>>> Any volunteers?
>>>>
>>>
>>> The mail now passes as HAM (4.4 points) if I re-check it with current
>>> settings. I guess masscheck has adjusted the score of those rules
>>> triggered by this, as this false positive has been in my HAM corpus.
>>
>> This is an old version which shouldn't show up in ham unless the user
>> has made a point of not updating his OS
>>
>> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>>
>>
>>
> OK. Should I move that mail to my SPAM corpus, and treat it like that?
> The content sure looks hammy to me...
I'd leave it in HAM for the time being.
Axb
Re: False positive
Posted by Jari Fredriksson <ja...@iki.fi>.
06.11.2012 12:14, Axb wrote:
> On 11/06/2012 10:59 AM, Jari Fredriksson wrote:
>> 06.11.2012 11:47, Jari Fredriksson wrote:
>>> X-Spam-Report:
>>> * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust
>>> * [208.99.185.53 listed in list.dnswl.org]
>>> * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>>> * -0.0 SPF_PASS SPF: sender matches SPF record
>>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>>> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
>>> * -0.0 DKIM_VERIFIED DKIM_VERIFIED
>>> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>>> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
>>> * 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
>>> * 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
>>> * 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
>>> * 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers
>>>
>>> This mail seems HAM to me, but Outlook traces seem to be invalid. I do
>>> not want to publish this at least in unmangled format, so I thought some
>>> dev might be interested to analyze it.
>>>
>>> If so, I can send off-list the mail for an analysis. The sample is
>>> posted from Groups.ITtoolbox.com and the recipient apparently has
>>> subscribed to it, as I see lots of mail from that source to him.
>>>
>>> The recipient is my Boss, and the servers in received headers are our
>>> company servers, so I do not publish this to everyone.
>>>
>>> Any volunteers?
>>>
>>
>> The mail now passes as HAM (4.4 points) if I re-check it with current
>> settings. I guess masscheck has adjusted the score of those rules
>> triggered by this, as this false positive has been in my HAM corpus.
>
> This is an old version which shouldn't show up in ham unless the user
> has made a point of not updating his OS
>
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>
>
>
OK. Should I move that mail to my SPAM corpus, and treat it like that?
The content sure looks hammy to me...
--
Beware of a tall blond man with one black shoe.
Re: False positive
Posted by Axb <ax...@gmail.com>.
On 11/06/2012 10:59 AM, Jari Fredriksson wrote:
> 06.11.2012 11:47, Jari Fredriksson wrote:
>> X-Spam-Report:
>> * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust
>> * [208.99.185.53 listed in list.dnswl.org]
>> * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
>> * -0.0 SPF_PASS SPF: sender matches SPF record
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
>> * -0.0 DKIM_VERIFIED DKIM_VERIFIED
>> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
>> * 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
>> * 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
>> * 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
>> * 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers
>>
>> This mail seems HAM to me, but Outlook traces seem to be invalid. I do
>> not want to publish this at least in unmangled format, so I thought some
>> dev might be interested to analyze it.
>>
>> If so, I can send off-list the mail for an analysis. The sample is
>> posted from Groups.ITtoolbox.com and the recipient apparently has
>> subscribed to it, as I see lots of mail from that source to him.
>>
>> The recipient is my Boss, and the servers in received headers are our
>> company servers, so I do not publish this to everyone.
>>
>> Any volunteers?
>>
>
> The mail now passes as HAM (4.4 points) if I re-check it with current
> settings. I guess masscheck has adjusted the score of those rules
> triggered by this, as this false positive has been in my HAM corpus.
This is an old version which shouldn't show up in ham unless the user
has made a point of not updating his OS
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Re: False positive
Posted by Jari Fredriksson <ja...@iki.fi>.
06.11.2012 11:47, Jari Fredriksson wrote:
> X-Spam-Report:
> * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust
> * [208.99.185.53 listed in list.dnswl.org]
> * -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
> * -0.0 DKIM_VERIFIED DKIM_VERIFIED
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
> * 0.6 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
> * 1.7 AXB_XMAILER_MIMEOLE_OL_4379D AXB_XMAILER_MIMEOLE_OL_4379D
> * 2.8 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
> * 3.1 DOS_OE_TO_MX Delivered direct to MX with OE headers
>
> This mail seems HAM to me, but Outlook traces seem to be invalid. I do
> not want to publish this at least in unmangled format, so I thought some
> dev might be interested to analyze it.
>
> If so, I can send off-list the mail for an analysis. The sample is
> posted from Groups.ITtoolbox.com and the recipient apparently has
> subscribed to it, as I see lots of mail from that source to him.
>
> The recipient is my Boss, and the servers in received headers are our
> company servers, so I do not publish this to everyone.
>
> Any volunteers?
>
The mail now passes as HAM (4.4 points) if I re-check it with current
settings. I guess masscheck has adjusted the score of those rules
triggered by this, as this false positive has been in my HAM corpus.
--
Q: What's yellow, and equivalent to the Axiom of Choice?
A: Zorn's Lemon.