Posted to dev@spamassassin.apache.org by bu...@issues.apache.org on 2010/04/19 17:03:47 UTC

[Bug 6417] New: HK_FAKENAME_MICROSOFT FP with score of 3.7

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6417

           Summary: HK_FAKENAME_MICROSOFT FP with score of 3.7
           Product: Spamassassin
           Version: 3.3.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: jason@i6ix.com


Response to abuse report to MSN triggered this rule.


Return-Path: <ab...@msn.com>
Received: from BAY0-XMR-010.phx.gbl (bay0-xmr-010.hotmail.com [65.54.241.66])
    by mail-bsv.electronet.net (8.14.3/8.14.3) with ESMTP id o3JEHYaY025458
    for <us...@example.com>; Mon, 19 Apr 2010 10:17:34 -0400
Received: from mail pickup service by BAY0-XMR-010.phx.gbl with Microsoft
SMTPSVC;
     Mon, 19 Apr 2010 07:17:33 -0700
To: user@example.com
From: MSN Hotmail <ab...@msn.com>
Subject: 154724 Secure 5 NMO E-mail Template
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_1271686655-15819-12"
References: <00...@net>
Message-ID: <BA...@BAY0-XMR-010.phx.gbl>
X-OriginalArrivalTime: 19 Apr 2010 14:17:33.0877 (UTC)
FILETIME=[0DF18E50:01CADFCB]
Date: 19 Apr 2010 07:17:33 -0700
X-Spam-Score: 5.198 (*****) BAYES_60,HK_FAKENAME_MICROSOFT,SPF_PASS


Thank you for reporting abuse to the MSN Support Team. This is an
auto-generated response to inform you that we have received your submission.
Please note that you will not receive a reply if you respond directly to this
message. 

MSN takes abusive e-mails very seriously. A Support Representative will review
your report and will take appropriate actions.

If you are reporting Unsolicited Commercial E-Mail (also known as Spam or Junk
E-Mail), please resubmit your report to report_spam@hotmail.com or
report_spam@msn.com depending on the spammer’s domain. Appropriate actions will
be taken. 

Abuse@msn.com does NOT process spam reports. These accounts only process abusive
e-mails in, but not limited to, the following categories: 

• Child exploitation/pornography threats
• Harassment 
• Impersonation of an institution or trademark (like a bank or government
agency or charity) also known as Phishing 
• Issues relating to account credentials being compromised (hacked)

If you suspect a crime is being committed, report it directly to your local
police authorities. 


If you need information about how to configure and take more advantage of your
MSN Junk E-Mail Filters, please visit the following website: 

http://help.msn.com/help.aspx?mkt=en-us&project=hotmailpimv10&querytype=topic&query=pim_proc_SetUpJMF.htm

If you need further information about MSN's efforts and technologies used to
fight spam and abusive e-mails please visit: 

http://postmaster.msn.com/cgi-bin/dasp/postmaster.asp?ContextNav=FightJunkEmail

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.


--- Comment #14 from Michael Scheidell <sc...@secnap.net> 2010-07-08 15:08:00 EDT ---
God bless Microsoft:
(not marketing email, it's a security mailing list)

Received: from xtinmta02-30.exacttarget.com (xtinmta02-30.exacttarget.com
[207.67.38.30])
    by mx1.secnap.com.ionspam.net (Postfix) with ESMTP id 60BF52B7C6F
    for <li...@secnap.com>; Thu,  8 Jul 2010 14:17:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608;
d=e-mail.microsoft.com;

h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type:Content-Transfer-Encoding;
i=securitynotifications@e-mail.microsoft.com;
 bh=m6K2gT4AeY67hO1e0/XErkeFfZE=;
 b=wuVds8QiwQl1PLART7zgjK4GK+6eSHR98VMKR5TwKCcA2BArjndk5x5jQetHAuYRHrZXHhiE6phB
   fl/qMgfaFla0/PsRLa+Sk8bye2ZXj1LoV5zhB8+uwjYZYiFZli16hdrmGGDUSXugWcWXCzI0ALpb
   aDshiDbwvDyODphTJbY=
Received: by xtinmta02-30.exacttarget.com (PowerMTA(TM) v3.5r15) id
h6ob400ie1s1 for <li...@secnap.com>; Thu, 8 Jul 2010 12:17:34 -0600
(envelope-from
<bo...@bounce.email.microsoftemail.com>)
From: "Microsoft" <se...@e-mail.microsoft.com>


--- Comment #4 from John Wilcock <jo...@tradoc.fr> 2010-04-27 14:47:09 EDT ---
I continue to find false hits (saved by other rules, so not false positives as
such) from genuine microsoft mail, and also for example, a genuine paypal
notification from a nameless msn user:

From: "xxxxxx@msn.com" <xx...@msn.com>
Sender: sendmail@paypal.com

This paypal FP would not have hit the proposed SPF version of the rule, since
paypal has correct SPF records. 

Something needs to be done. At the very least, the proposed SPF version should
be adopted with a score somewhat lower than the current 3.7 IMO.

On the other hand, the only actual spam hit I've seen recently that hit the
rule would not have hit the proposed SPF version of the rule either, as it
was sent via a bulk mail service that has correct SPF records.

Envelope-From: bounce2@edt02.net
Received: from mailflip55.edt02.net (mailflip55.edt02.net [82.138.77.250])
     by xxxxxxx.yyy.zz (Postfix) with ESMTP id 6939B334032
     for <ww...@yyy.zz>; Thu, 22 Apr 2010 05:31:43 +0200 (CEST)
From: "Microsoft par deltamailing" <ph...@datafnx.com>

Are others still seeing many spam hits for this rule? If not, perhaps it should
be dropped altogether?


John Wilcock <jo...@tradoc.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |john@tradoc.fr

--- Comment #1 from John Wilcock <jo...@tradoc.fr> 2010-04-19 11:41:11 EDT ---
Another FP (saved by Bayes) on a genuine Microsoft Security Bulletin

Content analysis details:   (3.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
 1.5 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 3.7 HK_FAKENAME_MICROSOFT  From name mentions Microsoft, but not relayed
                            from there

Headers relevant to the subtests:

Received: from xtinmta01-20.exacttarget.com (xtinmta01-20.exacttarget.com
[207.67.38.20])
    by xxxxx.yyyyy.zzz (Postfix) with ESMTP id D34D533400A
    for <ww...@yyyyy.zzz>; Wed, 14 Apr 2010 03:27:06 +0200 (CEST)
From: "Microsoft" <se...@e-mail.microsoft.com>


--- Comment #8 from John Hardin <jh...@impsec.org> 2010-07-05 15:20:23 EDT ---
Jason, John:

The "&& !SPF_PASS" change for HK_FAKENAME_MICROSOFT went live a while ago. Is
the behavior enough better that this bug can be closed?


--- Comment #13 from Jason Bertoch <ja...@i6ix.com> 2010-07-06 11:40:25 EDT ---
The "&& !SPF_PASS" change for HK_FAKENAME_MICROSOFT fixed the FPs on my mail
flow.


Jason Bertoch <ja...@i6ix.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason@i6ix.com

--- Comment #6 from Jason Bertoch <ja...@i6ix.com> 2010-04-28 09:08:15 EDT ---
I'm seeing FP's almost exclusively, and the SPF check should fix the issues
with my mail flow.


--- Comment #15 from John Hardin <jh...@impsec.org> 2010-07-08 18:15:32 EDT ---
...so, add "&& !DKIM_VALID_AU" to it as well? That should have been done in
response to comment #1 - sorry.


Adam Katz <an...@khopis.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |antispam@khopis.com

--- Comment #2 from Adam Katz <an...@khopis.com> 2010-04-19 22:18:46 EDT ---
Looks like MS just started outsourcing to an ESP.

From trunk (as promoted from rulesrc/sandbox/hege):
> meta   HK_FAKENAME_MICROSOFT __HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT
> header __HK_HELO_MICROSOFT   X-Spam-Relays-External =~ / helo=\S+\.(?:microsoft(?:email)?|msn)\.com /
> header __HK_NAME_MICROSOFT   From:name =~ /(microsoft|\bmsn\b)/i

This is solvable via SPF unless we're trying to avoid the plugin as much as
possible.

ifplugin Mail::SpamAssassin::Plugin::SPF
  meta   HK_FAKENAME_MICROSOFT __HK_NAME_MICROSOFT && !SPF_PASS
endif

Alternatively, we could scratch the rule.


--- Comment #17 from Michael Scheidell <sc...@secnap.net> 2010-07-11 08:41:24 EDT ---
Then again, just because it's DKIM signed doesn't mean it's legit.
Just because it's SPF_PASS doesn't mean it's legit :-)

Forged MS email, spam attached, '®Microsoft Notification.rtf', sent through
Yahoo (who signed it).

DKIM passed.

Received: from web83806.mail.sp1.yahoo.com (web83806.mail.sp1.yahoo.com
[69.147.85.75])
    by mx1.secnap.com.ionspam.net (Postfix) with SMTP id BC0032B7C5D
    for <sc...@secnap.net>; Sat, 10 Jul 2010 16:48:00 -0400 (EDT)
Received: (qmail 71677 invoked by uid 60001); 10 Jul 2010 20:47:59 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
s=s1024; t=1278794879;


From: =?iso-8859-1?Q?Microsoft=A9_Corporation?= <pi...@btinternet.com>
Reply-To: =?iso-8859-1?Q?Microsoft=A9_Corporation?= <pi...@btinternet.com>
Subject: [SPAM]***Your Payment {donwload attached file}***


Content-Type: application/rtf;
name="=?utf-8?B?wq5NaWNyb3NvZnQgTm90aWZpY2F0aW9uLnJ0Zg==?="
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="=?utf-8?B?wq5NaWNyb3NvZnQgTm90aWZpY2F0aW9uLnJ0Zg==?="

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
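The meta variants argued over in this thread (the trunk HELO check quoted in comment #2, the `!SPF_PASS` change committed in comment #5, the `SPF_SOFTFAIL | SPF_FAIL` proposal in comment #9 and the `!DKIM_VALID_AU` suggestion in comment #15) can be compared side by side against the messages posted here. The Python below is an added example, not SpamAssassin code and not from any participant: it copies the two subrule regexes quoted in comment #2, stands in plain booleans for the SPF and DKIM plugin results, and constructs seven messages mirroring the headers in the thread. Where the page does not show an SPF or DKIM outcome (the ExactTarget security list, the Yahoo-relayed forgery) the value used is an assumption and is marked so in the code; the `X-Spam-Relays-External` strings are constructed approximations carrying only the `helo=` field the rule reads, and `mx.example.invalid` and the other `.invalid` hostnames are placeholders.

```python
"""Compare the HK_FAKENAME_MICROSOFT meta variants from bug 6417 over the
messages posted in the thread.  Added example, not SpamAssassin code: the two
subrule regexes are copied from the trunk rule quoted in comment #2; every
message fact below is constructed to mirror the posted headers."""
import re
from dataclasses import dataclass

# Subrules as quoted from rulesrc/sandbox/hege in comment #2.
HK_NAME_MICROSOFT = re.compile(r"(microsoft|\bmsn\b)", re.I)
HK_HELO_MICROSOFT = re.compile(r" helo=\S+\.(?:microsoft(?:email)?|msn)\.com ")


@dataclass(frozen=True)
class Msg:
    label: str
    spam: bool           # ground truth as the poster described the message
    from_name: str       # display-name part of From:
    relays: str          # constructed X-Spam-Relays-External pseudo-header
    spf: str             # pass | fail | softfail | none
    dkim_valid_au: bool  # valid signature from the From: domain


def subrules(m: Msg) -> dict:
    """Evaluate the subrules the meta variants depend on (plugin results are facts here)."""
    return {
        "__HK_NAME_MICROSOFT": bool(HK_NAME_MICROSOFT.search(m.from_name)),
        "__HK_HELO_MICROSOFT": bool(HK_HELO_MICROSOFT.search(m.relays)),
        "SPF_PASS": m.spf == "pass",
        "SPF_FAIL": m.spf == "fail",
        "SPF_SOFTFAIL": m.spf == "softfail",
        "DKIM_VALID_AU": m.dkim_valid_au,
    }


# The meta expressions proposed in the thread.
VARIANTS = {
    # trunk rule quoted in comment #2
    "helo": lambda r: r["__HK_NAME_MICROSOFT"] and not r["__HK_HELO_MICROSOFT"],
    # comment #2 proposal, committed as r938622 in comment #5
    "not_spf_pass": lambda r: r["__HK_NAME_MICROSOFT"] and not r["SPF_PASS"],
    # comment #9: only fire when the From: domain's own SPF rejects the relay
    "spf_fail_only": lambda r: r["__HK_NAME_MICROSOFT"]
    and (r["SPF_FAIL"] or r["SPF_SOFTFAIL"]),
    # comment #15: also exempt author-domain DKIM
    "not_spf_not_dkim": lambda r: r["__HK_NAME_MICROSOFT"]
    and not r["SPF_PASS"] and not r["DKIM_VALID_AU"],
}


def evaluate(m: Msg) -> dict:
    """Return {variant name: fired?} for one message."""
    r = subrules(m)
    return {name: bool(expr(r)) for name, expr in VARIANTS.items()}


def relays(helo: str, ip: str) -> str:
    """Constructed stand-in for X-Spam-Relays-External; only helo= is read here."""
    return f"[ ip={ip} rdns={helo} helo={helo} by=mx.example.invalid ]"


# Constructed cases mirroring the thread.  "assumed" marks an SPF or DKIM
# outcome the page does not show.
CASES = [
    Msg("MSN abuse autoresponder (report)", False, "MSN Hotmail",
        relays("BAY0-XMR-010.phx.gbl", "65.54.241.66"), "pass", False),
    Msg("MS security list via ExactTarget, DKIM-signed, no SPF (comments #14, #16)",
        False, "Microsoft", relays("xtinmta02-30.exacttarget.com", "207.67.38.30"),
        "none", True),  # DKIM result assumed valid
    Msg("MS technical list, no SPF, no DKIM (comment #11)", False, "Microsoft",
        relays("mta.example.invalid", "203.0.113.10"), "none", False),
    Msg("deltamailing spam, ESP with correct SPF (comment #4)", True,
        "Microsoft par deltamailing",
        relays("mailflip55.edt02.net", "82.138.77.250"), "pass", False),
    Msg("forgery via Yahoo, DKIM-signed by btinternet.com (comment #17)", True,
        "Microsoft\u00a9 Corporation",
        relays("web83806.mail.sp1.yahoo.com", "69.147.85.75"), "pass", True),  # SPF assumed
    Msg("microsoft-uk.com spam, domain without SPF (comment #10)", True,
        "Microsoft Corporation Inc",
        relays("mail.example.invalid", "198.51.100.7"), "none", False),
    Msg("msn.com forgery from a host msn.com's SPF rejects (constructed)", True,
        "MSN Hotmail", relays("dsl-pool.example.invalid", "198.51.100.99"), "fail", False),
]


def summarize(cases=CASES) -> dict:
    """Per variant: legitimate messages hit (fp) and spam missed (fn)."""
    out = {name: {"fp": 0, "fn": 0} for name in VARIANTS}
    for m in cases:
        for name, fired in evaluate(m).items():
            if fired and not m.spam:
                out[name]["fp"] += 1
            elif m.spam and not fired:
                out[name]["fn"] += 1
    return out


if __name__ == "__main__":
    for m in CASES:
        fired = [n for n, f in evaluate(m).items() if f]
        print(f"{'SPAM ' if m.spam else 'LEGIT'} {m.label}: {fired}")
    print(summarize())
```

Running it lays out the trade-off the thread circles around. The HELO-only rule fires on every message whose display name says Microsoft or MSN, so it flags all three legitimate senders. `!SPF_PASS` and `!SPF_PASS && !DKIM_VALID_AU` clear the authenticated ones but, as comment #17 observes, also clear the deltamailing and Yahoo-relayed spam, because SPF and DKIM vouch for the envelope or signing domain and say nothing about the display name. The `SPF_FAIL`-only variant never misfires on these cases but only catches forgeries of domains that publish SPF, which is why comment #10 expects it to miss the microsoft-uk.com style of spam. None of the variants asks whether the domain in the From address belongs to the brand named in the display name, which is the forgery the rule description ("From name mentions Microsoft, but not relayed from there") is aimed at.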


--- Comment #10 from John Wilcock <jo...@tradoc.fr> 2010-07-06 10:38:05 EDT ---
I haven't seen any FPs since the change, though we get very little genuine mail
from Microsoft.

However, Michael's proposed && (SPF_SOFTFAIL | SPF_FAIL) would miss much of the
spam that I suspect this rule was originally designed to hit. Spam with
subjects such as the following, purportedly from domains owned by Microsoft but
with no published SPF:

From: "Microsoft Corporation Inc"<no...@microsoft-uk.com>
From: Microsoft Corporation <in...@microsoft.co.uk>

Then again, on the basis of my small corpus the rule could be dropped entirely
as the spam samples I have would have scored highly even without it. But my
mail feed is very low volume and fairly heavily filtered at SMTP time. Grepping
quickly through the SMTP-time rejects I see plenty of envelope senders that are
clear Microsoft fakes, so I suspect that I'm only seeing a very small portion
of the spam that the rule was designed to hit.


John Hardin <jh...@impsec.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhardin@impsec.org

--- Comment #5 from John Hardin <jh...@impsec.org> 2010-04-27 15:54:40 EDT ---
(In reply to comment #3)
> Feel free to modify it into SPF, I think I've lost my SVN password and I'm a
> bit busy with other things now..

svn commit -m 'add !SPF_PASS to HK_FAKENAME_MICROSOFT per bug 6417 (temporarily
at least)'
Sending        hege/20_hk.cf
Transmitting file data .
Committed revision 938622.


--- Comment #9 from Michael Scheidell <sc...@secnap.net> 2010-07-06 09:12:08 EDT ---
Still get FP's.
I've experimented with !SPF_PASS, and I think you should rethink:

#1, NO rule should be > 2.5 points.  NO RULE.
#2, if DNS is missing, and/or, as I have seen in the field, MS does not
publish SPF records for all of their technical lists, I think we should reverse
that test.

Instead of !SPF_PASS && HK_FAKENAME_MICROSOFT

I propose:

 HK_FAKENAME_MICROSOFT && (SPF_SOFTFAIL | SPF_FAIL)

This takes care of bad, poor, slow, or missing DNS records, as well as legit MS
lists that publish SPF records.

Instead of limiting this rule to only MS groups that publish SPF, this will
only trigger on forgeries of lists that DO publish SPF.

(and please, set score to 2.5!)


--- Comment #12 from John Wilcock <jo...@tradoc.fr> 2010-07-06 10:58:31 EDT ---
Michael, would adding the original helo subrule (or an improved helo check if
necessary) back into the meta eliminate your FPs? 

meta HK_FAKENAME_MICROSOFT __HK_NAME_MICROSOFT && !__HK_HELO_MICROSOFT &&
!SPF_FAIL

For that matter, we could also add && !DKIM_VALID if there are any cases of
genuine microsoft senders which use DKIM but not SPF. 

If none of this is enough to alleviate the FPs, maybe the rule should be
dropped altogether.


Henrik Krohns <he...@hege.li> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #18 from Henrik Krohns <he...@hege.li> 2011-05-01 22:12:50 UTC ---
I guess this was fixed and working. I also added SPF & DKIM checks for the rest
of the fakename tests.


Michael Scheidell <sc...@secnap.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |scheidell@secnap.net

--- Comment #7 from Michael Scheidell <sc...@secnap.net> 2010-05-08 10:09:10 EDT ---
(In reply to comment #6)
> I'm seeing FP's almost exclusively, and the SPF check should fix the issues
> with my mail flow.

I second and third the motion.  WAY too high a score, WAY too many FP's.

Lots of legit blogs, email services, SharePoint, FrontBridge security and tech
emails from MS are triggering this.


--- Comment #11 from Michael Scheidell <sc...@secnap.net> 2010-07-06 10:43:51 EDT ---
Other option is this:

meta HK_CREDIT_FAKENAME (HK_FAKENAME_MICROSOFT && (SPF_PASS || DKIM_VALID))

tflags HK_CREDIT_FAKENAME nice net
score HK_CREDIT_FAKENAME -3.5 


Since SA 3.3.0's stated rescoring mantra is 'less FP's because FP's cost more',
I believe the above meets those goals.


(or credit for whatever the fakename score is)

Is this safer?

Still, MS has lots of lists with no SPF and no DKIM.
Lots of technical lists in fact.

We sell through VARs who are also MS VARs and this does catch lots of FP's.


--- Comment #16 from Michael Scheidell <sc...@secnap.net> 2010-07-09 09:54:29 EDT ---
Mostly, just an example of a legit (non-marketing, 100% opt-in) mailing list run
by MS that doesn't have SPF and doesn't have any 'microsoft' in the hostname.

Still say, by convention, no positive rule should account for more than 50% of
the score, e.g. cap each rule to 2.5 points max.


Henrik Krohns <he...@hege.li> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hege@hege.li

--- Comment #3 from Henrik Krohns <he...@hege.li> 2010-04-20 06:41:48 EDT ---
Feel free to modify it into SPF, I think I've lost my SVN password and I'm a
bit busy with other things now..
