Posted to users@spamassassin.apache.org by Martin Lee <ml...@messagelabs.com> on 2005/07/01 17:10:44 UTC
RFKINDY false positives on faxes
We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY
rules being tripped on e-faxes received through www.myvfm.com. Fairly
obviously the service has been built using the Indy.Sockets library
(www.indyproject.org).
The Indyproject knowledge base admits that headers similar to those
produced by their library have been found in worms and spams sent with
some spamware.
Has anyone else experienced this problem? I could create a rule to
decrease the score for emails generated by myvfm.com, but does the format
of emails from this service change? How likely is it for spammers to
spoof mails from this service in order to reduce their SA scores using
such a rule?
Thanks,
Martin
Martin Lee
Senior Software Engineer
Anti-spam team
MessageLabs
Tel: +44 (1452) 627 042
mlee@messagelabs.com
www.messagelabs.com <http://www.messagelabs.com/>
MessageLabs - Be certain
Re: RFKINDY false positives on faxes
Posted by Bjorn Jensen <bj...@info-connect.dk>.
Martin Lee wrote:
> We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY
> rules being tripped on e-faxes received through www.myvfm.com. Fairly
> obviously the service has been built using the Indy.Sockets library
> (www.indyproject.org).
> The Indyproject knowledge base admits that headers similar to those
> produced by their library have been found in worms and spams sent with
> some spamware.
>
> Has anyone else experienced this problem? I could create a rule to
> decrease the score for emails generated by myvfm.com, but does the format
> of emails from this service change? How likely is it for spammers to
> spoof mails from this service in order to reduce their SA scores using
> such a rule?
FYI I have handled an email today that hit these 2 rules as well (being
ham) with this header:
X-Library: Indy 9.00.10
So it looks like those rules need to be adjusted down in score
quite a lot, as this is already 3.7
2.3 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy)
1.4 X_LIBRARY Message has X-Library header
Regards
Bjorn Jensen
--
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting