Posted to users@spamassassin.apache.org by Martin Lee <ml...@messagelabs.com> on 2005/07/01 17:10:44 UTC

RFKINDY false positives on faxes

We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY
rules being tripped on e-faxes received through www.myvfm.com. Fairly
obviously the service has been built using the Indy.Sockets library
(www.indyproject.org). 
The Indyproject knowledge base admits that headers similar to those
produced by their library have been found in worms and spams sent with
some spamware.
 
Has anyone else experienced this problem? I could create a rule to
decrease the score for emails generated by myvfm.com, but does the format
of emails from this service change? How likely is it for spammers to
spoof mails from this service in order to reduce their SA scores using
such a rule?
 
Thanks,
 
Martin
 
 
Martin Lee
Senior Software Engineer
Anti-spam team
MessageLabs 
 
Tel: +44  (1452) 627 042
mlee@messagelabs.com
 
www.messagelabs.com <http://www.messagelabs.com/> 
MessageLabs - Be certain

Re: RFKINDY false positives on faxes

Posted by Bjorn Jensen <bj...@info-connect.dk>.
Martin Lee wrote:
> We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY
> rules being tripped on e-faxes received through www.myvfm.com. Fairly
> obviously the service has been built using the Indy.Sockets library
> (www.indyproject.org). 
> The Indyproject knowledge base admits that headers similar to those
> produced by their library have been found in worms and spams sent with
> some spamware.
>  
> Has anyone else experienced this problem? I could create a rule to
> decrease the score for emails generated by myvfm.com, but does the format
> of emails from this service change? How likely is it for spammers to
> spoof mails from this service in order to reduce their SA scores using
> such a rule?

FYI I have handled an email today that hit these 2 rules as well (being 
ham) with this header:

X-Library: Indy 9.00.10

So it looks like those rules need to be adjusted down in the score 
quite a lot as this is already 3.7

  2.3 MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
  1.4 X_LIBRARY              Message has X-Library header


Regards
Bjorn Jensen

-- 

A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting