You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "corpus.defero" <co...@idnet.com> on 2012/04/27 15:28:21 UTC
STOX_REPLY_TYPE_WITHOUT_QUOTES
I'm seeing this rule: STOX_REPLY_TYPE_WITHOUT_QUOTES
Catching on legitimate mail.
It's a meta rule and right enough it catches this line:
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
AND does NOT match either:
__HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
or
rawbody __HS_QUOTE /^>
SCORING.
0.2 STOX_REPLY_TYPE STOX_REPLY_TYPE
1.9 STOX_REPLY_TYPE_WITHOUT_QUOTES STOX_REPLY_TYPE_WITHOUT_QUOTES
As legitimate mail, it's picking up just over 2 points for this - and
I'm wondering what the sender is possibly doing wrong here?
Re: STOX_REPLY_TYPE_WITHOUT_QUOTES
Posted by RW <rw...@googlemail.com>.
On Sat, 28 Apr 2012 08:12:02 +0100
corpus.defero wrote:
> On Fri, 2012-04-27 at 18:41 +0100, RW wrote:
> > I think the intention is to look for spam where the headers say
> > it's a reply, but it doesn't look like a reply. reply-type seems to
> > be made-up by Microsoft so the rule is looking for spoofed headers.
> >
> > The problem is that, from a quick search though this list,
> > reply-type doesn't seem to specific to replies.
> >
> >
> It was a false positive for me too. I'm wondering if the sender used
> the 'reply to' button in error, cleared the content, and then put
> fresh content in?
The examples I saw started new threads, rather than hijack old ones, so
that doesn't seem to be neccessary.
Re: STOX_REPLY_TYPE_WITHOUT_QUOTES
Posted by "corpus.defero" <co...@idnet.com>.
On Fri, 2012-04-27 at 18:41 +0100, RW wrote:
> On Fri, 27 Apr 2012 14:28:21 +0100
> corpus.defero wrote:
>
> > I'm seeing this rule: STOX_REPLY_TYPE_WITHOUT_QUOTES
> > Catching on legitimate mail.
> >
> > It's a meta rule and right enough it catches this line:
> >
> > Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> > reply-type=original
> >
> > AND does NOT match either:
> >
> > __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
> > or
> > rawbody __HS_QUOTE /^>
> >
> > SCORING.
> > 0.2 STOX_REPLY_TYPE STOX_REPLY_TYPE
> > 1.9 STOX_REPLY_TYPE_WITHOUT_QUOTES STOX_REPLY_TYPE_WITHOUT_QUOTES
> >
> > As legitimate mail, it's picking up just over 2 points for this - and
> > I'm wondering what the sender is possibly doing wrong here?
>
> I think the intention is to look for spam where the headers say it's a
> reply, but it doesn't look like a reply. reply-type seems to be made-up
> by Microsoft so the rule is looking for spoofed headers.
>
> The problem is that, from a quick search though this list, reply-type
> doesn't seem to specific to replies.
>
>
It was a false positive for me too. I'm wondering if the sender used the
'reply to' button in error, cleared the content, and then put fresh
content in?
Re: STOX_REPLY_TYPE_WITHOUT_QUOTES
Posted by RW <rw...@googlemail.com>.
On Fri, 27 Apr 2012 14:28:21 +0100
corpus.defero wrote:
> I'm seeing this rule: STOX_REPLY_TYPE_WITHOUT_QUOTES
> Catching on legitimate mail.
>
> It's a meta rule and right enough it catches this line:
>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> reply-type=original
>
> AND does NOT match either:
>
> __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
> or
> rawbody __HS_QUOTE /^>
>
> SCORING.
> 0.2 STOX_REPLY_TYPE STOX_REPLY_TYPE
> 1.9 STOX_REPLY_TYPE_WITHOUT_QUOTES STOX_REPLY_TYPE_WITHOUT_QUOTES
>
> As legitimate mail, it's picking up just over 2 points for this - and
> I'm wondering what the sender is possibly doing wrong here?
I think the intention is to look for spam where the headers say it's a
reply, but it doesn't look like a reply. reply-type seems to be made-up
by Microsoft so the rule is looking for spoofed headers.
The problem is that, from a quick search though this list, reply-type
doesn't seem to specific to replies.