Posted to users@spamassassin.apache.org by Jeff Koch <je...@intersessions.com> on 2008/05/09 18:08:26 UTC

False positive on forged_mua_outlook

Hi:

Our users are getting false positives with hits on

4.2 FORGED_MUA_OUTLOOK

and are saying they are 100% certain that the email was sent from MS 
Outlook Express. Is this a known problem or are these users doing something 
wrong?


Best Regards,

Jeff Koch 


Re: False positive on forged_mua_outlook

Posted by mouss <mo...@netoyen.net>.
Jeff Koch wrote:
>
> That part (i.e. the top part of the header) was generated by qmail. 
> Please look at the bottom part of the header after the spam scoring 
> which shows the header from the user's email which was mistakenly 
> scored as a forged_mua_outlook.

The message-id is the same, but anyway, I actually checked the headers 
inside the report.


Re: False positive on forged_mua_outlook

Posted by Jeff Koch <je...@intersessions.com>.
That part (i.e. the top part of the header) was generated by qmail. Please 
look at the bottom part of the header after the spam scoring which shows 
the header from the user's email which was mistakenly scored as a 
forged_mua_outlook.


At 04:13 AM 5/10/2008, mouss wrote:
>Randy Ramsdell wrote:
>>[snip]
>>Scratch that and reverse it. If it does match, then it will score the 
>>message header as fake. oops :) sorry. Let me check some more things.
>
>Did outlook really generate this message-id:
>
>    Message-ID: <74...@server>
>
>?
>
>
>
>

Best Regards,

Jeff Koch, Intersessions 


Re: False positive on forged_mua_outlook

Posted by mouss <mo...@netoyen.net>.
Jeff Koch wrote:
>
> If you guys are going to keep looking at the wrong part of the header 
> information that I sent in nothing will get done. 

What makes you believe we are looking at the wrong part? see below.

> Please look at the section below the spam scoring. Here's the header 
> from the user's email and it was sent from Outlook Express:
>
> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
> -0000
> Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
>         by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>         for <wa...@xxxx.com>; Tue, 6 May 2008 12:13:05 -0700
> Message-ID: <74...@server>

This is the header I was talking about

> From: "Aindrea" <ai...@xxx.com>
> To: "warehouse" <wa...@xxx.com>
> Subject: Camden Grey order 373
> Date: Tue, 6 May 2008 12:13:04 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>


Re: False positive on forged_mua_outlook

Posted by Jeff Koch <je...@intersessions.com>.
If you guys are going to keep looking at the wrong part of the header 
information that I sent in nothing will get done. Please look at the 
section below the spam scoring. Here's the header from the user's email and 
it was sent from Outlook Express:

Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
         by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
         for <wa...@xxxx.com>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <74...@server>
From: "Aindrea" <ai...@xxx.com>
To: "warehouse" <wa...@xxx.com>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133




At 09:09 AM 5/10/2008, D Hill wrote:
>On Sat, 10 May 2008 at 10:13 +0200, mouss@netoyen.net confabulated:
>
>>Randy Ramsdell wrote:
>>>[snip]
>>>Scratch that and reverse it. If it does match, then it will score the 
>>>message header as fake. oops :) sorry. Let me check some more things.
>>
>>Did outlook really generate this message-id:
>>
>>   Message-ID: <74...@server>
>
>I just sent myself a test message from Outlook Express 6.00.2900.2180:
>
>   Message-ID: <00...@meme>
>
>The part of the message ID before the '@' is two characters shorter than what 
>you show. 'meme' is the name of my computer. Outlook and Outlook Express 
>use the name of the computer in the message ID after the '@'. I don't have 
>access to Outlook for testing.
>
>On a side note, Outlook and Outlook Express also HELO with the computer's 
>name when sending a message through an email server.

Best Regards,

Jeff Koch, Intersessions 


Re: False positive on forged_mua_outlook

Posted by Benny Pedersen <me...@junc.org>.
On Sat, May 10, 2008 15:09, D Hill wrote:

> On a side note, Outlook and Outlook Express also HELO with the computer's
> name when sending a message through an email server.

Yes, Windows mail clients can't say HELO with a dot in the HELO either, so they
can't do an FQDN in the HELO unless it's a spambot or a server that doesn't have that
limit.

That is also why it's important for mail servers to accept a non-FQDN HELO from
SMTP-authed clients, so that rejecting a non-FQDN HELO only applies to
non-SMTP-authed clients.


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: False positive on forged_mua_outlook

Posted by D Hill <d....@yournetplus.com>.
On Sat, 10 May 2008 at 10:13 +0200, mouss@netoyen.net confabulated:

> Randy Ramsdell wrote:
>> [snip]
>> Scratch that and reverse it. If it does match, then it will score the 
>> message header as fake. oops :) sorry. Let me check some more things.
>
> Did outlook really generate this message-id:
>
>   Message-ID: <74...@server>

I just sent myself a test message from Outlook Express 6.00.2900.2180:

   Message-ID: <00...@meme>

The part of the message ID before the '@' is two characters shorter than what 
you show. 'meme' is the name of my computer. Outlook and Outlook Express 
use the name of the computer in the message ID after the '@'. I don't have 
access to Outlook for testing.

On a side note, Outlook and Outlook Express also HELO with the computer's 
name when sending a message through an email server.

Re: False positive on forged_mua_outlook

Posted by mouss <mo...@netoyen.net>.
Randy Ramsdell wrote:
> [snip]
> Scratch that and reverse it. If it does match, then it will score the 
> message header as fake. oops :) sorry. Let me check some more things.

Did outlook really generate this message-id:

    Message-ID: <74...@server>

?





Re: False positive on forged_mua_outlook

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Randy Ramsdell wrote:
> Jeff Koch wrote:
>>
>> Hi Randy - here's the whole thing:
>>
>> Return-Path: <ai...@xx.com>
>> Delivered-To: xx.com-warehouse@xx.com
>> Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -0000
>> Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
>>          scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
>> Received: from localhost by libra.xxxx.com
>>         with SpamAssassin (version 3.2.4);
>>         Tue, 06 May 2008 15:13:09 -0400
>> From: "Aindrea" <ai...@xx.com>
>> To: "warehouse" <wa...@xx.com>
>> Subject: *****SPAM***** Camden Grey order 373
>> Date: Tue, 6 May 2008 12:13:04 -0700
>> Message-Id: <74...@server>
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>>         libra.xxxx.com
>> X-Spam-Level: *****
>> X-Spam-Status: Yes, score=5.3 required=3.0 
>> tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
>>         TVD_PDF_FINGER01 autolearn=no version=3.2.4
>> X-Spam-Report:
>>         *  0.1 RDNS_NONE Delivered to trusted network by a host with 
>> no rDNS
>>         *  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
>> fingerprint
>>         *  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from 
>> MS Outlook
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary="----------=_4820ADC5.A4580A7F"
>>
>> This is a multi-part message in MIME format.
>>
>> ------------=_4820ADC5.A4580A7F
>> Content-Type: text/plain; charset=iso-8859-1
>> Content-Disposition: inline
>> Content-Transfer-Encoding: 8bit
>>
>> Spam detection software, running on the system "libra.xxx.com", has
>> identified this incoming email as possible spam.  The original message
>> has been attached to this so you can view it (if it isn't spam) or label
>> similar future email.  If you have any questions, see
>> admin@avspamfilter.com for details.
>>
>> Content preview:  [...]
>>
>> Content analysis details:   (5.3 points, 3.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- 
>> --------------------------------------------------
>>  0.1 RDNS_NONE              Delivered to trusted network by a host 
>> with no rDNS
>>  1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
>>  4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>>
>> The original message was not completely plain text, and may be unsafe to
>> open with some email clients; in particular, it may contain a virus,
>> or confirm that your address can receive spam.  If you wish to view
>> it, it may be safer to save it to a file and open it with an editor.
>>
>>
>> ------------=_4820ADC5.A4580A7F
>> Content-Type: message/rfc822; x-spam-type=original
>> Content-Description: original message before SpamAssassin
>> Content-Disposition: attachment
>> Content-Transfer-Encoding: 8bit
>>
>> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
>> 19:13:06 -0000
>> Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
>>         by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>>         for <wa...@xxxx.com>; Tue, 6 May 2008 12:13:05 -0700
>> Message-ID: <74...@server>
>> From: "Aindrea" <ai...@xxx.com>
>> To: "warehouse" <wa...@xxx.com>
>> Subject: Camden Grey order 373
>> Date: Tue, 6 May 2008 12:13:04 -0700
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>>
>> This is a multi-part message in MIME format.
>>
>> ------=_NextPart_000_0039_01C8AF72.8920CD60
>> Content-Type: text/plain;
>>         format=flowed;
>>         charset="iso-8859-1";
>>         reply-type=original
>> Content-Transfer-Encoding: 7bit
>>
>>
>> ------=_NextPart_000_0039_01C8AF72.8920CD60
>>
>>
>>
>> At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
>>> Jeff Koch wrote:
>>>>
>>>> Hi Matus:
>>>>
>>>>
>>>> Here's the header. We're seeing a lot of these now:
>>>>
>>>>
>>>> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>>>>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
>>>> 19:13:06 -0000
>>>> Received: from server (216-99-214-161.dsl.aracnet.com 
>>>> [216.99.214.161])
>>>>         by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>>>>         for <wa...@xxxxx.com>; Tue, 6 May 2008 12:13:05 -0700
>>>> Message-ID: <74...@server>
>>>> From: "Aindrea" <ai...@xxxxxxx.com>
>>>> To: "warehouse" <wa...@xxxxxxxx.com>
>>>> Subject: Camden Grey order 373
>>>> Date: Tue, 6 May 2008 12:13:04 -0700
>>>> MIME-Version: 1.0
>>>> Content-Type: multipart/mixed;
>>>>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
>>>> X-Priority: 3
>>>> X-MSMail-Priority: Normal
>>>> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
>>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>>>>
>>>> This is a multi-part message in MIME format.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
>>>>> On 09.05.08 12:08, Jeff Koch wrote:
>>>>> > Our users are getting false positives with hits on
>>>>> >
>>>>> > 4.2 FORGED_MUA_OUTLOOK
>>>>> >
>>>>> > and are saying they are 100% certain that the email was sent 
>>>>> from MS
>>>>> > Outlook Express. Is this a known problem or are these users 
>>>>> doing something
>>>>> > wrong?
>>>>>
>>>>> may be... can you show us headers of such e-mail?
>>>>>
>>>>> meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
>>>>> !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
>>>>> meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && 
>>>>> !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && 
>>>>> !__IMS_MSGID && !__UNUSABLE_MSGID)
>>>>> meta FORGED_MUA_OUTLOOK         (__FORGED_OE || 
>>>>> __FORGED_OUTLOOK_DOLLARS)
>>>>>
>>>>> at least Message-Id and X-Mailer...
>>>>>
>>>>> btw do you update rules periodically?
>>>>> -- 
>>>>> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>>>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>>>> Warning: I do NOT want to receive any advertising mail at this address.
>>>>> "They say when you play that M$ CD backward you can hear satanic 
>>>>> messages."
>>>>> "That's nothing. If you play it forward it will install Windows."
>>>>
>>>> Best Regards,
>>>>
>>>> Jeff Koch, Intersessions
>>> Could you include the whole complete header including the spam 
>>> report because this looks like a valid M$ outlook/express header?
>>
>> Best Regards,
>>
>> Jeff Koch, Intersessions
> I am not sure about version 3.2.4, but I am fairly sure the rule in 
> "/var/lib/spamassassin/*/*/*" 20_ratware.cf would not match this 
> header and thus give the false positive.
>
> ratware.cf:
>
> # use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60
> meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
> describe FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS 
> Outlook
>
>
> ---> __FORGED_OE
>
> # Outlook Express 4, 5, and 6
> header __OE_MUA                 X-Mailer =~ /\bOutlook Express [456]\./
> header __OE_MSGID_1             MESSAGEID =~ 
> /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
> header __OE_MSGID_2             MESSAGEID =~ 
> /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
> header __OE_MSGID_3             MESSAGEID =~ 
> /^<BAY\d+-DAV\d+[A-Z0-9]{25}\@phx\.gbl>$/m
> meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
> !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID)
>
> None of these match the message id 
> "74BC081D12754719AD817A909757BB09@server."
>
> I might have missed something, but this appears to be accurate.
Scratch that and reverse it. If it does match, then it will score the 
message header as fake. oops :) sorry. Let me check some more things.

Re: False positive on forged_mua_outlook

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Jeff Koch wrote:
>
> Hi Randy - here's the whole thing:
>
> Return-Path: <ai...@xx.com>
> Delivered-To: xx.com-warehouse@xx.com
> Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -0000
> Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
>          scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
> Received: from localhost by libra.xxxx.com
>         with SpamAssassin (version 3.2.4);
>         Tue, 06 May 2008 15:13:09 -0400
> From: "Aindrea" <ai...@xx.com>
> To: "warehouse" <wa...@xx.com>
> Subject: *****SPAM***** Camden Grey order 373
> Date: Tue, 6 May 2008 12:13:04 -0700
> Message-Id: <74...@server>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>         libra.xxxx.com
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.3 required=3.0 
> tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
>         TVD_PDF_FINGER01 autolearn=no version=3.2.4
> X-Spam-Report:
>         *  0.1 RDNS_NONE Delivered to trusted network by a host with 
> no rDNS
>         *  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
> fingerprint
>         *  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS 
> Outlook
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_4820ADC5.A4580A7F"
>
> This is a multi-part message in MIME format.
>
> ------------=_4820ADC5.A4580A7F
> Content-Type: text/plain; charset=iso-8859-1
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> Spam detection software, running on the system "libra.xxx.com", has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> admin@avspamfilter.com for details.
>
> Content preview:  [...]
>
> Content analysis details:   (5.3 points, 3.0 required)
>
>  pts rule name              description
> ---- ---------------------- 
> --------------------------------------------------
>  0.1 RDNS_NONE              Delivered to trusted network by a host 
> with no rDNS
>  1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
>  4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
>
> The original message was not completely plain text, and may be unsafe to
> open with some email clients; in particular, it may contain a virus,
> or confirm that your address can receive spam.  If you wish to view
> it, it may be safer to save it to a file and open it with an editor.
>
>
> ------------=_4820ADC5.A4580A7F
> Content-Type: message/rfc822; x-spam-type=original
> Content-Description: original message before SpamAssassin
> Content-Disposition: attachment
> Content-Transfer-Encoding: 8bit
>
> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
> -0000
> Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
>         by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>         for <wa...@xxxx.com>; Tue, 6 May 2008 12:13:05 -0700
> Message-ID: <74...@server>
> From: "Aindrea" <ai...@xxx.com>
> To: "warehouse" <wa...@xxx.com>
> Subject: Camden Grey order 373
> Date: Tue, 6 May 2008 12:13:04 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0039_01C8AF72.8920CD60
> Content-Type: text/plain;
>         format=flowed;
>         charset="iso-8859-1";
>         reply-type=original
> Content-Transfer-Encoding: 7bit
>
>
> ------=_NextPart_000_0039_01C8AF72.8920CD60
>
>
>
> At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
>> Jeff Koch wrote:
>>>
>>> Hi Matus:
>>>
>>>
>>> Here's the header. We're seeing a lot of these now:
>>>
>>>
>>> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>>>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
>>> 19:13:06 -0000
>>> Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
>>>         by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>>>         for <wa...@xxxxx.com>; Tue, 6 May 2008 12:13:05 -0700
>>> Message-ID: <74...@server>
>>> From: "Aindrea" <ai...@xxxxxxx.com>
>>> To: "warehouse" <wa...@xxxxxxxx.com>
>>> Subject: Camden Grey order 373
>>> Date: Tue, 6 May 2008 12:13:04 -0700
>>> MIME-Version: 1.0
>>> Content-Type: multipart/mixed;
>>>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
>>> X-Priority: 3
>>> X-MSMail-Priority: Normal
>>> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>>>
>>> This is a multi-part message in MIME format.
>>>
>>>
>>>
>>>
>>>
>>> At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
>>>> On 09.05.08 12:08, Jeff Koch wrote:
>>>> > Our users are getting false positives with hits on
>>>> >
>>>> > 4.2 FORGED_MUA_OUTLOOK
>>>> >
>>>> > and are saying they are 100% certain that the email was sent from MS
>>>> > Outlook Express. Is this a known problem or are these users doing 
>>>> something
>>>> > wrong?
>>>>
>>>> may be... can you show us headers of such e-mail?
>>>>
>>>> meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
>>>> !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
>>>> meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && 
>>>> !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && 
>>>> !__IMS_MSGID && !__UNUSABLE_MSGID)
>>>> meta FORGED_MUA_OUTLOOK         (__FORGED_OE || 
>>>> __FORGED_OUTLOOK_DOLLARS)
>>>>
>>>> at least Message-Id and X-Mailer...
>>>>
>>>> btw do you update rules periodically?
>>>> -- 
>>>> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>>> Warning: I do NOT want to receive any advertising mail at this address.
>>>> "They say when you play that M$ CD backward you can hear satanic 
>>>> messages."
>>>> "That's nothing. If you play it forward it will install Windows."
>>>
>>> Best Regards,
>>>
>>> Jeff Koch, Intersessions
>> Could you include the whole complete header including the spam report 
>> because this looks like a valid M$ outlook/express header?
>
> Best Regards,
>
> Jeff Koch, Intersessions
I am not sure about version 3.2.4, but I am fairly sure the rule in 
"/var/lib/spamassassin/*/*/*" 20_ratware.cf would not match this header 
and thus give the false positive.

ratware.cf:

# use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60
meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
describe FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook


---> __FORGED_OE

# Outlook Express 4, 5, and 6
header __OE_MUA                 X-Mailer =~ /\bOutlook Express [456]\./
header __OE_MSGID_1             MESSAGEID =~ 
/^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
header __OE_MSGID_2             MESSAGEID =~ 
/^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
header __OE_MSGID_3             MESSAGEID =~ 
/^<BAY\d+-DAV\d+[A-Z0-9]{25}\@phx\.gbl>$/m
meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
!__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID)

None of these match the message id 
"74BC081D12754719AD817A909757BB09@server."

I might have missed something, but this appears to be accurate.

Re: False positive on forged_mua_outlook

Posted by Jeff Koch <je...@intersessions.com>.
Hi Randy - here's the whole thing:

Return-Path: <ai...@xx.com>
Delivered-To: xx.com-warehouse@xx.com
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -0000
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
          scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra.xxxx.com
         with SpamAssassin (version 3.2.4);
         Tue, 06 May 2008 15:13:09 -0400
From: "Aindrea" <ai...@xx.com>
To: "warehouse" <wa...@xx.com>
Subject: *****SPAM***** Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: <74...@server>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
         libra.xxxx.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=3.0 tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
         TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
         *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
         *  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
         *  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4820ADC5.A4580A7F"

This is a multi-part message in MIME format.

------------=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "libra.xxx.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
admin@avspamfilter.com for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.1 RDNS_NONE              Delivered to trusted network by a host with no 
rDNS
  1.0 TVD_PDF_FINGER01       Mail matches standard pdf spam fingerprint
  4.2 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
         by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
         for <wa...@xxxx.com>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <74...@server>
From: "Aindrea" <ai...@xxx.com>
To: "warehouse" <wa...@xxx.com>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

------=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
         format=flowed;
         charset="iso-8859-1";
         reply-type=original
Content-Transfer-Encoding: 7bit


------=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
>Jeff Koch wrote:
>>
>>Hi Matus:
>>
>>
>>Here's the header. We're seeing a lot of these now:
>>
>>
>>Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
>>Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
>>         by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>>         for <wa...@xxxxx.com>; Tue, 6 May 2008 12:13:05 -0700
>>Message-ID: <74...@server>
>>From: "Aindrea" <ai...@xxxxxxx.com>
>>To: "warehouse" <wa...@xxxxxxxx.com>
>>Subject: Camden Grey order 373
>>Date: Tue, 6 May 2008 12:13:04 -0700
>>MIME-Version: 1.0
>>Content-Type: multipart/mixed;
>>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Mailer: Microsoft Outlook Express 6.00.3790.3959
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>>
>>This is a multi-part message in MIME format.
>>
>>
>>
>>
>>
>>At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
>>>On 09.05.08 12:08, Jeff Koch wrote:
>>> > Our users are getting false positives with hits on
>>> >
>>> > 4.2 FORGED_MUA_OUTLOOK
>>> >
>>> > and are saying they are 100% certain that the email was sent from MS
>>> > Outlook Express. Is this a known problem or are these users doing 
>>> something
>>> > wrong?
>>>
>>>may be... can you show us headers of such e-mail?
>>>
>>>meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
>>>!__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
>>>meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 
>>>&& !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && 
>>>!__UNUSABLE_MSGID)
>>>meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
>>>
>>>at least Message-Id and X-Mailer...
>>>
>>>btw do you update rules periodically?
>>>--
>>>Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>>>Warning: I wish NOT to receive e-mail advertising to this address.
>>>Warning: I do NOT want to receive any advertising mail at this address.
>>>"They say when you play that M$ CD backward you can hear satanic messages."
>>>"That's nothing. If you play it forward it will install Windows."
>>
>>Best Regards,
>>
>>Jeff Koch, Intersessions
>Could you include the whole complete header including the spam report 
>because this looks like a valid M$ outlook/express header?

Best Regards,

Jeff Koch, Intersessions 


Re: False positive on forged_mua_outlook

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Jeff Koch wrote:
>
> Hi Matus:
>
>
> Here's the header. We're seeing a lot of these now:
>
>
> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
> -0000
> Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
>         by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>         for <wa...@xxxxx.com>; Tue, 6 May 2008 12:13:05 -0700
> Message-ID: <74...@server>
> From: "Aindrea" <ai...@xxxxxxx.com>
> To: "warehouse" <wa...@xxxxxxxx.com>
> Subject: Camden Grey order 373
> Date: Tue, 6 May 2008 12:13:04 -0700
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>
> This is a multi-part message in MIME format.
>
>
>
>
>
> At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
>> On 09.05.08 12:08, Jeff Koch wrote:
>> > Our users are getting false positives with hits on
>> >
>> > 4.2 FORGED_MUA_OUTLOOK
>> >
>> > and are saying they are 100% certain that the email was sent from MS
>> > Outlook Express. Is this a known problem or are these users doing 
>> something
>> > wrong?
>>
>> may be... can you show us headers of such e-mail?
>>
>> meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
>> !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
>> meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && 
>> !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && 
>> !__IMS_MSGID && !__UNUSABLE_MSGID)
>> meta FORGED_MUA_OUTLOOK         (__FORGED_OE || 
>> __FORGED_OUTLOOK_DOLLARS)
>>
>> at least Message-Id and X-Mailer...
>>
>> btw do you update rules periodically?
>> -- 
>> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do NOT want to receive any advertising mail at this address.
>> "They say when you play that M$ CD backward you can hear satanic 
>> messages."
>> "That's nothing. If you play it forward it will install Windows."
>
> Best Regards,
>
> Jeff Koch, Intersessions
Could you include the whole complete header including the spam report 
because this looks like a valid M$ outlook/express header?

Re: False positive on forged_mua_outlook

Posted by Jeff Koch <je...@intersessions.com>.
Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
   by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
         by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
         for <wa...@xxxxx.com>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <74...@server>
From: "Aindrea" <ai...@xxxxxxx.com>
To: "warehouse" <wa...@xxxxxxxx.com>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
         boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
>On 09.05.08 12:08, Jeff Koch wrote:
> > Our users are getting false positives with hits on
> >
> > 4.2 FORGED_MUA_OUTLOOK
> >
> > and are saying they are 100% certain that the email was sent from MS
> > Outlook Express. Is this a known problem or are these users doing 
> something
> > wrong?
>
>may be... can you show us headers of such e-mail?
>
>meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && 
>!__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
>meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && 
>!__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && 
>!__UNUSABLE_MSGID)
>meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
>
>at least Message-Id and X-Mailer...
>
>btw do you update rules periodically?
>--
>Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>Warning: I wish NOT to receive e-mail advertising to this address.
>Warning: I do NOT want to receive any advertising mail at this address.
>"They say when you play that M$ CD backward you can hear satanic messages."
>"That's nothing. If you play it forward it will install Windows."

Best Regards,

Jeff Koch, Intersessions 


Re: False positive on forged_mua_outlook

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
> 
> 4.2 FORGED_MUA_OUTLOOK
> 
> and are saying they are 100% certain that the email was sent from MS 
> Outlook Express. Is this a known problem or are these users doing something 
> wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE                (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID) 
meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)

at least Message-Id and X-Mailer...

btw do you update rules periodically?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
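Added illustration, not code from the thread or from SpamAssassin itself: the script below re-implements the __FORGED_OE meta rule that Matus UHLAR quoted, using the __OE_MUA and __OE_MSGID_1..3 header rules from 20_ratware.cf as Randy Ramsdell quoted them, and evaluates it against the headers posted in the thread (with the full Message-ID Randy gave) and against a constructed Outlook Express message. It shows why the rule fires: the X-Mailer says Outlook Express 6, but the GUID-style Message-ID matches none of the known OE Message-ID shapes, and the meta rule treats "OE mailer, unrecognised Message-ID" as forged. Assumptions: __OE_MSGID_4 (present in the 3.2.4 rules Matus quoted) is omitted because its pattern is not on the page; __UNUSABLE_MSGID is not quoted either and is approximated as "Message-ID header missing"; only the Message-ID header is read rather than SpamAssassin's MESSAGEID pseudo-header; the second sample message and the names evaluate_forged_oe and explain are the example's own.

```python
import re
from email import message_from_string

# Sub-rules of 20_ratware.cf as Randy Ramsdell quoted them. The 3.2.4 rule
# set Matus quoted also has __OE_MSGID_4; its pattern is not on the page and
# is left out here. Perl's \@ is a plain @ in Python regexes.
OE_MUA = re.compile(r"\bOutlook Express [456]\.")
OE_MSGID = {
    "__OE_MSGID_1": re.compile(r"^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}@hotmail\.com>$"),
    "__OE_MSGID_2": re.compile(r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$"),
    "__OE_MSGID_3": re.compile(r"^<BAY\d+-DAV\d+[A-Z0-9]{25}@phx\.gbl>$"),
}


def evaluate_forged_oe(raw_message: str) -> dict:
    """Evaluate __FORGED_OE against one RFC 822 message and return every
    sub-rule result, so the reason for a FORGED_MUA_OUTLOOK hit is visible.

    Only the Message-ID header is examined; SpamAssassin's MESSAGEID
    pseudo-header also covers Resent-Message-ID and X-Message-ID."""
    msg = message_from_string(raw_message)
    x_mailer = msg.get("X-Mailer", "")
    message_id = (msg.get("Message-ID") or "").strip()

    hits = {"__OE_MUA": OE_MUA.search(x_mailer) is not None}
    for name, pattern in OE_MSGID.items():
        hits[name] = pattern.search(message_id) is not None
    # Assumption: __UNUSABLE_MSGID is not quoted in the thread; here it fires
    # only when the Message-ID header is missing or empty.
    hits["__UNUSABLE_MSGID"] = message_id == ""

    # meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2
    #                   && !__OE_MSGID_3 && !__UNUSABLE_MSGID)
    hits["__FORGED_OE"] = (
        hits["__OE_MUA"]
        and not hits["__OE_MSGID_1"]
        and not hits["__OE_MSGID_2"]
        and not hits["__OE_MSGID_3"]
        and not hits["__UNUSABLE_MSGID"]
    )
    return hits


# Headers of the message from the thread (addresses redacted as on the list);
# the full Message-ID is the one Randy Ramsdell quoted.
THREAD_MESSAGE = """\
Message-ID: <74BC081D12754719AD817A909757BB09@server>
From: "Aindrea" <ai...@xxx.com>
To: "warehouse" <wa...@xxx.com>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

(body omitted)
"""

# Constructed sample, not from the thread: the dollar-separated Message-ID
# shape that __OE_MSGID_2 accepts (12 hex, '$', 8 hex, '$', 8 hex, '@', host).
CONSTRUCTED_OE_MESSAGE = """\
Message-ID: <000601c8b2a1$5a3c1c40$0201a8c0@meme>
From: "Test" <test@example.invalid>
Subject: constructed test message
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

(body omitted)
"""


def explain(raw_message: str) -> str:
    """One-line verdict listing the sub-rules that hit."""
    hits = evaluate_forged_oe(raw_message)
    fired = [name for name, hit in hits.items() if hit]
    verdict = "FORGED_MUA_OUTLOOK would fire" if hits["__FORGED_OE"] else "no hit"
    return f"{verdict}; sub-rules hit: {', '.join(fired) or 'none'}"


if __name__ == "__main__":
    print("thread message:      ", explain(THREAD_MESSAGE))
    print("constructed message: ", explain(CONSTRUCTED_OE_MESSAGE))
```

Running it prints a "would fire" verdict for the thread's headers, with only __OE_MUA among the hits, and "no hit" for the constructed message, where __OE_MSGID_2 matches and vetoes the meta rule. The practical check for a site seeing this false positive is therefore the Message-ID shape of the affected sender's mail, and whether the locally installed rule set (sa-update, as Matus asks) already carries an __OE_MSGID pattern that covers it.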