You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Baltasar <ma...@inode.at> on 2005/05/25 11:19:18 UTC
false postives with html emails
Hello List!
I have a postfix(2.x) - amavisd-new (2.3.1) - spamasassin (3.0.3) - razor
- pyzor - dcc setup and have some troubles with html emails which where
marked as spam but are false positives. Even a blank html email with just
the signature added will be marked as spam. As you can see later they
where written in html with Outlook 2003/Word 2003.
I am not so experienced with spamassassin so i don't know what i have to
do. Train the bayes filter for ham doesn't seem to solve the problem. I am
grateful for any assistance.
Thank you in advance!
Thomas Antony
The mail header from the rejected mail looks like:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_000E_01C55BE3.3DC14FB0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: AcVb0nmUvTBLgSHXSLuA5pR6w3UUXw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-Id: <20...@mx01.domain.com>
X-Spam-Status: Yes, hits=6.687 tag=3 tag2=6.31 kill=6.31 tests=HTML_70_80,
HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_DYNABLOCK, RCVD_IN_NJABL,
RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS
X-Spam-Level: ******
This is a multi-part message in MIME format.
------=_NextPart_000_000E_01C55BE3.3DC14FB0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
----------------------------------------------------------------------------
HERE IS ONLY THE SIGNATURE
----------------------------------------------------------------------------
------=_NextPart_000_000E_01C55BE3.3DC14FB0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DDE link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><strong><b><font size=3D2 face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial'>-----------------------------------------------=
------------------------------------</span></font></b></strong><o:p></o:p=
></p>
<p class=3DMsoNormal><strong><b><font size=3D2 face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial'>domain.com</span></font></b></strong><font =
size=3D2
face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'> - =
<strong><b><font
face=3DArial><span style=3D'font-family:Arial'>some text =
!</span></font></b></strong></span></font><o:p></o:p></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>city - postal code =
country</span></font><o:p></o:p></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Tel: +01 1111111; Fax: +01 111 =
111111</span></font><o:p></o:p></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><a =
href=3D"http://www.domain.com">www.domain.com</a>
; <a href=3D"mailto:info@domain.com">info@domain.com</a> =
</span></font><o:p></o:p></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
------=_NextPart_000_000E_01C55BE3.3DC14FB0--
Re: false postives with html emails
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Baltasar wrote:
>X-Spam-Status: Yes, hits=6.687 tag=3 tag2=6.31 kill=6.31 tests=HTML_70_80,
>HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_DYNABLOCK, RCVD_IN_NJABL,
>RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS
>
>
I'm not familiar with MSGID_FROM_MTA_SHORT because for some reason it
doesn't appear to be in my install of 3.03. However, if it is anything
like MSGID_FROM_MTA, it is scored at 3+ points and is only added because
the email was given a MessageID by one of your relays. This probably
just means that the email did not have a MessageID header when it was
received, which is not uncommon and in my opinion does not justify that
many points. I'd knock that down by adding a line like this to your
/etc/mail/spamassassin/local.cf file:
score MSGID_FROM_MTA_SHORT 1.0
Hope that helps.
Kevin
Re: false postives with html emails
Posted by Loren Wilton <lw...@earthlink.net>.
> I have a postfix(2.x) - amavisd-new (2.3.1) - spamasassin (3.0.3) - razor
> - pyzor - dcc setup and have some troubles with html emails which where
> marked as spam but are false positives. Even a blank html email with just
> the signature added will be marked as spam. As you can see later they
> where written in html with Outlook 2003/Word 2003.
> HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_DYNABLOCK, RCVD_IN_NJABL,
> RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS
All of these tests except HTML_MESSAGE (which has a very low score) hit
based on header fields, not body fields. Most of them are based on the
Received headers, which you didn't supply in the email you pasted into the
message.
Martin may well be right that the simplest solution is to disable the
dynablock and/or njabl tests. But without seeing the actual received
headers is it difficult to be sure if that is really the correct solution.
Loren
Re: false postives with html emails
Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Thomas
you'll prob find the issue is the RCVD_IN_DYNABLOCK,
RCVD_IN_NJABL_DIALUP, RCVD_IN_NJABL and RCVD_IN_SORBS rules
I turn off the RCVD_IN_DYNABLOCK, RCVD_IN_NJABL_DIALUP, RCVD_IN_NJABL
off due to too many false positives like this. SORBS is normally quite
good and I use that along with the spamhause_XBL RBL.
To turn the rule off adjust to scrore to zero with something like the
following in /etc/mail/spamassassin/local.cf
score RCVD_IN_DYNABLOCK 0
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Baltasar wrote:
> Hello List!
>
> I have a postfix(2.x) - amavisd-new (2.3.1) - spamasassin (3.0.3) - razor
> - pyzor - dcc setup and have some troubles with html emails which where
> marked as spam but are false positives. Even a blank html email with just
> the signature added will be marked as spam. As you can see later they
> where written in html with Outlook 2003/Word 2003.
> I am not so experienced with spamassassin so i don't know what i have to
> do. Train the bayes filter for ham doesn't seem to solve the problem. I am
> grateful for any assistance.
>
> Thank you in advance!
> Thomas Antony
>
>
>
> The mail header from the rejected mail looks like:
>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_000E_01C55BE3.3DC14FB0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> Thread-Index: AcVb0nmUvTBLgSHXSLuA5pR6w3UUXw==
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> Message-Id: <20...@mx01.domain.com>
> X-Spam-Status: Yes, hits=6.687 tag=3 tag2=6.31 kill=6.31 tests=HTML_70_80,
> HTML_MESSAGE, MSGID_FROM_MTA_SHORT, RCVD_IN_DYNABLOCK, RCVD_IN_NJABL,
> RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS
> X-Spam-Level: ******
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_000E_01C55BE3.3DC14FB0
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
> ----------------------------------------------------------------------------
>
> HERE IS ONLY THE SIGNATURE
>
> ----------------------------------------------------------------------------
>
>
> ------=_NextPart_000_000E_01C55BE3.3DC14FB0
> Content-Type: text/html;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
> xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
> xmlns=3D"http://www.w3.org/TR/REC-html40">
>
> <head>
> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
> charset=3Dus-ascii">
> <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
> <style>
> <!--
> /* Style Definitions */
> p.MsoNormal, li.MsoNormal, div.MsoNormal
> {margin:0cm;
> margin-bottom:.0001pt;
> font-size:12.0pt;
> font-family:"Times New Roman";}
> a:link, span.MsoHyperlink
> {color:blue;
> text-decoration:underline;}
> a:visited, span.MsoHyperlinkFollowed
> {color:purple;
> text-decoration:underline;}
> span.E-MailFormatvorlage17
> {mso-style-type:personal-compose;
> font-family:Arial;
> color:windowtext;}
> @page Section1
> {size:595.3pt 841.9pt;
> margin:70.85pt 70.85pt 2.0cm 70.85pt;}
> div.Section1
> {page:Section1;}
> -->
> </style>
>
> </head>
>
> <body lang=3DDE link=3Dblue vlink=3Dpurple>
>
> <div class=3DSection1>
>
> <p class=3DMsoNormal><font size=3D2 face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'><o:p> </o:p></span></font></p>
>
> <p class=3DMsoNormal><font size=3D2 face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'><o:p> </o:p></span></font></p>
>
> <p class=3DMsoNormal><strong><b><font size=3D2 face=3DArial><span =
> style=3D'font-size:
> 10.0pt;font-family:Arial'>-----------------------------------------------=
> ------------------------------------</span></font></b></strong><o:p></o:p=
>
>></p>
>
>
> <p class=3DMsoNormal><strong><b><font size=3D2 face=3DArial><span =
> style=3D'font-size:
> 10.0pt;font-family:Arial'>domain.com</span></font></b></strong><font =
> size=3D2
> face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'> - =
> <strong><b><font
> face=3DArial><span style=3D'font-family:Arial'>some text =
> !</span></font></b></strong></span></font><o:p></o:p></p>
>
> <p class=3DMsoNormal><font size=3D2 face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'>city - postal code =
> country</span></font><o:p></o:p></p>
>
> <p class=3DMsoNormal><font size=3D2 face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'>Tel: +01 1111111; Fax: +01 111 =
> 111111</span></font><o:p></o:p></p>
>
> <p class=3DMsoNormal><font size=3D2 face=3DArial><span =
> style=3D'font-size:10.0pt;
> font-family:Arial'><a =
> href=3D"http://www.domain.com">www.domain.com</a>
> ; <a href=3D"mailto:info@domain.com">info@domain.com</a> =
> </span></font><o:p></o:p></p>
>
> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
> style=3D'font-size:
> 12.0pt'><o:p> </o:p></span></font></p>
>
> </div>
>
> </body>
>
> </html>
>
> ------=_NextPart_000_000E_01C55BE3.3DC14FB0--
>
>
>
>
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************