Posted to users@spamassassin.apache.org by Jolly ArrRoger <Ar...@RoLin.US> on 2004/11/27 21:36:40 UTC

False Positives: CONFIRMED_FORGED from yahoo.com


Can someone please explain why SA declares forgery on the attached message?
Seem to be getting an excessive number of false positives from legitimate
yahoo.com email addresses that are delivered through YahooGroups.com.  I've
been "whitelisting" each one I find but wonder if there is a specific
anomaly occurring with this combination.  Group subscribers who use their
comcast.com or aol.com, etc. email addresses seem to not trigger the
CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
Please advise.

  --Roger

__________  Original Header <modified by Yours Truly> ________________
Return-Path:
<se...@returns.groups.yahoo.com>
Delivered-To: <YoursTruly>
X-Envelope-To: <YoursTruly>
Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
Received: from n22a.bulk.scd.yahoo.com (66.94.237.51)
  by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov
2004 16:52:46 -0000
Received: from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25
Nov 2004 16:52:46 -0000
X-Yahoo-Newman-Property: groups-email
Received: (qmail 52933 invoked from network); 25 Nov 2004 16:52:44 -0000
Received: from unknown (66.218.66.216)
  by m24.grp.scd.yahoo.com with QMQP; 25 Nov 2004 16:52:44 -0000
Received: from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37)
  by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000
Received: from [66.218.69.2] by n3.bulk.scd.yahoo.com with NNFMP; 25 Nov
2004 16:52:34 -0000
Received: from [66.218.67.163] by mailer2.bulk.scd.yahoo.com with NNFMP; 25
Nov 2004 16:52:34 -0000
X-Sender: newuser1@yahoo.com
X-Apparently-To: NWFS@yahoogroups.com
Received: (qmail 18949 invoked from network); 25 Nov 2004 10:16:52 -0000
Received: from unknown (66.218.66.218)
  by m22.grp.scd.yahoo.com with QMQP; 25 Nov 2004 10:16:52 -0000
Received: from unknown (HELO n8a.bulk.scd.yahoo.com) (66.94.237.42)
  by mta3.grp.scd.yahoo.com with SMTP; 25 Nov 2004 10:16:51 -0000
Received: from [66.218.69.3] by n8.bulk.scd.yahoo.com with NNFMP; 25 Nov
2004 10:16:47 -0000
Received: from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25
Nov 2004 10:16:47 -0000
To: NWFS@yahoogroups.com
Message-ID: <co...@eGroups.com>
User-Agent: eGroups-EW/0.82
X-Mailer: Yahoo Groups Message Poster
X-eGroups-Remote-IP: 66.94.237.42
From: "" <ne...@yahoo.com>
X-Originating-IP: 67.51.204.140
X-Yahoo-Profile: newuser
X-eGroups-Edited-By: nwfs <pc...@yahoo.com>
X-eGroups-Approved-By: nwfs <pc...@yahoo.com> via web; 25 Nov 2004
16:52:31 -0000
X-eGroups-Remote-IP: 66.94.237.37
MIME-Version: 1.0
Mailing-List: list NWFS@yahoogroups.com; contact NWFS-owner@yahoogroups.com
Delivered-To: mailing list NWFS@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <ma...@yahoogroups.com>
Date: Thu, 25 Nov 2004 10:16:39 -0000
Subject: **JUNK** [NWFS] A New Member saying "Hi"
Reply-To: NWFS@yahoogroups.com
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Filtered: 27d8e8c12adf38f84030330200646532
X-Spam-Status: Yes, hits=6.6 required=4.0
tests=MIME_HTML_ONLY,CONFIRMED_FORGED,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_50_60,FORGED_YAHOO_RCVD,HTML_IMAGE_RATIO_14,HTML_FONTCOLOR_BLUE,CLICK_BELOW
X-Spam-Flag: YES
X-Spam-Level: ******

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably junk.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (6.6 points, 4.0 required)
SPAM:  0.3 HTML_IMAGE_RATIO_14    BODY: HTML has a low ratio of text to
image area
SPAM:  0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
SPAM:  0.0 HTML_MESSAGE           BODY: HTML included in message
SPAM:  1.1 HTML_IMAGE_ONLY_10     BODY: HTML: images with 800-1000 bytes of
words
SPAM:  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME
parts
SPAM:  0.2 HTML_50_60             BODY: Message is 50% to 60% HTML
SPAM:  0.5 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received'
headers
SPAM:  0.0 CLICK_BELOW            Asks you to click below
SPAM:  4.3 CONFIRMED_FORGED       Received headers are forged
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------



Re: False Positives: CONFIRMED_FORGED from yahoo.com

Posted by Jolly ArrRoger <Ar...@RoLin.US>.
Thanks again J, your comments make sense so far.  Maybe someone will
know how a consistent SLD hopped admittedly through too many machines
but appeared to be received(2) by my email server on ainaz.pair.com.
This just does not make sense and I can produce at least a half dozen more
"CONFIRMED_FORGED" FP messages just like this one.
  --Roger

----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>
To: <us...@spamassassin.apache.org>
Sent: Saturday, November 27, 2004 1:47 PM
Subject: Re: False Positives: CONFIRMED_FORGED from yahoo.com


At this point you're stuck reading the "FORGED_YAHOO_RCVD" tests in
the 20_headers.cf file (at least on 2.63.) On my machine this is in
/usr/share/spamassassin. On closer look it appears this is a web mail
posting via yahoo to a yahoo group that fribbles its way around way more
yahoo machines than makes sense. It appears there may be a name that
shows up in the headers that triggers the above rule somehow.

(Of course, barring EXTREME emergencies it'd be easier to commit
honorable seppuku than use web mail, IMAO. {^_-})

{^_^}
----- Original Message ----- 
From: "Jolly ArrRoger" <Ar...@RoLin.US>


> Thanks jdow.  The reason I believe it is because I know "newuser1" to be
> legitimate however the path the message takes getting to me through SA
> generates FP's consistently.  Can someone familiar with what causes
> SA to confirm forgery, identify the specific cause?
>
>   --Roger
>
> ----- Original Message ----- 
> From: "jdow" <jd...@earthlink.net>
>
> Er, Roger, one might ask you what makes you think for a picosecond
> that the message is not forged. Trace the headers backwards starting
> at the top. I see nothing there to inspire belief in the headers below
> the second "Received:" header.
>
> {^_^}
> ----- Original Message ----- 
> From: "Jolly ArrRoger" <Ar...@RoLin.US>
> >
> > Can someone please explain why SA declares forgery on the attached
> message?
> > Seem to be getting an excessive number of false positives from
legitimate
> > yahoo.com email addresses that are delivered through YahooGroups.com.
> I've
> > been "whitelisting" each one I find but wonder if there is a specific
> > anomaly occurring with this combination.  Group subscribers who use
their
> > comcast.com or aol.com, etc. email addresses seem to not trigger the
> > CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> > Please advise.
> >
> >   --Roger
> >






Re: False Positives: CONFIRMED_FORGED from yahoo.com

Posted by jdow <jd...@earthlink.net>.
At this point you're stuck reading the "FORGED_YAHOO_RCVD" tests in
the 20_headers.cf file (at least on 2.63.) On my machine this is in
/usr/share/spamassassin. On closer look it appears this is a web mail
posting via yahoo to a yahoo group that fribbles its way around way more
yahoo machines than makes sense. It appears there may be a name that
shows up in the headers that triggers the above rule somehow.

(Of course, barring EXTREME emergencies it'd be easier to commit
honorable seppuku than use web mail, IMAO. {^_-})

{^_^}
----- Original Message ----- 
From: "Jolly ArrRoger" <Ar...@RoLin.US>


> Thanks jdow.  The reason I believe it is because I know "newuser1" to be
> legitimate however the path the message takes getting to me through SA
> generates FP's consistently.  Can someone familiar with what causes
> SA to confirm forgery, identify the specific cause?
>
>   --Roger
>
> ----- Original Message ----- 
> From: "jdow" <jd...@earthlink.net>
>
> Er, Roger, one might ask you what makes you think for a picosecond
> that the message is not forged. Trace the headers backwards starting
> at the top. I see nothing there to inspire belief in the headers below
> the second "Received:" header.
>
> {^_^}
> ----- Original Message ----- 
> From: "Jolly ArrRoger" <Ar...@RoLin.US>
> >
> > Can someone please explain why SA declares forgery on the attached
> message?
> > Seem to be getting an excessive number of false positives from
legitimate
> > yahoo.com email addresses that are delivered through YahooGroups.com.
> I've
> > been "whitelisting" each one I find but wonder if there is a specific
> > anomaly occurring with this combination.  Group subscribers who use
their
> > comcast.com or aol.com, etc. email addresses seem to not trigger the
> > CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> > Please advise.
> >
> >   --Roger
> >



Re: False Positives: CONFIRMED_FORGED from yahoo.com

Posted by Jolly ArrRoger <Ar...@RoLin.US>.
Thanks jdow.  The reason I believe it is because I know "newuser1" to be
legitimate however the path the message takes getting to me through SA
generates FP's consistently.  Can someone familiar with what causes
SA to confirm forgery, identify the specific cause?

  --Roger

----- Original Message ----- 
From: "jdow" <jd...@earthlink.net>
To: <us...@spamassassin.apache.org>
Sent: Saturday, November 27, 2004 12:48 PM
Subject: Re: False Positives: CONFIRMED_FORGED from yahoo.com


Er, Roger, one might ask you what makes you think for a picosecond
that the message is not forged. Trace the headers backwards starting
at the top. I see nothing there to inspire belief in the headers below
the second "Received:" header.

{^_^}
----- Original Message ----- 
From: "Jolly ArrRoger" <Ar...@RoLin.US>
>
> Can someone please explain why SA declares forgery on the attached
message?
> Seem to be getting an excessive number of false positives from legitimate
> yahoo.com email addresses that are delivered through YahooGroups.com.
I've
> been "whitelisting" each one I find but wonder if there is a specific
> anomaly occurring with this combination.  Group subscribers who use their
> comcast.com or aol.com, etc. email addresses seem to not trigger the
> CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> Please advise.
>
>   --Roger
>






Re: False Positives: CONFIRMED_FORGED from yahoo.com

Posted by jdow <jd...@earthlink.net>.
Er, Roger, one might ask you what makes you think for a picosecond
that the message is not forged. Trace the headers backwards starting
at the top. I see nothing there to inspire belief in the headers below
the second "Received:" header.

{^_^}
----- Original Message ----- 
From: "Jolly ArrRoger" <Ar...@RoLin.US>
>
> Can someone please explain why SA declares forgery on the attached
message?
> Seem to be getting an excessive number of false positives from legitimate
> yahoo.com email addresses that are delivered through YahooGroups.com.
I've
> been "whitelisting" each one I find but wonder if there is a specific
> anomaly occurring with this combination.  Group subscribers who use their
> comcast.com or aol.com, etc. email addresses seem to not trigger the
> CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> Please advise.
>
>   --Roger
>



Re: False Positives: CONFIRMED_FORGED from yahoo.com

Posted by Jolly ArrRoger <Ar...@RoLin.US>.
Message from user inside www.pair.com:

>>>>>>>>>>  Original message  <<<<<<<<<<<<
Apparently Yahoo has slightly changed the routing of groups messages:

SA EvalTests.pm
/from \[$IP_ADDRESS\] by \S+\.(?:groups|grp\.scd)\.yahoo\.com with NNFMP/

Received headers with NNFMP:
from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov
from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25 (qmail
52933 invoked
from [66.218.69.2] by n3.bulk.scd.yahoo.com with NNFMP; 25 Nov
from [66.218.67.163] by mailer2.bulk.scd.yahoo.com with NNFMP; 25 (qmail
18949 invoked
from [66.218.69.3] by n8.bulk.scd.yahoo.com with NNFMP; 25 Nov
from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25

The server names in the header lines with NNFMP now use bulk.scd instead
of group.scd, therefore they no longer match.

Proposed fix:
/from \[$IP_ADDRESS\] by \S+\.(?:groups|(grp|bulk)\.scd)\.yahoo\.com with NNFMP/

I have filed a bug report at
http://bugzilla.spamassassin.org/show_bug.cgi?id=4005