Posted to users@spamassassin.apache.org by 岩崎洋佑 <iw...@seraku.co.jp> on 2013/10/01 04:57:14 UTC

Re: False positive?

Karsten, thank you for your reply.

Maybe I shouldn't have modified the domain names and some other 
information for security purposes...
Below is the same one with real information.

Something wrong with the domain or possibly with the content of the message?

********************************************
Return-Path: <xx...@acche.co.jp>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
	ladybird.seraku.co.jp
X-Spam-Level: ****************
X-Spam-Status: Yes, score=17.0 required=13.0 tests=AISHOU,CONTENT_TYPE_PRESENT,
	DAIHYOU,DEETO,DIRECTUNKNOWN,DIRECTVECTANTDYN,DYN_AISHOU,DYN_DAIHYOU,DYN_DEETO,
	DYN_FUAN,DYN_ONEGAI,DYN_RENRAKU,DYN_SUPPORT,FUAN,ISO2022JP_BODY,MIMEQENC,
	NO_RECEIVED,OBSCURED_EMAIL,ONEGAI,ONLY1HOPDIRECT,QENCPTR1,QENCPTR2,RDNS_NONE,
	RENRAKU,SUPPORT,THREAD_INDEX,X_CHINESE_RELAY autolearn=spam version=3.2.4
X-Spam-Report:
	* -0.1 CONTENT_TYPE_PRESENT exists:Content-Type
	*  1.0 ONLY1HOPDIRECT ONLY1HOPDIRECT
	*  1.5 DIRECTVECTANTDYN directly received spam from vectant.ne.jp
	*  0.3 DIRECTUNKNOWN directly received spam from suspicious dynamic IP
	*  0.3 THREAD_INDEX thread-index: AcO7Y8iR61tzADqsRmmc5wNiFHEOig==
	*  0.1 OBSCURED_EMAIL BODY: Message seems to contain rot13ed address
	*  0.1 X_CHINESE_RELAY RBL: Received via a relay in China
	*      [202.215.74.215 listed in cn.rbl.cluecentral.net]
	*  0.2 RENRAKU RAW: renraku
	*  0.1 DEETO RAW: deeto
	*  0.2 AISHOU RAW: aishou
	*  0.2 DAIHYOU RAW: daihyou
	* -0.1 ISO2022JP_BODY RAW: ISO-2022-JP message
	*  0.2 FUAN RAW: fuan
	*  0.1 SUPPORT RAW: sapo-to
	*  0.2 ONEGAI RAW: onegai
	*  0.2 MIMEQENC FULL: Quoted-Printable mime definition
	*  0.2 QENCPTR2 FULL: Quoted-Printable mime pattern
	*  0.2 QENCPTR1 FULL: Quoted-Printable mime pattern
	*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
	* -0.0 NO_RECEIVED Informational: message has no Received headers
	*  2.0 DYN_ONEGAI DYN_ONEGAI
	*  2.0 DYN_DAIHYOU DYN_DAIHYOU
	*  2.0 DYN_SUPPORT DYN_SUPPORT
	*  1.0 DYN_DEETO DYN_DEETO
	*  2.0 DYN_RENRAKU DYN_RENRAKU
	*  1.0 DYN_AISHOU DYN_AISHOU
	*  2.0 DYN_FUAN DYN_FUAN
X-Original-To: xxx@seraku.co.jp
Delivered-To: xxx@seraku.co.jp
From: =?iso-2022-jp?B?GyRCOWI6ZRsoQiAbJEJBRzBsTzobKEI=?=
	<xx...@acche.co.jp>
To: =?iso-2022-jp?B?GyRCODshIUQ+OSgbKEI=?= <xx...@seraku.co.jp>
Subject: ***SPAM*** =?iso-2022-jp?B?UkU6IBskQjg9PnUkTkpzOXAbKEI=?=
Thread-Topic: =?iso-2022-jp?B?GyRCOD0+dSROSnM5cBsoQg==?=
Thread-Index: Ac6ukfV5fR3KhI+0TAqZtmZa+kTFyQAJu+MAAAAV78AAAV0bAAG7KlBgAAEKaQAABipeMAAMvYcAAOpnXYA=
Date: Wed, 25 Sep 2013 04:27:44 +0000
Message-ID: <aa...@HKNPR03MB164.apcprd03.prod.outlook.com>
References: 
<0b...@HKNPR03MB164.apcprd03.prod.outlook.com>
  <00...@seraku.co.jp>
  <b5...@HKNPR03MB164.apcprd03.prod.outlook.com>
  <00...@seraku.co.jp>
  <18...@HKNPR03MB164.apcprd03.prod.outlook.com>
  <01...@seraku.co.jp>
  <b8...@HKNPR03MB164.apcprd03.prod.outlook.com>
  <00...@seraku.co.jp>
In-Reply-To: <00...@seraku.co.jp>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [202.215.74.215]
x-forefront-prvs: 098076C36C
x-forefront-antispam-report: 
SFV:NSPM;SFS:(189002)(199002)(13464003)(51704005)(377454003)(76796001)(76576001)(76786001)(66066001)(74502001)(74662001)(74876001)(19300405004)(19273905006)(81342001)(80022001)(56816003)(83072001)(56776001)(77096001)(59766001)(81542001)(19580395003)(77982001)(54356001)(76482001)(74366001)(54316002)(83322001)(19580405001)(53806001)(63696002)(74482001)(31966008)(69226001)(47446002)(74316001)(79102001)(33646001)(4396001)(47736001)(47976001)(49866001)(50986001)(80976001)(81686001)(46102001)(65816001)(51856001)(15202345003)(74706001)(15975445006)(81816001)(24736002)(562404015)(579004)(559001)(569005);DIR:OUT;SFP:;SCL:1;SRVR:HKNPR03MB162;H:HKNPR03MB164.apcprd03.prod.outlook.com;CLIP:202.215.74.215;FPR:;RD:InfoNoRecords;MX:3;A:1;LANG:ja;
Content-Type: multipart/mixed;
	boundary="_002_aa0baeb366ae4afcba76ab64e6268ce2HKNPR03MB164apcprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: acche.co.jp
X-Spam-Prev-Subject: =?iso-2022-jp?B?UkU6IBskQjg9PnUkTkpzOXAbKEI=?=

********************************************

Regards

Iwasaki


(2013/09/27 11:21), Karsten Bräckelmann wrote:
> On Fri, 2013-09-27 at 10:47 +0900, 岩崎洋佑 wrote:
>> Some e-mails sent from my account are recognized as spam mails.
>> Could anyone tell me the cause?
>>
>> Below is the header information of one of those spam mails.
>
>> Return-Path: <xx...@example.co.jp>
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on example.co.jp
>
> Is that domain munging consistent? Does the Return-Path domain equal the
> domain in the X-Spam-Checker-Version header? In other words, is it
> *your* domain's outgoing SMTP classifying the mail as spam?
>
> Or is that a badly munged, external recipient domain and server?
>
>
>> X-Spam-Level: ****************
>> X-Spam-Status: Yes, score=17.0 required=13.0 tests=AISHOU,CONTENT_TYPE_PRESENT,
>> 	DAIHYOU,DEETO,DIRECTUNKNOWN,DIRECTVECTANTDYN,DYN_AISHOU,DYN_DAIHYOU,DYN_DEETO,
>> 	DYN_FUAN,DYN_ONEGAI,DYN_RENRAKU,DYN_SUPPORT,FUAN,ISO2022JP_BODY,MIMEQENC,
>> 	NO_RECEIVED,OBSCURED_EMAIL,ONEGAI,ONLY1HOPDIRECT,QENCPTR1,QENCPTR2,RDNS_NONE,
>> 	RENRAKU,SUPPORT,THREAD_INDEX,X_CHINESE_RELAY autolearn=spam version=3.2.4
>> X-Spam-Report:
>> 	* -0.1 CONTENT_TYPE_PRESENT exists:Content-Type
>> 	*  1.0 ONLY1HOPDIRECT ONLY1HOPDIRECT
>> 	*  1.5 DIRECTVECTANTDYN directly received spam from vectant.ne.jp
>
> Lots of low-ish scoring custom rules snipped.
>
>> 	*  2.0 DYN_ONEGAI DYN_ONEGAI
>> 	*  2.0 DYN_DAIHYOU DYN_DAIHYOU
>> 	*  2.0 DYN_SUPPORT DYN_SUPPORT
>> 	*  1.0 DYN_DEETO DYN_DEETO
>> 	*  2.0 DYN_RENRAKU DYN_RENRAKU
>> 	*  1.0 DYN_AISHOU DYN_AISHOU
>> 	*  2.0 DYN_FUAN DYN_FUAN
>
> These rules are almost exclusively custom, third-party rules defined by
> whoever runs the SA instance. Thus, the system administrator of that
> machine / domain is the one you need to contact.
>
> Stock SA rules did not classify your mail spam. The custom rules did.
>
>
>> X-Original-To: xxx1@example.co.jp
>> Delivered-To: xxx1@example.co.jp
>
> Either bad domain munging, or internal mail.
>
>> X-OriginatorOrg: example1.co.jp
>                            ^
> Well, probably bad domain munging...
>
>

Re: False positive?

Posted by Benny Pedersen <me...@junc.eu>.
Kevin A. McGrail skrev den 2013-10-01 06:19:
> On 9/30/2013 11:37 PM, Karsten Bräckelmann wrote:
>> See below for the important part of my previous reply. Your message 
>> was being classified spam due to custom rules -- rules, think of it as 
>> patterns matching a message, that have been written by the recipient's 
>> mail admin. We don't know what these rules target. Again, in order to 
>> settle this, you will have to contact the recipient of the message or 
>> recipient's system administrator -- possibly by other means than 
>> email.
> http://www.nishnet.ne.jp/AntiSpam/user_prefs looks like it might be 
> helpful...

uhu whitelist_from

should we keep it ?



Re: False positive?

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 9/30/2013 11:37 PM, Karsten Bräckelmann wrote:
> See below for the important part of my previous reply. Your message 
> was being classified spam due to custom rules -- rules, think of it as 
> patterns matching a message, that have been written by the recipient's 
> mail admin. We don't know what these rules target. Again, in order to 
> settle this, you will have to contact the recipient of the message or 
> recipient's system administrator -- possibly by other means than email.
http://www.nishnet.ne.jp/AntiSpam/user_prefs looks like it might be 
helpful...

Regards,
KAM

Re: False positive?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Tue, 2013-10-01 at 11:57 +0900, 岩崎洋佑 wrote:
> Karsten, thank you for your reply.
> 
> Maybe I shouldn't have modified the domain names and some other 
> information for security purposes...
> Below is the same one with real information.

Heh. Masking information like names, accounts and domains is totally
acceptable. If it is done consistently, i.e. different domains are still
recognizable. It was not, unfortunately.

However, in your case, it was not a big deal. Other than being slightly
confusing, it boiled down to the question whether the SA report was done
on the originating or receiving part.

The un-munged version confirms, receiving end.


> Something wrong with the domain or possibly with the content of the message?

According to the rules hit, there is nothing wrong with the content of
that message.

See below for the important part of my previous reply. Your message was
being classified spam due to custom rules -- rules, think of it as
patterns matching a message, that have been written by the recipient's
mail admin. We don't know what these rules target.

Again, in order to settle this, you will have to contact the recipient
of the message or recipient's system administrator -- possibly by other
means than email.


> (2013/09/27 11:21), Karsten Bräckelmann wrote:
> > On Fri, 2013-09-27 at 10:47 +0900, 岩崎洋佑 wrote:

> >> X-Spam-Status: Yes, score=17.0 required=13.0 tests=AISHOU,CONTENT_TYPE_PRESENT,
> >> 	DAIHYOU,DEETO,DIRECTUNKNOWN,DIRECTVECTANTDYN,DYN_AISHOU,DYN_DAIHYOU,DYN_DEETO,
> >> 	DYN_FUAN,DYN_ONEGAI,DYN_RENRAKU,DYN_SUPPORT,FUAN,ISO2022JP_BODY,MIMEQENC,
> >> 	NO_RECEIVED,OBSCURED_EMAIL,ONEGAI,ONLY1HOPDIRECT,QENCPTR1,QENCPTR2,RDNS_NONE,
> >> 	RENRAKU,SUPPORT,THREAD_INDEX,X_CHINESE_RELAY autolearn=spam version=3.2.4
> >> X-Spam-Report:
> >> 	* -0.1 CONTENT_TYPE_PRESENT exists:Content-Type
> >> 	*  1.0 ONLY1HOPDIRECT ONLY1HOPDIRECT
> >> 	*  1.5 DIRECTVECTANTDYN directly received spam from vectant.ne.jp
> >
> > Lots of low-ish scoring custom rules snipped.
> >
> >> 	*  2.0 DYN_ONEGAI DYN_ONEGAI
> >> 	*  2.0 DYN_DAIHYOU DYN_DAIHYOU
> >> 	*  2.0 DYN_SUPPORT DYN_SUPPORT
> >> 	*  1.0 DYN_DEETO DYN_DEETO
> >> 	*  2.0 DYN_RENRAKU DYN_RENRAKU
> >> 	*  1.0 DYN_AISHOU DYN_AISHOU
> >> 	*  2.0 DYN_FUAN DYN_FUAN
> >
> > These rules are almost exclusively custom, third-party rules defined by
> > whoever runs the SA instance. Thus, the system administrator of that
> > machine / domain is the one you need to contact.
> >
> > Stock SA rules did not classify your mail spam. The custom rules did.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
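
Added example, not part of the thread and not SpamAssassin code: a small triage script that parses the X-Spam-Status and X-Spam-Report values posted above, checks that the per-rule scores add up to the reported score, and recomputes the score with one rule family removed. Treating the "DYN_" prefix as the family to test is an assumption of this example; the function names are hypothetical.

```python
import re
from decimal import Decimal

# X-Spam-Status and X-Spam-Report values copied from the message posted in
# this thread (descriptions dropped, several rules per line to save space).
STATUS = "Yes, score=17.0 required=13.0"
REPORT = """
* -0.1 CONTENT_TYPE_PRESENT * 1.0 ONLY1HOPDIRECT * 1.5 DIRECTVECTANTDYN
* 0.3 DIRECTUNKNOWN * 0.3 THREAD_INDEX * 0.1 OBSCURED_EMAIL
* 0.1 X_CHINESE_RELAY * 0.2 RENRAKU * 0.1 DEETO * 0.2 AISHOU * 0.2 DAIHYOU
* -0.1 ISO2022JP_BODY * 0.2 FUAN * 0.1 SUPPORT * 0.2 ONEGAI * 0.2 MIMEQENC
* 0.2 QENCPTR2 * 0.2 QENCPTR1 * 0.1 RDNS_NONE * -0.0 NO_RECEIVED
* 2.0 DYN_ONEGAI * 2.0 DYN_DAIHYOU * 2.0 DYN_SUPPORT * 1.0 DYN_DEETO
* 2.0 DYN_RENRAKU * 1.0 DYN_AISHOU * 2.0 DYN_FUAN
"""

# "* <score> <RULE_NAME>"; also matches the original one-rule-per-line layout
# and skips continuation lines such as "*      [202.215.74.215 listed in ...]".
RULE_RE = re.compile(r"\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)")
STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)")

def parse_report(report):
    """Return {rule_name: score} from an X-Spam-Report header body."""
    return {name: Decimal(score) for score, name in RULE_RE.findall(report)}

def triage(status, report, suspect_prefix):
    """Check the report against the status line, then score the message
    again with every rule whose name starts with suspect_prefix removed."""
    score, required = map(Decimal, STATUS_RE.search(status).groups())
    hits = parse_report(report)
    family = {n: s for n, s in hits.items() if n.startswith(suspect_prefix)}
    remaining = sum(hits.values()) - sum(family.values())
    return {
        "consistent": sum(hits.values()) == score,  # report adds up to score?
        "family_points": sum(family.values()),
        "score_without_family": remaining,
        "still_spam": remaining >= required,  # SA flags at score >= required
        "top": sorted(hits.items(), key=lambda kv: -kv[1])[:3],
    }

if __name__ == "__main__":
    # "DYN_" as the family to test is this example's choice, not the thread's.
    for key, value in triage(STATUS, REPORT, "DYN_").items():
        print(f"{key}: {value}")
```

Run against the posted headers, this shows how much of the total a single rule family accounts for, which is the information the recipient's mail admin needs when reviewing the custom rules.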