You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/02/11 15:09:56 UTC

[Bug 6064] New: false positive: el-al e-ticket

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6064

           Summary: false positive: el-al e-ticket
           Product: Spamassassin
           Version: 3.2.5
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Rules
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: dot@dotat.at


Created an attachment (id=4433)
 --> (https://issues.apache.org/SpamAssassin/attachment.cgi?id=4433)
El-Al e-ticket

This airline e-ticket is particularly egregiously malformed, and at the same
time rather important for the recipient. It scores

score 10.7 from SpamAssassin-3.2.5-730418
* -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
*      medium trust
*      [82.150.225.79 listed in list.dnswl.org]
*  1.2 LOW_PRICE BODY: Lowest Price
*  1.8 SUBJ_ALL_CAPS Subject is all capitals
*  0.8 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
*  2.7 HTML_OBFUSCATE_20_30 BODY: Message is 20% to 30% HTML obfuscation
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  2.8 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
*  2.0 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
*  1.9 UPPERCASE_75_100 message body is 75-100% uppercase
*  1.4 ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419)

It seems that amadeus.net provide e-ticket services for more airlines than just
el-al and their messages' filthy encoding means they frequently score more than
5. From my logs...

HTML_MESSAGE,HTML_NONELEMENT_30_40,HTML_TAG_BALANCE_BODY,MIME_BASE64_TEXT,RCVD_IN_DNSWL_MED,SUBJ_ALL_CAPS,UPPERCASE_75_100
HTML_MESSAGE,HTML_OBFUSCATE_10_20,HTML_TAG_BALANCE_BODY,MIME_BASE64_TEXT,RCVD_IN_DNSWL_MED,SUBJ_ALL_CAPS,UPPERCASE_75_100
HTML_MESSAGE,HTML_TAG_BALANCE_BODY,MIME_BASE64_TEXT,RCVD_IN_DNSWL_LOW,SUBJ_ALL_CAPS,UPPERCASE_75_100
ADVANCE_FEE_2,ADVANCE_FEE_3,HTML_MESSAGE,HTML_OBFUSCATE_20_30,HTML_TAG_BALANCE_BODY,LOW_PRICE,MIME_BASE64_TEXT,SUBJ_ALL_CAPS,UPPERCASE_75_100

I'm not sure whether the best solution is to whitelist them or if the
collective wisdom of the SA developers and users has a better idea


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6064] false positive: el-al e-ticket

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6064


Justin Mason <jm...@jmason.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |5553




-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6064] false positive: el-al e-ticket

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6064


eriker-sa@f-secure.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eriker-sa@f-secure.com




--- Comment #2 from eriker-sa@f-secure.com  2009-04-29 02:03:48 PST ---
+1 on adding a whitelisting for amadeus.net; we are already doing that locally.

Many airlines at least in Europe are using Amadeus, and obviously airline
e-tickets are the kind of email which simply should never get eaten by a spam
filter.

All the ones I've seen have been from *@*.amadeus.net (and specifically I think
pop3.amadeus.net) so the second whitelisting entry might be superfluous.

If somebody knows how to persuade the people at Amadeus to generate less broken
email, the world could be a better place, but yes, perhaps this is a lost
cause.  (I left a note at
http://amadeusnet.wordpress.com/2008/04/02/20/#comment-349 but don't really
expect a reply.)

MIME_BASE64_TEXT should not be triggering on this message IMHO; I think this is
bug #5553

This sample message takes several seconds to scan -- somebody should look into
that as well.


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6064] false positive: el-al e-ticket

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6064





--- Comment #1 from Mark Martinec <Ma...@ijs.si>  2009-02-11 07:03:28 PST ---
I'd suggest to just whitelist them, the message looks like a lost cause:

whitelist_from_rcvd *@*.amadeus.net   amadeus.net
whitelist_from_rcvd *@amadeus.net     amadeus.net


-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6064] false positive: el-al e-ticket

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6064

Kevin A. McGrail <km...@pccc.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |kmcgrail@pccc.com
         Resolution|                            |WONTFIX

--- Comment #3 from Kevin A. McGrail <km...@pccc.com> 2011-12-13 01:28:35 UTC ---
The only issue in this ticket that is an issue with SA has been resolved. 
While the content is important, the email is very badly crafted.

-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

[Bug 6064] false positive: el-al e-ticket

Posted by bu...@bugzilla.spamassassin.org.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6064


Bug 6064 depends on bug 5553, which changed state.

Bug 5553 Summary: MIME_BASE64_TEXT does not handle charset properly
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5553

           What    |Old Value                   |New Value
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED



-- 
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.