Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/07/24 11:48:29 UTC
[Bug 5571] New: False positive for FORGED_MUA_OUTLOOK
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5571
Summary: False positive for FORGED_MUA_OUTLOOK
Product: Spamassassin
Version: 3.2.1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Rules
AssignedTo: dev@spamassassin.apache.org
ReportedBy: thomas.jarosch@intra2net.com
Hi,
I've one mail from Outlook XP (2002) with SP3 that triggers
FORGED_MUA_OUTLOOK. As far as I can tell the message ID is not modified.
Please have a look. Tested with SpamAssassin 3.2.1 + pattern update 556472.
Thanks in advance,
Thomas
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5571] False positive for FORGED_MUA_OUTLOOK
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5571
------- Additional Comments From sidney@sidney.com 2007-07-24 04:39 -------
Where does that Message-ID come from? I don't see haiberg.com mentioned anywhere
else except in the Message-ID.
------- Additional Comments From spamassassin@dostech.ca 2007-07-26 11:41 -------
> > Should this be added to the sa-update channel?
>
> I'm not sure we can override rules in the "rules" dir that way unfortunately.
Sure you can. Nearly all of the 3.2 updates so far have been to correct issues
with rules in the "rules" dir.
------- Additional Comments From thomas.jarosch@intra2net.com 2007-07-24 07:51 -------
Ok, haiberg.com is the Windows domain. We used a packet sniffer to verify the
message ID is generated by Outlook. No local virus scanner is installed. The
only unusual thing I could find is that Outlook is running on a Windows 2003
terminal server, but no Exchange server is installed.
I also checked our own mail archive for that particular Outlook build number
and found only message IDs either containing a $ sign or being 38 hex
characters wide. Nonetheless the 32 hex character ID is generated by Outlook.
Do other Outlook versions generate a 32 hex character ID?
------- Additional Comments From sidney@sidney.com 2007-07-24 06:19 -------
I haven't seen message id in that format from Outlook before, and Google doesn't
show me any in a preliminary search. I've put in some test rules to see if there
is anything like that in our nightly test corpora. In the meantime, could you
see if you can find anything unusual about the installation of Outlook that
could result in the message ID being different than we usually see? Most of
the time the message ID will have some '$' characters in it, or it will be
generated by Internet Mail Service and have at least 36 hex digits, not the 32
that your example has.
The build number in the Outlook Mailer header indicates Outlook 2002 SP3, so
this doesn't seem to be a case of some new version of Outlook doing things
differently than we expect.
------- Additional Comments From thomas.jarosch@intra2net.com 2007-07-24 08:40 -------
> can you find out if the box is running some Vista flavour?
Outlook is running remote on a windows 2003 terminal server. Maybe service
pack 2 contained similar MAPI code as the new MS Vista stuff uses (I suspected
something like this, that's why I've asked about other Outlook versions).
------- Additional Comments From sidney@sidney.com 2007-07-24 13:20 -------
If the message ID format is determined by the MAPI code of the Windows OS
instead of the version of Outlook, that would explain this appearing now and not
being common yet. I didn't see anything matching either
MESSAGEID =~ /^<[A-F\d]{20,31}\@\S+>$/m
or
MESSAGEID =~ /^<[A-F\d]{20,31}\@\S+>$/m
in the preflight mass-checks, but have not yet got the results from a nightly
mass-check run.
If the nightly shows that first message ID format not matching any spam at all,
I think it would be a no-brainer to add a Vista ID rule in to the Outlook MUA
metarule that looks like
MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m
That isn't exactly the same as the one in comment #6, but it is more consistent
with the existing rules and it achieves the same result.
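Added example, not part of the original thread or of SpamAssassin's rule files: the Message-ID patterns quoted in this bug, run over constructed sample IDs to show which ones a 32-hex exemption rescues and where the anchored and unanchored variants differ. HAS_DOLLAR, IMS_HEX and the looks_forged helper are simplified assumptions standing in for the real Outlook sub-rules, which this page does not show.

```python
import re

# Patterns quoted in the thread (Perl /m becomes re.M; re.A keeps \d to 0-9).
VISTA_MSGID = re.compile(r'^<[A-F\d]{32}\@\S+>$', re.M | re.A)     # proposed __VISTA_MSGID_0
VISTA_LOOSE = re.compile(r'^\<[A-F0-9]{32}\@', re.M)               # __MID_VISTA
SHORT_HEX = re.compile(r'^<[A-F\d]{20,31}\@\S+>$', re.M | re.A)    # mass-check test rule

# Assumption: simplified stand-ins for the two usual shapes the thread describes
# ('$' in the ID, or 36+ hex digits); not SpamAssassin's real sub-rules.
HAS_DOLLAR = re.compile(r'^<[^@>\s]*\$[^@>\s]*\@\S+>$', re.M)
IMS_HEX = re.compile(r'^<[A-F\d]{36,}\@\S+>$', re.M | re.A)


def known_outlook_shape(msgid, allow_hex32):
    """True if the Message-ID has a shape the toy rule set accepts for Outlook."""
    if HAS_DOLLAR.search(msgid) or IMS_HEX.search(msgid):
        return True
    return allow_hex32 and bool(VISTA_MSGID.search(msgid))


def looks_forged(msgid, allow_hex32=True):
    """Toy meta for a mail whose mailer header claims Outlook."""
    return not known_outlook_shape(msgid, allow_hex32)


# Constructed sample Message-IDs (not taken from the attachment in the bug).
HEX32 = '<' + '0123456789ABCDEF' * 2 + '@example.test>'
SAMPLES = {
    'hex32': HEX32,
    'hex31': '<' + 'A' * 31 + '@example.test>',
    'hex38': '<' + '1F' * 19 + '@example.test>',
    'dollar': '<000001c7cd$1a2b3c40$0200a8c0@example.test>',
    'lower32': HEX32.lower(),          # lowercase hex: the rule has no /i
    'unterminated': HEX32[:-1],        # no closing '>'
}


def report():
    """Map sample name -> (forged before the exemption, forged after it)."""
    return {name: (looks_forged(m, allow_hex32=False), looks_forged(m))
            for name, m in SAMPLES.items()}


if __name__ == '__main__':
    for name, (before, after) in report().items():
        print(f'{name:13} before={before!s:5} after={after}')
```

Only the uppercase 32-hex ID changes verdict; the lowercase and unterminated variants stay flagged because the proposed pattern is case-sensitive and anchored on the closing bracket, while the unanchored __MID_VISTA pattern would accept the unterminated one.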
sidney@sidney.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From sidney@sidney.com 2007-07-26 19:08 -------
Thanks.
Committed to branches/3.2/rules/20_ratware.cf revision 560059.
Committed to rules/branches/3.2/20_ratware.cf revision 560060.
Committed to rules/branches/3.1/20_ratware.cf revision 560063.
Committed to branches/3.1/rules/20_ratware.cf revision 560064.
------- Additional Comments From sidney@sidney.com 2007-07-26 17:15 -------
Committed to trunk/rules/20_ratware.cf revision 560034.
> Nearly all of the 3.2 updates so far have been to correct issues
> with rules in the "rules" dir.
What is the procedure for fixing rules in the branches so they get into the
update channels? Does any of it require a vote? Would this change in
20_ratware.cf go into /rules/branches/3.2/20_ratware.cf as well as
/branches/3.2/rules/20_ratware.cf? Or does it somehow go through a sandbox?
------- Additional Comments From jm@jmason.org 2007-07-26 02:27 -------
(In reply to comment #9)
> 0.00000 4.0346 23421 of 580486 messages 0.0217 27 of 124360 messages
> 0.995 0.93 4.20 FORGED_MUA_OUTLOOK
> 0.00000 4.0346 23421 of 580486 messages 0.0217 27 of 124360 messages
> 0.995 0.93 0.01 T_SIDNEY_FORGED_MUA_OUTLOOK
>
> It looks like the results are identical on last night's mass check. Any
> objections to adding
>
> __VISTA_MSGID_0 MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m
>
> to the rules and adding !_VISTA_MSGID_0 to the definition of FORGED_MUA_OUTLOOK?
+1
> Should this be added to the sa-update channel?
I'm not sure we can override rules in the "rules" dir that way unfortunately.
------- Additional Comments From thomas.jarosch@intra2net.com 2007-07-24 02:52 -------
Created an attachment (id=4059)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=4059&action=view)
Full email triggering the problem
------- Additional Comments From thomas.jarosch@intra2net.com 2007-07-24 04:52 -------
Haiberg is the company name and I guess it's the name of their Windows domain.
I can find that out if you want to. The message ID gets generated by Outlook.
------- Additional Comments From thomas.jarosch@intra2net.com 2007-07-27 01:04 -------
Thanks for investigating and fixing this issue,
everyone involved did a superb job!
------- Additional Comments From alex.uribl@gmail.com 2007-07-24 08:33 -------
afaik this resembles Windows Vista's Mail (ex OE) Msg-ID format
been using the rule below for METAs
header __MID_VISTA Message-ID =~ /^\<[A-F0-9]{32}\@/
can you find out if the box is running some Vista flavour?
sidney@sidney.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |r.epping@meteo.nl
------- Additional Comments From sidney@sidney.com 2007-08-16 15:21 -------
*** Bug 5600 has been marked as a duplicate of this bug. ***
------- Additional Comments From sidney@sidney.com 2007-07-25 22:48 -------
0.00000 4.0346 23421 of 580486 messages 0.0217 27 of 124360 messages
0.995 0.93 4.20 FORGED_MUA_OUTLOOK
0.00000 4.0346 23421 of 580486 messages 0.0217 27 of 124360 messages
0.995 0.93 0.01 T_SIDNEY_FORGED_MUA_OUTLOOK
It looks like the results are identical on last night's mass check. Any
objections to adding
__VISTA_MSGID_0 MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m
to the rules and adding !_VISTA_MSGID_0 to the definition of FORGED_MUA_OUTLOOK?
Should this be added to the sa-update channel?
------- Additional Comments From felicity@apache.org 2007-07-26 17:39 -------
(In reply to comment #12)
> What is the procedure for fixing rules in the branches so they get into the
> update channels? Does any of it require a vote? Would this change in
> 20_ratware.cf go into /rules/branches/3.2/20_ratware.cf as well as
> /branches/3.2/rules/20_ratware.cf? Or does it somehow go through a sandbox?
At the moment, channel updates are CTR. Basically you'd want to update any
channel branches that are affected, and also update SA release branches for
those who don't use updates.
The channel updates are very straightforward as it's all scripted. :)