http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5830
Summary: MSGID_OUTLOOK_INVALID and BROKEN
Product: Spamassassin
Version: 3.2.4
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Rules
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
I noticed a particular Message-Id pattern, that seems to be *unique* to spam.
Well, at least by grepping through a lot of ham (own corpus and some mailing
list archives), this pattern never seems to be used legitimately.
If anyone of you guys finds even a *single* hit in ham for the following
Message-Id pattern, regardless of the X-Mailer, please let me know. Just egrep
for '<.{8}\$.{8}\$.{8}@' in your ham's Message-Ids.
Oh, right, the Summary. :) Well, the pattern seems to be a broken Outlook
forgery, where the first 4 hex chars are missing. The time token seems to be
quite right most of the time, though. Hence the Summary. This is about a BROKEN
Outlook style Message-Id.
Now, while MSGID_OUTLOOK_INVALID thoroughly checks the time token for validity,
this rule is about a BROKEN Outlook Message-Id header, actually invalid, too.
header __MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(\$[0-9a-f]{8}){2}\@/
header __KB_OUTLOOK_MUA X-Mailer =~ /^Microsoft (Office )?Outlook\b/
meta MSGID_OUTLOOK_BROKEN __MSGID_OUTLOOK_888 && __KB_OUTLOOK_MUA
The special __KB_OUTLOOK_MUA would not be necessary if bug 5774 were fixed.
I just went through some months of spam corpus, and it seems about 99.99% of this
particular broken Message-Id does hit the X-Mailer rule, too. Hence the meta
rule -- it probably wouldn't be necessary, though.
Some quickly gathered results: NO hits in ham found for __MSGID_OUTLOOK_888,
whereas both this rule as well as the safety-net meta rule trigger on 25% or
more of spam in my corpora of the last months.
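The rules proposed above, evaluated against a few constructed headers. This is an added example, not part of the original report or of SpamAssassin: the `evaluate` and `build` helpers and all sample Message-Id and X-Mailer values are made up for illustration, and the two Perl regexes are carried over to Python unchanged.

```python
import re
from email import message_from_string

# Sub-rules transcribed from the report; both regexes are also valid in Python.
MSGID_OUTLOOK_888 = re.compile(r'^<[0-9a-f]{8}(\$[0-9a-f]{8}){2}\@')
KB_OUTLOOK_MUA = re.compile(r'^Microsoft (Office )?Outlook\b')


def evaluate(raw_message):
    """Return the hit state of both sub-rules and of the meta rule."""
    msg = message_from_string(raw_message)
    msgid = (msg.get('Message-Id') or '').strip()
    mailer = (msg.get('X-Mailer') or '').strip()
    hit_888 = bool(MSGID_OUTLOOK_888.search(msgid))
    hit_mua = bool(KB_OUTLOOK_MUA.search(mailer))
    return {
        '__MSGID_OUTLOOK_888': hit_888,
        '__KB_OUTLOOK_MUA': hit_mua,
        'MSGID_OUTLOOK_BROKEN': hit_888 and hit_mua,  # the meta rule
    }


def build(msgid, mailer):
    """Assemble a minimal message (hypothetical helper for the samples)."""
    return 'Message-Id: %s\nX-Mailer: %s\n\nbody\n' % (msgid, mailer)


# Constructed samples, not taken from any real corpus.
SAMPLES = {
    # 8$8$8 token with an Outlook X-Mailer: the case the report describes.
    'broken_id_outlook': build('<01c8a1b2$3f4e5d60$0a00a8c0@example.com>',
                               'Microsoft Outlook Express 6.0'),
    # Same token with the four leading hex chars present (12$8$8).
    'full_id_outlook': build('<000001c8a1b2$3f4e5d60$0a00a8c0@example.com>',
                             'Microsoft Office Outlook 11'),
    # Broken token, other X-Mailer: sub-rule hits, the meta rule does not.
    'broken_id_other_mua': build('<01c8a1b2$3f4e5d60$0a00a8c0@example.com>',
                                 'ExampleMailer 1.0'),
    # Upper-case hex: the pattern as written is case-sensitive, so no hit.
    'broken_id_uppercase': build('<01C8A1B2$3F4E5D60$0A00A8C0@example.com>',
                                 'Microsoft Outlook Express 6.0'),
}

if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```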