https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6844

Kris Deugau <kdeu...@vianet.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kdeu...@vianet.ca

--- Comment #3 from Kris Deugau <kdeu...@vianet.ca> ---
(In reply to comment #1)
> Apparently the sender is using an ancient (insecure) OE version and should
> be upgraded. Iirc this version was EOL in 2002.
> 
> OE msg should include both headers as:
> 
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> 
> Something removed the X-Mailer header or it was intentionally forged.

Both headers are there, but as noted the attachment was extracted from a
Request Tracker instance, and for reasons beyond my understanding RT does not
preserve RFC822 attachments intact and unaltered - it rewrites the character
set and reorders the headers to various degrees.  X-Mailer is the second header
in the attachment, X-MimeOLE is in between Date: and To:.

> I don't see this as a bug but more as a warning to the user that he/she
> should update, urgently

Not under my control (user is an ISP customer), or it wouldn't have been a
problem in the first place.

Looking more closely at the rules, FSL_UA and FSL_XM_419 will almost always
trigger together;  one subrule in FSL_UA is almost identical to FSL_XM_419:

meta     FSL_UA       (__FSL_UA_1 || __FSL_UA_2)
header   __FSL_UA_1   User-Agent =~ /6\.00\.2600\.000/
header   __FSL_UA_2   X-Mailer   =~ /6\.00\.2600\.000/
header   FSL_XM_419   X-Mailer   =~ /\s+6\.00\.2600\.0000$/

The other subrule in FSL_UA triggers on the same version string in the
User-Agent header - which header I don't remember ever seeing in legitimate OE
mail.  That alone might make a better rule to keep (assuming it hits anything
at all;  a search through my archive of spam reports shows *no* examples of a
User-Agent header with that version number in it).

The AXB_XMAILER_MIMEOLE_OL_024C2 subrules are much more specific in matching on
the complete header value rather than just the version string, and require both
X-Mailer and X-MimeOLE headers to trigger the scored rule instead of one or the
other.

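Added example, not part of the original comment or of SpamAssassin: a Python check of the overlap described above, applying the three header patterns quoted in the comment to constructed sample messages. The function name, sample addresses, dates and the `6.00.2600.0001` value are assumptions made for illustration, and Python's `re` stands in for the Perl regex engine, which behaves the same for these patterns.

```python
import re
from email import message_from_string

# Patterns copied from the rules quoted in the comment above.
HEADER_RULES = {
    "__FSL_UA_1": ("User-Agent", re.compile(r"6\.00\.2600\.000")),
    "__FSL_UA_2": ("X-Mailer", re.compile(r"6\.00\.2600\.000")),
    "FSL_XM_419": ("X-Mailer", re.compile(r"\s+6\.00\.2600\.0000$")),
}

def rule_hits(raw_message):
    """Return the set of rule names that fire on one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = set()
    for name, (header, pattern) in HEADER_RULES.items():
        # Lookup is by header name, so the reordering done by RT is irrelevant.
        if any(pattern.search(value) for value in msg.get_all(header, [])):
            hits.add(name)
    # meta FSL_UA (__FSL_UA_1 || __FSL_UA_2)
    if hits & {"__FSL_UA_1", "__FSL_UA_2"}:
        hits.add("FSL_UA")
    return hits

# Constructed samples. Header order mimics the RT-extracted attachment:
# X-Mailer second, X-MimeOLE between Date: and To:.
OE_REORDERED = (
    "From: user@example.com\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "Date: Mon, 1 Oct 2012 10:00:00 -0400\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000\n"
    "To: someone@example.net\n\nbody\n"
)
# Version string in User-Agent only: the one case where FSL_UA fires alone.
UA_ONLY = (
    "From: user@example.com\n"
    "User-Agent: Microsoft Outlook Express 6.00.2600.0000\n\nbody\n"
)
# Constructed value: __FSL_UA_2 is unanchored, FSL_XM_419 needs "0000" at end.
OTHER_BUILD = (
    "From: user@example.com\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0001\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in [("OE reordered", OE_REORDERED),
                       ("User-Agent only", UA_ONLY),
                       ("other build", OTHER_BUILD)]:
        print(f"{label:16} {sorted(rule_hits(raw))}")
```

Run over a ham and spam corpus, the same per-message sets show how often FSL_UA and FSL_XM_419 fire together and therefore how much one score duplicates the other.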