https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8387
Bug ID: 8387
Summary: XM_RANDOM false positive
Product: Spamassassin
Version: 4.0.1
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Rules
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
Hello,
I've noticed a false positive match on rule XM_RANDOM. The email has:
X-Mailer: SQL Anywhere External Library 17.0.11.7173
The rule appears to match the Q in SQL because of this regex:
header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i
Could we add an exception to this? Maybe [^ul] instead of [^u] at the end?
This contributes to overall spam score unexpectedly - and it was flagged as
suspicious. But it was an invoice from my apartment building, so totally legit
stuff I'd really not want to miss. Complete spam-report here:
Content analysis details:   (2.8 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
                            necessarily valid
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 1.5 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 BASE64_LENGTH_78_79    BODY: No description available.
 0.1 HTML_SHORT_LINK_IMG_3  HTML is very short with a linked image
 2.5 XM_RANDOM              X-Mailer apparently random
 0.9 DMARC_NONE             DMARC none policy
-1.0 AWL                    AWL: Adjusted score from AWL reputation of From:
                            address
 0.0 T_FREEMAIL_DOC_PDF     MS document or PDF attachment, from freemail
 0.0 T_REMOTE_IMAGE         Message contains an external image

These 3 were added due to forward (with SRS rewrite) from email.cz to another
mail server (running spamassassin)

 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                            provider
                            [censored(at)email.cz]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
                            freemail headers are different
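
Added example, not part of the original report and not SpamAssassin's own code: a small Python harness that runs the __XM_RANDOM pattern quoted above and the suggested [^ul] variant over X-Mailer values. It goes beyond the single header in the report; every sample except the first is constructed, and the pattern is used unchanged because it behaves the same in Python's re module as in Perl for these inputs.

```python
import re

# Pattern quoted in the report (rule __XM_RANDOM), and the reporter's
# suggested variant with [^ul] as the final character class.
CURRENT = re.compile(r"q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]", re.I)
PROPOSED = re.compile(r"q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^ul]", re.I)

# First value is the X-Mailer from the report; the rest are constructed.
SAMPLES = [
    "SQL Anywhere External Library 17.0.11.7173",
    "Example PostgreSQL Notifier 1.0",  # constructed: another "QL" product name
    "Example Squirrel Client 2.3",      # constructed: "qu", rejected by [^u]
    "qmail 1.06",                       # constructed: rejected by the lookahead
    "xkqzvt wrqpl",                     # constructed: random-looking, q then z
    "zzqlxv",                           # constructed: random-looking, q then l
]


def hit(pattern, value):
    """Return the two-character fragment the pattern matched, or None."""
    m = pattern.search(value)
    return m.group(0) if m else None


def compare(values=SAMPLES):
    """Map each X-Mailer value to (current hit, proposed hit)."""
    return {v: (hit(CURRENT, v), hit(PROPOSED, v)) for v in values}


if __name__ == "__main__":
    for value, (cur, new) in compare().items():
        print(f"{value!r:48} current={cur!r:6} proposed={new!r}")
```

The last sample shows the cost of the suggested change: a random-looking value whose only "q" is followed by "l" no longer matches either.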