Re: Multiple X-Envelope-From and SPF

2008-05-09 Thread ram

On Fri, 2008-05-09 at 01:44 +0200, Benny Pedersen wrote:
 On Thu, May 8, 2008 23:19, mouss wrote:
 
  configure postfix to replace previous ones
  /^(X\-Envelope\-From:.*)/   REPLACE X-$1
 
 envelope from can here be forged

Precisely what I am afraid of. But the issue is, whatever header I use
for envelope-from, all of them can be trivially forged.
I am trying to replace all the X-Envelope headers before sending them to
the scan servers.

Thanks
Ram







Re: triplets.txt

2008-05-09 Thread Matt Kettler

Jeremy Fairbrass wrote:
Hi, could someone kindly tell me what the file triplets.txt is used 
for, and if I need to have it in my rules directory or not?




It's used for the TextCat plugin (which provides the ok_languages 
option). While you should have it in your rules directory, it won't 
break anything if you've got TextCat disabled.


Re: trusted mailing list subscriber spam

2008-05-09 Thread Steve Bertrand

All a spam program would have to do is say [EMAIL PROTECTED] posts lots
to that list. His address must be a trusted subscriber. Well, here's
one more post from him, muhahaha.


If Bob posts a lot to a list(s) and is respected within said list(s), 
then the other subs of that list will immediately recognize by the tone 
and the writing style of a fake message that it wasn't Bob that sent it.



OK, I suppose that would be caught by SPF rules etc., if bob likes SPF.


Not all mail systems actually block upon SPF breakage...

Steve


Re: IE Parse bug also in SpamAssassin?

2008-05-09 Thread Justin Mason

Kevin W. Gagel writes:
 - Original Message -
 Do you have a reference for discussion of this IE Parsing bug that led 
 you to mention this oddball URI annotation format in the first place? 
 There might be references in that to the definition of the format.
 
 John,
 
 I'm not sure if this is the bug Benny refers to but here is a link for info
 on what I think he is referring to:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1185

so does SpamAssassin parse the URI correctly, or not?

--j.


Re: IE Parse bug also in SpamAssassin?

2008-05-09 Thread Joseph Brennan


Benny Pedersen [EMAIL PROTECTED] wrote:


I just started this thread to be sure the IE parse bug is not in SA as well,
since I could see domains not detected in spam, but I got it now.



You know about it being an IE parse bug, and that seems to be news to
the rest of us.  How'd you hear about it?

Joseph Brennan
Columbia University Information Technology



Re: triplets.txt

2008-05-09 Thread Theo Van Dinter
On Fri, May 09, 2008 at 08:16:29AM -0400, Matt Kettler wrote:
 Hi, could someone kindly tell me what the file triplets.txt is used 
 for, and if I need to have it in my rules directory or not?
 
 It's used for the TextCat plugin (which provides the ok_languages 
 option). While you should have it in your rules directory, it won't 
 break anything if you've got TextCat disabled.

Just to be more specific -- it needs to be in the default rules directory.
You don't need it in the local state dir, site rules dir, user preferences
dir, etc.

If it's not there already, your install would seem to have some issues.

-- 
Randomly Selected Tagline:
Remember the Unix philosophy: it's better to have two tools, each good
 at one thing, than one tool that is mediocre at two things...
 - H. Peter Anvin




False positive on forged_mua_outlook

2008-05-09 Thread Jeff Koch


Hi:

Our users are getting false positives with hits on

4.2 FORGED_MUA_OUTLOOK

and are saying they are 100% certain that the email was sent from MS 
Outlook Express. Is this a known problem or are these users doing something 
wrong?



Best Regards,

Jeff Koch 



Re: Multiple X-Envelope-From and SPF

2008-05-09 Thread mouss

Benny Pedersen wrote:

On Thu, May 8, 2008 23:19, mouss wrote:

  

configure postfix to replace previous ones
/^(X\-Envelope\-From:.*)/   REPLACE X-$1



envelope from can here be forged
  


the header check above will rewrite any such header received from the
internet, so forgery is not an issue. To be clear, the rule rewrites:

X-Envelope-From => X-X-Envelope-From

That said, I agree that Return-Path is a better choice.

better for postfix is to add

envelope_sender_header Return-Path
  
in local.cf
  




Re: Multiple X-Envelope-From and SPF

2008-05-09 Thread mouss

ram wrote:

On Fri, 2008-05-09 at 01:44 +0200, Benny Pedersen wrote:
  

On Thu, May 8, 2008 23:19, mouss wrote:



configure postfix to replace previous ones
/^(X\-Envelope\-From:.*)/   REPLACE X-$1
  

envelope from can here be forged



Precisely what I am afraid of. But the issue is, whatever header I use
for envelope-from, all of them can be trivially forged.
I am trying to replace all the X-Envelope headers before sending them to
the scan servers.
  



Return-Path is unique, so if your postfix generates one (if you use a 
pipe transport, enable the flag to do so), it won't be a forged one.


also, Return-Path is not supposed to be seen in the wire.
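
The rewrite-then-stamp flow mouss describes in his two replies above, as an added example that is not code from the thread, from Postfix or from SpamAssassin: a small Python model of the `/^(X\-Envelope\-From:.*)/ REPLACE X-$1` header check, followed by the local MTA stamping the envelope sender from the SMTP MAIL FROM. The inbound message, the `receive()` pipeline, the decision to drop any Return-Path that arrived on the wire, and the rule that a scanner reads the topmost instance of the configured header are all constructed assumptions of this example; neither Postfix's nor SpamAssassin's exact behaviour is reproduced.

```python
import re
from email import message_from_string

# Constructed inbound message: the remote side supplies both a Return-Path
# and an X-Envelope-From that claim an internal sender.
INBOUND = (
    "Return-Path: <ceo@example.org>\n"
    "X-Envelope-From: ceo@example.org\n"
    "From: ceo@example.org\n"
    "To: staff@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)

# Same pattern as the Postfix header_checks rule from the thread:
#   /^(X\-Envelope\-From:.*)/   REPLACE X-$1
HEADER_CHECK = re.compile(r"^(X-Envelope-From:.*)$", re.IGNORECASE)


def _split(raw):
    """Split a raw message into its header lines and the rest (separator + body)."""
    head, sep, body = raw.partition("\n\n")
    return head.split("\n"), sep + body


def apply_header_checks(raw):
    """Rename every X-Envelope-From line that arrived on the wire to
    X-X-Envelope-From, as the REPLACE action does, so no remote-supplied
    header keeps the trusted name. Simplification: Postfix matches the whole
    logical header (folded lines included); this handles one-line headers."""
    head, rest = _split(raw)
    out = []
    for line in head:
        m = HEADER_CHECK.match(line)
        out.append("X-" + m.group(1) if m else line)
    return "\n".join(out) + rest


def stamp_envelope_sender(raw, mail_from, header="Return-Path"):
    """Prepend the envelope sender taken from the SMTP MAIL FROM, as the final
    MTA does at delivery. Any same-named header received from the wire is
    dropped first (this example's choice, following mouss's remark that
    Return-Path is not supposed to be seen on the wire)."""
    head, rest = _split(raw)
    prefix = header.lower() + ":"
    kept = [line for line in head if not line.lower().startswith(prefix)]
    return f"{header}: <{mail_from}>\n" + "\n".join(kept) + rest


def receive(raw, mail_from):
    """Inbound pipeline: header_checks first, then the local stamp."""
    return stamp_envelope_sender(apply_header_checks(raw), mail_from)


def envelope_sender(raw, header="Return-Path"):
    """What a scanner configured with envelope_sender_header <header> would
    read, assuming it takes the topmost instance (the one the local MTA
    prepended): the address without angle brackets, or None if absent."""
    values = message_from_string(raw).get_all(header)
    if not values:
        return None
    return values[0].strip().strip("<>")


if __name__ == "__main__":
    delivered = receive(INBOUND, "bounce@spammer.test")
    print("forged value a scanner would have read:",
          envelope_sender(INBOUND, "X-Envelope-From"))
    print("envelope sender after rewrite and stamp:", envelope_sender(delivered))
    print("forged header survives, renamed:",
          envelope_sender(delivered, "X-X-Envelope-From"))
```

The point of keeping the renamed header rather than deleting it is that the forged value stays visible for rules and for incident review, while nothing the remote side wrote can be mistaken for the MTA's own envelope data.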


fractional scores and syntax

2008-05-09 Thread Robert - elists
I am not sure how to ask this

We have a test URIBL

#
#
#
###
#
urirhssub URIBL_TEST uri.test.local.A   2
body  URIBL_TEST eval:check_uridnsbl('URIBL_TEST')
describe URIBL_TEST Contains an URL listed in the TEST blacklist
tflags  URIBL_TEST net
#reuse  URIBL_TEST

#
score URIBL_TEST 0 1 0 1

this works...  :-)

what do I need to look or search for regarding syntax so that I can change
the score from what you see above to a lower fractional score like

score URIBL_TEST 0 .1 0 .1

and get a good output from spamassassin --lint

thanks in advance

 - rh



Re: fractional scores and syntax

2008-05-09 Thread D Hill

On Fri, 9 May 2008 at 09:42 -0700, [EMAIL PROTECTED] confabulated:


I am not sure how to ask this

We have a test URIBL

#
#
#
###
#
urirhssub URIBL_TEST uri.test.local.A   2
body  URIBL_TEST eval:check_uridnsbl('URIBL_TEST')
describe URIBL_TEST Contains an URL listed in the TEST blacklist
tflags  URIBL_TEST net
#reuse  URIBL_TEST

#
score URIBL_TEST 0 1 0 1

this works...  :-)

what do I need to look or search for regarding syntax so that I can change
the score from what you see above to a lower fractional score like

score URIBL_TEST 0 .1 0 .1

and get a good output from spamassassin --lint

thanks in advance


If you are referring to this:

[42778] warn: config: SpamAssassin failed to parse line, test_rule .1 is
not valid for score, skipping: score test_rule .1
[42778] warn: lint: 1 issues detected, please rerun with debug enabled for 
more information


You have to prefix all decimal score values with a zero (0). So in your case:

  score URIBL_TEST 0 0.1 0 0.1


RE: fractional scores and syntax

2008-05-09 Thread Robert - elists
 
 If you are referring to this:
 
 [42778] warn: config: SpamAssassin failed to parse line, test_rule .1 is
 not valid for score, skipping: score test_rule .1
 [42778] warn: lint: 1 issues detected, please rerun with debug enabled for
 more information
 
 You have to prefix all decimal score values with a zero (0). So in your case:
 
score URIBL_TEST 0 0.1 0 0.1

Ohhh, duhsky!

thank you!

Grasshopper is grateful!

 - rh



Re: False positive on forged_mua_outlook

2008-05-09 Thread Matus UHLAR - fantomas
On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on
 
 4.2 FORGED_MUA_OUTLOOK
 
 and are saying they are 100% certain that the email was sent from MS 
 Outlook Express. Is this a known problem or are these users doing something 
 wrong?

Maybe... can you show us the headers of such an e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 &&
!__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 &&
!__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID &&
!__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)

at least Message-Id and X-Mailer...

btw, do you update rules periodically?
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.
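
How the three meta rules Matus quotes combine, as an added example that is not code from the thread or from SpamAssassin: a small Python evaluator for meta expressions of this shape, run over the rule text with the `&&` operators that the list archive stripped restored. Deriving `__OE_MUA` from the X-Mailer header and `__UNUSABLE_MSGID` from the Message-ID shape are assumptions of this example; the `__OE_MSGID_*` and other sub-rules, whose regexes are not on the page, are passed in as already-computed hits, and a rule name that is neither a hit nor a meta rule counts as not hit (also this example's choice). The sample Message-ID is constructed, since the archive redacts the real one.

```python
import re

# The three meta rules from Matus's reply, with the && operators restored.
META_RULES = {
    "__FORGED_OE": "(__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3"
                   " && !__OE_MSGID_4 && !__UNUSABLE_MSGID)",
    "__FORGED_OUTLOOK_DOLLARS": "(__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2"
                                " && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID"
                                " && !__IMS_MSGID && !__UNUSABLE_MSGID)",
    "FORGED_MUA_OUTLOOK": "(__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)",
}

# Headers from the message in the thread; the Message-ID is constructed.
SAMPLE = {
    "X-Mailer": "Microsoft Outlook Express 6.00.3790.3959",
    "Message-ID": "<000a01c8af72$6f2e8a80$6401a8c0@server>",
}

TOKEN = re.compile(r"\s*(\(|\)|!|&&|\|\||[A-Za-z_][A-Za-z0-9_]*)")


def tokenize(expr):
    """Split a meta expression into parentheses, operators and rule names."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class MetaParser:
    """Recursive-descent evaluator: or-expr > and-expr > not-expr > atom.
    lookup(name) supplies the truth value of a rule name. Both operands are
    always parsed, so no tokens are skipped by short-circuiting."""

    def __init__(self, tokens, lookup):
        self.tokens, self.pos, self.lookup = tokens, 0, lookup

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "||":
            self.take()
            value = self.parse_and() or value
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "&&":
            self.take()
            value = self.parse_not() and value
        return value

    def parse_not(self):
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in ("!", ")", "&&", "||"):
            raise ValueError(f"unexpected token {tok!r}")
        return self.lookup(tok)


def evaluate(rules, hits):
    """Resolve every meta rule given the sub-rule hits; unknown names are False."""
    results = dict(hits)

    def lookup(name):
        if name in results:
            return bool(results[name])
        if name in rules:
            results[name] = MetaParser(tokenize(rules[name]), lookup).parse_or()
            return results[name]
        return False

    for name in rules:
        lookup(name)
    return results


def forged_mua_outlook(headers, msgid_hits=None):
    """Decide FORGED_MUA_OUTLOOK for one message. The X-Mailer and Message-ID
    checks below are this example's assumptions, not SpamAssassin's rules."""
    x_mailer = headers.get("X-Mailer", "")
    msgid = headers.get("Message-ID", "")
    hits = {
        "__OE_MUA": x_mailer.startswith("Microsoft Outlook Express"),
        "__UNUSABLE_MSGID": re.fullmatch(r"<[^<>@\s]+@[^<>@\s]+>", msgid) is None,
    }
    hits.update(msgid_hits or {})
    return evaluate(META_RULES, hits)["FORGED_MUA_OUTLOOK"]


if __name__ == "__main__":
    print("no OE-style Message-ID matched:", forged_mua_outlook(SAMPLE))
    print("__OE_MSGID_2 matched:", forged_mua_outlook(SAMPLE, {"__OE_MSGID_2": True}))
    print("Message-ID missing:", forged_mua_outlook({"X-Mailer": SAMPLE["X-Mailer"]}))
```

Read this way, the rule only fires when the mailer claims Outlook Express and none of the known OE Message-ID shapes match, which is why Matus asks for the Message-Id and X-Mailer headers and whether the rule set is current: a new Message-ID format from a genuine client is exactly what produces this false positive.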


Re: triplets.txt

2008-05-09 Thread Henrik K
On Fri, May 09, 2008 at 11:21:01AM -0400, Theo Van Dinter wrote:
 On Fri, May 09, 2008 at 08:16:29AM -0400, Matt Kettler wrote:
  Hi, could someone kindly tell me what the file triplets.txt is used 
  for, and if I need to have it in my rules directory or not?
  
  It's used for the TextCat plugin (which provides the ok_languages 
  option). While you should have it in your rules directory, it won't 
  break anything if you've got TextCat disabled.
 
 Just to be more specific -- it needs to be in the default rules directory.
 You don't need it in the local state dir, site rules dir, user preferences
 dir, etc.
 
 If it's not there already, your install would seem to have some issues.

And what version are you talking about? I don't have triplets.txt in any of
my 3.2.4 installations.

There's not a single mention of triplets.txt anywhere except
Plugins/HeaderEval.pm, and only in the check_for_unique_subject_id function,
which isn't even used.

TextCat references the languages file in rules, not triplets.txt.



Re: fractional scores and syntax

2008-05-09 Thread Loren Wilton

score URIBL_TEST 0 1 0 1

this works...  :-)

score URIBL_TEST 0 .1 0 .1


And the above presumably doesn't work.

As far as the SA parser is concerned, a number needs to start with a digit, 
so .1 is invalid.


score URIBL_TEST 0.0 0.1 0.0 0.1

Should work.

   Loren
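
The score syntax rule D Hill and Loren describe above (a number has to start with a digit, so `.1` is rejected and `0.1` accepted), as an added example that is not code from the thread or from SpamAssassin: a Python checker for `score` lines that reproduces the rejection, emits a warning in the shape of the `--lint` output quoted earlier, and rewrites bare fractions the way D Hill suggests. Accepting an optional leading minus and allowing either one or four score values are this example's assumptions about the line format, not claims about SpamAssassin's parser.

```python
import re

# A score value must start with a digit: ".1" is rejected, "0.1" accepted.
# The optional leading minus is this example's assumption.
SCORE_RE = re.compile(r"^-?\d+(?:\.\d+)?$")
# "score NAME values... [# comment]"
LINE_RE = re.compile(r"^\s*score\s+([A-Za-z_][A-Za-z0-9_]*)\s+([^#]*?)\s*(?:#.*)?$")


def parse_score_line(line):
    """Return (rule_name, [scores]) for a well-formed score line, or raise
    ValueError with a message modelled on the --lint warning in the thread."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a score line: {line!r}")
    rule, values = m.group(1), m.group(2).split()
    if len(values) not in (1, 4):          # one score, or one per score set
        raise ValueError(f"{rule}: expected 1 or 4 scores, got {len(values)}")
    for v in values:
        if not SCORE_RE.match(v):
            raise ValueError(f"{rule} {v} is not valid for score")
    return rule, [float(v) for v in values]


def normalize_score_line(line):
    """Rewrite bare fractions (".1", "-.1") as "0.1" / "-0.1", the fix D Hill
    gives; anything else on the line is left alone."""
    m = LINE_RE.match(line)
    if not m:
        return line
    fixed = [re.sub(r"^(-?)\.", r"\g<1>0.", v) for v in m.group(2).split()]
    return f"score {m.group(1)} {' '.join(fixed)}"


def lint(lines):
    """Return one warning string per rejected line, in --lint style."""
    warnings = []
    for line in lines:
        try:
            parse_score_line(line)
        except ValueError as err:
            warnings.append(
                f"config: SpamAssassin failed to parse line, {err}, "
                f"skipping: {line.strip()}"
            )
    return warnings


if __name__ == "__main__":
    bad = "score URIBL_TEST 0 .1 0 .1"
    for w in lint([bad]):
        print("warn:", w)
    fixed = normalize_score_line(bad)
    print("fixed:", fixed, "->", parse_score_line(fixed))
```

Running the checker over a local rules file before restarting the daemon catches the skipped-line case early; a skipped `score` line silently leaves the rule at whatever score it had before, which is easy to miss in production.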



Re: False positive on forged_mua_outlook

2008-05-09 Thread Jeff Koch


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent from MS
 Outlook Express. Is this a known problem or are these users doing 
something

 wrong?

Maybe... can you show us the headers of such an e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 &&
!__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 &&
!__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID &&
!__UNUSABLE_MSGID)

meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)

at least Message-Id and X-Mailer...

btw, do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.


Best Regards,

Jeff Koch, Intersessions 



Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
-

Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent from MS
 Outlook Express. Is this a known problem or are these users doing 
something

 wrong?

Maybe... can you show us the headers of such an e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 &&
!__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA &&
!__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID &&
!__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE ||
__FORGED_OUTLOOK_DOLLARS)


at least Message-Id and X-Mailer...

btw, do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They say when you play that M$ CD backward you can hear satanic 
messages.

That's nothing. If you play it forward it will install Windows.


Best Regards,

Jeff Koch, Intersessions
Could you include the whole complete header including the spam report 
because this looks like a valid M$ outlook/express header?


Re: False positive on forged_mua_outlook

2008-05-09 Thread Jeff Koch


Hi Randy - here's the whole thing:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4820ADC5.A4580A7F

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system libra.xxx.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- --
 0.1 RDNS_NONE  Delivered to trusted network by a host with no 
rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset=iso-8859-1;
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent from MS
 Outlook Express. Is this a known problem or are these users doing 
something

 wrong?

Maybe... can you show us the headers of such an e-mail?

meta __FORGED_OE(__OE_MUA  !__OE_MSGID_1  

Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Jeff Koch wrote:


Hi Randy - here's the whole thing:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,

TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with 
no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS 
Outlook

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4820ADC5.A4580A7F

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system libra.xxx.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- 
--
 0.1 RDNS_NONE  Delivered to trusted network by a host 
with no rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
-

Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset=iso-8859-1;
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -

Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent from MS
 Outlook Express. Is this a known problem or are these users doing 
something

 wrong?

Maybe... can you show us the headers of such an e-mail?

meta __FORGED_OE

Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Randy - here's the whole thing:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,

TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with 
no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from 
MS Outlook

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4820ADC5.A4580A7F

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system libra.xxx.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- 
--
 0.1 RDNS_NONE  Delivered to trusted network by a host 
with no rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -

Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset=iso-8859-1;
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com 
[216.99.214.161])

by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent 
from MS
 Outlook Express. Is this a known problem or are these users 
doing something

 wrong?

Maybe... can you show us the headers of such an e-mail?

meta 

Re: Multiple X-Envelope-From and SPF

2008-05-09 Thread Benny Pedersen

On Fri, May 9, 2008 08:55, ram wrote:

 Precisely what I am afraid of. But the issue is, whatever header I use
 for envelope-from, all of them can be trivially forged.
 I am trying to replace all the X-Envelope headers before sending them to
 the scan servers.

don't change headers on trusted routes, you will fail if you do it, but if you
have diff MTAs with diff envelope_sender_header one might need to have diff
content scanners as well

envelope_sender_header in local.cf does not solve that imho


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: IE Parse bug also in SpamAssassin?

2008-05-09 Thread Benny Pedersen

On Fri, May 9, 2008 15:42, Joseph Brennan wrote:

 You know about it being an IE parse bug, and that seems to be news to
 the rest of us. How'd you hear about it?

enabled spam_admin in amavisd-new and read my logs :-)

one SARE hit on IE bug


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: IE Parse bug also in SpamAssassin?

2008-05-09 Thread Benny Pedersen

On Fri, May 9, 2008 15:27, Justin Mason wrote:

 so does SpamAssassin parse the URI correctly, or not?

as I can see it does, but it just currently doesn't pick up the URI in redir.html

can webredirect plugin do this ?


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098