Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Fri, 26 May 2017, RW wrote:

> On Thu, 25 May 2017 17:29:00 -0700 (PDT)
> John Hardin wrote:
>> On Thu, 25 May 2017, RW wrote:
>>
>>> Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com>
>>>
>>>>> header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>>>>>
>>>>> Message-ID:
>>
>> So it looks like Mozilla has changed Message-ID values from 8hex.8hex
>> uppercase-only to a lowercase GUID. That's a simple enough change to
>> make to that rule.
>
> The pattern seems to be consistently 8-4-4-4-12.

Ready for working masschecks and new release:

https://svn.apache.org/viewvc?view=revision&revision=1796722
https://svn.apache.org/viewvc?view=revision&revision=1796723

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 The world has enough Mouse Clicking System Engineers. -- Dave Pooser
---
 Today: Memorial Day - honor those who sacrificed for our liberty
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thu, 25 May 2017 17:29:00 -0700 (PDT)
John Hardin wrote:

> On Thu, 25 May 2017, RW wrote:
>
>> Actually it does look like there is another problem. This is another
>> Thunderbird header from this list with the same format:
>>
>> Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com>
>>
>>>> header __MOZILLA_MSGID MESSAGEID =~
>>>> /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>>>>
>>>> Message-ID:
>>>>
>
> So it looks like Mozilla has changed Message-ID values from 8hex.8hex
> uppercase-only to a lowercase GUID. That's a simple enough change to
> make to that rule.

The pattern seems to be consistently 8-4-4-4-12.

It looks like old versions of Aqua Mail had User-Agent headers that
started with Mozilla, with its own Message-Id format. This won't cause
FPs on new mail, but it may affect the stats on corpora that contain
ham that's more than a year old.
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
And Dave had things working for rule publishing as well. I need to QA
some output and turn on DNS, so if you get this into svn, we are almost
ready.

We are fighting a lot of fronts at once but they are all moving forward.

Regards,
KAM

On May 25, 2017 8:29:00 PM EDT, John Hardin wrote:
>On Thu, 25 May 2017, RW wrote:
>
>> Actually it does look like there is another problem. This is another
>> Thunderbird header from this list with the same format:
>>
>> Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com>
>>
>>>> header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>>>>
>>>> Message-ID:
>
>So it looks like Mozilla has changed Message-ID values from 8hex.8hex
>uppercase-only to a lowercase GUID. That's a simple enough change to
>make to that rule.
>
>
>-- 
> John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>---
> Where are my space habitats? Where is my flying car?
> It's 2010 and all I got from the SF books of my youth
> is the lousy dystopian government. -- perlhaqr
>---
> 4 days until Memorial Day - honor those who sacrificed for our liberty
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thu, 25 May 2017, RW wrote:

> Actually it does look like there is another problem. This is another
> Thunderbird header from this list with the same format:
>
> Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com>
>
>>> header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>>>
>>> Message-ID:

So it looks like Mozilla has changed Message-ID values from 8hex.8hex
uppercase-only to a lowercase GUID. That's a simple enough change to
make to that rule.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Where are my space habitats? Where is my flying car?
 It's 2010 and all I got from the SF books of my youth
 is the lousy dystopian government. -- perlhaqr
---
 4 days until Memorial Day - honor those who sacrificed for our liberty
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thu, 25 May 2017 21:50:08 +0100
RW wrote:

> On Thu, 25 May 2017 16:29:06 -0400
> Alex wrote:
>
>> I have an email that hit __MOZILLA_MUA, but failed
>> FORGED_MUA_MOZILLA because it didn't match __MOZILLA_MSGID.
>
> The rule is
>
> meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID
> && !__MOZILLA_MSGID)
>
> so the rule requires __MOZILLA_MSGID *not* to match. So presumably
> it did match __UNUSABLE_MSGID.

Actually it does look like there is another problem. This is another
Thunderbird header from this list with the same format:

Message-ID: <74e85e8d-2495-665b-372f-0144bcb2c...@mcgrail.com>

It was let off FORGED_MUA_MOZILLA because __LYRIS_EZLM_REMAILER is part
of __UNUSABLE_MSGID, but the list isn't rewriting message-ids (AFAIK).

>> header __MOZILLA_MSGID MESSAGEID =~
>> /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>>
>> The email is most definitely not spam. This is the Message-ID that
>> didn't match: Message-ID:
>>
>>
>> Is it possible this is an FP?
>>
>> Thanks,
>> Alex
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thu, 25 May 2017 16:29:06 -0400
Alex wrote:

> I have an email that hit __MOZILLA_MUA, but failed FORGED_MUA_MOZILLA
> because it didn't match __MOZILLA_MSGID.

The rule is

meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)

so the rule requires __MOZILLA_MSGID *not* to match. So presumably it
did match __UNUSABLE_MSGID.

> header __MOZILLA_MSGID MESSAGEID =~
> /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>
> The email is most definitely not spam. This is the Message-ID that
> didn't match: Message-ID:
>
>
> Is it possible this is an FP?
>
> Thanks,
> Alex
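The meta-rule logic RW spells out above (FORGED_MUA_MOZILLA fires only when the User-Agent looks like Mozilla *and* the Message-ID does *not* look Mozilla-generated), together with John Hardin's observation further up the thread that Thunderbird moved from 8hex.8hex uppercase Message-IDs to lowercase 8-4-4-4-12 GUIDs, can be reproduced offline. The following Python is an added illustration and not part of the thread or of SpamAssassin itself: it ports the two header regexes quoted in the thread to Python's re module, adds a guessed GUID pattern for the updated __MOZILLA_MSGID (the regex actually committed in r1796722 is not shown on this page, so that pattern, the acceptance of both old and new forms, and the `unusable_msgid` flag standing in for __UNUSABLE_MSGID are all assumptions), and runs both rule versions over constructed sample headers to show the false positive that the lowercase GUID caused and how the updated pattern removes it.

```python
import re

# SpamAssassin sub-rules as quoted in the thread, ported from Perl regex
# syntax to Python's re module. Rule names are the thread's own.
MOZILLA_MUA = re.compile(r"^mozilla\b", re.IGNORECASE)           # __MOZILLA_MUA (fixed form)
OLD_MOZILLA_MSGID = re.compile(                                   # __MOZILLA_MSGID as quoted
    r"^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$", re.MULTILINE)

# ASSUMPTION: guessed shape of the updated __MOZILLA_MSGID. The thread only
# says new Thunderbird Message-IDs are lowercase GUIDs laid out 8-4-4-4-12;
# the regex actually committed in r1796722 is not on the page.
GUID_MOZILLA_MSGID = re.compile(
    r"^<[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}@\S+>$", re.MULTILINE)


def mozilla_msgid(msgid: str, updated: bool) -> bool:
    """__MOZILLA_MSGID: does the Message-ID look like one a Mozilla MUA wrote?

    ASSUMPTION: the updated variant accepts both the historical 8hex.8hex
    form and the GUID form, so year-old ham in a mass-check corpus keeps
    matching (RW's corpus-stats concern in the thread).
    """
    if OLD_MOZILLA_MSGID.search(msgid):
        return True
    return updated and bool(GUID_MOZILLA_MSGID.search(msgid))


def forged_mua_mozilla(headers: dict, updated: bool = False,
                       unusable_msgid: bool = False) -> bool:
    """meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)

    `unusable_msgid` stands in for __UNUSABLE_MSGID; its sub-rules (such as
    the __LYRIS_EZLM_REMAILER check RW mentions) are not on the page, so the
    caller supplies the verdict (assumption).
    """
    mua = bool(MOZILLA_MUA.search(headers.get("User-Agent", "")))
    msgid = headers.get("Message-ID", "")
    return mua and not unusable_msgid and not mozilla_msgid(msgid, updated)


# Constructed sample headers: not real messages, Message-IDs are made up.
SAMPLES = {
    "old_thunderbird": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0",
        "Message-ID": "<4A1B2C3D.5E6F7A8B@example.org>",
    },
    "new_thunderbird": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1",
        "Message-ID": "<1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d@example.org>",
    },
    "mozilla_ua_other_msgid": {
        "User-Agent": "Mozilla/5.0 (compatible; SomeMailer/1.0)",
        "Message-ID": "<CAKx7=abc_def@mail.example.net>",
    },
    "not_mozilla": {
        "User-Agent": "Mutt/1.8.3 (2017-05-23)",
        "Message-ID": "<20170525120000.GA1234@example.net>",
    },
}


def evaluate(updated: bool) -> dict:
    """Map each sample name to whether FORGED_MUA_MOZILLA fires under the
    old (updated=False) or updated (updated=True) __MOZILLA_MSGID."""
    return {name: forged_mua_mozilla(h, updated=updated) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for updated in (False, True):
        print(f"updated __MOZILLA_MSGID: {updated}")
        for name, fired in evaluate(updated).items():
            print(f"  {name:24s} FORGED_MUA_MOZILLA={'yes' if fired else 'no'}")
```

Under the old pattern the GUID-style Thunderbird sample is flagged as forged (the false positive Alex and RW are discussing); under the guessed updated pattern it is not, while a Mozilla User-Agent paired with a Message-ID of neither shape still trips the rule. Passing `unusable_msgid=True` shows the escape hatch RW describes: the meta rule never fires once __UNUSABLE_MSGID matches, whatever the Message-ID looks like.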
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thu, 25 May 2017, Alex wrote:

>> You can add the fix to your local SA config file:
>>
>> header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
>
> I have an email that hit __MOZILLA_MUA,

The current published __MOZILLA_MUA, or the fixed version above?

> but failed FORGED_MUA_MOZILLA because it didn't match __MOZILLA_MSGID.
>
> header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m
>
> The email is most definitely not spam. This is the Message-ID that
> didn't match:
>
> Message-ID:

Please also provide the User-Agent header.

> Is it possible this is an FP?

Was its final score high enough to be considered spam?

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 The Tea Party wants to remove the Crony from Crony Capitalism.
 OWS wants to remove Capitalism from Crony Capitalism. -- Astaghfirullah
---
 4 days until Memorial Day - honor those who sacrificed for our liberty
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
Hi,

On Thu, May 25, 2017 at 3:29 PM, John Hardin wrote:
> On Thu, 25 May 2017, Abhishek Tiwari wrote:
>
>> Hello,
>>
>> I have no background about .
>> I am working on product which is mailserver
>>
>> I see a complaint online about a false positive,
>>
>> 1.FORGED_MUA_MOZILLA: 2.309, FORGED_YAHOO_RCVD: 1.63, HTML_MESSAGE: 0.001,
>> NO_RDNS_DOTCOM_HELO: 0.823, TOTAL_SCORE: 8.702,autolearn=no
>>
>> 2.
>> -0.000, BAYES_50: 1.567, FORGED_YAHOO_RCVD: 1.63,
>> URIBL_BLOCKED: 0.001, CUSTOM_BODY_RULE_NUMBER_715: 0.1, TOTAL_SCORE:
>> 3.298,autolearn=no
>> X-Spam-Level: ***
>>
>> Any suggestions, how these could be resolved
>
>
> It has already been reported that the FORGED_MUA_MOZILLA rule has FP
> problems with Yahoo. Please search the mailing list archives for "False
> Positives from yahoo due to FORGED_MUA_MOZILLA".
>
> At the moment the rule scoring and publication process is down for hardware
> replacement, so the fixed rules won't be available for a while.
>
> You can add the fix to your local SA config file:
>
> header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i
>
> ...then remember to remove it when rule updates resume.

I have an email that hit __MOZILLA_MUA, but failed FORGED_MUA_MOZILLA
because it didn't match __MOZILLA_MSGID.

header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m

The email is most definitely not spam. This is the Message-ID that
didn't match:

Message-ID:

Is it possible this is an FP?

Thanks,
Alex
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thu, 25 May 2017, Abhishek Tiwari wrote:

> Hello,
>
> I have no background about .
> I am working on product which is mailserver
>
> I see a complaint online about a false positive,
>
> 1.FORGED_MUA_MOZILLA: 2.309, FORGED_YAHOO_RCVD: 1.63, HTML_MESSAGE: 0.001,
> NO_RDNS_DOTCOM_HELO: 0.823, TOTAL_SCORE: 8.702,autolearn=no
>
> 2.
> -0.000, BAYES_50: 1.567, FORGED_YAHOO_RCVD: 1.63,
> URIBL_BLOCKED: 0.001, CUSTOM_BODY_RULE_NUMBER_715: 0.1, TOTAL_SCORE:
> 3.298,autolearn=no
> X-Spam-Level: ***
>
> Any suggestions, how these could be resolved

It has already been reported that the FORGED_MUA_MOZILLA rule has FP
problems with Yahoo. Please search the mailing list archives for "False
Positives from yahoo due to FORGED_MUA_MOZILLA".

At the moment the rule scoring and publication process is down for
hardware replacement, so the fixed rules won't be available for a while.

You can add the fix to your local SA config file:

  header __MOZILLA_MUA User-Agent =~ /^mozilla\b/i

...then remember to remove it when rule updates resume.

For the "URIBL_BLOCKED", you need to set up a local NON-FORWARDING DNS
server for your mail system (MTA + SA) to use. Please see
https://wiki.apache.org/spamassassin/CachingNameserver

For the "BAYES_50": if that message is ham, train it as ham. If it is
spam, train it as spam.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 For those who are being swayed by Microsoft's whining about the GPL,
 consider how aggressively viral their Shared Source license is:
 If you've *ever* seen *any* MS code covered by the Shared Source
 license, you're infected for life. MS can sue you for Intellectual
 Property misappropriation whenever they like, so you'd better not
 come up with any Innovative Ideas that they want to Embrace...
---
 4 days until Memorial Day - honor those who sacrificed for our liberty
Re: FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
On Thursday 25 May 2017 at 18:35:34, Abhishek Tiwari wrote:

> Hello,
>
> I have no background about .

About what?

> I am working on product which is mailserver

What sort of mailserver (or, which product)?

> I see a complaint online about a false positive,
>
> 1.FORGED_MUA_MOZILLA: 2.309, FORGED_YAHOO_RCVD: 1.63, HTML_MESSAGE: 0.001,
> NO_RDNS_DOTCOM_HELO: 0.823, TOTAL_SCORE: 8.702,autolearn=no
>
> 2. -0.000, BAYES_50: 1.567, FORGED_YAHOO_RCVD: 1.63,
> URIBL_BLOCKED: 0.001, CUSTOM_BODY_RULE_NUMBER_715: 0.1, TOTAL_SCORE:
> 3.298,autolearn=no
> X-Spam-Level: ***
>
> Any suggestions, how these could be resolved

You'll need to give us a whole load more information for us to have a
clue about what the "problem" is. For example:

1. What MTA are you using, and how is SpamAssassin being called?

2. What are the full headers of the "false positive" emails in question?

3. Which version of SpamAssassin are you using?

4. How do you know these are false positives?

5. Which aspect of the spam score is being claimed as the "false
   positive"? In the first email it could be the Mozilla MUA or the
   Yahoo RCVD header - I guess in the second case it's the Yahoo RCVD
   header?

6. What score have you omitted to tell us about and why? In the first
   email the scores you've shown add up to 4.75, yet the total shown is
   8.7; in the second email there's clearly something missing before
   the "-0.000", although the values of the scores add up this time.

Summary: the more information you give us, the more likely we are to be
able to help, without simply guessing or offering general and dubiously
useful advice.

Antony.

-- 
Is it venison for dinner again? Oh deer.

Please reply to the list; please *don't* CC me.
FORGED_MUA_MOZILLA & FORGED_YAHOO_RCVD
Hello,

I have no background about .
I am working on product which is mailserver

I see a complaint online about a false positive,

1.FORGED_MUA_MOZILLA: 2.309, FORGED_YAHOO_RCVD: 1.63, HTML_MESSAGE: 0.001,
NO_RDNS_DOTCOM_HELO: 0.823, TOTAL_SCORE: 8.702,autolearn=no

2.
-0.000, BAYES_50: 1.567, FORGED_YAHOO_RCVD: 1.63,
URIBL_BLOCKED: 0.001, CUSTOM_BODY_RULE_NUMBER_715: 0.1, TOTAL_SCORE:
3.298,autolearn=no
X-Spam-Level: ***

Any suggestions, how these could be resolved

Regards
Abhishek