Hotmail DCC listed ???
This is the rule check for a 'normal' (non-spam) e-mail that came from Hotmail:

pts rule name            description
--- -------------------- --------------------------------------------------
1.0 SUBJ_ALL_CAPS        Subject is all capitals
2.3 FORGED_HOTMAIL_RCVD  Forged hotmail.com 'Received:' header found
0.0 HTML_MESSAGE         BODY: HTML included in message
0.0 BAYES_50             BODY: Bayesian spam probability is 40 to 60%
                         [score: 0.4743]
0.2 MIME_BASE64_NO_NAME  RAW: base64 attachment does not have a file name
2.2 DCC_CHECK            Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

Are FORGED_HOTMAIL_RCVD and DCC_CHECK false positives???
Re: Hotmail DCC listed ???
We would need to see the full headers.

Regards,

--
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

Rejaine Monteiro [EMAIL PROTECTED] wrote:
> This is the rule check for a 'normal' (non-spam) e-mail that came from Hotmail:
> pts rule name description --
Re: Hotmail DCC listed ???
'hotmail' isn't listed in DCC. DCC only scored on fuzzy checksums on the body and portions of the headers.

Also, DCC is NOT a 100% 'spam score'. DCC is a 'bulk email' score. Even well run technical mailing list emails are SUPPOSED to score high with DCC. (it's 'bulk'). Read the DCC documents on whitelisting your bulk email marketing lists.

However, interestingly enough, you have FORGED_HOTMAIL_RCVD. Did someone send an email from a non-hotmail source using a hotmail email address?

And, interestingly enough, SCREAMED AT YOU IN THE SUBJECT LINE?

Was it 'spam', or was it a 'bulk' email?

--
Michael Scheidell, CTO
SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium
Re: Hotmail DCC listed ???
Here is...

===
Received: from bay0-omc2-s37.bay0.hotmail.com (65.54.246.173)
  by myserver.mydomain with SMTP; 24 Feb 2008 20:34:41 -0300
Received-SPF: pass (myserver.mydomain: SPF record at spf-a.hotmail.com designates 65.54.246.173 as permitted sender)
Received: from BAY136-W10 ([65.55.141.45]) by bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
  Sun, 24 Feb 2008 15:34:37 -0800
Message-ID: [EMAIL PROTECTED]
Return-Path: [[EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary="_09a8dc75-6268-44df-9651-699be18c9064_"
X-Originating-IP: [189.27.208.XXX]
From: [SENDER] [EMAIL PROTECTED]
To: [user]@mydomain
Subject: Test 123
Date: Sun, 24 Feb 2008 23:34:36 +
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 24 Feb 2008 23:34:37.0480 (UTC) FILETIME=[D1B0E280:01C8773D]

--_09a8dc75-6268-44df-9651-699be18c9064_
Content-Type: multipart/alternative; boundary="_15d4da47-3ecf-4c36-a260-a489d560834e_"

--_15d4da47-3ecf-4c36-a260-a489d560834e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
===

--[ UxBoD ]-- wrote:
> we would need to see the full headers. Regards,
Re: Hotmail DCC listed ???
Sorry, the original subject was "TESTE_CAXIAS" (in Portuguese language and all capitals)
Re: Hotmail DCC listed ???
Michael Scheidell wrote:
> However, interestingly enough, you have FORGED_HOTMAIL_RCVD. Did someone send an email from non hotmail source using a hotmail email address?

No, the message was sent from the Hotmail site (www.hotmail.com)

> And, interestingly enough, SCREAMED AT YOU IN THE SUBJECT LINE?
> Was it 'spam', or was it a 'bulk' email?

Yes.. Subject is in capitals.. OK, I agree with the 1.0 SUBJ_ALL_CAPS score..
But I do not agree with the 2.3 FORGED_HOTMAIL_RCVD score, because the message came from Hotmail...
Re: Hotmail DCC listed ???
Rejaine Monteiro wrote:
> But I do not agree with the 2.3 FORGED_HOTMAIL_RCVD score, because the message came from Hotmail...

Go to bugzilla for spamassassin. Fill out a report for forged_hotmail_rcvd (posting to SA list won't help any).

If you are NOT running SA 3.2.4, upgrade. If you are NOT running sa-update, run it.

Hotmail changes their servers like boy george changes eye liner. Unless you keep up with them, you will get FP's.

If you can't upgrade, set score to 0.

--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
http://www.technosium.com/hotcompanies/
Re: Hotmail DCC listed ???
Michael Scheidell wrote:
> hotmail changes their servers like boy george changes eye liner. unless you keep up with them, you will get FP's
> If you can't upgrade, set score to 0.

I'm running spamassassin 3.1.7 and use sa-update, but an upgrade is not possible for now...
So, I will score FORGED_HOTMAIL_RCVD to 0...
Anyway, Hotmail has an SPF entry; that will have to be enough.
Thank you!
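
The fallback the thread ends on (zero FORGED_HOTMAIL_RCVD and rely on Hotmail's SPF result) can be checked by hand against the posted headers. The following is an added example, not part of any post above and not SpamAssassin's rule logic; `triage`, `first_ip` and the verdict labels are hypothetical names, and the sample is constructed from the headers quoted in the thread.

```python
import re
from email import message_from_string

# Constructed sample: the first header lines posted in this thread, refolded.
# myserver.mydomain is the poster's placeholder for the receiving MTA.
SAMPLE = """\
Received: from bay0-omc2-s37.bay0.hotmail.com (65.54.246.173)
 by myserver.mydomain with SMTP; 24 Feb 2008 20:34:41 -0300
Received-SPF: pass (myserver.mydomain: SPF record at spf-a.hotmail.com
 designates 65.54.246.173 as permitted sender)
Received: from BAY136-W10 ([65.55.141.45])
 by bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Sun, 24 Feb 2008 15:34:37 -0800
Subject: Test 123

"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def first_ip(text):
    m = IPV4.search(text or "")
    return m.group(1) if m else None

def triage(raw, our_host, provider_domain):
    """Hypothetical helper: compare the hop our MTA stamped with Received-SPF."""
    msg = message_from_string(raw)
    # Trust only the Received line written by our own server; every line
    # below it was supplied by the sending side and can be fabricated.
    by_us = re.compile(r"\bby\s+" + re.escape(our_host) + r"(?![\w.-])", re.I)
    hop = next((h for h in msg.get_all("Received", []) if by_us.search(h)), None)
    if hop is None:
        return {"verdict": "no-trusted-hop"}
    m = re.match(r"from\s+(\S+)", hop)
    name = m.group(1).lower() if m else ""
    relay_ip = first_ip(hop)
    spf = (msg.get("Received-SPF") or "").split(None, 1)
    spf_result = spf[0].lower() if spf else "none"
    # SPF authorises the connecting IP, so the pass must name the same address.
    spf_ok = (spf_result == "pass" and relay_ip is not None
              and first_ip(spf[1] if len(spf) > 1 else "") == relay_ip)
    name_ok = name == provider_domain or name.endswith("." + provider_domain)
    if spf_ok and name_ok:
        verdict = "consistent"      # both signals agree the provider relayed it
    elif spf_ok:
        verdict = "spf-only"        # authorised IP, unexpected relay name
    else:
        verdict = "suspect"         # no SPF pass for the IP we actually saw
    return {"verdict": verdict, "relay": name, "relay_ip": relay_ip, "spf": spf_result}
```

Depending on the MTA, the name in the `from` clause may be supplied by the connecting client, so the IP-to-SPF match carries more weight than the name match.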