RE: MID_14DIGITS_HEX will FP on any server running postfix?

2006-12-24 Thread Michael Scheidell


> -----Original Message-----
> From: Benny Pedersen [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, December 24, 2006 5:09 AM
> To: users@spamassassin.apache.org
> Subject: Re: MID_14DIGITS_HEX will FP on any server running postfix?
> 
> 
> 
> On Sat, December 23, 2006 23:14, Michael Scheidell wrote:
> 
> > Message-Id: <[EMAIL PROTECTED]>
> >
> > Here is rule:
> >
> > header MID_14DIGITS_HEX Message-ID =~
> > /^<[EMAIL PROTECTED]/
> > updates_spamassassin_org/80_additional.cf:score MID_14DIGITS_HEX 2.8
> >
> > It also looks like you added it to CVS:
> 
> what mua is creating this?

I don't think the client put any message id on it.

Why exim didn't put a message-id on it, I don't know.

Received: from 0.mail.spammertrap.net ([127.0.0.1])
    by localhost (0.mail.spammertrap.net [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id VQzAT6V4ohWM for <[EMAIL PROTECTED]>;
    Sat, 23 Dec 2006 10:07:15 -0500 (EST)
Received: from s11.s11avahost.net (s11.s11avahost.net [66.98.170.86])
    by 0.mail.spammertrap.net (Postfix) with ESMTP id E842517017
    for <[EMAIL PROTECTED]>; Sat, 23 Dec 2006 10:07:14 -0500 (EST)
Received: from e9.fcbccf.client.atlantech.net ([207.188.252.233]:4214 helo=DCERT01)
    by s11.s11avahost.net with esmtpa (Exim 4.52)
    id 1GuQme-0001m1-UP
    for [EMAIL PROTECTED]; Wed, 13 Dec 2006 03:52:17 -0600

As per first email, the MUA left it blank.

MY MTA (postfix 2.3.4) added the missing message id, as per RFCs.

> 
> http://www.postfix.org/postconf.5.html#remote_header_rewrite_domain
> 

Not sure what the above has to do with it.

postconf remote_header_rewrite_domain
remote_header_rewrite_domain =

Maybe I am dense.

At issue is the regex expression used to decide that this is a forged
email.
It wasn't, it's not, and neither is any email coming from my MTA.



Re: MID_14DIGITS_HEX will FP on any server running postfix?

2006-12-24 Thread Benny Pedersen

On Sat, December 23, 2006 23:14, Michael Scheidell wrote:

> Message-Id: <[EMAIL PROTECTED]>
>
> Here is rule:
>
> header MID_14DIGITS_HEX Message-ID =~
> /^<[EMAIL PROTECTED]/
> updates_spamassassin_org/80_additional.cf:score MID_14DIGITS_HEX 2.8
>
> It also looks like you added it to CVS:

what mua is creating this?

http://www.postfix.org/postconf.5.html#remote_header_rewrite_domain

-- 
This message was sent using 100% recycled spam mails.



MID_14DIGITS_HEX will FP on any server running postfix?

2006-12-23 Thread Michael Scheidell
Merry Christmas jm, please look at this rule after Christmas holiday.


Not sure WHY 'MID_14DIGITS_HEX' is a false positive on every postfix 2.3.4
(maybe more)

(its in 3.7 updates:  ../updates_spamassassin_org/80_additional.cf)

Not sure if you know that a POSTFIX server produces this message id and
ONLY this type of message id.
Just because postfix produces this message id, doesn't mean it's spam.
Sample below:

Message-Id: <[EMAIL PROTECTED]>

Here is rule:

header MID_14DIGITS_HEX Message-ID =~
/^<[EMAIL PROTECTED]/
updates_spamassassin_org/80_additional.cf:score MID_14DIGITS_HEX 2.8

It also looks like you added it to CVS:

Author: jm
Date: Wed Nov  1 05:35:54 2006
New Revision: 469903


So, every server running POSTFIX gets a 2.8 score added to it?
Why is that?

Ok, so you say 'sure, mike' just set the score to 0.

Works fine here, but what about everyone who runs SA 3.17 and sa-update?
They will score my email 2.8+ more than it should.  This isn't one of
those 'if you don't like how RFCI/SORBS/SARES/SPF score stuff, turn it
off'.

That message id isn't non-compliant by RFC specs, so it should not be
scored like that.
If it's looking for forged ms outlook stuff, maybe it should be a meta
rule and also look for x-mailer outlook
(but, guess what, if luser sends ME an email from outlook and his MTA
doesn't add a message id, mine does.  Not that I mind bouncing an email
if the luser's MTA is non RFC compliant and doesn't add a message id,
but I sure don't want MY outgoing email to bounce just because of a bad
rule)


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
MediaPro Web based security and privacy training at
www.secnap.com/training
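The false positive argued in this thread, reproduced as an added example; this is not code from the list, from SpamAssassin or from the poster. It assumes that Postfix's cleanup daemon writes a generated Message-ID as `<YYYYMMDDHHMMSS.QUEUEID@myhostname>` (UTC timestamp, a dot, the hex queue ID) when a message arrives without one, and it uses an assumed stand-in regex in the spirit of the rule name, since the rule's actual pattern is scrubbed from the archived page. The hostname and the queue ID E842517017 come from the Received headers above; every other value is constructed. The harness measures how often a header rule fires on a ham corpus, with and without the Outlook X-Mailer meta-rule condition the original post suggests.

```python
import re
from datetime import datetime, timezone

# Assumption (added example): Postfix cleanup(8) emits
# "Message-Id: <YYYYMMDDHHMMSS.QUEUEID@myhostname>" for messages that arrive
# with no Message-ID header.
def postfix_message_id(received_at, queue_id, myhostname):
    stamp = received_at.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")
    return f"<{stamp}.{queue_id}@{myhostname}>"

# Assumed stand-in for the MID_14DIGITS_HEX regex (the real one is not on
# the page): 14 decimal digits, a dot, then a hex queue ID, anchored at the
# start of the header value.
MID_14DIGITS_HEX = re.compile(r"^<\d{14}\.[0-9A-F]{8,12}@", re.IGNORECASE)
RULE_SCORE = 2.8  # score from 80_additional.cf as quoted in the thread

# Constructed X-Mailer check for the meta-rule variant suggested in the thread.
OUTLOOK_XMAILER = re.compile(r"\bMicrosoft (Office )?Outlook\b", re.IGNORECASE)


def mid_rule(headers):
    """Plain header rule: fires on the Message-ID alone."""
    return bool(MID_14DIGITS_HEX.search(headers.get("Message-ID", "")))


def mid_meta_rule(headers):
    """Meta-rule variant: Message-ID pattern AND an Outlook X-Mailer."""
    return mid_rule(headers) and bool(
        OUTLOOK_XMAILER.search(headers.get("X-Mailer", "")))


def rule_score(headers, rule):
    """Score contribution this rule would add to the message."""
    return RULE_SCORE if rule(headers) else 0.0


def false_positive_rate(rule, ham):
    """Fraction of known-good messages the rule fires on."""
    hits = sum(1 for h in ham if rule(h))
    return hits / len(ham)


def build_ham_corpus():
    """Constructed legitimate mail whose Message-ID was added by the relaying
    Postfix because the originating client sent none."""
    when = datetime(2006, 12, 23, 15, 7, 14, tzinfo=timezone.utc)
    host = "0.mail.spammertrap.net"  # from the thread's Received headers
    corpus = []
    # E842517017 is the Postfix queue ID in the thread; the others are made up.
    for i, qid in enumerate(["E842517017", "0A1B2C3D4E", "9F8E7D6C5B"]):
        corpus.append({
            "Message-ID": postfix_message_id(when, qid, host),
            "Subject": f"constructed ham {i}",
        })
    # The Outlook case from the post: the sender's MTA added no Message-ID,
    # so the relaying Postfix did. Still ham, still hit by the meta rule.
    corpus.append({
        "Message-ID": postfix_message_id(when, "C0FFEE1234", host),
        "X-Mailer": "Microsoft Office Outlook 11",
        "Subject": "constructed ham from an Outlook user",
    })
    return corpus


if __name__ == "__main__":
    ham = build_ham_corpus()
    print("FP rate, plain rule:", false_positive_rate(mid_rule, ham))
    print("FP rate, meta rule: ", false_positive_rate(mid_meta_rule, ham))
```

Run against the constructed corpus, the plain rule fires on every Postfix-generated ID, which is the complaint in the thread: the header is a property of the relaying MTA, not of the sender, so it carries no forgery signal on its own. Adding the X-Mailer condition drops the rate but still hits the Outlook-through-a-non-compliant-MTA case the post describes, which is why a mass-check over real ham belongs before a 2.8 score ships in sa-update.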