A couple of days ago I suggested ignoring the whitelist if the headers appeared
forged. Now I've been bitten by doing exactly that: one of our suppliers sends
me legitimate e-mail that always gets flagged with FORGED_MUA_OUTLOOK (2.2),
and the fact that he sends e-mail high priority (1.9 + 0.4) and that it was
discussing a legitimate marketing partnership (2.1) blew it out of the water.
However, all would have been saved by the whitelist except for the fact I have
a rule that undoes whitelisting due to FORGED_MUA_OUTLOOK.

How does SpamAssassin determine the header is forged, and any ideas why this
would happen on a legitimate e-mail? Perhaps because it originated in Germany?
Headers follow with some e-mail addresses removed for privacy.

Ragnar

Return-Path: <[EMAIL PROTECTED]>
Received: from xxxx.xxxxx.com (xxxx.xxxxx.com [ipaddress])
by ns2.wanware.com (8.11.6p2/8.11.6) with ESMTP id i4D8O4505876;
Thu, 13 May 2004 04:24:05 -0400
Received: from localhost (unknown [127.0.0.1])
by xxxx.xxxxx.com (XXXXX Postfix) with ESMTP
id E61108BC8D; Thu, 13 May 2004 10:23:52 +0200 (CEST)
Received: from XXXXXXXX (xxxxxxxxxx.de [ipaddress])
(using TLSv1 with cipher RC4-MD5 (128/128 bits))
(No client certificate requested)
by xxxx.xxxxx.com (XXXXX Postfix) with ESMTP
id 1CFC48BC8D; Thu, 13 May 2004 10:23:51 +0200 (CEST)
From: "Name" <[EMAIL PROTECTED]>
To: "'Ragnar Paulson'" <[EMAIL PROTECTED]>
Subject: FW: Distributor Contract
Date: Thu, 13 May 2004 10:23:55 +0200
Organization:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_001E_01C438D4.65D33820"
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Thread-Index: AcQx9eDxPOifNvOoQ/Cd04r3rGFRcgGzOEUA
Importance: High
Message-Id: <[EMAIL PROTECTED]>
X-AntiVirus: checked by AntiVir Milter 1.0.6; AVE 6.25.0.3; VDF 6.25.0.61
X-Spam-Status: Yes, hits=5.7 required=3.0
tests=BAYES_30,FORGED_MUA_OUTLOOK,MARKETING_PARTNERS,
MISSING_OUTLOOK_NAME,TSG_UNWHITELIST,USER_IN_WHITELIST,
X_MSMAIL_PRIORITY_HIGH,X_PRIORITY_HIGH
version=2.54-sentinet
X-Spam-Level: *****
X-Spam-Checker-Version: SpamAssassin 2.54-sentinet (1.174.2.17-2003-05-11-exp)
X-Spam-Report: This mail is probably spam. The original message has been
attached
along with this report, so you can recognize or block similar unwanted
mail in future. See http://spamassassin.org/tag/ for more details.
Content preview: Dear Ragnar, We thank you for your decision
to become our official partner in Canada. It is a pleasure for us to do
business with your company and we are sure that the future will show
the mutual benefit resulted from our contract. [...]
Content analysis details: (5.70 points, 3 required)
X_MSMAIL_PRIORITY_HIGH (0.4 points) Sent with 'X-Msmail-Priority' set to high
X_PRIORITY_HIGH (1.9 points) Sent with 'X-Priority' set to high
MARKETING_PARTNERS (2.1 points) BODY: Claims you registered with some kind
of partner
BAYES_30 (-0.9 points) BODY: Bayesian classifier says spam
probability is 30 to 40%
[score: 0.3753]
USER_IN_WHITELIST (-100.0 points)From: address is in the user's white-list
FORGED_MUA_OUTLOOK (2.2 points) Forged mail pretending to be from MS Outlook
MISSING_OUTLOOK_NAME (0.0 points) Message looks like Outlook, but isn't
TSG_UNWHITELIST (100.0 points)Undo SpamAssassin Whitelisting
X-Spam-Flag: YES
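
Added example, not part of the original post: a small Python parser for the "Content analysis details" block quoted above that recomputes the total and re-scores the message with selected rules left out, to show which hits actually decide the verdict. The function names are made up for this example, and it assumes a message is tagged as spam when the total is at or above the required score.

```python
import re

# Sample input: the "Content analysis details" lines from the report quoted
# in the post, copied as-is (including the missing space after "points)").
REPORT = """\
Content analysis details: (5.70 points, 3 required)
X_MSMAIL_PRIORITY_HIGH (0.4 points) Sent with 'X-Msmail-Priority' set to high
X_PRIORITY_HIGH (1.9 points) Sent with 'X-Priority' set to high
MARKETING_PARTNERS (2.1 points) BODY: Claims you registered with some kind
of partner
BAYES_30 (-0.9 points) BODY: Bayesian classifier says spam
probability is 30 to 40%
[score: 0.3753]
USER_IN_WHITELIST (-100.0 points)From: address is in the user's white-list
FORGED_MUA_OUTLOOK (2.2 points) Forged mail pretending to be from MS Outlook
MISSING_OUTLOOK_NAME (0.0 points) Message looks like Outlook, but isn't
TSG_UNWHITELIST (100.0 points)Undo SpamAssassin Whitelisting
"""

RULE_LINE = re.compile(r"^([A-Z][A-Z0-9_]*) \((-?\d+(?:\.\d+)?) points\)")
SUMMARY = re.compile(r"\((-?\d+(?:\.\d+)?) points, (-?\d+(?:\.\d+)?) required\)")

def parse_report(text):
    """Return (reported_total, required, {rule: score}); wrapped text is skipped."""
    m = SUMMARY.search(text)
    if not m:
        raise ValueError("no 'Content analysis details' summary line found")
    scores = {}
    for line in text.splitlines():
        hit = RULE_LINE.match(line.strip())
        if hit:
            scores[hit.group(1)] = float(hit.group(2))
    return float(m.group(1)), float(m.group(2)), scores

def total(scores, without=()):
    """Sum the rule scores, leaving out the rules named in `without`."""
    return round(sum(v for k, v in scores.items() if k not in without), 2)

def is_spam(scores, required, without=()):
    """Assumption for this example: spam when the total reaches `required`."""
    return total(scores, without) >= required

if __name__ == "__main__":
    reported, required, scores = parse_report(REPORT)
    print("reported", reported, "recomputed", total(scores))
    for drop in [("TSG_UNWHITELIST",),
                 ("TSG_UNWHITELIST", "USER_IN_WHITELIST", "FORGED_MUA_OUTLOOK")]:
        verdict = "spam" if is_spam(scores, required, drop) else "not spam"
        print("without", ", ".join(drop), "->", total(scores, drop), verdict)
```

With the whitelist pair and FORGED_MUA_OUTLOOK all left out, the remaining content and priority rules still total 3.5 against a required score of 3, so on this message the whitelist is the only thing standing between the supplier's mail and the spam folder.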