Hello Robert, > Hello Mike, > > Tuesday, May 25, 2004, 10:47:32 AM, you wrote: > > MH> I have been seening a fair amount of the following in spam: > > MH> X-Authentication-Warning: ANdhzoll05 > MH> ... > > MH> It appears to be uppercase 2 to 5, lowercase 5 to 7, & 2 digits > > MH> header CSL_X_AUTH_WARN_1 exists:X-Authentication-Warning > MH> describe CSL_X_AUTH_WARN_1 X-Message-Info header found > MH> score CSL_X_AUTH_WARN_1 0.5 > > The X-Authentication-Warning itself is valid and common in ham. IMO this > Exists rule won't help.
Yes it is common, but, atleast for me, it appears in more spam than non-spam. I gave it a low score since it may be valid. I believe it is only (or most commonly) inserted by sendmail when run with arguments to set the sender address. Please correct me if I am wrong. I believe the format that is correct is : X-Authentication-Warning: host.dom.tld: username set sender to [EMAIL PROTECTED] using -f Can anyone suggest a better rule than, or comment on the following: header MFH_X_AUTH_WARN_INVALID X-Authentication-Warning =~ /using -[a-eg-z]/i describe MFH_X_AUTH_WARN_INVALID X-Authentication-Warning looks invalid score MFH_X_AUTH_WARN_INVALID <score to taste> or perhaps header MFH_X_AUTH_WARN_INVALID_2 X-Authentication-Warning !=~ /using -f/ describe MFH_X_AUTH_WARN_INVALID_2 X-Authentication-Warning looks invalid score MFH_X_AUTH_WARN_INVALID_2 <score to taste> Invalid looking header examples : X-Authentication-Warning: MXIUIialwlig69 X-Authentication-Warning: zfl90-adolphus4.ol0inp.billsfan.net: ngn51bluefish set sender to [EMAIL PROTECTED] using -e X-Authentication-Warning: DNLKhqcrzpb96 X-Authentication-Warning: VZMIilvlp49 X-Authentication-Warning: HMINlhcja72 X-Authentication-Warning: XO52-obdurate97.ZUX6oyxg.canada.com: z64necessity set sender to [EMAIL PROTECTED] using -q X-Authentication-Warning: KDJVqhrtxo69 X-Authentication-Warning: HRIYTadqpu51 X-Authentication-Warning: BWqkqlko47 X-Authentication-Warning: caroline grudge holdup ophthalmology X-Authentication-Warning: [EMAIL PROTECTED] X-Authentication-Warning: Q23-coat4.ZFF617l.prodigy.com: rws875inborn set sender to [EMAIL PROTECTED] using -j X-Authentication-Warning: q90-beseech18.zm7igq.express56.com: c8applicate set sender to [EMAIL PROTECTED] using -r X-Authentication-Warning: EG37-drunkard62.QE0diyk.netscape.com: x0scribners set sender to [EMAIL PROTECTED] using -a X-Authentication-Warning: bitch pinnacle upside hydrophobic X-Authentication-Warning: o73-briggs2.zee4d.tvnet.lt: zj1graphic set sender to [EMAIL PROTECTED] using -t X-Authentication-Warning: whack sunshiny X-Authentication-Warning: asocial becky injurious hedge X-Authentication-Warning: UMPAjetlp08 X-Authentication-Warning: nc74-havana79.zik87tuz.aplus.net: vqq938corpsmen set sender to [EMAIL PROTECTED] using -x
