We got a troubling false positive today. A message from a potential
business partner in Korea was marked as spam because the message matched
the rules FORGED_MUA_OUTLOOK, FORGED_OUTLOOK_TAGS and MIME_BASE64_TEXT.
We're using SpamAssassin 2.63 called from a MIMEDefang milter.
The original message was encoded as base64, which isn't uncommon in
Asian locales. What troubles me is that the decoded message shouldn't
have matched the FORGED_OUTLOOK_TAGS meta rule. When I looked at the
definition of the meta rule in 20_ratware.cf, there didn't seem to be
any reason that FORGED_OUTLOOK_TAGS should have matched. All of the
required tags (meta,head,html, and body) are present in the decoded
message. It is as though the rule is being checked against the base64
encoded text rather than the decoded message. Is this true? Is there a
simple way to fix this?
I haven't checked the FORGED_MUA_OUTLOOK, but I suspect it is suffering
from the same base64 encoding issue.
I've attached a sanitized version of the message below.
--
Fred W. Bacon <[EMAIL PROTECTED]>
Aerodyne Research, Inc.
From [EMAIL PROTECTED] Tue Aug 10 02:58:52 2004
Return-Path: <[EMAIL PROTECTED]>
Received: from mailman.aerodyne.com ([unix socket]) by mailman.aerodyne.com
    (Cyrus v2.1.16-Invoca-RPM-2.1.16-2) with LMTP; Tue, 10 Aug 2004 02:58:52 -0400
X-Sieve: CMU Sieve 2.2
Received: from dauntless.cnchost.com (mailman.aerodyne.com [127.0.0.1]) by
    mailman.aerodyne.com (8.12.10/8.12.10) with ESMTP id i7A6wo0X002703 for
    <[EMAIL PROTECTED]>; Tue, 10 Aug 2004 02:58:51 -0400
Received: from sni17.hitel.net ([211.41.85.197]) by dauntless.cnchost.com
    (ConcentricHost SMTP MX 1.45) id CAA11806 for <[EMAIL PROTECTED]>;
    Tue, 10 Aug 2004 02:58:46 -0400 (EDT)
Errors-To: <[EMAIL PROTECTED]>
Received: from 211.41.85.198 (211.41.85.198) at KTMAIL with ESMTP Hanmir
    by sni17;Tue, 10 Aug 2004 15:58:34 +0900
X-MsgID: 1092121114795206.9.sni17
Message-ID: <[EMAIL PROTECTED]>
X-RECEIVED-IP: 211.217.207.62
Y-Message-ID: <[EMAIL PROTECTED]>
From: "hitel.net" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *****SPAM***** My visit to aerodyne on August 16, 2004
Date: Tue, 10 Aug 2004 15:57:04 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_1092121132-4296-35"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Score: 5.1 =====
X-Spam-Tests: BAYES_44,FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,MIME_BASE64_TEXT
X-Scanned-By: MIMEDefang 2.39
X-Evolution-Source: imap://bacon;[EMAIL PROTECTED]/
This is a multi-part message in MIME format...
------------=_1092121132-4296-35
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0161_01C47EF2.AE2EBAE0"
Content-Transfer-Encoding: binary
This is a multi-part message in MIME format...
------=_NextPart_000_0161_01C47EF2.AE2EBAE0
Content-Type: text/plain; charset="ks_c_5601-1987"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
<snipped actual message body>
------=_NextPart_000_0161_01C47EF2.AE2EBAE0
Content-Type: text/html; charset="ks_c_5601-1987"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html;
charset=ks_c_5601-1987">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
removed actual message body
</BODY></HTML>
------=_NextPart_000_0161_01C47EF2.AE2EBAE0--
------------=_1092121132-4296-35
Content-Type: text/plain; name="SpamAssassinReport.txt"
Content-Disposition: inline; filename="SpamAssassinReport.txt"
Mime-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "mailman.aerodyne.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  removed preview

Content analysis details:   (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 BAYES_44               BODY: Bayesian spam probability is 44 to 50%
                            [score: 0.4996]
 1.0 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 1.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 3.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
------------=_1092121132-4296-35--
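As an added illustration (not SpamAssassin's code, and not part of the original post), the script below builds a constructed Outlook-Express-style message modelled on the sanitized one above, with its text/html part carried either as 8bit or as base64, and runs a simple "are <html>, <head>, <meta> and <body> present?" check first over the body exactly as transmitted and then over the body after the Content-Transfer-Encoding is undone. It demonstrates the effect the poster suspects: a tag check applied to the raw text of a base64 part sees none of the four tags, while the same check on the decoded part finds all of them. Whether SpamAssassin 2.63 actually evaluates these rules against the raw body is exactly the open question in the post; this example shows only the consequence, not SpamAssassin's internals. The function names (build_message, missing_tags), the addresses and the sample message are all constructed for the example.

```python
"""Raw-vs-decoded body check for the Outlook tag pattern.

Added example, not SpamAssassin code.  A message in the style of the one
in the post (X-Mailer: Outlook Express, text/html in ks_c_5601-1987) is
built with its HTML part either 8bit or base64 encoded, and we ask whether
<html>, <head>, <meta> and <body> can be found (a) in the body exactly as
transmitted and (b) in the body after the Content-Transfer-Encoding has
been undone.
"""
import base64
import email
import re

REQUIRED_TAGS = ("html", "head", "meta", "body")

# Constructed HTML body modelled on the sanitized message in the post.
HTML_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\r\n'
    "<HTML><HEAD>\r\n"
    '<META http-equiv=Content-Type content="text/html; '
    'charset=ks_c_5601-1987">\r\n'
    '<META content="MSHTML 6.00.2800.1106" name=GENERATOR>\r\n'
    "<STYLE></STYLE>\r\n"
    "</HEAD>\r\n"
    "<BODY bgColor=#ffffff>\r\n"
    "removed actual message body\r\n"
    "</BODY></HTML>\r\n"
)


def build_message(transfer_encoding):
    """Return a single-part text/html message (RFC 2822 text) whose body
    is carried with the given Content-Transfer-Encoding ("8bit" or
    "base64").  Addresses are placeholders, not real mailboxes."""
    if transfer_encoding == "base64":
        body = base64.encodebytes(HTML_BODY.encode("ascii")).decode("ascii")
    elif transfer_encoding == "8bit":
        body = HTML_BODY
    else:
        raise ValueError("unsupported encoding: %r" % transfer_encoding)
    headers = (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: My visit on August 16, 2004\r\n"
        "MIME-Version: 1.0\r\n"
        "X-Mailer: Microsoft Outlook Express 6.00.2800.1106\r\n"
        'Content-Type: text/html; charset="ks_c_5601-1987"\r\n'
        "Content-Transfer-Encoding: %s\r\n" % transfer_encoding
    )
    return headers + "\r\n" + body


def raw_body(raw_msg):
    """The body exactly as it appears on the wire (after the blank line),
    i.e. still transfer-encoded."""
    return raw_msg.split("\r\n\r\n", 1)[1]


def decoded_body(raw_msg):
    """The body after the Content-Transfer-Encoding has been undone."""
    msg = email.message_from_string(raw_msg)
    return msg.get_payload(decode=True).decode("ascii", "replace")


def found_tags(text):
    """Return the subset of REQUIRED_TAGS that occur as opening tags."""
    return {t for t in REQUIRED_TAGS if re.search(r"<%s\b" % t, text, re.I)}


def missing_tags(transfer_encoding, decode_first):
    """Tags the check fails to see, as a sorted list.  An empty list means
    all four were found, so a FORGED_OUTLOOK_TAGS-style test based on
    "required tag missing" would not fire."""
    raw_msg = build_message(transfer_encoding)
    text = decoded_body(raw_msg) if decode_first else raw_body(raw_msg)
    return sorted(set(REQUIRED_TAGS) - found_tags(text))


if __name__ == "__main__":
    for enc in ("8bit", "base64"):
        for decode_first in (False, True):
            view = "decoded" if decode_first else "raw"
            print("%-6s %-7s missing: %s"
                  % (enc, view, missing_tags(enc, decode_first) or "none"))
```

Running it prints one line per combination: the 8bit message passes the check either way, the base64 message passes only when the body is decoded first and reports all four tags missing when the check runs on the raw text. If a rule engine really were matching the encoded text, this is exactly the false positive pattern the post describes; the fix on the rule side is to run the check on the decoded part (or on the parsed HTML), not on the transfer-encoded bytes.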