Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 -0000
Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
        by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
        for <[EMAIL PROTECTED]>; Tue, 6 May 2008 12:13:05 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Aindrea" <[EMAIL PROTECTED]>
To: "warehouse" <[EMAIL PROTECTED]>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
On 09.05.08 12:08, Jeff Koch wrote:
> Our users are getting false positives with hits on
>
> 4.2 FORGED_MUA_OUTLOOK
>
> and are saying they are 100% certain that the email was sent from MS
> Outlook Express. Is this a known problem or are these users doing something
> wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK         (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)

at least Message-Id and X-Mailer...

btw do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Best Regards,

Jeff Koch, Intersessions
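
As an added example (not part of the original thread and not SpamAssassin's own code), this Python code evaluates the three meta rules quoted above against a set of subrule hits and reports which single subrule hit would stop FORGED_MUA_OUTLOOK from firing. The subrule regexes are not on this page, so hits are supplied by name; `fires` and `clearing_subrules` are hypothetical helper names.

```python
import re

# Meta rules as quoted in the message above (SpamAssassin syntax).
META = {
    "__FORGED_OE": "(__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3"
                   " && !__OE_MSGID_4 && !__UNUSABLE_MSGID)",
    "__FORGED_OUTLOOK_DOLLARS": "(__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2"
                                " && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID"
                                " && !__IMS_MSGID && !__UNUSABLE_MSGID)",
    "FORGED_MUA_OUTLOOK": "(__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)",
}
TOKEN = re.compile(r"&&|\|\||!|\(|\)|\w+")

def fires(rule, hits):
    """True if `rule` fires, given the set of leaf subrules that hit."""
    if rule not in META:
        return rule in hits              # leaf subrule: hit or not
    toks, pos = TOKEN.findall(META[rule]), 0

    def atom():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "!":
            return not atom()
        if tok == "(":
            val = expr()
            pos += 1                     # skip the closing ")"
            return val
        return fires(tok, hits)          # subrule name, possibly another meta

    def chain(op, operand):
        # Parse "operand (op operand)*" fully, so no token is skipped.
        nonlocal pos
        vals = [operand()]
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            vals.append(operand())
        return vals

    def conj():                          # && binds tighter than ||
        return all(chain("&&", atom))

    def expr():
        return any(chain("||", conj))

    return expr()

def clearing_subrules(hits):
    """Leaf subrules whose hit alone would stop FORGED_MUA_OUTLOOK firing."""
    names = set(re.findall(r"\w+", " ".join(META.values())))
    leaves = names - set(META) - set(hits)
    return {s for s in leaves if not fires("FORGED_MUA_OUTLOOK", set(hits) | {s})}
```
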
