
rramsdell at livedatagroup
May 9, 2008, 2:22 PM
Randy Ramsdell wrote:
> Jeff Koch wrote:
>>
>> Hi Randy - here's the whole thing:
>>
>> Return-Path: <aindrea[at]xx.com>
>> Delivered-To: xx.com-warehouse[at]xx.com
>> Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -0000
>> Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
>> scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
>> Received: from localhost by libra.xxxx.com
>> with SpamAssassin (version 3.2.4);
>> Tue, 06 May 2008 15:13:09 -0400
>> From: "Aindrea" <aindrea[at]xx.com>
>> To: "warehouse" <warehouse[at]xx.com>
>> Subject: *****SPAM***** Camden Grey order 373
>> Date: Tue, 6 May 2008 12:13:04 -0700
>> Message-Id: <74BC081D12754719AD817A909757BB09[at]server>
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
>> libra.xxxx.com
>> X-Spam-Level: *****
>> X-Spam-Status: Yes, score=5.3 required=3.0
>> tests=FORGED_MUA_OUTLOOK,RDNS_NONE,
>> TVD_PDF_FINGER01 autolearn=no version=3.2.4
>> X-Spam-Report:
>> * 0.1 RDNS_NONE Delivered to trusted network by a host with
>> no rDNS
>> * 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam
>> fingerprint
>> * 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from
>> MS Outlook
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary="----------=_4820ADC5.A4580A7F"
>>
>> This is a multi-part message in MIME format.
>>
>> ------------=_4820ADC5.A4580A7F
>> Content-Type: text/plain; charset=iso-8859-1
>> Content-Disposition: inline
>> Content-Transfer-Encoding: 8bit
>>
>> Spam detection software, running on the system "libra.xxx.com", has
>> identified this incoming email as possible spam. The original message
>> has been attached to this so you can view it (if it isn't spam) or label
>> similar future email. If you have any questions, see
>> admin[at]avspamfilter.com for details.
>>
>> Content preview: [...]
>>
>> Content analysis details: (5.3 points, 3.0 required)
>>
>> pts rule name description
>> ---- ----------------------
>> --------------------------------------------------
>> 0.1 RDNS_NONE Delivered to trusted network by a host
>> with no rDNS
>> 1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
>> 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
>>
>> The original message was not completely plain text, and may be unsafe to
>> open with some email clients; in particular, it may contain a virus,
>> or confirm that your address can receive spam. If you wish to view
>> it, it may be safer to save it to a file and open it with an editor.
>>
>> ------------=_4820ADC5.A4580A7F
>> Content-Type: message/rfc822; x-spam-type=original
>> Content-Description: original message before SpamAssassin
>> Content-Disposition: attachment
>> Content-Transfer-Encoding: 8bit
>>
>> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>> by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008
>> 19:13:06 -0000
>> Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
>> by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>> for <warehouse[at]xxxx.com>; Tue, 6 May 2008 12:13:05 -0700
>> Message-ID: <74BC081D12754719AD817A909757BB09[at]server>
>> From: "Aindrea" <aindrea[at]xxx.com>
>> To: "warehouse" <warehouse[at]xxx.com>
>> Subject: Camden Grey order 373
>> Date: Tue, 6 May 2008 12:13:04 -0700
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>>
>> This is a multi-part message in MIME format.
>>
>> ------=_NextPart_000_0039_01C8AF72.8920CD60
>> Content-Type: text/plain;
>> format=flowed;
>> charset="iso-8859-1";
>> reply-type=original
>> Content-Transfer-Encoding: 7bit
>>
>> ------=_NextPart_000_0039_01C8AF72.8920CD60
>>
>> At 04:29 PM 5/9/2008, Randy Ramsdell wrote:
>>> Jeff Koch wrote:
>>>>
>>>> Hi Matus:
>>>>
>>>> Here's the header. We're seeing a lot of these now:
>>>>
>>>> Received: from unknown (HELO jade.xxxxxx.com) (216.99.193.136)
>>>> by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008
>>>> 19:13:06 -0000
>>>> Received: from server (216-99-214-161.dsl.aracnet.com
>>>> [216.99.214.161])
>>>> by jade.xxxxxx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
>>>> for <warehouse[at]xxxxx.com>; Tue, 6 May 2008 12:13:05 -0700
>>>> Message-ID: <74BC081D12754719AD817A909757BB09[at]server>
>>>> From: "Aindrea" <aindrea[at]xxxxxxx.com>
>>>> To: "warehouse" <warehouse[at]xxxxxxxx.com>
>>>> Subject: Camden Grey order 373
>>>> Date: Tue, 6 May 2008 12:13:04 -0700
>>>> MIME-Version: 1.0
>>>> Content-Type: multipart/mixed;
>>>> boundary="----=_NextPart_000_0039_01C8AF72.8920CD60"
>>>> X-Priority: 3
>>>> X-MSMail-Priority: Normal
>>>> X-Mailer: Microsoft Outlook Express 6.00.3790.3959
>>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
>>>>
>>>> This is a multi-part message in MIME format.
>>>>
>>>> At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:
>>>>> On 09.05.08 12:08, Jeff Koch wrote:
>>>>> > Our users are getting false positives with hits on
>>>>> >
>>>>> > 4.2 FORGED_MUA_OUTLOOK
>>>>> >
>>>>> > and are saying they are 100% certain that the email was sent
>>>>> from MS
>>>>> > Outlook Express. Is this a known problem or are these users
>>>>> doing something
>>>>> > wrong?
>>>>>
>>>>> may be... can you show us headers of such e-mail?
>>>>>
>>>>> meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 &&
>>>>> !__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
>>>>> meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA &&
>>>>> !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID &&
>>>>> !__IMS_MSGID && !__UNUSABLE_MSGID)
>>>>> meta FORGED_MUA_OUTLOOK (__FORGED_OE ||
>>>>> __FORGED_OUTLOOK_DOLLARS)
>>>>>
>>>>> at least Message-Id and X-Mailer...
>>>>>
>>>>> btw do you update rules periodically?
>>>>> --
>>>>> Matus UHLAR - fantomas, uhlar[at]fantomas.sk ; http://www.fantomas.sk/
>>>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>>>> Warning: I do not want to receive any advertising mail at this address.
>>>>> "They say when you play that M$ CD backward you can hear satanic
>>>>> messages."
>>>>> "That's nothing. If you play it forward it will install Windows."
>>>>
>>>> Best Regards,
>>>>
>>>> Jeff Koch, Intersessions
>>> Could you include the whole complete header including the spam
>>> report because this looks like a valid M$ outlook/express header?
>>
>> Best Regards,
>>
>> Jeff Koch, Intersessions
> I am not sure about version 3.2.4, but I am fairly sure the rule in
> "/var/lib/spamassassin/*/*/*" 20_ratware.cf would not match this
> header and thus give the false positive.
>
> ratware.cf:
>
> # use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60
> meta FORGED_MUA_OUTLOOK (__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)
> describe FORGED_MUA_OUTLOOK Forged mail pretending to be from MS
> Outlook
>
> ---> __FORGED_OE
>
> # Outlook Express 4, 5, and 6
> header __OE_MUA X-Mailer =~ /\bOutlook Express [456]\./
> header __OE_MSGID_1 MESSAGEID =~
> /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
> header __OE_MSGID_2 MESSAGEID =~
> /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
> header __OE_MSGID_3 MESSAGEID =~
> /^<BAY\d+-DAV\d+[A-Z0-9]{25}\@phx\.gbl>$/m
> meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 &&
> !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID)
>
> None of these match the message id
> "74BC081D12754719AD817A909757BB09[at]server."
>
> I might have missed something, but this appears to be accurate.

Scratch that and reverse it. If it does match, then it will score the message header as fake. Oops :) sorry. Let me check some more things.
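The rule logic quoted in the thread can be replayed directly against the header that triggered it. The following Python is an added example, not SpamAssassin's own code: it takes the `__OE_MUA` test and the three `__OE_MSGID` patterns exactly as they appear in the 20_ratware.cf excerpt above (Matus's quote names a fourth, `__OE_MSGID_4`, but its pattern is not on the page, so it is left out), applies them to the original message's headers, and shows that `X-Mailer` matches while the Message-ID `<74BC081D12754719AD817A909757BB09@server>` fits none of the three Outlook Express shapes, so `__FORGED_OE` and with it `FORGED_MUA_OUTLOOK` fire. `__UNUSABLE_MSGID` is not defined anywhere on the page; the example assumes it fires only when the Message-ID header is missing. The example.com domains standing in for the redacted ones, and the second sample with a `$`-separated Message-ID, are constructed for the demonstration.

```python
"""Replay the __FORGED_OE / FORGED_MUA_OUTLOOK logic quoted in the thread.

Added illustration, not SpamAssassin's own code.  OE_MUA and the three
__OE_MSGID patterns are copied from the 20_ratware.cf excerpt above.
__UNUSABLE_MSGID is not defined on the page; it is ASSUMED here to fire
only when the Message-ID header is missing.
"""
import email
import re

# Sub-rules as quoted in the thread (Perl's /m flag becomes re.M).
OE_MUA = re.compile(r"\bOutlook Express [456]\.")
OE_MSGID = {
    "__OE_MSGID_1": re.compile(
        r"^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}@hotmail\.com>$", re.M),
    "__OE_MSGID_2": re.compile(
        r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$", re.M),
    "__OE_MSGID_3": re.compile(
        r"^<BAY\d+-DAV\d+[A-Z0-9]{25}@phx\.gbl>$", re.M),
}
FORGED_MUA_OUTLOOK_SCORE = 4.2  # score shown in the quoted X-Spam-Report

# Constructed sample 1: the original message's headers as quoted in the
# thread, with the redacted "[at]"/xxx domains replaced by example.com.
THREAD_SAMPLE = """\
Message-ID: <74BC081D12754719AD817A909757BB09@server>
From: "Aindrea" <aindrea@example.com>
To: "warehouse" <warehouse@example.com>
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

"""

# Constructed sample 2: same X-Mailer, but a Message-ID in the
# "$"-separated shape that __OE_MSGID_2 accepts (12 + 8 + 8 lowercase hex).
OE_SHAPED_SAMPLE = """\
Message-ID: <000a01c8af72$8920cd60$6401a8c0@server>
Subject: constructed example
X-Mailer: Microsoft Outlook Express 6.00.3790.3959

"""


def _header(msg, name):
    """Header value with folding whitespace collapsed, or None if absent."""
    value = msg.get(name)
    return None if value is None else " ".join(value.split())


def evaluate_forged_oe(raw_headers):
    """Return a dict of sub-rule hits plus the __FORGED_OE meta result."""
    msg = email.message_from_string(raw_headers)
    x_mailer = _header(msg, "X-Mailer") or ""
    msgid = _header(msg, "Message-ID")
    hits = {"__OE_MUA": OE_MUA.search(x_mailer) is not None}
    for name, pattern in OE_MSGID.items():
        hits[name] = msgid is not None and pattern.search(msgid) is not None
    hits["__UNUSABLE_MSGID"] = msgid is None  # ASSUMPTION: not defined on the page
    # meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2
    #                   && !__OE_MSGID_3 && !__UNUSABLE_MSGID)
    hits["__FORGED_OE"] = (
        hits["__OE_MUA"]
        and not any(hits[n] for n in OE_MSGID)
        and not hits["__UNUSABLE_MSGID"]
    )
    return hits


def forged_mua_outlook_score(raw_headers):
    """Score contributed through the __FORGED_OE branch of FORGED_MUA_OUTLOOK.

    The __FORGED_OUTLOOK_DOLLARS branch is not reproduced: its sub-rules are
    only named, not defined, in the thread.
    """
    forged = evaluate_forged_oe(raw_headers)["__FORGED_OE"]
    return FORGED_MUA_OUTLOOK_SCORE if forged else 0.0


if __name__ == "__main__":
    for label, sample in (("thread header", THREAD_SAMPLE),
                          ("OE-shaped Message-ID", OE_SHAPED_SAMPLE)):
        fired = [n for n, hit in evaluate_forged_oe(sample).items() if hit]
        print(f"{label}: fired={fired} score={forged_mua_outlook_score(sample)}")
```

The point the replay makes is that `__FORGED_OE` is a pure function of two headers: once `X-Mailer` claims Outlook Express, the verdict rests entirely on whether the Message-ID has one of the three listed shapes. A 32-hex-digit GUID-style id with no `$` separators, as in the thread, is therefore scored as forged regardless of what produced it, which is exactly the false positive the users reported.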