Subject says it all -- I've got a friend who has confirmed he is using Outlook
2003 on a winXP machine; since this goes to a mailing list, the hits I get
for this guy are:
---- Start SpamAssassin results
5.00 points, 5 required;
* -0.5 -- Has a In-Reply-To header
* 1.4 -- trail of Received: headers seems to be forged
* 3.7 -- Forged mail pretending to be from MS Outlook
* 0.1 -- Message looks like Outlook, but isn't
* 0.3 -- AWL: Auto-whitelist adjustment
---- End of SpamAssassin results
Since there are two hits for "looks like outlook", this is getting
double-whammy'd. Further, this guy has a mindspring account, so the "first"
received header in the chain is:
Received: from pool0458.cvx34-bradley.dialup.earthlink.net ([216.244.7.203]
helo=delzell) by blount.mail.mindspring.net [...]
I suspect that "helo=delzell" bit is what is tripping the "seems to be forged"
rule, or else it is the mailing list itself due to this one:
Received: from ROCKETEERS.COM by ROCKETEERS.COM (LISTSERV-TCP/IP release 1.8e)
Either way, this guy is right on the edge, so sometimes his stuff makes it,
others not...
NOTE: I have not "trained" SA yet, so this is with out-of-the-box rules,
weights, and training. I've just now amassed the necessary 1000 spam mails
to make this a worthwhile training session, so I'll probably be doing that
later today or tomorrow -- I suspect it would be a "good thing to do..." to
include the mailing list that this guy is on as "ham", right? :)
--
Yet another Blog: http://osnut.homelinux.net