Mailing List Archive

What is the status of Outlook 2003 false positives?
subject says it all -- I've got a friend who has confirmed he is using Outlook
2003 on a winXP machine; since this goes to a mailing list, the hits I get
for this guy are:

---- Start SpamAssassin results
5.00 points, 5 required;
* -0.5 -- Has a In-Reply-To header
*  1.4 -- trail of Received: headers seems to be forged
*  3.7 -- Forged mail pretending to be from MS Outlook
*  0.1 -- Message looks like Outlook, but isn't
*  0.3 -- AWL: Auto-whitelist adjustment

---- End of SpamAssassin results

Since there are two hits for "looks like outlook", this is getting
double-whammy'd. Further, this guy has a mindspring account, so the "first"
received header in the chain is:

Received: from pool0458.cvx34-bradley.dialup.earthlink.net ([216.244.7.203]
helo=delzell) by blount.mail.mindspring.net [...]

I suspect that "helo=delzell" bit is what is tripping the "seems to be forged"
rule, or else it is the mailing list itself due to this one:

Received: from ROCKETEERS.COM by ROCKETEERS.COM (LISTSERV-TCP/IP release 1.8e)

either way, this guy is right on the edge, so sometimes his stuff makes it,
others not...

NOTE: I have not yet "trained" SA yet, so this is with out-of-the-box rules,
weights, and training. I've just now amassed the necessary 1000 spam mails
to make this a worthwhile training session, so I'll probably be doing that
later today or tomorrow -- I suspect it would be a "good thing to do..." to
include the mailing list that this guy is on as "ham", right? :)
--
Yet another Blog: http://osnut.homelinux.net
Re: What is the status of Outlook 2003 false positives?
Tom Emerson wrote:

>subject says it all -- I've got a friend who has confirmed he is using Outlook
>2003 on a winXP machine; since this goes to a mailing list, the hits I get
>for this guy are:
>
>---- Start SpamAssassin results
>5.00 points, 5 required;
>* -0.5 -- Has a In-Reply-To header
>* 1.4 -- trail of Received: headers seems to be forged
>* 3.7 -- Forged mail pretending to be from MS Outlook
>* 0.1 -- Message looks like Outlook, but isn't
>* 0.3 -- AWL: Auto-whitelist adjustment
>
>---- End of SpamAssassin results
>
>Since there are two hits for "looks like outlook", this is getting
>double-whammy'd.
>
Is it something specific to going to a list? I sent a message from MS
Outlook 2003 under XP at work to my home system, and got:

X-Spam-Report: * -1.5 BAYES_01 BODY: Bayesian spam probability is 1 to 10%
* [score: 0.0994]
* 0.1 HTML_MESSAGE BODY: HTML included in message
* 0.1 HTML_70_80 BODY: Message is 70% to 80% HTML

So are Outlook 2003 messages being treated differently by list software in some way?

> Further, this guy has a mindspring account, so the "first"
>received header in the chain is:
>
>Received: from pool0458.cvx34-bradley.dialup.earthlink.net ([216.244.7.203]
> helo=delzell) by blount.mail.mindspring.net [...]
>
>I suspect that "helo=delzell" bit is what is tripping the "seems to be forged"
>rule, or else it is the mailing list itself due to this one:
>
>Received: from ROCKETEERS.COM by ROCKETEERS.COM (LISTSERV-TCP/IP release 1.8e)
>
>either way, this guy is right on the edge, so sometimes his stuff makes it,
>others not...
>
>
You might fix his AWL entry on your system. Since he's so close, that
does push him over. You don't need to necessarily whitelist him, but at
least delete the entry for his address.

>NOTE: I have not yet "trained" SA yet, so this is with out-of-the-box rules,
>weights, and training. I've just now amassed the necessary 1000 spam mails
>to make this a worthwhile training session, so I'll probably be doing that
>later today or tomorrow -- I suspect it would be a "good thing to do..." to
>include the mailing list that this guy is on as "ham", right? :)
>
>
I started bayes immediately, and although it didn't kick in until I hit
the 200 mark for ham and spam, it was helpful once it did start scoring.

Definitely train that list mail, yes.

- Bob
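
The two reports quoted above can be compared mechanically. The following is an added example, not part of the original thread and not SpamAssassin code: it parses both report layouts shown in the messages, sums the hits, and lists which single hits decide the verdict (SpamAssassin flags a message when its score reaches the required value). The report text is constructed from the excerpts in the thread, and a threshold of 5 is assumed for the second report, which does not show one.

```python
import re
from decimal import Decimal

# Constructed input: the two report excerpts quoted in this thread.
LIST_REPORT = """\
5.00 points, 5 required;
* -0.5 -- Has a In-Reply-To header
*  1.4 -- trail of Received: headers seems to be forged
*  3.7 -- Forged mail pretending to be from MS Outlook
*  0.1 -- Message looks like Outlook, but isn't
*  0.3 -- AWL: Auto-whitelist adjustment
"""
DIRECT_REPORT = """\
X-Spam-Report: * -1.5 BAYES_01 BODY: Bayesian spam probability is 1 to 10%
* [score: 0.0994]
* 0.1 HTML_MESSAGE BODY: HTML included in message
* 0.1 HTML_70_80 BODY: Message is 70% to 80% HTML
"""

NUM = r"-?\d+(?:\.\d+)?"
HIT = re.compile(r"\*\s+(" + NUM + r")\s+(?:--\s+)?(.+)$")
SUMMARY = re.compile(r"(" + NUM + r") points, (" + NUM + r") required")

def parse_report(text, default_required="5"):
    """Return (hits, required); hits is a list of (Decimal score, description)."""
    hits, required = [], Decimal(default_required)  # default is an assumption
    for line in text.splitlines():
        summary = SUMMARY.search(line)
        if summary:
            required = Decimal(summary.group(2))
            continue
        hit = HIT.search(line)
        if hit:  # detail lines such as "* [score: 0.0994]" carry no score
            hits.append((Decimal(hit.group(1)), hit.group(2).strip()))
    return hits, required

def total(hits, skip=None):
    """Sum the scores, optionally leaving out hits whose text starts with skip."""
    return sum((s for s, d in hits if not (skip and d.startswith(skip))), Decimal(0))

def decisive(hits, required):
    """Hits whose removal alone drops a flagged message below the threshold."""
    score = total(hits)
    return [d for s, d in hits if score >= required and score - s < required]

if __name__ == "__main__":
    for name, report in (("list", LIST_REPORT), ("direct", DIRECT_REPORT)):
        hits, required = parse_report(report)
        print(name, total(hits), "of", required, "| without AWL:", total(hits, "AWL"))
        print("  decisive:", decisive(hits, required))
```

Because the list message sits exactly on the threshold, every positive hit is decisive on its own, including the 0.3 auto-whitelist adjustment.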
Re: What is the status of Outlook 2003 false positives?
Tom Emerson wrote on Sat, 6 Mar 2004 09:57:35 -0800:

> subject says it all -- I've got a friend who has confirmed he is using Outlook
> 2003 on a winXP machine; since this goes to a mailing list, the hits I get
> for this guy are:
>

Tom, you should submit this to Bugzilla.


Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
RE: What is the status of Outlook 2003 false positives?
What version of spamassassin do you use ?

/robert

-----Original Message-----
From: Kai Schaetzl [mailto:maillists@conactive.com]
Sent: Sunday, March 07, 2004 10:32 PM
To: spamassassin-users@incubator.apache.org
Subject: Re: What is the status of Outlook 2003 false positives?

Tom Emerson wrote on Sat, 6 Mar 2004 09:57:35 -0800:

> subject says it all -- I've got a friend who has confirmed he is using
> Outlook
> 2003 on a winXP machine; since this goes to a mailing list, the hits I
> get for this guy are:
>

Tom, you should submit this to Bugzilla.


Kai

--

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: What is the status of Outlook 2003 false positives?
On Monday 08 March 2004 10:24 am, Robert Lacroix wrote:
> What version of spamassassin do you use ?

<doh> I had meant to mention this, but seems it slipped my mind -- this is
from a pre-compiled RPM for SuSE 9.0, which per the tags appears to be
version 2.55. I think this is a "known problem" for this version, so really
I was asking whether this was still true for "the current" version or if it's
been fixed.
 
--
Yet another Blog: http://osnut.homelinux.net