Spamassassin false positive on FORGED_MUA_OUTLOOK

Hi, Mails from my genuine sender in Cyprus addressed to my virgin.net account are consistently getting a **** level and 4.2 hits from SpamAssassin, apparently from a false FORGED_MUA_OUTLOOK positive. I have whitelisted this genuine sender, so his messages no longer go into my Spamcop spam folder, but we are concerned that genuine sender's mails to other recipients are still liable to false blocking.

I understand from looking at SpamAssassin blogs that there have been some false positive FORGED_MUA_OUTLOOK issues in the past resulting from changes to the format of Outlook Express's Message ID that SpamAssassin didn't recognise, but which are supposed to now be resolved.

Note in the example below that cytanet first sends genuine.sender's mail to emaildefenseservices.com who apparently do a rules hit check of their own on behalf of virgin.net. It then goes on to my virgin.net mailbox from whence Spamcop collect it (this latter part of the routing is not shown in my example). I have changed the names in the example below for security reasons, but the Message ID remains intact as sent.

genuine.sender has sent me three separate mails in the last few days, all with quite short innocuous text only bodies, and each time the result has shown exactly the same **** level, 4.2 hits, FORGED_MUA_OUTLOOK, and Blocked SpamAssassin=4

How can we stop this false blocking?

------EXAMPLE-----

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level: ****
X-spam-Status: hits=4.2 tests=FORGED_MUA_OUTLOOK version=3.2.4
Received: from sc1-in13.emaildefenseservice.com (64.97.203.94) by n024.sc1.he.tucows.com (7.2.069.1)
        id 47693081032C35B1 for sleepy.john[at]virgin.net; Sat, 26 Apr 2008 04:26:56 +0000
X-SpamScore: 2
X-Spamcatcher-Summary: 2,0,0,9f8b517d95129fa8,7e7d9b78463223a7,genuine.sender[at]cytanet.com.cy,-,RULES_HIT:355:379:539:540:541:542:543:567:728:988:989:1155:1260:1277:1311:1313:1314:1345:1437:1515:1516:1518:1533:1534:1536:1587:1593:1594:1711:1714:1730:1747:1766:1792:2073:2076:2393:2559:2562:2828:3867:3869:3873:5007:6261,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:none,DNSBL:none,TSO:0
X-Spamcatcher-Explanation:
X-Virus-Scanned: By virus scanner at Cytanet
Message-ID: <8B6BF60ACA1C4DEBB006F5EC1628A69C[at]dill99f99894d7>
From: "My Correspondent" <genuine.sender[at]cytanet.com.cy>
To: "My.address" <sleepy.john[at]virgin.net>
Subject: Rejection
Date: Sat, 26 Apr 2008 07:26:46 +0300
X-Mailer: Microsoft Outlook Express 6.00.2900.3311
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=4
X-SpamCop-Whitelisted: genuine.sender[at]cytanet.com.cy

-------


... genuine.sender has sent me three separate mails in the last few days, all with quite short innocuous text only bodies, and each time the result has shown exactly the same **** level, 4.2 hits, FORGED_MUA_OUTLOOK, and Blocked SpamAssassin=4

How can we stop this false blocking?...

Well, if the issue is the need to update the SA version as indicated in http://wiki.apache.org/spamassassin/FORGED_MUA_OUTLOOK then someone needs to talk to JT (the owner). Since you have identified the issue, that someone would best be you. One way would be to use the contact form at

http://mail.spamcop.net/contact.php

and select "Other account problems". There have been reports in the past of different versions of SA in use on different servers at the same time so it may be that your problem is not consistent over time (but obviously version types do need to be current).

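To check the point in the reply above that different SpamAssassin versions may be running on different filter servers, the following added example (not part of the thread, and not SpamCop or SpamAssassin code) tallies FORGED_MUA_OUTLOOK hits per version and filter host from saved message headers. It assumes the header layout shown in the original post; the function names and the second and third sample messages are constructed.

```python
import email
import re
from collections import Counter

RULE = "FORGED_MUA_OUTLOOK"
# Assumes the header layout quoted in the original post (SpamCop's X-spam-* form).
CHECKER_RE = re.compile(r"SpamAssassin (\S+) \([^)]*\) on (\S+)")
STATUS_RE = re.compile(r"hits=(-?[\d.]+)\s+tests=(\S*)")

def parse_verdict(raw):
    """Return the SpamAssassin verdict recorded in one message, or None."""
    msg = email.message_from_string(raw)
    checker = CHECKER_RE.search(msg.get("X-spam-Checker-Version", ""))
    status = STATUS_RE.search(msg.get("X-spam-Status", ""))
    if not (checker and status):
        return None
    tests = [t for t in status.group(2).split(",") if t and t != "none"]
    return {
        "sa_version": checker.group(1),
        "filter_host": checker.group(2),
        "hits": float(status.group(1)),
        "tests": tests,
        "sole_rule": tests == [RULE],  # nothing else contributed to the score
    }

def tally(raw_messages):
    """Map (SA version, filter host) -> (messages hitting RULE, messages seen)."""
    seen, hit = Counter(), Counter()
    for raw in raw_messages:
        verdict = parse_verdict(raw)
        if verdict is None:
            continue
        key = (verdict["sa_version"], verdict["filter_host"])
        seen[key] += 1
        hit[key] += RULE in verdict["tests"]
    return {key: (hit[key], seen[key]) for key in seen}

MAILER = "X-Mailer: Microsoft Outlook Express 6.00.2900.3311\n\nbody\n"
SAMPLES = [  # constructed; only the first reuses header values quoted in the thread
    "X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7\n"
    "X-spam-Status: hits=4.2 tests=FORGED_MUA_OUTLOOK version=3.2.4\n" + MAILER,
    "X-spam-Checker-Version: SpamAssassin 9.9.9 (constructed) on filterX\n"
    "X-spam-Status: hits=0.0 tests=none version=9.9.9\n" + MAILER,
    "X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7\n"
    "X-spam-Status: hits=4.3 tests=FORGED_MUA_OUTLOOK,HTML_MESSAGE version=3.2.4\n" + MAILER,
]

if __name__ == "__main__":
    for key, (hits, total) in sorted(tally(SAMPLES).items()):
        print(key, f"{hits}/{total} messages hit {RULE}")
```

A per-host breakdown like this, together with the messages where `sole_rule` is true, is the evidence worth attaching to a report through the contact form.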

FWIW, I'm not seeing *any* hits on "FORGED_MUA_OUTLOOK" in the headers of messages I've downloaded from my SpamCop account.

I would agree. I haven't noticed many either, but we've got this one reproducible false positive one coming from my genuine correspondent that up to now we can't explain.

Anyway, I raised the issue on the contact form last Monday as you recommended, so now waiting to see what response comes from that.

Tks, + Sleepy J


I would agree. I haven't noticed many either, but we've got this one reproducible false positive one coming from my genuine correspondent that up to now we can't explain.

Comparing your sample to several test e-mails I've got, there is an amazing difference in the Message-ID: content. The major difference .. your sample is all caps. Next .. the data following the [at] sign is the computer name as seen on the network. Do you believe (and can the user confirm) that this user's computer is 'named' dill99f99894d7 ?????? (Just attempting to imagine the network map of the system that this computer would be a part of and trying to keep the computers involved identifiable using such a strange code ..never mind trying to type in this kind of a sequence while trying to connect to this machine from another)

Possibly some kind of Proxy involved?????


Next .. the data following the [at] sign is the computer name as seen on the network. Do you believe (and can the user confirm) that this user's computer is 'named' dill99f99894d7 ?????? (Just attempting to imagine the network map of the system that this computer would be a part of and trying to keep the computers involved identifiable using such a strange code ..never mind trying to type in this kind of a sequence while trying to connect to this machine from another)

Wazoo: Easy is not always in the minds of the implementation "team".

At my current place of work they decided long ago to name machines based on the internal inventory number or by the Dell Service ID tag (they seem to have been worried about keeping them unique). When user X calls up, we have no way of determining other than walking them through a bunch of clicks what machine they are using.


At my current place of work they decided long ago to name machines based on the internal inventory number or by the Dell Service ID tag (they seem to have been worried about keeping them unique). When user X calls up, we have no way of determining other than walking them through a bunch of clicks what machine they are using.

Been there, seen that <g> You even had me doing flashbacks of something along the same line. At a particular assignment to a Navy-run outfit, there was the 'need' to epoxy a 2"x1.5"x1/8" engraved brass tag to each identifiable piece of high-dollar gear. According to the Officer-in-Charge, this included things like the huge plug-in circuit cards in the main and mini-mainframe computers. Lemme see, one side of the card is basically nothing but the soldered connection points of all the components inserted from the other side .... the top-side of each card is a maze of different height components, all needing that forced air cooling, and of course, when inserted, almost touching the back of the next card in the box. Big choice I offered him ... short-circuit this card, short-circuit the next card, force this set of components to need replacing on a daily, perhaps hourly rate, etc. He next volunteered that I could epoxy the tags to the cabinet of the computer. After my next question, he spent over an hour trying to come up with just where there was enough room for all the tags involved. When I mentioned that circuit cards had a way of moving between computers and the storage shelves back in the shop when they were being worked on or considered spares .... he finally caught on as to why I had issues with his 'plan' <g>

Rambling .. just remembered where I was ....
