Bug 1475 - False positive: Juno relay
Summary: False positive: Juno relay
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.43
Hardware: Other AIX
Importance: P3 normal
Target Milestone: 2.60
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-02-11 20:20 UTC by Brian Orlick
Modified: 2003-05-24 09:44 UTC

Attachment: redacted copy of msg that triggered Juno test falsely (text/plain), submitted by chris [NoCLA]

Description Brian Orlick 2003-02-11 20:20:51 UTC
Received an e-mail from a user of Juno.  The message was most likely sent using
webmail.juno.com.  It was mistakenly identified as being sent via a forged
Juno relay.  Full headers follow.

Received: from webmail1.wlv.untd.com (outbound-16.wlv.untd.com [64.136.16.100])
     by slate.Mines.EDU (8.12.5/8.12.5) with SMTP id h15N2Y0u121562
     for <xxxxxxx@Mines.EDU>; Wed, 5 Feb 2003 16:02:34 -0700
Received: from cookie.juno.com by cookie.juno.com for 
<"K8bQIcH/5F84kCa+a5YOmR4GSd+PEpmETm8TgM9jIAa4M3w2CxSL9Q==">
Received: (from xxxxxxxxx@juno.com)
     by webmail1.wlv.untd.com (jqueuemail) id HQASNN23; Wed, 05 Feb 2003 
15:02:17 PST
X-Original-From: xxxxxxxxx@juno.com
Date: Wed, 5 Feb 2003 23:01:48 GMT
To: xxxxxxx@mines.edu
Subject: *****SPAM***** Re:Re: Keeping Life Together
X-Mailer: Juno Webmail Version 1.0
Received: from [12.84.119.204] by webmail1.wlv.untd.com
X-Originating-IP: [12.84.119.204]
From: xxxxxxxxx@juno.com
Message-ID: <20030205.150217.531.92208@webmail1.wlv.untd.com>
X-MailScanner: No currently known viruses detected (postmaster@Mines.EDU)
X-Spam-Status: Yes, hits=9.3 required=5.0
     tests=DEAR_SOMEBODY,FORGED_JUNO_RCVD,FORGED_RCVD_FOUND,
     FORGED_RCVD_TRAIL,FROM_ENDS_IN_NUMS,NO_REAL_NAME,ONLY_COST,
     SPAM_PHRASE_05_08,SUPERLONG_LINE
     version=2.43
X-Spam-Flag: YES
X-Spam-Level: *********
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)
X-Spam-Report: 9.30 hits, 5 required;
     * 1.3 -- From: does not include a real name
     * 0.9 -- From: ends in numbers
     * 0.8 -- Possibly-forged 'Received:' header found
     * 0.2 -- BODY: Only $$$
     * 0.1 -- BODY: Contains 'Dear Somebody'
     * 1.6 -- BODY: Spam phrases score is 05 to 08 (medium)
     [score: 6]
     * 0.0 -- BODY: Contains a line >=199 characters long
     * 2.4 -- 'From' juno.com does not match 'Received' headers
     * 2.0 -- trail of Received: headers seems to be forged
Comment 1 Daniel Quinlan 2003-03-06 15:58:21 UTC
It definitely appears to be a forged message.  It looks like juno.com can't
configure the mail servers to add Received: headers that make sense.

a juno.com user -> webmail1.wlv.untd.com
missing step ???
cookie.juno.com -> cookie.juno.com
webmail1.wlv.untd.com -> slate.Mines.EDU

untd.com appears to be the same company as juno.com

Also, next time, please attach a complete example instead of a cut-and-paste of
headers.  If you have additional examples, please attach them; they could be
useful in trying to figure out a work-around.

Comment 2 chris 2003-04-17 12:10:48 UTC
Created attachment 895 [details]
redacted copy of msg that triggered Juno test falsely
Comment 3 Theo Van Dinter 2003-05-24 17:44:09 UTC
added untd.com to the forged re.
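As an added illustration (Python, not SpamAssassin's own Perl code), a simplified re-creation of the check behind FORGED_JUNO_RCVD: a juno.com sender is flagged unless some Received: header records a relay hop from a host under an accepted provider domain. Run on a constructed copy of the headers quoted above, the original suffix list ("juno.com" only) fires, and the list extended with untd.com, as in comment 3, does not. The exact regular expression and the hop shape it requires are assumptions, not the rule's real source.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the headers quoted in the bug report; it is
# not the bug's attachment and keeps the report's redactions.
SAMPLE_MSG = """\
Received: from webmail1.wlv.untd.com (outbound-16.wlv.untd.com [64.136.16.100])
    by slate.Mines.EDU (8.12.5/8.12.5) with SMTP id h15N2Y0u121562
    for <xxxxxxx@Mines.EDU>; Wed, 5 Feb 2003 16:02:34 -0700
Received: from cookie.juno.com by cookie.juno.com for
    <"K8bQIcH/5F84kCa+a5YOmR4GSd+PEpmETm8TgM9jIAa4M3w2CxSL9Q==">
Received: (from xxxxxxxxx@juno.com)
    by webmail1.wlv.untd.com (jqueuemail) id HQASNN23; Wed, 05 Feb 2003 15:02:17 PST
Received: from [12.84.119.204] by webmail1.wlv.untd.com
From: xxxxxxxxx@juno.com

body
"""
# Constructed forged sample: juno.com sender, but no hop through a Juno/UNTD host.
FORGED_MSG = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by slate.Mines.EDU (8.12.5/8.12.5) with SMTP id h15N2Y0u999999
From: someone@juno.com

body
"""

IP_LITERAL = r"\d{1,3}(?:\.\d{1,3}){3}"

def relay_hop_seen(msg: Message, suffixes) -> bool:
    """True if some Received: header records a hop *from* a host under one of
    `suffixes`, with a bracketed IP literal, *by* the next server (assumed shape)."""
    hosts = "|".join(re.escape(s) for s in suffixes)
    pat = re.compile(rf"^from\s+\S*\b(?:{hosts})\b.*?[\[(]{IP_LITERAL}[\])].*?\bby\b",
                     re.IGNORECASE)
    # Unfold continuation lines before matching.
    return any(pat.search(" ".join(r.split())) for r in msg.get_all("Received", []))

def forged_juno_rcvd(raw: str, suffixes=("juno.com",)) -> bool:
    """Fire when a juno.com sender shows no relay hop through an accepted host.
    ("juno.com",) models the rule before the fix; add "untd.com" for comment 3's fix."""
    msg = message_from_string(raw)
    if not msg.get("From", "").strip().lower().endswith("@juno.com"):
        return False          # rule only applies to juno.com senders
    return not relay_hop_seen(msg, suffixes)
```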