Bug 1970 - Fix FORGED_MUA_OUTLOOK for Outlook 2003 till Sep/Oct 2003
Summary: Fix FORGED_MUA_OUTLOOK for Outlook 2003 till Sep/Oct 2003
Status: RESOLVED DUPLICATE of bug 2538
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: SVN Trunk (Latest Devel Version)
Hardware: All, OS: All
Importance: P1 major
Target Milestone: 2.61
Assignee: SpamAssassin Developer Mailing List
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Keywords:
Duplicates: 2239 2309 2318 2471 2627 3281 3355
Depends on:
Blocks: 2344

Reported: 2003-05-25 19:30 UTC by spamassassin
Modified: 2004-07-06 05:12 UTC
CC: 8 users



Attachments:
  Additional outlook 2003beta2 (NOT technical refresh 2!) headers via another account (text/plain, submitted by Andy)
  Another legitimate Outlook mail detected as forged (text/plain, submitted by Roald Zellweger)

Description spamassassin 2003-05-25 19:30:34 UTC
From: =?iso-8859-1?q?Joel_Franco_Guzm=E1n?= <joel@netlocal.com.br>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spamassassin: FORGED_MUA_OUTLOOK test detects legitimate Outlook mail
Date: Thu, 10 Apr 2003 14:05:02 -0300

Package: spamassassin
Version: 2.53-1
Severity: minor

The FORGED_MUA_OUTLOOK test has flagged an email written by an Outlook
client as if it could be forged.
I don't know why it did that, because I didn't find any documentation about
that test. The relevant parts of the email are attached.

Thank You,

Content analysis details:   (5.20 points, 5 required)
NO_REAL_NAME          (0.7 points)  From: does not include a real name
X_MAILING_LIST        (-0.0 points) Has a X-Mailing-List header
HTML_FONT_FACE_ODD    (0.2 points)  BODY: HTML font face is not a commonly used face
HTML_WEB_BUGS         (0.1 points)  BODY: Image tag with an ID code to identify you
HTML_TAG_BALANCE_BODY (0.6 points)  BODY: HTML has unbalanced "body" tags
HTML_MESSAGE          (0.1 points)  BODY: HTML included in message
HTML_50_60            (0.2 points)  BODY: Message is 50% to 60% HTML
FORGED_MUA_OUTLOOK    (3.3 points)  Forged mail pretending to be from MS Outlook

THE HEADER.....

Return-path: retornadas-100038-1-joel.franco=3wt.com.br@retornadas.grupos.com.br
Envelope-to: joel@localhost
Delivery-date: Thu, 10 Apr 2003 09:24:56 -0300
Received: from localhost ([127.0.0.1])
        by thor.gds with esmtp (Exim 3.36 #1 (Debian))
        id 193b6u-0007sx-00
        for <joel@localhost>; Thu, 10 Apr 2003 09:24:56 -0300
Received: from web2.3wt.com.br [200.201.129.101]
        by localhost with POP3 (fetchmail-6.1.2)
        for joel@localhost (single-drop); Thu, 10 Apr 2003 09:24:56 -0300 (BRT)
Received: from out20.grupos.com.br (out20.grupos.com.br [66.227.104.181])
        by mx1.3wt.com.br (Postfix) with SMTP id A7CA1367B6
        for <joel.franco@3wt.com.br>; Thu, 10 Apr 2003 09:21:15 -0300 (BRT)
Received: GruposMTA 16232 at out10.grupos.com.br; 10 Apr 2003 09:23:03 -0200
X-Grupos-Retornadas: <retornadas-100038-1-joel.franco=3wt.com.br@retornadas.grupos.com.br>
Date: Thu, 10 Apr 2003 08:44:54 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0042_01C2FF3D.756311B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Grupos: Controle
To: grupo3.uac@grupos.com.br
X-Mailing-List: grupo3.uac@grupos.com.br
From: fsap@power.ufscar.br
Reply-To: grupo3.uac@grupos.com.br
MIME-Version: 1.0
Subject: [GrupoIII - UAC] inaugurando a discussão....
Message-Id: <20034109233.16232@out10.grupos.com.br>
Comment 1 spamassassin 2003-05-25 19:32:40 UTC
BTW, I don't want to hear any complaints about headers pasted not attached.

This should be fixed by adding a check in check_messageid_not_usable, for
X-Mailing-List or X-Grupos or X-Grupos-Retornadas or something.
Comment 2 Henry James 2003-07-22 11:43:38 UTC
Bug #2239 confirms this for Outlook 2003 Beta 2:

  X-Mailer: Microsoft Outlook, Build 11.0.4920
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

And I confirm it for Outlook 2003 Beta 2 Technical Refresh (yeah, doesn't *that*
look like a typical Microsoft naming):

  X-Mailer: Microsoft Office Outlook, Build 11.0.5329
  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

In addition to:

  *  3.5 -- Forged mail pretending to be from MS Outlook

Outlook 2003 Beta 2 Technical Refresh gets yet another score:

  *  0.6 -- Message looks like Outlook, but isn't

Which is because in "20_head_tests.cf":

  header __HAS_OUTLOOK_IN_MAILER X-Mailer =~ /Microsoft (CDO|Outlook)\b/

which should obviously be changed to something like:

  header __HAS_OUTLOOK_IN_MAILER X-Mailer =~
    /Microsoft (CDO|(Office )?Outlook)\b/
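The two fixes discussed so far, side by side: comment 1's idea of skipping the Message-ID based forgery check when list software may have rewritten the Message-ID (check_messageid_not_usable), and comment 2's widening of __HAS_OUTLOOK_IN_MAILER so that "Microsoft Office Outlook" is recognised. This is an added example, not code from this bug or from SpamAssassin: a simplified Python model of the checks rather than the project's Perl rule engine. The two X-Mailer regexes are copied from comment 2 (the stray closing parenthesis dropped); the set of list-software headers, the shape of the MISSING_OUTLOOK_NAME meta rule and the constructed header blocks (assembled from headers pasted in this bug) are assumptions made for the example.

```python
import re
from email import message_from_string

# Rule regex quoted in comment 2 from 20_head_tests.cf (a Perl regex; Python's re reads it the same).
OLD_OUTLOOK_MAILER = re.compile(r"Microsoft (CDO|Outlook)\b")
# Widened form suggested in comment 2, with the stray ')' dropped.
NEW_OUTLOOK_MAILER = re.compile(r"Microsoft (CDO|(Office )?Outlook)\b")

# Headers that, following comment 1, mark a Message-ID as possibly rewritten by list
# software. Which headers belong here is an assumption made for this example.
LIST_REWRITE_HEADERS = ("X-Mailing-List", "X-Grupos", "X-Grupos-Retornadas")


def has_outlook_in_mailer(msg, pattern=NEW_OUTLOOK_MAILER):
    """Stand-in for __HAS_OUTLOOK_IN_MAILER: does X-Mailer claim Outlook or CDO?"""
    return pattern.search(msg.get("X-Mailer", "")) is not None


def has_mimeole(msg):
    """X-MimeOLE says the message was produced by Microsoft MimeOLE."""
    return msg.get("X-MimeOLE", "").startswith("Produced By Microsoft MimeOLE")


def missing_outlook_name(msg, pattern=NEW_OUTLOOK_MAILER):
    """Approximation of MISSING_OUTLOOK_NAME ("looks like Outlook, but isn't"):
    Microsoft MimeOLE present while X-Mailer does not match the Outlook pattern.
    The real meta rule is not shown on this page; this shape is assumed."""
    return has_mimeole(msg) and not has_outlook_in_mailer(msg, pattern)


def messageid_not_usable(msg):
    """Why the Message-ID cannot serve as MUA evidence, or None if it can.
    Models the check_messageid_not_usable extension proposed in comment 1."""
    if msg.get("Message-ID") is None:          # header lookup is case-insensitive
        return "no Message-ID (Outlook 2003 leaves it to the SMTP server)"
    for h in LIST_REWRITE_HEADERS:
        if msg.get(h) is not None:
            return f"{h} present: list software may have replaced the Message-ID"
    return None


def forgery_test_applies(raw, pattern=NEW_OUTLOOK_MAILER):
    """Gate for a FORGED_MUA_OUTLOOK-style test: run the Message-ID based forgery
    check only when X-Mailer claims Outlook AND the Message-ID is usable."""
    msg = message_from_string(raw)
    return has_outlook_in_mailer(msg, pattern) and messageid_not_usable(msg) is None


# Constructed samples, assembled from headers pasted in this bug (bodies omitted).
OUTLOOK_2003_TR2 = """\
X-Mailer: Microsoft Office Outlook, Build 11.0.5329
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: AcNR+dSIxujVhyv/SrWH2nISdGI94w==

"""
LIST_REWRITTEN_OE = """\
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Mailing-List: grupo3.uac@grupos.com.br
X-Grupos: Controle
Message-Id: <20034109233.16232@out10.grupos.com.br>

"""
MAC_OE_MTA_MSGID = """\
X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295)
Message-Id: <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.245.29]>

"""


def classify(raw, pattern=NEW_OUTLOOK_MAILER):
    """Summarise what each sub-check says about one header block."""
    msg = message_from_string(raw)
    return {
        "outlook_in_mailer": has_outlook_in_mailer(msg, pattern),
        "missing_outlook_name": missing_outlook_name(msg, pattern),
        "messageid_not_usable": messageid_not_usable(msg),
        "forgery_test_applies": forgery_test_applies(raw, pattern),
    }


if __name__ == "__main__":
    for name, raw in [("Outlook 2003 TR2", OUTLOOK_2003_TR2),
                      ("OE via list", LIST_REWRITTEN_OE),
                      ("Mac OE", MAC_OE_MTA_MSGID)]:
        print(name, "old regex:", classify(raw, OLD_OUTLOOK_MAILER))
        print(name, "new regex:", classify(raw))
```

With the old regex the Outlook 2003 TR2 headers fail __HAS_OUTLOOK_IN_MAILER and so pick up the "looks like Outlook, but isn't" meta; with the widened regex they match. The Message-ID gate then skips both the Message-ID-less TR2 mail and the list-rewritten one. The Mac Outlook Express case from comment 17, whose Message-ID was generated by the MTA, still passes the gate, so that false positive needs a fix in the rule itself rather than in the gate.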
Comment 3 Malte S. Stretz 2003-07-23 12:06:02 UTC
*** Bug 2239 has been marked as a duplicate of this bug. ***
Comment 4 Malte S. Stretz 2003-07-23 12:15:12 UTC
a) Outlook 2003 seems to follow a new X-Mailer pattern. 
b) Some list software can't keep its fingers off the Message-Id. 
c) This might be fixed in 2.60-cvs as these rules have changed. 
d) Could somebody *please* attach a sample mail to test against? 
e) Bug 2239 has some more information though not very much ;-) 
Comment 5 Andy 2003-07-23 12:43:22 UTC
Created attachment 1181 [details]
Additional outlook 2003beta2 (NOT technical refresh 2!) headers via another account

Dear Malte and his colleagues,

I've attached another set of headers at your request.
Please notice there's no Message-ID. 
Maybe the Auto- line is added by CommuniGate? 

I hope you will manage to fix it for TR2.
I'm going to technically refresh-2 soon :)

Many thanks for your help!!!!

Andy.
Comment 6 Malte S. Stretz 2003-07-23 13:00:29 UTC
Huh? No Message-Id at all?? I guess the beta 2 is pretty buggy :-/ (Jepp, 
that Auto- header was most probably added by CommuniGate because it didn't 
detect one.) Sorry, without Outlook producing valid e-mails, we can't write or 
modify any rules. I hope the TR2 behaves better... 
Comment 7 Justin Mason 2003-07-23 13:05:39 UTC
I'm pretty sure this bug is a dupe.  and yes, Outlook 2003 really does
not generate a Message-ID header for some reason!  it's psychotic!!
Comment 8 Malte S. Stretz 2003-07-23 13:21:44 UTC
Bug 2107 is also about missing Message-Ids but with Outlook 9. I think I 
remember a bug or commit which was about Outlook not doing something when you 
switch from the Exchange-mode to IMO but I can't find it again... 
Comment 9 Andy 2003-07-23 14:06:07 UTC
spamassassin-contrib@msquadrat.de: my bug 2239 is not about MsgIDs. The problem
is that MS has changed the product ID for unknown reason.

I'm sure rules can be changed now (and believe they should be) to prevent
massive problems for Office 2003 users in the near future. TR2 is an official
pre-release version (AFAIK it's about a month till the final release). 

This is now my primary e-mail client and I do experience serious problems with
false ratings. Besides that, it's far more convenient and easy to deal with tons
of messages. I'm sure there will be plenty of users right after the release.
Comment 10 Andy 2003-07-24 08:36:36 UTC
I did it! Technical Refresh 2 loads and works faster. 
here I include the part of 2003-TR2 outlook-specific headers.

bye-bye, message IDs!
welcome, Thread-Index!
seems like that.

Subject: =?koi8-r?B?1MXT1A==?=
Date: Wed, 23 Jul 2003 23:29:09 +0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="koi8-r"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Outlook, Build 11.0.4920
Thread-Index: AcNRULBakAEUaBPTRNG+7TSohX36Kw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Andy.
Comment 11 Andy 2003-07-24 08:43:53 UTC
I've posted an OBSOLETE code in my previous post. I'm sorry.
here goes the actual TR2 part:

Subject: =?koi8-r?B?1MXT1A==?=
Date: Thu, 24 Jul 2003 19:39:55 +0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="koi8-r"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Office Outlook, Build 11.0.5329
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: AcNR+dSIxujVhyv/SrWH2nISdGI94w==

anyways, Thread-Index is used instead of msgids.

Andy.
Comment 12 Justin Mason 2003-07-24 10:55:13 UTC
no, Thread-Index is not a replacement for Message-Ids -- it's an
Exchange-specific threading header which AFAIK the entire thread of replies will
share. (not sure why they had to invent a new header given that the technology
to do threading without it is available, but hey).

Outlook 2003-TR2 really is not generating Message-Ids.   This is valid
behaviour, technically; RFC 2822 states:

 3.6.4. Identification fields

   Though optional, every message SHOULD have a "Message-ID:" field.

unfortunately it breaks our outlook-forgery tests, will cause FPs, will cause
Outlook messages to be dropped by many ISPs using their own antispam filters, 
and it's unclear why they did this.  But we have to support it ;)
Comment 13 Henry James 2003-07-24 13:28:01 UTC
Suggest to change the bug summary to:

  FORGED_MUA_OUTLOOK, MISSING_OUTLOOK_NAME false positives

or something alike.
Comment 14 Brian White 2003-07-25 06:53:48 UTC
Subject: Re: [SAdev]  FORGED_MUA_OUTLOOK test detects legitimate mail 
 sent with Outlook 2003 (v11)

> ------- Additional Comments From jm@jmason.org  2003-07-24 10:55 -------
> no, Thread-Index is not a replacement for Message-Ids -- it's an
> Exchange-specific threading header which AFAIK the entire thread of replies will
> share. (not sure why they had to invent a new header given that the technology
> to do threading without it is available, but hey).

Has anybody written to Microsoft telling them that the change they are
making will cause Outlook mail to be "rejected as spam by X% of the world's
email"?  Perhaps they might consider fixing it if it will cause their users
some grief.  One can always hope, anyway.

                                          Brian
                                 ( bcwhite@precidia.com )

-------------------------------------------------------------------------------
 ... was no trading on the NYSE today; everybody was happy with what they had.

Comment 15 Malte S. Stretz 2003-07-28 14:05:57 UTC
I tried to contact the Outlook developers via [1] (found via [5,6]) and it 
seems like they really try to keep in touch with the beta testers. Yes, a real 
developer, Jeff Stephenson, responded to my posting [2] (you see how surprised 
I am/was ;-) and said [3,4]: 
 
| Neo's right (I'm the developer he refers to).  We made this change because 
| we've had a number of complaints about revealing internal machine names in 
| the Message-IDs we generated.  As you know, a message id has an ID portion 
| preceding the '@' sign, followed by the name of the machine that generated 
| that ID.  So if, for example, you're sending mail via your ISP or Hotmail 
| from your work machine, your work machine's name would be in the Message-ID. 
|  
| A number of people have objected to this for two major reasons: 
|  
| 1) Revealing internal machine names provides information that hackers can 
| potentially use to compromise the network. 
| 2) They don't want to reveal their employer when sending mail via their ISP 
| from work, and a message id generated by Outlook would contain the domain 
| name of their employer. 
|  
| We felt that the requests to change this were very valid, and thus changed 
| Outlook so that it relies on the SMTP server to generate the message id. 
 
So, whatever problems this brings us and probably the future Outlook 2003 
users (I think about rejected mails etc.), this step has obviously been taken 
deliberately. 
 
[1]nntp://news.microsoft.com/microsoft.public.outlook.general 
[2]news:1456203.UzchhEFHTG@malte.stretz.eu.org 
[3]http://communities.microsoft.com/newsgroups/previewFrame.asp?ICP=Prod_officebeta&sLCID=us&sgroupURL=microsoft.public.outlook.general&sMessageID=%253C%2523LvON%2523TVDHA.2164@TK2MSFTNGP09.phx.gbl%253E 
[4]news:#LvON#TVDHA.2164@TK2MSFTNGP09.phx.gbl 
[5]http://www.microsoft.com/office/Preview/editions/default.asp 
[6]http://communities.microsoft.com/newsgroups/default.asp?icp=Prod_officebeta&slcid=us 
 
Comment 16 Justin Mason 2003-07-28 14:38:51 UTC
whoa, nice one Malte ;)   I didn't realise one could do that without being on
the beta program, officially.

any chance you could post a suggestion that they hash the real site name into
something unrecognisable, and generate a MID using that, just so that a
Message-Id header with *some* data *will* appear?  I'm pretty sure there's a lot
of spamfilters out there -- not just SA -- that will FP like crazy on this.
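Justin's suggestion above (hash the real site name into something unrecognisable and build the Message-ID from that, so a Message-ID with some data is still present) worked through, as an added example that is not code from this bug, from SpamAssassin or from Outlook. Python, with a keyed hash (HMAC-SHA256 under a per-installation secret) of the host name as the right-hand side, placed under the RFC 2606 reserved .invalid TLD so it cannot collide with a real domain. The secret, the .invalid suffix, the naive "before" generator shown alongside and the host name used in the demo are assumptions made here.

```python
import hashlib
import hmac
import re
import secrets
import time

# Syntax check for the result: RFC 2822 msg-id is "<" id-left "@" id-right ">".
MSGID_RE = re.compile(r"^<[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9.-]+>$")


def naive_message_id(hostname, now=None, nonce=None):
    """The 'before' shape the Outlook developer objects to in comment 15:
    unique, but the right-hand side is the real machine name."""
    stamp = int((time.time() if now is None else now) * 1_000_000)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    return f"<{stamp:x}.{nonce}@{hostname}>"


def obscured_domain(hostname, secret):
    """Keyed hash of the real host name: stable for one installation (so the
    right-hand side stays consistent across a user's mail), unrecognisable
    without the secret. The '.invalid' suffix is a design choice for this example."""
    mac = hmac.new(secret, hostname.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:24] + ".invalid"


def generate_message_id(hostname, secret, now=None, nonce=None):
    """Message-ID that keeps uniqueness (time stamp plus random nonce on the
    left) but not the machine name. `now` and `nonce` are injectable so the
    function is deterministic under test."""
    stamp = int((time.time() if now is None else now) * 1_000_000)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    return f"<{stamp:x}.{nonce}@{obscured_domain(hostname, secret)}>"


def leaks_hostname(msgid, hostname):
    """True when any meaningful label of the real host name survives in the id."""
    labels = [lbl for lbl in hostname.lower().split(".") if len(lbl) >= 4]
    return any(lbl in msgid.lower() for lbl in labels)


if __name__ == "__main__":
    # Constructed demo values; a real client would keep the secret in its profile.
    secret = b"per-installation-secret"
    host = "corp-desktop42.internal.example.com"
    before = naive_message_id(host)
    after = generate_message_id(host, secret)
    print("naive:   ", before, "leaks host name:", leaks_hostname(before, host))
    print("obscured:", after, "leaks host name:", leaks_hostname(after, host))
```

A filter that only checks for the presence and syntax of a Message-ID is satisfied by the obscured form, and the right-hand side is the same for every message from that installation, which is what threading and duplicate detection care about; only the mapping back to the real host is gone.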
Comment 17 Tony Finch 2003-07-29 02:18:05 UTC
I have seen three false positives from an MUA that identifies itself with
X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295)

This also relies on the MTA to generate the message-ID (I've seen an Exim M-ID
and two kinds of Sendmail M-ID).

I'll have to ask the users concerned for permission to post the full headers here.
Comment 18 Sebastian Nohn 2003-07-30 02:48:30 UTC
Verified:

--- cut here ----
Return-Path: <sebastian@xxxx>
Received: from obelix.xxxx ([217.160.134.148]) by mailin03.xxxx
	with esmtp id 19hmQa-28qGsC0; Wed, 30 Jul 2003 10:35:20 +0200
[....]
Received: from [80.142.3.205] (helo=dtp1)
	by mrvdomng.xxxx with esmtp (Exim 3.35 #1)
	id 19hmQM-0006wW-00
	for sebastian@xxxx; Wed, 30 Jul 2003 10:35:06 +0200
Return-Receipt-To: "kathrin zzzz" <kathrin.zzzz@xxxx>
From: "kathrin stein" <kathrin.stein@xxxx>
To: <sebastian@xxxx>
Subject: Kino & co
Date: Wed, 30 Jul 2003 10:30:25 +0200
Message-ID:
<!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAxLg62a4REkesc/XNhIOkKcKAAAAQAAAAmMmlsWcs7EWkvRsrMkjGDwEAAAAA@scopeone.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0000_01C35685.9755FD60"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Disposition-Notification-To: "kathrin zzzz" <kathrin.zzzz@xxxx>
X-Spam-Status: No, hits=0.7 required=5.0
	tests=BAYES_20,FORGED_MUA_OUTLOOK,MSGID_CHARS_SPAM,RCVD_IN_NJABL
	version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Seen: false
--- cut here ----
Comment 19 Roald Zellweger 2003-07-31 04:06:56 UTC
Created attachment 1197 [details]
Another legitimate Outlook mail detected as forged

I've added a mail by OE 4.x detected as forged (Forged_Mua_Outlook).
Comment 20 Malte S. Stretz 2003-08-12 04:34:02 UTC
*** Bug 2309 has been marked as a duplicate of this bug. ***
Comment 21 Malte S. Stretz 2003-08-12 04:35:48 UTC
I think we've gotta fix (or axe) this test in the 2.6x branch... 
Comment 22 Chris Blaise 2003-08-12 10:08:03 UTC
This is caused by the presence of the 
Disposition-Notification-To: "User" <user@domain>
header.
This is obtained by composing a message and under View->Options, 
checking "Request read receipt for this message"
Comment 23 Malte S. Stretz 2003-08-14 09:19:18 UTC
*** Bug 2318 has been marked as a duplicate of this bug. ***
Comment 24 Malte S. Stretz 2003-08-21 04:11:56 UTC
Heise just reported [6] that Office 2003 will be officially released on 
October 21st. Corporate licensees will get it already sometime in September. 
Guess I'll have a look at these rules next weekend... 
 
[6]http://www.heise.de/newsticker/data/hps-20.08.03-000/ 
Comment 25 Malte S. Stretz 2003-08-30 09:19:02 UTC
Hm. I just discovered bug 1717 which says this is fixed... (But obviously it 
isn't) 
Comment 26 Theo Van Dinter 2003-09-17 03:34:53 UTC
*** Bug 2471 has been marked as a duplicate of this bug. ***
Comment 27 Bill Leuze 2003-09-18 09:53:27 UTC
Regarding comment #17, here is an example of a positive for a legitimate message 
from "X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295)":
The header (with sender's name and IP concealed):

Return-Path: <sendersname@telus.net>
Received: from priv-edtnes10-hme0.telusplanet.net (outbound02.telus.net [199.185.220.221]) by star3.baremetal.com (8.12.9/8.12.9) with ESMTP id h8G2GhkV003817 for <systems@haven.ca>; Mon, 15 Sep 2003 19:16:43 -0700
Received: from [209.53.xxx.xxx] by priv-edtnes10-hme0.telusplanet.net (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.xxx.xxx]> for <systems@haven.ca>; Mon, 15 Sep 2003 20:17:05 -0600
X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295) 
Date: Mon, 15 Sep 2003 19:18:08 -0700
Subject: Re: spam bouncing fixed
From: Senders Name <sendersname@telus.net>
To: Bill Leuze <systems@haven.ca>
Mime-version: 1.0
X-Priority: 3
Content-type: multipart/alternative; boundary="MS_Mac_OE_3146498288_45056_MIME_Part"
Message-Id: <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.245.29]>
X-Scanned-By: MIMEDefang 2.36
X-Spam-Status: No, hits=-94.7 required=5.0 tests=FORGED_MUA_OUTLOOK,HTML_10_20,HTML_FONT_COLOR_BLUE,HTML_MESSAGE,MIME_LONG_LINE_QP,USER_IN_WHITELIST version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Envelope-To: systems@haven.ca
X-UIDL: 7d25fb7527b86057a6fce909449c3314
Status: U
X-Evolution-Source: pop://systems@haven.ca/
Comment 28 Daniel Quinlan 2003-09-30 01:35:03 UTC
*** Bug 1192 has been marked as a duplicate of this bug. ***
Comment 29 Henry James 2003-10-01 06:26:09 UTC
Obviously, this bug is about one effect (Outlook mails mistreated as fakes) of
multiple, partially unrelated causes. It covers (or merely *tries* to cover)
code in different places that needs to be fixed. Since many of those fixes are
independent from each other, I think this is rather a meta bug, and it may be
better if we split it.

One of those fixes is very easy, and I suggested a fix in comment #2. Please,
can someone with CVS commit access make this simple fix as soon as possible?
Comment 30 Daniel Quinlan 2003-10-01 18:16:32 UTC
merging into meta bug 2538

*** This bug has been marked as a duplicate of 2538 ***
Comment 31 Theo Van Dinter 2003-12-15 21:20:31 UTC
*** Bug 2627 has been marked as a duplicate of this bug. ***
Comment 32 Malte S. Stretz 2004-07-06 13:07:03 UTC
*** Bug 3355 has been marked as a duplicate of this bug. ***
Comment 33 Malte S. Stretz 2004-07-06 13:12:09 UTC
*** Bug 3281 has been marked as a duplicate of this bug. ***