SA Bugzilla – Bug 1970
Fix FORGED_MUA_OUTLOOK for Outlook 2003 till Sep/Oct 2003
Last modified: 2004-07-06 05:12:09 UTC
From: Joel Franco Guzmán <joel@netlocal.com.br>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spamassassin: FORGED_MUA_OUTLOOK test detects legitimate Outlook mail
Date: Thu, 10 Apr 2003 14:05:02 -0300

Package: spamassassin
Version: 2.53-1
Severity: minor

The FORGED_MUA_OUTLOOK test has detected an email written by an Outlook client as if it could be forged. I don't know why it did that, because I didn't find any documentation about that test. The relevant parts of the email are attached.

Thank you,

Content analysis details: (5.20 points, 5 required)
NO_REAL_NAME (0.7 points) From: does not include a real name
X_MAILING_LIST (-0.0 points) Has a X-Mailing-List header
HTML_FONT_FACE_ODD (0.2 points) BODY: HTML font face is not a commonly used face
HTML_WEB_BUGS (0.1 points) BODY: Image tag with an ID code to identify you
HTML_TAG_BALANCE_BODY (0.6 points) BODY: HTML has unbalanced "body" tags
HTML_MESSAGE (0.1 points) BODY: HTML included in message
HTML_50_60 (0.2 points) BODY: Message is 50% to 60% HTML
FORGED_MUA_OUTLOOK (3.3 points) Forged mail pretending to be from MS Outlook

THE HEADER.....

Return-path: retornadas-100038-1-joel.franco=3wt.com.br@retornadas.grupos.com.br
Envelope-to: joel@localhost
Delivery-date: Thu, 10 Apr 2003 09:24:56 -0300
Received: from localhost ([127.0.0.1]) by thor.gds with esmtp (Exim 3.36 #1 (Debian)) id 193b6u-0007sx-00 for <joel@localhost>; Thu, 10 Apr 2003 09:24:56 -0300
Received: from web2.3wt.com.br [200.201.129.101] by localhost with POP3 (fetchmail-6.1.2) for joel@localhost (single-drop); Thu, 10 Apr 2003 09:24:56 -0300 (BRT)
Received: from out20.grupos.com.br (out20.grupos.com.br [66.227.104.181]) by mx1.3wt.com.br (Postfix) with SMTP id A7CA1367B6 for <joel.franco@3wt.com.br>; Thu, 10 Apr 2003 09:21:15 -0300 (BRT)
Received: GruposMTA 16232 at out10.grupos.com.br; 10 Apr 2003 09:23:03 -0200
X-Grupos-Retornadas: <retornadas-100038-1-joel.franco=3wt.com.br@retornadas.grupos.com.br>
Date: Thu, 10 Apr 2003 08:44:54 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0042_01C2FF3D.756311B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Grupos: Controle
To: grupo3.uac@grupos.com.br
X-Mailing-List: grupo3.uac@grupos.com.br
From: fsap@power.ufscar.br
Reply-To: grupo3.uac@grupos.com.br
MIME-Version: 1.0
Subject: [GrupoIII - UAC] inaugurando a discussão....
Message-Id: <20034109233.16232@out10.grupos.com.br>
BTW, I don't want to hear any complaints about headers pasted not attached. This should be fixed by adding a check in check_messageid_not_usable, for X-Mailing-List or X-Grupos or X-Grupos-Retornadas or something.
Bug #2239 confirms this for Outlook 2003 Beta 2:

X-Mailer: Microsoft Outlook, Build 11.0.4920
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

And I confirm it for Outlook 2003 Beta 2 Technical Refresh (yeah, doesn't *that* look like a typical Microsoft naming):

X-Mailer: Microsoft Office Outlook, Build 11.0.5329
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

In addition to:

* 3.5 -- Forged mail pretending to be from MS Outlook

Outlook 2003 Beta 2 Technical Refresh gets yet another score:

* 0.6 -- Message looks like Outlook, but isn't

Which is because in "20_head_tests.cf":

header __HAS_OUTLOOK_IN_MAILER X-Mailer =~ /Microsoft (CDO|Outlook)\b/

which should obviously be changed to something like:

header __HAS_OUTLOOK_IN_MAILER X-Mailer =~ /Microsoft (CDO|(Office )?Outlook)\b/
*** Bug 2239 has been marked as a duplicate of this bug. ***
a) Outlook 2003 seems to follow a new X-Mailer pattern.
b) Some list software can't keep its fingers from the Message-Id.
c) This might be fixed in 2.60-cvs as these rules have changed.
d) Could somebody *please* attach a sample mail to test against?
e) Bug 2239 has some more information, though not very much ;-)
Created attachment 1181 [details]
Additional Outlook 2003 beta2 (NOT Technical Refresh 2!) headers via another account

Dear Malte and his colleagues, I've attached more headers on your request. Please notice there's no Message-Id. Maybe the Auto- line is added by CommuniGate? I hope you will manage to fix it for TR2. I'm going to technically refresh-2 soon :) Many thanks for your help!!!! Andy.
Huh? No Message-Id at all?? I guess the beta 2 is pretty buggy :-/ (Jepp, that auto- header was most probably added by CommuniGate because it didn't detect one.) Sorry, without Outlook producing valid e-mails, we can't write or modify any rules. I hope the TR2 behaves better...
I'm pretty sure this bug is a dupe. and yes, Outlook 2003 really does not generate a Message-ID header for some reason! it's psychotic!!
Bug 2107 is also about missing Message-Ids but with Outlook 9. I think I remember a bug or commit which was about Outlook not doing something when you switch from the Exchange-mode to IMO but I can't find it again...
spamassassin-contrib@msquadrat.de: my bug 2239 is not about MsgIDs. The problem is that MS has changed the product ID for an unknown reason. I'm sure rules can be changed now (and believe they should be) to prevent massive problems for Office 2003 users in the near future. TR2 is an official pre-release version (afaik it's about a month till the final release). This is now my primary e-mail client and I do experience serious problems with false ratings. Besides that, it's far more convenient and easy to deal with tons of messages. I'm sure there will be plenty of users right after the release.
I did it! Technical Refresh 2 loads and works faster. Here I include the part of 2003-TR2 Outlook-specific headers. Bye-bye, message IDs! Welcome, Thread-Index! Seems like that.

Subject: =?koi8-r?B?1MXT1A==?=
Date: Wed, 23 Jul 2003 23:29:09 +0400
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Outlook, Build 11.0.4920
Thread-Index: AcNRULBakAEUaBPTRNG+7TSohX36Kw==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Andy.

I've posted OBSOLETE code in my previous post. I'm sorry. Here goes the actual TR2 part:

Subject: =?koi8-r?B?1MXT1A==?=
Date: Thu, 24 Jul 2003 19:39:55 +0400
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Office Outlook, Build 11.0.5329
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: AcNR+dSIxujVhyv/SrWH2nISdGI94w==

Anyways, Thread-Index is used instead of msgids. Andy.
no, Thread-Index is not a replacement for Message-Ids -- it's an Exchange-specific threading header which AFAIK the entire thread of replies will share. (not sure why they had to invent a new header given that the technology to do threading without it is available, but hey).

Outlook 2003-TR2 really is not generating Message-Ids. This is valid behaviour, technically; RFC 2822 states:

3.6.4. Identification fields
Though optional, every message SHOULD have a "Message-ID:" field.

unfortunately it breaks our outlook-forgery tests, will cause FPs, will cause Outlook messages to be dropped by many ISPs using their own antispam filters, and it's unclear why they did this. But we have to support it ;)
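An added example (my own Python, not SpamAssassin's Perl rules) that reimplements the two points raised in this thread: the __HAS_OUTLOOK_IN_MAILER pattern quoted from 20_head_tests.cf beside its corrected form, and a check in the spirit of check_messageid_not_usable that refuses to judge the MUA when the Message-Id is missing (Outlook 2003), list-rewritten (X-Mailing-List, X-Grupos*), or relay-assigned. The relay heuristic (Message-Id host appearing in a Received: line) and the sample headers are my own constructions modelled on the headers pasted in this bug.

```python
import re
from email import message_from_string

# __HAS_OUTLOOK_IN_MAILER as quoted from 20_head_tests.cf in this bug, beside the
# corrected pattern that also accepts the Outlook 2003 string "Microsoft Office Outlook".
OLD_MAILER_RE = re.compile(r"Microsoft (CDO|Outlook)\b")
NEW_MAILER_RE = re.compile(r"Microsoft (CDO|(Office )?Outlook)\b")
# List-software headers named in the bug; such software may rewrite the Message-Id.
LIST_HEADERS = ("X-Mailing-List", "X-Grupos", "X-Grupos-Retornadas")

def messageid_not_usable(msg):
    """Reason why the Message-Id cannot fingerprint the sending MUA, or None.
    Hypothetical reimplementation of the idea behind check_messageid_not_usable."""
    mid = msg.get("Message-Id")
    if mid is None:
        return "no Message-Id (Outlook 2003 leaves it to the SMTP server)"
    for hdr in LIST_HEADERS:
        if msg.get(hdr) is not None:
            return "list header %s present" % hdr
    # Heuristic of my own: an id whose host part also shows up in a Received: line
    # was assigned by a relay (GruposMTA, InterMail, ...), not by the client.
    host = mid.strip("<> ").rsplit("@", 1)[-1]
    for rcvd in msg.get_all("Received", []):
        if host and host in rcvd:
            return "Message-Id host %s was assigned by a relay" % host
    return None

def outlook_header_check(raw, mailer_re=NEW_MAILER_RE):
    """Return (claims_outlook, mid_reason): X-Mailer match, and why the Message-Id is unusable."""
    msg = message_from_string(raw)
    return bool(mailer_re.search(msg.get("X-Mailer", ""))), messageid_not_usable(msg)

# Constructed samples modelled on the headers pasted in this bug (trimmed, redacted).
OUTLOOK_2003_TR2 = (
    "X-Mailer: Microsoft Office Outlook, Build 11.0.5329\n"
    "Thread-Index: AcNR+dSIxujVhyv/SrWH2nISdGI94w==\n\nbody\n")
GRUPOS_LIST = (
    "Received: GruposMTA 16232 at out10.grupos.com.br; 10 Apr 2003 09:23:03 -0200\n"
    "X-Mailer: Microsoft Outlook Express 5.00.2919.6700\n"
    "X-Mailing-List: grupo3.uac@grupos.com.br\n"
    "Message-Id: <20034109233.16232@out10.grupos.com.br>\n\nbody\n")
MAC_OE = (
    "Received: from [209.53.xxx.xxx] by priv-edtnes10-hme0.telusplanet.net (InterMail)\n"
    " with ESMTP id <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.xxx.xxx]>\n"
    "X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295)\n"
    "Message-Id: <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.xxx.xxx]>\n\nbody\n")
OUTLOOK_2002 = (
    "Received: from [80.142.3.205] (helo=dtp1) by mrvdomng.xxxx with esmtp (Exim 3.35 #1)\n"
    "X-Mailer: Microsoft Outlook, Build 10.0.2616\n"
    "Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAxLg62a4REkesc/XNhIOkKcKAAAAQAAAAmMmlsWcs7EWkvRsrMkjGDwEAAAAA@scopeone.de>\n\nbody\n")
```

With the old pattern the Outlook 2003 sample is not even recognised as Outlook, which is the "looks like Outlook, but isn't" score; with the new pattern it is recognised, and the missing Message-Id then stops any forgery verdict instead of producing a false positive.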
Suggest to change the bug summary to: FORGED_MUA_OUTLOOK, MISSING_OUTLOOK_NAME false positives or something alike.
Subject: Re: [SAdev] FORGED_MUA_OUTLOOK test detects legitimate mail sent with Outlook 2003 (v11)

> ------- Additional Comments From jm@jmason.org 2003-07-24 10:55 -------
> no, Thread-Index is not a replacement for Message-Ids -- it's an
> Exchange-specific threading header which AFAIK the entire thread of replies will
> share. (not sure why they had to invent a new header given that the technology
> to do threading without it is available, but hey).

Has anybody written to Microsoft telling them that the change they are making will cause Outlook mail to be "rejected as spam by X% of the world's email"? Perhaps they might consider fixing it if it will cause their users some grief. One can always hope, anyway.

Brian ( bcwhite@precidia.com )
-------------------------------------------------------------------------------
... was no trading on the NYSE today; everybody was happy with what they had.
I tried to contact the Outlook developers via [1] (found via [5,6]) and it seems like they really try to keep in touch with the beta testers. Yes, a real developer, Jeff Stephenson, responded to my posting [2] (you see how surprised I am/was ;-) and said [3,4]:

| Neo's right (I'm the developer he refers to). We made this change because
| we've had a number of complaints about revealing internal machine names in
| the Message-IDs we generated. As you know, a message id has an ID portion
| preceding the '@' sign, followed by the name of the machine that generated
| that ID. So if, for example, you're sending mail via your ISP or Hotmail
| from your work machine, your work machine's name would be in the Message-ID.
|
| A number of people have objected to this for two major reasons:
|
| 1) Revealing internal machine names provides information that hackers can
| potentially use to compromise the network.
| 2) They don't want to reveal their employer when sending mail via their ISP
| from work, and a message id generated by Outlook would contain the domain
| name of their employer.
|
| We felt that the requests to change this were very valid, and thus changed
| Outlook so that it relies on the SMTP server to generate the message id.

So, whatever problems this brings us and probably the future Outlook 2003 users (I think about rejected mails etc.), this step has obviously been taken deliberately.

[1] nntp://news.microsoft.com/microsoft.public.outlook.general
[2] news:1456203.UzchhEFHTG@malte.stretz.eu.org
[3] http://communities.microsoft.com/newsgroups/previewFrame.asp?ICP=Prod_officebeta&sLCID=us&sgroupURL=microsoft.public.outlook.general&sMessageID=%253C%2523LvON%2523TVDHA.2164@TK2MSFTNGP09.phx.gbl%253E
[4] news:#LvON#TVDHA.2164@TK2MSFTNGP09.phx.gbl
[4] http://www.microsoft.com/office/Preview/editions/default.asp
[5] http://communities.microsoft.com/newsgroups/default.asp?icp=Prod_officebeta&slcid=us
whoa, nice one Malte ;) I didn't realise one could do that without being on the beta program, officially. any chance you could post a suggestion that they hash the real site name into something unrecognisable, and generate a MID using that, just so that a Message-Id header with *some* data *will* appear? I'm pretty sure there's a lot of spamfilters out there -- not just SA -- that will FP like crazy on this.
I have seen three false positives from an MUA that identifies itself with X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295) This also relies on the MTA to generate the message-ID (I've seen an Exim M-ID and two kinds of Sendmail M-ID). I'll have to ask the users concerned for permission to post the full headers here.
Verified:

--- cut here ----
Return-Path: <sebastian@xxxx>
Received: from obelix.xxxx ([217.160.134.148]) by mailin03.xxxx with esmtp id 19hmQa-28qGsC0; Wed, 30 Jul 2003 10:35:20 +0200
[....]
Received: from [80.142.3.205] (helo=dtp1) by mrvdomng.xxxx with esmtp (Exim 3.35 #1) id 19hmQM-0006wW-00 for sebastian@xxxx; Wed, 30 Jul 2003 10:35:06 +0200
Return-Receipt-To: "kathrin zzzz" <kathrin.zzzz@xxxx>
From: "kathrin stein" <kathrin.stein@xxxx>
To: <sebastian@xxxx>
Subject: Kino & co
Date: Wed, 30 Jul 2003 10:30:25 +0200
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAxLg62a4REkesc/XNhIOkKcKAAAAQAAAAmMmlsWcs7EWkvRsrMkjGDwEAAAAA@scopeone.de>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_01C35685.9755FD60"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Disposition-Notification-To: "kathrin zzzz" <kathrin.zzzz@xxxx>
X-Spam-Status: No, hits=0.7 required=5.0 tests=BAYES_20,FORGED_MUA_OUTLOOK,MSGID_CHARS_SPAM,RCVD_IN_NJABL version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Seen: false
--- cut here ----
Created attachment 1197 [details]
Another legitimate Outlook mail detected as forged

I've added a mail by OE 4.x detected as forged (Forged_Mua_Outlook).
*** Bug 2309 has been marked as a duplicate of this bug. ***
I think we've gotta fix (or axe) this test in the 2.6x branch...
This is caused by the presence of the Disposition-Notification-To: "User" <user@domain> header. This is obtained by composing a message and, under View->Options, checking "Request read receipt for this message".
*** Bug 2318 has been marked as a duplicate of this bug. ***
Heise just reported [6] that Office 2003 will be officially released on October 21st. Corporate licensees will get it already sometime in September. Guess I'll have a look at these rules next weekend...

[6] http://www.heise.de/newsticker/data/hps-20.08.03-000/
Hm. I just discovered bug 1717 which says this is fixed... (But obviously it isn't.)
*** Bug 2471 has been marked as a duplicate of this bug. ***
Regarding comment #17, here is an example of a positive for a legitimate message from "X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295)". The header (with sender's name and IP concealed):

Return-Path: <sendersname@telus.net>
Received: from priv-edtnes10-hme0.telusplanet.net (outbound02.telus.net [199.185.220.221]) by star3.baremetal.com (8.12.9/8.12.9) with ESMTP id h8G2GhkV003817 for <systems@haven.ca>; Mon, 15 Sep 2003 19:16:43 -0700
Received: from [209.53.xxx.xxx] by priv-edtnes10-hme0.telusplanet.net (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.xxx.xxx]> for <systems@haven.ca>; Mon, 15 Sep 2003 20:17:05 -0600
X-Mailer: Microsoft Outlook Express for Macintosh - 4.01 (295)
Date: Mon, 15 Sep 2003 19:18:08 -0700
Subject: Re: spam bouncing fixed
From: Senders Name <sendersname@telus.net>
To: Bill Leuze <systems@haven.ca>
Mime-version: 1.0
X-Priority: 3
Content-type: multipart/alternative; boundary="MS_Mac_OE_3146498288_45056_MIME_Part"
Message-Id: <20030916021705.SDAX14255.priv-edtnes10-hme0.telusplanet.net@[209.53.245.29]>
X-Scanned-By: MIMEDefang 2.36
X-Spam-Status: No, hits=-94.7 required=5.0 tests=FORGED_MUA_OUTLOOK,HTML_10_20,HTML_FONT_COLOR_BLUE,HTML_MESSAGE,MIME_LONG_LINE_QP,USER_IN_WHITELIST version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-Envelope-To: systems@haven.ca
X-UIDL: 7d25fb7527b86057a6fce909449c3314
Status: U
X-Evolution-Source: pop://systems@haven.ca/
*** Bug 1192 has been marked as a duplicate of this bug. ***
Obviously, this bug is about one effect (Outlook mails mistreated as fakes) of multiple, partially unrelated causes. It covers (or merely *tries* to cover) code at different places that needs to be fixed. Since many of those fixes are independent of each other, I think this is rather a meta bug, and it may be better if we split it. One of those fixes is very easy, and I suggested a fix in comment #2. Please, can someone with CVS commit access make this simple fix as soon as possible?
merging into meta bug 2538

*** This bug has been marked as a duplicate of 2538 ***
*** Bug 2627 has been marked as a duplicate of this bug. ***
*** Bug 3355 has been marked as a duplicate of this bug. ***
*** Bug 3281 has been marked as a duplicate of this bug. ***