Bug 2056 - False positive FORGED_MUA_IMS
Summary: False positive FORGED_MUA_IMS
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (Eval Tests)
Version: SVN Trunk (Latest Devel Version)
Hardware: All Linux
Importance: P5 normal
Target Milestone: 2.61
Assignee: SpamAssassin Developer Mailing List
Blocks: 2344
Reported: 2003-06-13 03:59 UTC by Andrew Hood
Modified: 2003-10-01 13:59 UTC (History)
Attachment Type Modified Status Actions Submitter/CLA Status
false positive text/plain None Stanley Appel [NoCLA]

Description Andrew Hood 2003-06-13 03:59:08 UTC
Internet Mail Service (5.5.2653.19)
generated the following Message-Id line

Message-Id: <200306130209.h5D294128509@mail.munged.com.au>

which trips the FORGED_MUA_IMS rule
Comment 1 Daniel Quinlan 2003-06-22 22:17:35 UTC
We could use an example message.

(Please use the "Create a New Attachment" link to attach the message, don't
cut-and-paste.)

Comment 2 Stanley Appel 2003-06-25 06:15:41 UTC
I have the same problem. Here is a false positive:
--------------------------------------------
Return-Path: <janneke@axioma.nl>
Delivered-To: spam-quarantine
X-Envelope-To: <postmaster@vsn.nl>
X-Quarantine-id: <spam-163ac0b6aa468c86057a445a55024977-20030611-135704-26725-02>
Received: from ntserver.axioma.nl (axioma.nl [213.84.240.227])
	by denhaag.vsn.nl (Postfix) with ESMTP id D177513B62
	for <postmaster@vsn.nl>; Wed, 11 Jun 2003 13:57:02 +0200 (CEST)
Received: by  with Internet Mail Service (5.5.2653.19)
	id <MP72MMTX>; Wed, 11 Jun 2003 13:56:36 +0200
Message-ID: <C60146BB34953A4BA240D378DDDD2A5131685B@>
From: janneke <janneke@axioma.nl>
To: "'postmaster@vsn.nl'" <postmaster@vsn.nl>
Subject: undeliverable mail 
Date: Wed, 11 Jun 2003 13:56:30 +0200
Return-Receipt-To: janneke <janneke@axioma.nl>
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"
X-Spam-Status: Yes, hits=7.4 tag1=3.0 tag2=6.3 kill=6.3 tests=FORGED_MUA_IMS,
 INVALID_MSGID, MSGID_NO_HOST
X-Spam-Level: *******

I am trying to send an email message (with a Word attachment) to
anja.horemans@vsn.nl and marcel.timmen@vsn.nl
but I cannot get the message sent to them; can you tell me
why not? I received the notification below when trying:

Thank you very much for your response

Janneke Koppelmans
Office Manager Stichting Het HIC
----------------------------------------------
Comment 3 Stanley Appel 2003-06-25 06:25:23 UTC
Created attachment 1099 [details]
false positive
Comment 4 Adrian Bridgett 2003-09-23 02:55:30 UTC
I had some FPs on this too:
Message-ID: <T64d9226b36a1ad8441608@honts384.homeoffice.Wal-Mart.com>
X-Mailer: Internet Mail Service (5.5.2656.59)

and

Message-Id: <03Sep22.154034bst.118134@gateway.mlc.org.uk>
X-Mailer: Internet Mail Service (5.5.2653.19)

I can't guarantee these were sent by IMS, but they were definitely ham not spam.

Cheers,
Adrian
Comment 5 Theo Van Dinter 2003-10-01 21:59:14 UTC
After an extensive amount of corpus digging, I'm going to close this as "just some oddball messages". :)

C60146BB34953A4BA240D378DDDD2A5131685B@
There was nothing like this in the corpus (>100k messages); all IMS mails had a host part.

Out of the 615 messages I have which claim to be IMS, only 2 were in the form:
03Sep22.154034bst.118134@gateway.mlc.org.uk

which makes me think there is something else, fairly uncommon, that modifies the message-id.

I also found, in my own corpus, 3 mails claiming IMS generation, but with message-ids from Apple Mail.

Overall, this isn't a big enough problem to be concerned with right now.
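
A small triage script for the kind of corpus check described in comment 5, added here as an example (it is not SpamAssassin code and does not reproduce the rule's actual pattern): it buckets the Message-ID shapes of messages whose X-Mailer claims Internet Mail Service. The hex local-part pattern, the function names and the example.com messages are assumptions; the other header pairs are the ones quoted in this report.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed samples: header pairs quoted in this bug report, plus two
# made-up example.com messages (a hex@host one and a non-IMS one) for contrast.
SAMPLES = [
    "Message-ID: <C60146BB34953A4BA240D378DDDD2A5131685B@>\n"
    "X-Mailer: Internet Mail Service (5.5.2653.19)\n\nbody\n",
    "Message-ID: <T64d9226b36a1ad8441608@honts384.homeoffice.Wal-Mart.com>\n"
    "X-Mailer: Internet Mail Service (5.5.2656.59)\n\nbody\n",
    "Message-Id: <03Sep22.154034bst.118134@gateway.mlc.org.uk>\n"
    "X-Mailer: Internet Mail Service (5.5.2653.19)\n\nbody\n",
    "Message-ID: <C60146BB34953A4BA240D378DDDD2A5131685C@mail.example.com>\n"
    "X-Mailer: Internet Mail Service (5.5.2653.19)\n\nbody\n",
    "Message-ID: <abc123@mail.example.com>\nX-Mailer: OtherMailer 1.0\n\nbody\n",
]

CLAIMS_IMS = re.compile(r"^Internet Mail Service \(")
# Assumption: a long upper-case hex local part, modelled on the first sample.
HEX_LOCAL = re.compile(r"^[0-9A-F]{30,}$")

def msgid_shape(raw):
    """Return a shape label for the Message-ID, or None if X-Mailer is not IMS."""
    msg = message_from_string(raw)
    if not CLAIMS_IMS.match(msg.get("X-Mailer", "")):
        return None
    msgid = msg.get("Message-ID", "").strip()  # header lookup is case-insensitive
    m = re.fullmatch(r"<([^@<>\s]*)@([^@<>\s]*)>", msgid)
    if not m:
        return "unparseable"
    local, host = m.groups()
    kind = "hex" if HEX_LOCAL.match(local) else "other"
    return f"{kind}@{'host' if host else 'nohost'}"

def tally(raws):
    """Count Message-ID shapes across all messages that claim IMS."""
    return Counter(s for s in map(msgid_shape, raws) if s is not None)

if __name__ == "__main__":
    for shape, n in tally(SAMPLES).most_common():
        print(f"{n:4d}  {shape}")
```

Run over a real ham corpus, the rare buckets show how many legitimate messages a Message-ID based forgery test would hit before its score is tuned.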