Bug 2122 - FORGED_MUA_* test makes false match for some mailing lists
Summary: FORGED_MUA_* test makes false match for some mailing lists
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: spamassassin (show other bugs)
Version: 2.55
Hardware: PC FreeBSD
: P3 normal
Target Milestone: 2.61
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 2344
Reported: 2003-06-24 02:15 UTC by Andrey Koklin
Modified: 2003-11-04 11:53 UTC (History)
Attachment: fix for first one (type: patch; status: None; submitter: Justin Mason [HasCLA])
Description Andrey Koklin 2003-06-24 02:15:31 UTC
1) I'm getting false FORGED_MUA_* matches for some mailing lists,
which use CommuniGate Pro as ListServer.
It seems the list server renames the "Message-ID" field to
"X-Original-Message-ID", while inserting its own field for reference.

Personally, I regard this as valid practice. And it would be nice if
Spamassassin could consider this -- as Spamassassin puts such huge weight
on FORGED_MUA_* tests, it is supposed to do the work almost unfailingly.

------------------------- EXAMPLE START -----------------------------

Content analysis details:   (6.60 points, 6.3 required)
QUOTED_EMAIL_TEXT  (-0.5 points) BODY: Contains what looks like a quoted email text
BASE64_ENC_TEXT    (2.4 points)  RAW: Message text disguised using base-64 encoding
MSG_ID_ADDED_BY_MTA_2 (1.0 points)  'Message-Id' was added by a relay (2)
FORGED_MUA_OUTLOOK (3.7 points)  Forged mail pretending to be from MS Outlook

------------------------- BEGIN HEADERS -----------------------------
X-ListServer: CommuniGate Pro LIST 4.0.6
List-Unsubscribe: <mailto:Hard-off@soobcha.org>
List-ID: <Hard.soobcha.org>
List-Archive: <http://soobcha.org:80/Lists/Hard/List.html>
Message-ID: <list-766763@nvptus.ru>
Reply-To: <Hard@soobcha.org>
Sender: <Hard@soobcha.org>
To: <Hard@soobcha.org>
Precedence: list
Received: from mail.gmx.net ([213.165.64.20] verified)
  by nvptus.ru (CommuniGate Pro SMTP 4.0.6)
  with SMTP id 766762 for Hard@soobcha.org; Mon, 23 Jun 2003 12:58:41 +0400
Received: (qmail 13954 invoked by uid 65534); 23 Jun 2003 09:04:51 -0000
Received: from c1.dial.mels.ru (EHLO Konst) (62.109.190.1)
  by mail.gmx.net (mp014) with SMTP; 23 Jun 2003 11:04:51 +0200
From: "Konstantin" <Nkvl@gmx.net>
Subject: Re: Re[6]: i440BX
Date: Mon, 23 Jun 2003 13:04:31 +0400
X-Original-Message-ID: <000a01c33966$77d4d470$0200a8c0@Konst>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="koi8-r"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Outlook, Build 10.0.2627
-------------------------- END HEADERS ------------------------------


2) I'm not sure about the second case, but I'm now getting the same
FORGED_MUA_* match from one of the huge Russian listservers, maillist.ru:


------------------------- EXAMPLE START -----------------------------

Content analysis details:   (8.00 points, 6.3 required)
HTML_WEB_BUGS      (0.5 points)  BODY: Image tag with an ID code to identify you
HTML_TAG_EXISTS_TBODY (0.5 points)  BODY: HTML has "tbody" tag
HTML_FONT_FACE_ODD (0.1 points)  BODY: HTML font face is not a commonly used face
HTML_FONT_COLOR_UNSAFE (0.1 points)  BODY: HTML font color not within safe 6x6x6 palette
HTML_60_70         (0.5 points)  BODY: Message is 60% to 70% HTML
HTML_FONT_COLOR_NAME (0.4 points)  BODY: HTML font color has unusual name
HTML_MESSAGE       (0.1 points)  BODY: HTML included in message
HTML_FONT_BIG      (0.2 points)  BODY: FONT Size +2 and up or 3 and up
HTML_FONT_COLOR_BLUE (0.1 points)  BODY: HTML font color is blue
HTML_FONT_COLOR_GRAY (0.1 points)  BODY: HTML font color is gray
MAILTO_LINK        (0.1 points)  BODY: Includes a URL link to send an email
NORMAL_HTTP_TO_IP  (0.9 points)  URI: Uses a dotted-decimal IP address in URL
MIME_HTML_ONLY     (0.1 points)  Message only has text/html MIME parts
FORGED_MUA_THEBAT  (4.3 points)  Forged mail pretending to be from The Bat!

------------------------- BEGIN HEADERS -----------------------------
Received: from localhost.localdomain (shadow2.agava.net [195.161.118.24])
	by round.agava.net (Postfix) with ESMTP
	id 9001017EEEE; Sun, 22 Jun 2003 03:50:15 +0400 (MSD)
Date: Sun, 22 Jun 2003 03:43:04 +0400
X-Mailer: The Bat! (v1.62 Christmas Edition) Personal
Organization: House
X-Priority: 3 (Normal)
Subject: =?KOI8-R?B?7sXU0sHEycPJz87O2cogV2luZG93cw==?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------731E21DE3AE328D3"
X-MailList-Message-ID: 117997
Sender: 44518-errors@maillist.ru
Content-Transfer-Encoding: 8bit
List-Help: <http://www.maillist.ru>
List-Subscribe: <http://www.maillist.ru/mpb/ml_fs.cgi?Action=fs&topic=44518>
Errors-To: 44518-errors@maillist.ru
List-Unsubscribe: <http://www.maillist.ru>
List-Post: NO
List-Owner: <mailto:m_bogdan@ukr.net>
From: =?KOI8-R?B?TWFpbExpc3QucnU6IO7F1NLBxMnDyc/OztnKIFdp?=
=?KOI8-R?B?bmRvd3M=?= <null@maillist.ru>
To: =?KOI8-R?B?TWFpbExpc3QgbGlzdDQ0NTE4IFN1YnNjcmliZXI=?= <null@maillist.ru>
Message-Id: <20030621235015.9001017EEEE@round.agava.net>
-------------------------- END HEADERS ------------------------------

There seem to be different mailing lists going out from that server,
where I see different TheBat versions in the mailer header, and
they all catch the same alarm:

X-Mailer: The Bat! (v1.62 Christmas Edition) Personal
Message-Id: <20030621235015.9001017EEEE@round.agava.net>

X-Mailer: The Bat! (v1.60) UNREG / CD5BF9353B3B7091
Message-Id: <20030620100458.6DB7C46EC2@round.agava.net>

X-Mailer: The Bat! (v1.62i)
Message-Id: <20030623154532.D77D1193287@round.agava.net>

They all seem to use hex digits in the second ID-part,
while the rule says:

# The Bat! forgeries
header __THEBAT_MUA             X-Mailer =~ /The Bat!/
header __THEBAT_MSGID           MESSAGEID =~ /^<\d+\.\d+\@\S+>$/m
meta FORGED_MUA_THEBAT          (__THEBAT_MUA && !__THEBAT_MSGID)
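An added check, not part of SpamAssassin or of the patch on this bug, that applies the __THEBAT_MSGID rule quoted above in Python: first against Message-Id alone, then with X-Original-Message-ID folded into the MESSAGEID set, which is the direction the follow-up comments take. The maillist.ru header block is taken from the report; the second block is constructed, and the real MESSAGEID pseudo-header covers more header names than this toy does.

```python
import re
from email import message_from_string

# Taken from the second example in the report: The Bat! X-Mailer, but a
# Message-Id rewritten by the relay, with hex digits in the second part.
MAILLIST_RU_HEADERS = """\
X-Mailer: The Bat! (v1.62 Christmas Edition) Personal
Message-Id: <20030621235015.9001017EEEE@round.agava.net>

"""

# Constructed (not from the page): same MUA, but the relay kept the client's
# own Message-ID in X-Original-Message-ID, as CommuniGate Pro does in the
# first example of the report. The original-ID value is made up.
ORIGINAL_KEPT_HEADERS = """\
X-Mailer: The Bat! (v1.62i)
X-Original-Message-ID: <1056369345.12345@Konst>
Message-Id: <list-766763@nvptus.ru>

"""

# The two Perl regexes from the rules quoted in the report, in Python syntax.
THEBAT_MUA = re.compile(r"The Bat!")
THEBAT_MSGID = re.compile(r"^<\d+\.\d+@\S+>$", re.M)


def messageid_values(headers, include_original):
    """Values making up the MESSAGEID set: Message-Id, plus (optionally)
    X-Original-Message-ID, which is what this bug asks to add."""
    msg = message_from_string(headers)
    names = ["Message-Id"]
    if include_original:
        names.append("X-Original-Message-ID")
    return [v.strip() for n in names for v in msg.get_all(n, [])]


def forged_mua_thebat(headers, include_original=False):
    """Mirror of: meta FORGED_MUA_THEBAT (__THEBAT_MUA && !__THEBAT_MSGID)."""
    msg = message_from_string(headers)
    mua = any(THEBAT_MUA.search(v) for v in msg.get_all("X-Mailer", []))
    ids = messageid_values(headers, include_original)
    msgid_ok = any(THEBAT_MSGID.search(v) for v in ids)
    return mua and not msgid_ok


if __name__ == "__main__":
    # maillist.ru fires either way: the relay dropped the original ID entirely.
    print("maillist.ru:", forged_mua_thebat(MAILLIST_RU_HEADERS, True))
    # The CommuniGate-style case clears once X-Original-Message-ID is consulted.
    print("original kept:", forged_mua_thebat(ORIGINAL_KEPT_HEADERS, True))
```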
Comment 1 Justin Mason 2003-08-21 20:19:27 UTC
So we need to extend the "MESSAGEID" set of headers to include that...
Comment 2 Justin Mason 2003-10-26 20:26:38 UTC
Created attachment 1510 [details]
fix for first one

OK, here's a patch for the first mail.

The second one really doesn't give us enough info to want to work around; I
think that mail list host just needs manual whitelisting, and hopefully they'll
stop replacing Message-IDs -- or else they'll start removing X-Mailers as well
-- at some stage ;)
Comment 3 Justin Mason 2003-11-01 16:38:35 UTC
+1's please!
Comment 4 Daniel Quinlan 2003-11-04 17:14:36 UTC
+1 looks ok

corpus test would make me feel better about it
Comment 5 Theo Van Dinter 2003-11-04 18:56:16 UTC
+1

I have no hits for that header at all in my corpus, but it seems ok to me right now.
Comment 6 Justin Mason 2003-11-04 20:53:41 UTC
applied.