SA Bugzilla – Bug 2122
FORGED_MUA_* test makes false match for some mailing lists
Last modified: 2003-11-04 11:53:41 UTC
1) I'm getting false FORGED_MUA_* matches for some mailing lists which use CommuniGate Pro as the list server. It seems the list server renames the "Message-ID" field to "X-Original-Message-ID", while inserting its own field for reference. Personally, I regard this as valid practice, and it would be nice if SpamAssassin could consider this; since SpamAssassin puts such huge weight on FORGED_MUA_* tests, it is supposed to do the work almost unfailingly.

------------------------- EXAMPLE START -----------------------------
Content analysis details: (6.60 points, 6.3 required)
QUOTED_EMAIL_TEXT (-0.5 points) BODY: Contains what looks like a quoted email text
BASE64_ENC_TEXT (2.4 points) RAW: Message text disguised using base-64 encoding
MSG_ID_ADDED_BY_MTA_2 (1.0 points) 'Message-Id' was added by a relay (2)
FORGED_MUA_OUTLOOK (3.7 points) Forged mail pretending to be from MS Outlook
------------------------- BEGIN HEADERS -----------------------------
X-ListServer: CommuniGate Pro LIST 4.0.6
List-Unsubscribe: <mailto:Hard-off@soobcha.org>
List-ID: <Hard.soobcha.org>
List-Archive: <http://soobcha.org:80/Lists/Hard/List.html>
Message-ID: <list-766763@nvptus.ru>
Reply-To: <Hard@soobcha.org>
Sender: <Hard@soobcha.org>
To: <Hard@soobcha.org>
Precedence: list
Received: from mail.gmx.net ([213.165.64.20] verified) by nvptus.ru (CommuniGate Pro SMTP 4.0.6) with SMTP id 766762 for Hard@soobcha.org; Mon, 23 Jun 2003 12:58:41 +0400
Received: (qmail 13954 invoked by uid 65534); 23 Jun 2003 09:04:51 -0000
Received: from c1.dial.mels.ru (EHLO Konst) (62.109.190.1) by mail.gmx.net (mp014) with SMTP; 23 Jun 2003 11:04:51 +0200
From: "Konstantin" <Nkvl@gmx.net>
Subject: Re: Re[6]: i440BX
Date: Mon, 23 Jun 2003 13:04:31 +0400
X-Original-Message-ID: <000a01c33966$77d4d470$0200a8c0@Konst>
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: base64
X-Mailer: Microsoft Outlook, Build 10.0.2627
-------------------------- END HEADERS ------------------------------

2) I'm not sure about the second case, but I'm now getting the same FORGED_MUA_* match from one of the huge Russian list servers, maillist.ru:

------------------------- EXAMPLE START -----------------------------
Content analysis details: (8.00 points, 6.3 required)
HTML_WEB_BUGS (0.5 points) BODY: Image tag with an ID code to identify you
HTML_TAG_EXISTS_TBODY (0.5 points) BODY: HTML has "tbody" tag
HTML_FONT_FACE_ODD (0.1 points) BODY: HTML font face is not a commonly used face
HTML_FONT_COLOR_UNSAFE (0.1 points) BODY: HTML font color not within safe 6x6x6 palette
HTML_60_70 (0.5 points) BODY: Message is 60% to 70% HTML
HTML_FONT_COLOR_NAME (0.4 points) BODY: HTML font color has unusual name
HTML_MESSAGE (0.1 points) BODY: HTML included in message
HTML_FONT_BIG (0.2 points) BODY: FONT Size +2 and up or 3 and up
HTML_FONT_COLOR_BLUE (0.1 points) BODY: HTML font color is blue
HTML_FONT_COLOR_GRAY (0.1 points) BODY: HTML font color is gray
MAILTO_LINK (0.1 points) BODY: Includes a URL link to send an email
NORMAL_HTTP_TO_IP (0.9 points) URI: Uses a dotted-decimal IP address in URL
MIME_HTML_ONLY (0.1 points) Message only has text/html MIME parts
FORGED_MUA_THEBAT (4.3 points) Forged mail pretending to be from The Bat!
------------------------- BEGIN HEADERS -----------------------------
Received: from localhost.localdomain (shadow2.agava.net [195.161.118.24]) by round.agava.net (Postfix) with ESMTP id 9001017EEEE; Sun, 22 Jun 2003 03:50:15 +0400 (MSD)
Date: Sun, 22 Jun 2003 03:43:04 +0400
X-Mailer: The Bat! (v1.62 Christmas Edition) Personal
Organization: House
X-Priority: 3 (Normal)
Subject: =?KOI8-R?B?7sXU0sHEycPJz87O2cogV2luZG93cw==?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------731E21DE3AE328D3"
X-MailList-Message-ID: 117997
Sender: 44518-errors@maillist.ru
Content-Transfer-Encoding: 8bit
List-Help: <http://www.maillist.ru>
List-Subscribe: <http://www.maillist.ru/mpb/ml_fs.cgi?Action=fs&topic=44518>
Errors-To: 44518-errors@maillist.ru
List-Unsubscribe: <http://www.maillist.ru>
List-Post: NO
List-Owner: <mailto:m_bogdan@ukr.net>
From: =?KOI8-R?B?TWFpbExpc3QucnU6IO7F1NLBxMnDyc/OztnKIFdp?= =?KOI8-R?B?bmRvd3M=?= <null@maillist.ru>
To: =?KOI8-R?B?TWFpbExpc3QgbGlzdDQ0NTE4IFN1YnNjcmliZXI=?= <null@maillist.ru>
Message-Id: <20030621235015.9001017EEEE@round.agava.net>
-------------------------- END HEADERS ------------------------------

There seem to be different mailing lists going out from the server, where I see different The Bat! versions as the mailer in the header, and they all trigger the same alarm:

X-Mailer: The Bat! (v1.62 Christmas Edition) Personal
Message-Id: <20030621235015.9001017EEEE@round.agava.net>

X-Mailer: The Bat! (v1.60) UNREG / CD5BF9353B3B7091
Message-Id: <20030620100458.6DB7C46EC2@round.agava.net>

X-Mailer: The Bat! (v1.62i)
Message-Id: <20030623154532.D77D1193287@round.agava.net>

They all seem to use hex digits in the second ID part, while the rule says:

# The Bat! forgeries
header __THEBAT_MUA X-Mailer =~ /The Bat!/
header __THEBAT_MSGID MESSAGEID =~ /^<\d+\.\d+\@\S+>$/m
meta FORGED_MUA_THEBAT (__THEBAT_MUA && !__THEBAT_MSGID)
So we need to extend the "MESSAGEID" set of headers to include that...
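A worked version of the rule quoted above, added here and not part of the bug report or of SpamAssassin's own code: it evaluates FORGED_MUA_THEBAT over the maillist.ru headers from the report and over a constructed list-relayed message, and shows how widening the MESSAGEID header set changes the verdict (the two header tuples are assumptions about what that set contains).

```python
import re

# The Bat! forgery rule quoted in the report, written as Python regexes.
THEBAT_MUA = re.compile(r"The Bat!")
THEBAT_MSGID = re.compile(r"^<\d+\.\d+@\S+>$", re.M)

# MESSAGEID is a SpamAssassin pseudo-header covering several real headers.
# Both sets are assumptions: the first stands for the current behaviour,
# the second for the extension the reporter asks for.
MESSAGEID_CURRENT = ("Message-ID",)
MESSAGEID_EXTENDED = ("Message-ID", "X-Original-Message-ID")

def parse_headers(raw):
    """Minimal header parser: folded lines joined, names lower-cased."""
    headers, name = {}, None
    for line in raw.strip().splitlines():
        if line[:1] in " \t" and name:
            headers[name][-1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers

def pseudo_header(headers, names):
    """Join every value of the named headers one per line, so a /m-anchored
    regex can match any one of them, as SpamAssassin does."""
    return "\n".join(v for n in names for v in headers.get(n.lower(), []))

def forged_mua_thebat(headers, msgid_headers=MESSAGEID_CURRENT):
    """meta FORGED_MUA_THEBAT (__THEBAT_MUA && !__THEBAT_MSGID)"""
    mua = THEBAT_MUA.search(pseudo_header(headers, ("X-Mailer",)))
    msgid = THEBAT_MSGID.search(pseudo_header(headers, msgid_headers))
    return bool(mua) and not msgid

# Headers taken from the maillist.ru example in the report.
MAILLIST_RU = """X-Mailer: The Bat! (v1.62i)
Message-Id: <20030623154532.D77D1193287@round.agava.net>"""

# Constructed: a The Bat! message whose Message-ID a list server moved to
# X-Original-Message-ID, as CommuniGate Pro does in the first example.
RELAYED_BAT = """X-Mailer: The Bat! (v1.60)
Message-ID: <list-766763@nvptus.ru>
X-Original-Message-ID: <1056369871.12345@konst.example>"""

if __name__ == "__main__":
    print(forged_mua_thebat(parse_headers(MAILLIST_RU)))  # True: hex in 2nd part
    print(forged_mua_thebat(parse_headers(RELAYED_BAT)))  # True: list id only
    print(forged_mua_thebat(parse_headers(RELAYED_BAT), MESSAGEID_EXTENDED))  # False
```

The maillist.ru case stays a hit even with the wider set, because no header there carries a Message-ID in the form the rule expects, which is why the second case cannot be fixed by the header-set change alone.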
Created attachment 1510: fix for first one

OK, here's a patch for the first mail. The second one really doesn't give us enough info to want to work around; I think that mail list host just needs manual whitelisting, and hopefully they'll stop replacing Message-IDs -- or else they'll start removing X-Mailers as well -- at some stage ;)
+1's please!
+1, looks ok; a corpus test would make me feel better about it.
+1 I have no hits for that header at all in my corpus, but it seems ok to me right now.
applied.