Bug 2140 - False positive FORGED_MUA_EUDORA (Eudora Windows 4.3.1, 4.3.2)
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.54
Hardware: Other Solaris
Importance: P3 normal
Target Milestone: 2.61
Assignee: SpamAssassin Developer Mailing List
Blocks: 2344
Reported: 2003-06-26 08:08 UTC by Ronny Wichers Schreur
Modified: 2021-02-25 15:17 UTC

Attachment Type Modified Status Actions Submitter/CLA Status
sample mail from eudora 4.3 text/plain None Theo Van Dinter [HasCLA]

Description Ronny Wichers Schreur 2003-06-26 08:08:11 UTC
Mail sent with Eudora 4.3.0 and 4.3.1 produces a false positive
on FORGED_MUA_EUDORA. Excerpts from two messages (I haven't obtained
permission to attach the full messages):

Message-Id: <4.3.1.20030626153030.00bfb3f8@pop-srv.cs.kun.nl>
X-Mailer: QUALCOMM Windows Eudora Version 4.3
X-Spam-Status: No, hits=4.3 required=5.0
        tests=FORGED_MUA_EUDORA,TO_MALFORMED
        version=2.54
X-Spam-Level: ****
X-Spam-Checker-Version: SpamAssassin 2.54 (1.174.2.17-2003-05-11-exp)


Message-Id: <4.3.0.20030616094647.00b40950@pop-srv.cs.kun.nl>
X-Mailer: QUALCOMM Windows Eudora Version 4.3
X-Spam-Status: No, hits=3.5 required=5.0
    tests=FORGED_MUA_EUDORA,FROM_ENDS_IN_NUMS
    version=2.54
X-Spam-Level: ***

The problem is that the message id is rejected (from 20_ratware.cf):

header __EUDORA_MSGID           MESSAGEID =~ /^<(?:\d\d?\.){4,5}\d{14}\.[a-f0-9]{8}\@\S+>$/m

The version numbers in the ids of the rejected messages consist of
three parts (not four or five).
Comment 1 Justin Mason 2003-08-21 20:19:00 UTC
btw does anyone have full messages we can use?
Comment 2 Dominic Hargreaves 2003-08-31 17:32:50 UTC
This also appears using Eudora for PalmOS:

(Excerpt of message follows with personal data removed:)

Message-ID: <2.1-13648742-391-A-OEWW@some.smart.host>
Date: Sun, 31 Aug 2003 17:58:23 +0100
X-Mailer: Eudora 2.1 for PalmOS
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-Spam-Status: No, hits=-2.2 required=5.0
        tests=BAYES_20,FORGED_MUA_EUDORA
        version=2.55
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Comment 3 Theo Van Dinter 2003-09-27 11:48:26 UTC
ok, Eudora for PalmOS shouldn't hit in 2.60 since there's a specific test for 
it.
Comment 4 Theo Van Dinter 2003-09-28 09:57:29 UTC
I get 0 FPs if we lowered the 4 to a 3.  will attach a sample 3 mail in a 
minute.
Comment 5 Theo Van Dinter 2003-09-28 09:58:54 UTC
Created attachment 1435
sample mail from eudora 4.3
Comment 6 Theo Van Dinter 2003-09-28 10:06:14 UTC
fyi, I'm running a mass-check now just to check.
Comment 7 Theo Van Dinter 2003-09-28 10:30:13 UTC
hrm.

looks like the format is also different for 5.x:

Message-Id: <5.2.1.1.0.20030924203657.026caad8@localhost port 111>
X-Mailer: QUALCOMM Windows Eudora Version 5.2.1
Comment 8 Theo Van Dinter 2003-09-28 11:46:26 UTC
  1.622   2.9418   0.0000    1.000   1.00    0.01  T_FORGED_MUA_EUDORA
  1.626   2.9418   0.0097    0.997   0.99    3.43  FORGED_MUA_EUDORA

changing __EUDORA_MSGID to:

header __EUDORA_MSGID         MESSAGEID =~ /^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}\@\S+(?:\sport\s\d+)?>$/m
Comment 9 Justin Mason 2003-09-29 12:59:45 UTC
+1
Comment 10 Daniel Quinlan 2003-09-29 17:45:52 UTC
Lowering the 4 to a 3 looks good to me, I also have examples of this.

However, I don't have any examples of the "port" thing.  port 111 is sunrpc
which is pretty darn strange.  Does it show up often, from multiple users
and multiple sources?
Comment 11 Theo Van Dinter 2003-09-29 18:06:40 UTC
Subject: Re: [SAdev]  False positive FORGED_MUA_EUDORA (Eudora Windows 4.3.1, 4.3.2)

On Mon, Sep 29, 2003 at 05:54:25PM -0700, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> However, I don't have any examples of the "port" thing.  port 111 is sunrpc
> which is pretty darn strange.  Does it show up often, from multiple users
> and multiple sources?

It's the same user, 4 mails to a list I'm on.

Comment 12 Daniel Quinlan 2003-09-30 11:48:27 UTC
+1 on the new format including the port thing too.

I confirmed with someone using Eudora (message provided by Theo) that
it adds the port if configured to connect to a different port, proxies and
such.
Comment 13 Theo Van Dinter 2003-09-30 11:57:37 UTC
committed to 2.61 and head.
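
The following is an added example, not part of the bug thread or of SpamAssassin's code: a Python regression check that runs the 2.54 __EUDORA_MSGID pattern and the pattern from comment 8 over the Message-IDs quoted in this bug. The function names and the two sample IDs marked as constructed are assumptions; Python's `re.M` stands in for Perl's `/m`.

```python
import re

# __EUDORA_MSGID as quoted from 20_ratware.cf in 2.54 (Perl's \@ is a literal @).
OLD_EUDORA_MSGID = re.compile(
    r"^<(?:\d\d?\.){4,5}\d{14}\.[a-f0-9]{8}@\S+>$", re.M)

# Pattern from comment 8: 3 to 5 version parts, optional " port N" suffix.
NEW_EUDORA_MSGID = re.compile(
    r"^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}@\S+(?:\sport\s\d+)?>$", re.M)

SAMPLES = {
    # Message-IDs quoted in the bug report and comments.
    "eudora-4.3.1": "<4.3.1.20030626153030.00bfb3f8@pop-srv.cs.kun.nl>",
    "eudora-4.3.0": "<4.3.0.20030616094647.00b40950@pop-srv.cs.kun.nl>",
    "eudora-5.2.1-port": "<5.2.1.1.0.20030924203657.026caad8@localhost port 111>",
    "eudora-palmos-2.1": "<2.1-13648742-391-A-OEWW@some.smart.host>",
    # Constructed samples (not from the bug): a four-part version ID that the
    # old pattern already accepted, and an ID in an unrelated format.
    "constructed-4-part": "<5.1.0.14.20030101120000.00a1b2c3@mail.example.org>",
    "constructed-other": "<20030929.1234567890@example.net>",
}


def compare(samples=SAMPLES):
    """Return {label: (old_matches, new_matches)} for each Message-ID."""
    return {
        label: (bool(OLD_EUDORA_MSGID.search(mid)),
                bool(NEW_EUDORA_MSGID.search(mid)))
        for label, mid in samples.items()
    }


def regressions(results):
    """Labels the old pattern accepted but the new one rejects."""
    return [label for label, (old, new) in results.items() if old and not new]


if __name__ == "__main__":
    results = compare()
    for label, (old, new) in results.items():
        print(f"{label:22} old={old!s:5} new={new}")
    print("regressions:", regressions(results))
```

The PalmOS ID matches neither pattern, which is consistent with comment 3: that client is covered by a separate test in 2.60 rather than by this subrule.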