SA Bugzilla – Bug 2525
FORGED_IMS_HTML found in non-spam
Last modified: 2004-02-28 06:32:18 UTC
The value assigned to FORGED_IMS_HTML seems too high. Full copy of mail attached.

From ellend@orangeny.COM Mon Sep 29 15:22:17 2003
Return-Path: <ellend@orangeny.COM>
From: Ellen Daley <ellend@orangeny.COM>
To: "'xxxx@brasscannon.net'" <xxxx@brasscannon.net>
Subject: [SPAM] Chamber and high tech
Date: Mon, 29 Sep 2003 15:16:18 -0400
Message-Id: <AF2F95F40441D311941C00A0C9D4B89D5625D3@NTSERVER1>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
    nyc1.brasscannon.net
X-Spam-Level: ******
X-Spam-Status: Yes, hits=6.8 required=6.0 tests=BAYES_60,CLICK_BELOW,
    FORGED_IMS_HTML,HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY
    autolearn=no version=2.60
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F7884E6.2373B549"
Status: RO
Content-Length: 4638
Lines: 105

This is a multi-part message in MIME format.

------------=_3F7884E6.2373B549
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "nyc1.brasscannon.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
abuse@b3x5c.com for details.

Content preview: Chamber and high tech If you want to find out how you
and your company can make the most of high technology, join us for the
next Chamber membership breakfast on Wednesday, October 8. "High Tech in
the Hudson Valley" is scheduled from 7:47-9:00 a.m. at the Ramada Inn in
Newburgh. Speakers will be Lyn Taylor, President of the Albany-Colonie
Chamber of Commerce, and Sean Mathews, Vice President of the Hudson
Valley Economic Development Corp. The breakfast sponsor is Vanacore,
DeBenedictus, DiGovanni and Weddell. For some background info on Tech
Valley and what it's all about, click here: [...]

Content analysis details: (6.8 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 BAYES_60               BODY: Bayesian spam probability is 60 to 70%
                            [score: 0.6550]
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
 0.1 CLICK_BELOW            Asks you to click below
 4.1 FORGED_IMS_HTML        IMS can't send HTML message only

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view it,
it may be safer to save it to a file and open it with an editor.

------------=_3F7884E6.2373B549
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Return-Path: <ellend@orangeny.COM>
Delivered-To: xxxx@brasscannon.net
Received: from ms-smtp-01.nyroc.rr.com (ms-smtp-01.nyroc.rr.com [24.92.226.148])
    by brasscannon.net (Postfix) with ESMTP id 64A1C1A977
    for <xxxx@brasscannon.net>; Mon, 29 Sep 2003 15:15:45 -0400 (EDT)
Received: from ntserver1.coc (rrcs-nys-24-97-204-39.biz.rr.com [24.97.204.39])
    by ms-smtp-01.nyroc.rr.com (8.12.8p1/8.12.7) with ESMTP id h8TJFiXM000940
    for <xxxx@brasscannon.net>; Mon, 29 Sep 2003 15:15:45 -0400 (EDT)
Received: by NTSERVER1 with Internet Mail Service (5.0.1459.74)
    id <T6PDGTDB>; Mon, 29 Sep 2003 15:16:19 -0400
Message-ID: <AF2F95F40441D311941C00A0C9D4B89D5625D3@NTSERVER1>
From: Ellen Daley <ellend@orangeny.COM>
To: "'xxxx@brasscannon.net'" <xxxx@brasscannon.net>
Subject: Chamber and high tech
Date: Mon, 29 Sep 2003 15:16:18 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1459.74)
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Virus-Status: No

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.0.1459.75">
<TITLE>Chamber and high tech</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2 FACE=3D"Arial">If you want to find out how you and =
your company can make the most of high technology, join us for the next =
Chamber membership breakfast on Wednesday, October 8. "High Tech =
in the Hudson Valley" is scheduled from 7:47-9:00 a.m. at the =
Ramada Inn in Newburgh. Speakers will be Lyn Taylor, President of the =
Albany-Colonie Chamber of Commerce, and Sean Mathews, Vice President of =
the Hudson Valley Economic Development Corp. The breakfast sponsor is =
Vanacore, DeBenedictus, DiGovanni and Weddell. For some background info =
on Tech Valley and what it's all about, click here:</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Arial"><A HREF=3D"http://www.techvalley.org" =
TARGET=3D"_blank">http://www.techvalley.org</A></FONT>
<BR><FONT SIZE=3D2 FACE=3D"Arial">To make a reservation for the October =
8 breakfast, click here:</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Arial"><A =
HREF=3D"http://www.chamberhub.com/cgi/foxweb.dll/wlx/cal/wlxprofile?cale=
id=3D251&cc=3DCCOCI" =
TARGET=3D"_blank">http://www.chamberhub.com/cgi/foxweb.dll/wlx/cal/wlxpr=
ofile?caleid=3D251&cc=3DCCOCI</A></FONT>
</P>
</BODY>
</HTML>

------------=_3F7884E6.2373B549--
Perhaps they are using SPAM software to do their mass-mailings? Why is it not listed on: http://spamassassin.taint.org/tests.html ?
Created attachment 1522 [details]
Non-spam message which triggered FORGED_IMS_HTML

I've attached a message which has triggered the IMS_MUA_HTML rule and been tagged as spam. Looks like an HTML-only e-mail which was legitimately sent through Internet Mail Service...
The comment about FORGED_IMS_HTML not being in the current lists of tests seems to be relevant. I have now upgraded to 2.60.
I'm currently using 2.60 and FORGED_IMS_HTML is one of the tests... it has been triggered by e-mails sent after the one attached to my earlier comment, by messages which appear to be legitimate...
crap :( that was a great test. *why* did MS do this? anyway, workaround added to SVN trunk.
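
An added example, not part of the bug report and not SpamAssassin's own code: it applies an approximation of the rule, assumed from its description ("IMS can't send HTML message only"), to a constructed message carrying the reported headers, then parses the report's score lines to list the rules whose removal alone would drop the message below the 6.0 threshold. The function names and the matching logic are hypothetical.

```python
import email
import re
from decimal import Decimal

# Constructed sample: headers as in the attached message, body shortened.
RAW_MESSAGE = """\
Received: by NTSERVER1 with Internet Mail Service (5.0.1459.74)
\tid <T6PDGTDB>; Mon, 29 Sep 2003 15:16:19 -0400
Subject: Chamber and high tech
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.0.1459.74)
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><P>Chamber and high tech</P></BODY></HTML>
"""

# Score lines as they appear in the report on this page.
REPORT = """\
1.6 BAYES_60 BODY: Bayesian spam probability is 60 to 70%
0.1 HTML_MESSAGE BODY: HTML included in message
0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.6 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
0.1 CLICK_BELOW Asks you to click below
4.1 FORGED_IMS_HTML IMS can't send HTML message only
"""
REQUIRED = Decimal("6.0")

def ims_html_only(raw):
    """Assumed approximation of the rule: IMS X-Mailer plus a lone text/html part."""
    msg = email.message_from_string(raw)
    is_ims = re.match(r"Internet Mail Service \(", msg.get("X-Mailer", "")) is not None
    return is_ims and not msg.is_multipart() and msg.get_content_type() == "text/html"

def parse_scores(report):
    """Map rule name -> points from 'pts rule description' lines."""
    rows = re.findall(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s", report, re.M)
    return {name: Decimal(pts) for pts, name in rows}

def decisive_rules(scores, required):
    """Rules whose removal alone drops the total below the threshold."""
    total = sum(scores.values())
    if total < required:
        return []
    return sorted(n for n, p in scores.items() if total - p < required)

if __name__ == "__main__":
    scores = parse_scores(REPORT)
    print("heuristic fires:", ims_html_only(RAW_MESSAGE))
    print("total:", sum(scores.values()), "decisive:", decisive_rules(scores, REQUIRED))
```

Running the same check over a corpus of known-good mail shows how often a single high-scoring header rule decides the verdict by itself.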