Bug 4144 - FORGED_IMS_HTML and FORGED_IMS_TAGS false-positive.
Status: RESOLVED DUPLICATE of bug 4649
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.0.2
Hardware: Other other
Importance: P5 normal
Target Milestone: 3.1.2
Assignee: SpamAssassin Developer Mailing List
Depends on: 4649
Reported: 2005-02-17 10:36 UTC by Ajay Sharma
Modified: 2006-04-05 15:02 UTC (History)
Attachment: false positive email. (text/plain), submitter Ajay Sharma [NoCLA]

Description Ajay Sharma 2005-02-17 10:36:41 UTC
One of my users said they received a ham message that barely went over the limit
and these were the rules it hit on:

0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
0.0 HTML_60_70             BODY: Message is 60% to 70% HTML
0.0 HTML_MESSAGE           BODY: HTML included in message
1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.4 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
1.7 FORGED_IMS_HTML        IMS can't send HTML message only
1.9 FORGED_IMS_TAGS        IMS mailers can't send HTML in this format

It scored 5.1 which barely bumped it over, but those two FORGED_IMS_* rules
might be scoring the message too high as it's a ham and not forged.

I'm running spamassassin 3.0.2 on CentOS (RHEL-clone) 3.4.  spamc is being
called from the LDA, maildrop.
Comment 1 Ajay Sharma 2005-02-17 10:38:28 UTC
Created attachment 2657
false positive email.

The email in question which hit on the FORGED_IMS_* tags.
Comment 2 Bob Menschel 2005-04-28 23:08:52 UTC
Ran the attached email against 3.0.3 and 3.1 svn.  Results: 
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,AWL,
  FORGED_IMS_TAGS,HTML_60_70,HTML_MESSAGE autolearn=ham version=3.0.3

So FORGED_IMS_HTML is fixed. FORGED_IMS_TAGS remains.

debug: tests=ALL_TRUSTED,AWL,FORGED_IMS_TAGS,HTML_60_70,HTML_MESSAGE
debug: subtests=__ANY_IMS_MUA, __COMMENT_EXISTS, __CT, __CTYPE_HAS_BOUNDARY,
__CTYPE_MULTIPART_ALT, __HAS_MIMEOLE, __HAS_MSGID, __HAS_SUBJECT,
__HAS_X_MAILER, __IMS_MSGID, __IMS_MUA, __JS_DOCWRITE, __MIME_HTML, __MIME_QP,
__MIME_VERSION, __MSGID_OK_DIGITS, __NEXTPART_ALL, __NEXTPART_NORMAL,
__SANE_MSGID, __TAG_EXISTS_BODY, __TAG_EXISTS_HTML, __UNUSABLE_MSGID

By the definition of FORGED_IMS_TAGS, this email is flagged such because
__TAG_EXISTS_HEAD and __TAG_EXISTS_META didn't fire. 

X-Mailer: Internet Mail Service (5.5.2655.55)

The question then becomes, can this version of IMS really generate such emails? 

Given that FORGED_IMS_HTML and this email therefore falls well under the spam
threshold, I don't see any need to fix this in crisis mode before 3.1.0. So I'm
setting a provisional target threshold of 3.1.1. 
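
An added example, not part of the comment above and not SpamAssassin's own code: a Python helper that parses the wrapped debug output quoted in comment 2 and reports which of the four __TAG_EXISTS_* subtests named in this bug did not fire. The function names are hypothetical; the sample input is copied from that comment.

```python
import re

# Sample input: the debug lines quoted in comment 2 of this bug, wrapped as shown there.
DEBUG_OUTPUT = """\
debug: tests=ALL_TRUSTED,AWL,FORGED_IMS_TAGS,HTML_60_70,HTML_MESSAGE
debug: subtests=__ANY_IMS_MUA, __COMMENT_EXISTS, __CT, __CTYPE_HAS_BOUNDARY,
__CTYPE_MULTIPART_ALT, __HAS_MIMEOLE, __HAS_MSGID, __HAS_SUBJECT,
__HAS_X_MAILER, __IMS_MSGID, __IMS_MUA, __JS_DOCWRITE, __MIME_HTML, __MIME_QP,
__MIME_VERSION, __MSGID_OK_DIGITS, __NEXTPART_ALL, __NEXTPART_NORMAL,
__SANE_MSGID, __TAG_EXISTS_BODY, __TAG_EXISTS_HTML, __UNUSABLE_MSGID
"""

# Structural-tag subtests mentioned in this bug (two fired, two reported missing).
TAG_SUBTESTS = ("__TAG_EXISTS_HTML", "__TAG_EXISTS_HEAD",
                "__TAG_EXISTS_BODY", "__TAG_EXISTS_META")


def parse_debug(text):
    """Collect the 'tests' and 'subtests' lists, following wrapped lines."""
    result = {"tests": set(), "subtests": set()}
    current = None
    for line in text.splitlines():
        m = re.match(r"debug:\s*(tests|subtests)=(.*)", line)
        if m:
            current, payload = m.group(1), m.group(2)
        elif current and line.strip() and not line.startswith("debug:"):
            payload = line  # continuation of the list started above
        else:
            current = None  # blank line or unrelated debug line ends the list
            continue
        result[current].update(n for n in re.split(r"[,\s]+", payload) if n)
    return result


def missing_tag_subtests(text):
    """Return the structural-tag subtests that did not fire, sorted."""
    fired = parse_debug(text)["subtests"]
    return sorted(name for name in TAG_SUBTESTS if name not in fired)


if __name__ == "__main__":
    parsed = parse_debug(DEBUG_OUTPUT)
    print("rules hit:", sorted(parsed["tests"]))
    print("tag subtests missing:", missing_tag_subtests(DEBUG_OUTPUT))
```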
Comment 3 Daryl C. W. O'Shea 2005-05-02 20:52:46 UTC
As far as I can tell, it's mangling by Yahoo! Groups that is causing this FP.

Unless anyone can provide a similar message (without <head> tags), sent directly
from an IMS client, we can fix this by adding a test for 'via Yahoo! Groups' to
the FORGED_IMS_TAGS meta test.
Comment 4 Daryl C. W. O'Shea 2005-05-09 14:57:20 UTC
Ajay, can you please attach a *complete* message, including all of the received
headers?
Comment 5 Ajay Sharma 2005-05-10 11:53:45 UTC
Sorry everyone.  I don't have the full message, I asked the user but she doesn't
have it either.  It hasn't come up again since I posted this bug.
Comment 6 Daryl C. W. O'Shea 2005-05-10 23:13:53 UTC
Googling through some HTML messages sent through Yahoo! Groups, I couldn't find
any that lost their <head>s.

Here's an example: http://www.imc.org/ietf-mailsig/mail-archive/msg00720.html

So... it appears that it isn't mangling by Yahoo! Groups, which leaves us
pondering whether IMS can actually send mail without head tags.
Comment 7 Daryl C. W. O'Shea 2006-04-05 22:02:43 UTC
Bug 4649 has a rule patch to fix this.  Marking as dupe.

*** This bug has been marked as a duplicate of 4649 ***