Bug 4833 - False Positive with MSGID_DOLLARS_RANDOM
Summary: False Positive with MSGID_DOLLARS_RANDOM
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: 3.1.1
Hardware: All All
: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-03-18 10:09 UTC by Dhawal Doshy
Modified: 2011-05-02 09:56 UTC (History)
2 users (show)


Attachment Type Modified Status Actions Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dhawal Doshy 2006-03-18 10:09:05 UTC 
A regular mail hit the meta MSGID_DOLLARS_RANDOM

 Message-ID: <7571549AB905$3E89F8AE$17C83C32@ipop>
 X-Mailer: Intrapop 1.4 SMTP Component 1.0

The X-Mailer indicates that the message was sent using a product developed by
cyberoam.com

A mail to the sa-users didn't get any replies, hence am posting it to bugzilla.

- dhawal
Comment 1 Thomas Sandford 2006-03-27 11:49:24 UTC 
The tests for dollars in the Message-Id are grossly overused.

There are at least two tests for this condition, namely:
header __MSGID_DOLLARS_OK      MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-
f]{4,}\@\S+>/m
header __OUTLOOK_DOLLARS_MSGID  MESSAGEID =~ /^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a
-f]{8}\@\S+>$/m
[by inspection the latter is a subset of the former]

These then appear in numerous, independant, metas, including:
MSGID_DOLLARS
RATWARE_MS_HASH
RATWARE_OUTLOOK_NONAME

A single header (this one is from Microsoft exchange) eg
Message-ID: <00e401c65061$a661f46a$6a01a8c0@valehousing.co.uk>
will trigger all three of the above, resulting in a false positive (score 5.4 
just for those three rules).

The rules need mergeing/adapting so that only one scoring rule is triggered by 
such a header.
Comment 2 Justin Mason 2007-01-05 08:46:52 UTC 
please attach sample messages.
Comment 3 Henrik Krohns 2011-05-02 09:56:44 UTC 
Closing, seems already disabled in 3.3+