Bug 5496 - False positive on FORGED_MUA_OUTLOOK with Outlook Express
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.1.7
Hardware: PC NetBSD
Importance: P3 normal
Target Milestone: 3.2.5
Assignee: SpamAssassin Developer Mailing List
Duplicates: 5910 5914
Reported: 2007-06-05 04:50 UTC by Greg Troxel
Modified: 2008-05-29 01:32 UTC

Attachment Type Modified Status Actions Submitter/CLA Status
mail that triggered false positive text/plain None Greg Troxel [NoCLA]
False positive on FORGED_MUA_OUTLOOK text/plain None Nick Radov [NoCLA]
example false positive text/plain None Tony Finch [HasCLA]
example false positive application/octet-stream None Tony Finch [HasCLA]

Description Greg Troxel 2007-06-05 04:50:25 UTC
The FORGED_MUA_OUTLOOK test has a false positive on ham that is really from Outlook.

Key headers are

Message-ID: <8C51A835039D48A6A1CFA74053B91DE0@CDCHOME>

X-Mailer: Microsoft Outlook Express 6.00.3790.3959
Comment 1 Greg Troxel 2007-06-05 04:51:16 UTC
Created attachment 3969
mail that triggered false positive
Comment 2 Greg Troxel 2007-06-05 05:01:26 UTC
This is still present with 3.2.0.
Comment 3 AXB 2007-06-05 08:00:31 UTC
With your required level of 1.0, you shouldn't be surprised that a hard rule
FPs on you.

X-Spam-Status: Yes, score=1.5 required=1.0 tests=AWL,BAYES_00,
	FORGED_MUA_OUTLOOK autolearn=no version=3.1.7

Message-ID: <8C51A835039D48A6A1CFA74053B91DE0@CDCHOME> is not an Outlook Express
Msg-ID.
It was modified/replaced/broken by something else, so marking it "forged" is correct.

Comment 4 Nick Radov 2007-06-14 15:11:56 UTC
Created attachment 3990
False positive on FORGED_MUA_OUTLOOK

The problem is still occurring with SpamAssassin 3.1.8. It looks like the
default score for FORGED_MUA_OUTLOOK is now 4.1, so a false positive on that
rule alone gets it close to being marked as spam with the default threshold of
5.0.

I think the Message-ID header originally set by Outlook was altered by a Lyris
ListManager, but the X-Mailer header was still set to "Microsoft Outlook
Express 6.00.2900.3138". This is probably what triggered the
FORGED_MUA_OUTLOOK. You can argue that this is a bug in Lyris ListManager, but
it's going to happen frequently and SpamAssassin ought to deal with it. I
recommend that the FORGED_MUA_OUTLOOK rule be altered to not trigger on e-mail
that is forwarded through a list server.
Comment 5 Tony Finch 2008-03-11 12:36:25 UTC
We've had a very similar false positive report to this which does not involve a mailing list manager. As far as I know the messages are not going through anything that would change the Message-ID field. I'll attach a sample.
Comment 6 Tony Finch 2008-03-11 12:40:52 UTC
Created attachment 4272
example false positive
Comment 7 Tony Finch 2008-03-11 12:41:37 UTC
Created attachment 4273
example false positive
Comment 8 Justin Mason 2008-05-18 06:45:49 UTC
I think we can avoid all of these by matching for the release of Outlook & OE:

: jm 75...; svn commit -m "add test rule to avoid FORGED_MUA_OUTLOOK FPs in bug 5496" rulesrc/
Adding         rulesrc/sandbox/jm/20_bug5496.cf
Transmitting file data .
Committed revision 657561.

let's see...
Comment 9 Justin Mason 2008-05-19 15:28:36 UTC
*** Bug 5910 has been marked as a duplicate of this bug. ***
Comment 10 Justin Mason 2008-05-19 15:43:43 UTC
http://ruleqa.spamassassin.org/?daterev=20080519-r657758-n&rule=%2FFORGED_MUA_OUTLOOK&srcpath=&g=Change


0.00000  9.3765  207602 of 2214067 messages  0.0100  12 of 119894 messages  0.999  0.97  4.20  FORGED_MUA_OUTLOOK
0.00000  9.3759  207589 of 2214067 messages  0.0100  12 of 119894 messages  0.999  0.97  0.01  T_FORGED_MUA_OUTLOOK_BUG5496

fine by me! checking that in.

: jm 157...; svn commit -m "bug 5496, bug 5910: clear some FORGED_MUA_OUTLOOK false positives, particularly on the new-format Message-ID generated by the Outlook Express version used in Windows XP service pack 3" rules/20_ratware.cf rulesrc/sandbox/jm
Deleting       rulesrc/sandbox/jm/20_bug5496.cf
Sending        rules/20_ratware.cf
Transmitting file data .
Committed revision 658009.

3.2.x:

: jm 165...; svn commit -m "bug 5496, bug 5910: clear some FORGED_MUA_OUTLOOK false positives, particularly on the new-format Message-ID generated by the Outlook Express version used in Windows XP service pack 3" rules/20_ratware.cf
Sending        rules/20_ratware.cf
Transmitting file data .
Committed revision 658010.

and 3.2.x updates:

: jm 184...; svn commit -m "sync up with 3.2.0 SVN rules file, including FORGED_MUA_OUTLOOK fp fixes for bug 5910 and 5496"  /home/jm/ftp/sa/b3_2_0_updates/20_ratware.cf
Sending        /home/jm/ftp/sa/b3_2_0_updates/20_ratware.cf
Transmitting file data .
Committed revision 658011.

update built as per http://wiki.apache.org/spamassassin/ManualRuleUpdates.
Comment 11 Justin Mason 2008-05-29 01:32:19 UTC
*** Bug 5914 has been marked as a duplicate of this bug. ***
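
Added illustration (not SpamAssassin's rule text and not code from anyone in this thread) of the check discussed above: a message whose X-Mailer claims Outlook Express is flagged when its Message-ID does not have a shape that client is known to generate, so a new Message-ID format causes false positives until it is added to the list. The regular expressions and the `accept_new_format` switch are assumptions made for the example. Only the first sample's two headers come from the report; the other samples are constructed.

```python
import re
from email import message_from_string

# Assumed patterns for illustration; not copied from rules/20_ratware.cf.
OE_MAILER = re.compile(r"\bOutlook Express [456]\.")
# Older shape: three hex fields joined by '$' (see the constructed sample).
OE_MSGID_CLASSIC = re.compile(
    r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$")
# Shape reported in this bug: 32 upper-case hex digits before the '@'.
OE_MSGID_NEW = re.compile(r"^<[0-9A-F]{32}@\S+>$")


def forged_oe(raw_message, accept_new_format):
    """Return True when the mail claims Outlook Express in X-Mailer but its
    Message-ID matches none of the accepted Outlook Express shapes."""
    msg = message_from_string(raw_message)
    if not OE_MAILER.search(msg.get("X-Mailer", "")):
        return False  # the check only applies to mail claiming to be OE
    msgid = msg.get("Message-ID", "").strip()
    shapes = [OE_MSGID_CLASSIC]
    if accept_new_format:
        shapes.append(OE_MSGID_NEW)
    return not any(p.match(msgid) for p in shapes)


# Headers quoted in the bug description.
REPORTED = ("Message-ID: <8C51A835039D48A6A1CFA74053B91DE0@CDCHOME>\n"
            "X-Mailer: Microsoft Outlook Express 6.00.3790.3959\n\nbody\n")
# Constructed: older '$'-separated Message-ID.
CLASSIC = ("Message-ID: <000a01c7a71b$3f2c5d80$6401a8c0@desk>\n"
           "X-Mailer: Microsoft Outlook Express 6.00.2900.3138\n\nbody\n")
# Constructed: OE claimed, Message-ID in neither shape.
MISMATCH = ("Message-ID: <20070605.12345@mail.example.com>\n"
            "X-Mailer: Microsoft Outlook Express 6.00.2900.3138\n\nbody\n")
# Constructed: different mail client, so the check does not apply.
OTHER_MUA = ("Message-ID: <20070605.12345@mail.example.com>\n"
             "X-Mailer: ExampleMail 1.0\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("reported", REPORTED), ("classic", CLASSIC),
                      ("mismatch", MISMATCH), ("other MUA", OTHER_MUA)]:
        print(f"{name:10} before={forged_oe(raw, False)} "
              f"after={forged_oe(raw, True)}")
```
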