Bug 5516 - Legitimate email scores as forged MS Outlook
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.1.8
Hardware: Other other
Importance: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2007-06-14 03:12 UTC by Volker Kuhlmann
Modified: 2007-06-14 05:04 UTC

Description Volker Kuhlmann 2007-06-14 03:12:42 UTC
I keep on having trouble with a particular sender whose emails are being scored 
as being from forged MS Outlook. The emails are definitely ham, the person 
probably uses a Win9x. Headers are:

MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-Priority: 3
X-MSMail-priority: Normal
References: <WclBLXxg5gE.A.HeE.04ibGB@kereru>
Message-Id: <BVJ2oNHhJeP.A.u1G.kKFcGB@kereru>

SA scores:

 4.1 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

and with a score that high, it's practically over the limit already.
SA's detection of Outlook emails is too wide in scope.

Thanks!
Comment 1 Justin Mason 2007-06-14 03:34:50 UTC
We'll need to see full headers -- a full message if possible, as an attachment.

My preliminary guess is that something in their mailserver is removing
message-IDs and replacing them with different ones.
Comment 2 Volker Kuhlmann 2007-06-14 05:04:49 UTC
Thanks for getting me on track, Justin, you're right. Message-id: was recreated 
when the email was forwarded; with the other 3 Outlook headers being the same, 
it's tripping SA's test.
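
A header triage sketch for the false positive diagnosed in this thread, added here as an example and not part of the bug report or SpamAssassin's code: it reports when headers claim Outlook but the Message-ID lacks the shape Outlook Express generates itself, which is what a rewritten Message-ID produces. The `OE_MSGID` pattern, the `triage` function and the constructed sample are assumptions; the real FORGED_MUA_OUTLOOK rule text is not shown on the page.

```python
import re
from email import message_from_string

# Assumption: simplified shape of a Message-ID generated by Outlook Express
# itself (hex$hex$hex@host). This is not SpamAssassin's rule text.
OE_MSGID = re.compile(
    r"^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}@\S+>$", re.I)
OUTLOOK_MUA = re.compile(r"^Microsoft Outlook\b", re.I)
OUTLOOK_HEADERS = ("X-MIMEOLE", "X-Mailer", "X-MSMail-priority")

COMMON = (
    "MIME-version: 1.0\n"
    "X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "X-Priority: 3\n"
    "X-MSMail-priority: Normal\n"
)
# Headers as quoted in the bug report (Message-ID rewritten on forwarding).
REPORTED = COMMON + "Message-Id: <BVJ2oNHhJeP.A.u1G.kKFcGB@kereru>\n"
# Constructed sample: same headers with an untouched Outlook-style Message-ID.
CONSTRUCTED = COMMON + "Message-Id: <000a01c7ae2b$1a2b3c40$0201a8c0@example-pc>\n"


def triage(raw_headers):
    """Classify a header block as not-outlook, consistent or mismatch."""
    msg = message_from_string(raw_headers)   # header lookup is case-insensitive
    msgid = (msg.get("Message-Id") or "").strip()
    present = [h for h in OUTLOOK_HEADERS if h in msg]
    if not OUTLOOK_MUA.match((msg.get("X-Mailer") or "").strip()):
        verdict = "not-outlook"
    elif OE_MSGID.match(msgid):
        verdict = "consistent"
    else:
        # Outlook headers survived but the Message-ID did not: look for a
        # forwarder or mail server that regenerates Message-IDs before
        # treating the mail as forged.
        verdict = "mismatch"
    return {"verdict": verdict, "message_id": msgid, "outlook_headers": present}


if __name__ == "__main__":
    for name, raw in (("reported", REPORTED), ("constructed", CONSTRUCTED)):
        print(name, triage(raw))
```

A `mismatch` verdict on known-good mail points at the delivery path rather than the sender, so the full headers requested in Comment 1 are the next thing to inspect.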