Bug 6064 - false positive: el-al e-ticket
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.2.5
Hardware: Other All
Importance: P5 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Depends on: 5553
Reported: 2009-02-11 06:09 UTC by Tony Finch
Modified: 2011-12-13 01:28 UTC (History)



Attachment Type Modified Status Actions Submitter/CLA Status
El-Al e-ticket text/plain None Tony Finch [HasCLA]

Description Tony Finch 2009-02-11 06:09:55 UTC
Created attachment 4433
El-Al e-ticket

This airline e-ticket is particularly egregiously malformed, and at the same time rather important for the recipient. It scores

score 10.7 from SpamAssassin-3.2.5-730418
* -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
*      medium trust
*      [82.150.225.79 listed in list.dnswl.org]
*  1.2 LOW_PRICE BODY: Lowest Price
*  1.8 SUBJ_ALL_CAPS Subject is all capitals
*  0.8 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
*  2.7 HTML_OBFUSCATE_20_30 BODY: Message is 20% to 30% HTML obfuscation
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  2.8 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
*  2.0 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
*  1.9 UPPERCASE_75_100 message body is 75-100% uppercase
*  1.4 ADVANCE_FEE_3 Appears to be advance fee fraud (Nigerian 419)

It seems that amadeus.net provide e-ticket services for more airlines than just el-al and their messages' filthy encoding means they frequently score more than 5. From my logs...

HTML_MESSAGE,HTML_NONELEMENT_30_40,HTML_TAG_BALANCE_BODY,MIME_BASE64_TEXT,RCVD_IN_DNSWL_MED,SUBJ_ALL_CAPS,UPPERCASE_75_100
HTML_MESSAGE,HTML_OBFUSCATE_10_20,HTML_TAG_BALANCE_BODY,MIME_BASE64_TEXT,RCVD_IN_DNSWL_MED,SUBJ_ALL_CAPS,UPPERCASE_75_100
HTML_MESSAGE,HTML_TAG_BALANCE_BODY,MIME_BASE64_TEXT,RCVD_IN_DNSWL_LOW,SUBJ_ALL_CAPS,UPPERCASE_75_100
ADVANCE_FEE_2,ADVANCE_FEE_3,HTML_MESSAGE,HTML_OBFUSCATE_20_30,HTML_TAG_BALANCE_BODY,LOW_PRICE,MIME_BASE64_TEXT,SUBJ_ALL_CAPS,UPPERCASE_75_100

I'm not sure whether the best solution is to whitelist them or if the collective wisdom of the SA developers and users has a better idea.
Comment 1 Mark Martinec 2009-02-11 07:03:28 UTC
I'd suggest to just whitelist them, the message looks like a lost cause:

whitelist_from_rcvd *@*.amadeus.net   amadeus.net
whitelist_from_rcvd *@amadeus.net     amadeus.net
Comment 2 eriker-sa 2009-04-29 02:03:48 UTC
+1 on adding a whitelisting for amadeus.net; we are already doing that locally.

Many airlines at least in Europe are using Amadeus, and obviously airline e-tickets are the kind of email which simply should never get eaten by a spam filter.

All the ones I've seen have been from *@*.amadeus.net (and specifically I think pop3.amadeus.net) so the second whitelisting entry might be superfluous.

If somebody knows how to persuade the people at Amadeus to generate less broken email, the world could be a better place, but yes, perhaps this is a lost cause.  (I left a note at http://amadeusnet.wordpress.com/2008/04/02/20/#comment-349 but don't really expect a reply.)

MIME_BASE64_TEXT should not be triggering on this message IMHO; I think this is bug #5553

This sample message takes several seconds to scan -- somebody should look into that as well.
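
The two whitelist_from_rcvd entries from Comment 1, and Comment 2's remark that the second may be superfluous, worked through as an added example that is not part of the original thread and is not SpamAssassin's own code. It is a simplified model that assumes the address glob treats only `*` and `?` as wildcards and that the relay's reverse DNS must equal the named domain or be a subdomain of it; the function names and the sample addresses are constructed for illustration.

```python
import re

# The two entries from Comment 1: (From-address glob, relay rDNS domain).
ENTRIES = [
    ("*@*.amadeus.net", "amadeus.net"),
    ("*@amadeus.net", "amadeus.net"),
]

def addr_glob_to_regex(glob):
    """Address glob where only '*' and '?' are wildcards; all else is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob]
    return re.compile("".join(parts), re.IGNORECASE)

def rdns_in_domain(rdns, domain):
    """True if the relay's rDNS is the named host or a subdomain of it."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)

def matching_entries(from_addr, relay_rdns, entries=ENTRIES):
    """Entries that whitelist a message: From glob AND relay rDNS must both match."""
    return [
        (glob, domain)
        for glob, domain in entries
        if addr_glob_to_regex(glob).fullmatch(from_addr)
        and rdns_in_domain(relay_rdns, domain)
    ]

# Constructed samples: (From address, rDNS of the relay that handed the mail over).
SAMPLES = [
    ("eticket@pop3.amadeus.net", "pop3.amadeus.net"),     # subdomain sender
    ("eticket@amadeus.net", "mail.amadeus.net"),          # bare-domain sender
    ("eticket@pop3.amadeus.net", "relay.example.com"),    # From forged, unrelated relay
    ("eticket@pop3.amadeus.net", "mail.notamadeus.net"),  # look-alike rDNS suffix
    ("eticket@pop3.amadeus.net", ""),                     # relay has no rDNS
]

if __name__ == "__main__":
    for from_addr, rdns in SAMPLES:
        hits = [glob for glob, _ in matching_entries(from_addr, rdns)]
        print(f"{from_addr:28} via {rdns or '(no rDNS)':22} -> {hits or 'not whitelisted'}")
```

Under this model the first entry covers senders at any subdomain, the second is needed only for a bare `@amadeus.net` From address, and neither applies when the From address matches but the delivering relay's rDNS does not.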
Comment 3 Kevin A. McGrail 2011-12-13 01:28:35 UTC
The only issue in this ticket that is an issue with SA has been resolved.  While the content is important, the email is very badly crafted.