Hi all, I've noticed that the rule identifying Outlook Express as a non-spam MUA actually has a (small) positive score. My guess is that this is because many spammers fake an X-Mailer header claiming that the message was sent with OE. Frequently, though, they don't fake all of the headers that OE includes. One of the most noticeable of these is the format used for the Message-Id header.
I'm proposing a new rule to identify the Message-Id format used by OE (and Outlook) and tying it to the existing meta rule that spots the string "Microsoft Outlook" in the X-Mailer header. I'm currently using the following in my local.cf:

    header __MSGID_MS_FORMAT Message-Id =~ /^<[0-9a-f]{12,12}\$[0-9a-f]{8,8}\$[0-9a-f]{8,8}\@.{1,50}>$/
    describe __MSGID_MS_FORMAT Message-Id is in standard Microsoft format

    meta FAKED_MS_MUA (__HAS_OUTLOOK_IN_MAILER && !__MSGID_MS_FORMAT)
    describe FAKED_MS_MUA Mailer claims to be Outlook/OE, but Message-Id is in wrong format
    score FAKED_MS_MUA 1.0

Now I'm not sure about the "@.{1,50}>$" bit (perhaps 50 is too short), and obviously the score for that rule will need to be calculated. But hopefully it might allow the non-spam MUA rule to be fixed so that it's the right (expected) side of zero!

I've submitted this to Bugzilla, which gave it bug #1106.

Comments welcome (but be gentle, this is my first "proper" contribution to SA).

Martin

--
Martin Radford              | "Only wimps use tape backup: _real_
[EMAIL PROTECTED]           | men just upload their important stuff  -o)
Registered Linux user #9257 | on ftp and let the rest of the world   /\\
- see http://counter.li.org | mirror it ;)" - Linus Torvalds        _\_V
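The rule logic from the post, replayed in Python over constructed headers; this is an added example, not part of the original post and not SpamAssassin's own code. It assumes `__HAS_OUTLOOK_IN_MAILER` is a plain substring test for "Microsoft Outlook" on X-Mailer (its definition is not shown in the post), and the long-hostname sample exercises the `.{1,50}` limit the post questions.

```python
import re
from email import message_from_string


def msgid_ms_format(msgid, max_host=50):
    """The post's __MSGID_MS_FORMAT pattern; max_host is its 50-character limit."""
    pat = r'^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@.{1,%d}>$' % max_host
    return re.search(pat, msgid) is not None


def has_outlook_in_mailer(xmailer):
    """Assumption: stand-in for __HAS_OUTLOOK_IN_MAILER (not defined in the post)."""
    return "Microsoft Outlook" in xmailer


def faked_ms_mua(raw, max_host=50):
    """meta FAKED_MS_MUA: claims Outlook/OE but Message-Id is not in MS format."""
    msg = message_from_string(raw)
    mailer = msg.get("X-Mailer", "")
    msgid = msg.get("Message-Id", "").strip()
    return has_outlook_in_mailer(mailer) and not msgid_ms_format(msgid, max_host)


def make(mailer, msgid):
    """Build a minimal raw message (constructed test input)."""
    return "X-Mailer: %s\nMessage-Id: %s\nSubject: test\n\nbody\n" % (mailer, msgid)


OE = "Microsoft Outlook Express 6.00.2600.0000"  # constructed sample value

# Constructed samples, not taken from real mail.
GENUINE = make(OE, "<000801c2a1b3$4f6e2d10$0200a8c0@workstation>")
FAKED = make(OE, "<20021015123456.ABCDEF@mail.example.com>")
OTHER_MUA = make("Mutt", "<20021015123456.ABCDEF@mail.example.com>")
# Correct MS layout, but the part after '@' is 75 characters long.
LONG_HOST = make(OE, "<000801c2a1b3$4f6e2d10$0200a8c0@pc.%s.example.com>" % ("x" * 60))

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("faked", FAKED),
                      ("other MUA", OTHER_MUA), ("long host", LONG_HOST)]:
        print("%-10s FAKED_MS_MUA=%s" % (name, faked_ms_mua(raw)))
    # Raising the limit clears the false positive on the long hostname.
    print("long host, limit 255: FAKED_MS_MUA=%s" % faked_ms_mua(LONG_HOST, 255))
```
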