I got one of the few FPs today. SA 2.60.

1.1 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
1.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format

I get the first when spamd gets the message from our milter (MailCorral), 
which apparently munges it a bit, and the second when using spamassassin 
-D directly. Both are wrong about the message.

This message was sent from Outlook Express, not Outlook, and it included 
text/plain as well, just very much hidden in MIME compartments (so that my 
mailreader wouldn't display any text, but it's there and it's not hidden 
intentionally).

I can't open a bug on bugzilla because I can't upload a confidential mail 
there. I can forward the original source to one of the developers. 
Basically, it's a text/plain + HTML message, both encoded in QP, plus two 
attachments. I've added the body structure and relevant headers below; 
shall I submit it this way via Bugzilla?

I'm also wondering why the Priority tags get so much attention/scoring, 
see down below:
1.3 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
0.5 X_MSMAIL_PRIORITY_HIGH Sent with 'X-Msmail-Priority' set to high

I don't remember having seen these a lot in spam. Is it really such a high 
mark for spam?

The message also matched this:
2.2 DOMAIN_BODY BODY: Domain registration spam body
and I'm trying to figure out what was matched by the regexp:

body DOMAIN_BODY /(?:\s|^)(?:\.|dot\s+)(?:info|biz|name)\b|(?:\s|^)\.\w+ domain/mi

This seems to match almost everything which is like ".xxxxxx domain". 
Isn't that a bit much? Shouldn't the (?:info|biz|name) have a "+"? 
(Otherwise that part is of no use and could be omitted.)

And here's the message structure:

X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

--BodyStart

This is a multi-part message in MIME format.

------=_NextPart_000_0249_01C3883A.66759B10
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="----=_NextPart_001_024A_01C3883A.66759B10"


------=_NextPart_001_024A_01C3883A.66759B10
Content-Type: multipart/alternative;
 boundary="----=_NextPart_002_024B_01C3883A.66759B10"


------=_NextPart_002_024B_01C3883A.66759B10
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

long text here

------=_NextPart_002_024B_01C3883A.66759B10
Content-Type: text/html;
 charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

HTML equivalent here

------=_NextPart_002_024B_01C3883A.66759B10--

------=_NextPart_001_024A_01C3883A.66759B10
Content-Type: image/jpeg;
 name="xxxxx.jpg"
Content-Transfer-Encoding: base64
Content-ID: <[EMAIL PROTECTED]>

image

------=_NextPart_001_024A_01C3883A.66759B10--

------=_NextPart_000_0249_01C3883A.66759B10
Content-Type: application/pdf;
 name="xxxxx.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="xxxxx.pdf"
 
PDF

------=_NextPart_000_0249_01C3883A.66759B10--

--BodyEnd



Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
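
Added example (not part of the original post, and not SpamAssassin code): a Python sketch that splits the DOMAIN_BODY pattern quoted above at its top-level "|" and reports which alternative fired, so a false positive can be traced to the exact text that matched. It assumes Python's re module treats this pattern the same way Perl does under /mi; the function names and sample lines are constructed for illustration.

```python
import re

# Perl's /mi flags correspond to MULTILINE | IGNORECASE in Python.
FLAGS = re.MULTILINE | re.IGNORECASE

# The two top-level alternatives of the DOMAIN_BODY pattern quoted in the post.
# Branch names are hypothetical labels, not SpamAssassin identifiers.
BRANCHES = {
    "tld": re.compile(r"(?:\s|^)(?:\.|dot\s+)(?:info|biz|name)\b", FLAGS),
    "any_domain": re.compile(r"(?:\s|^)\.\w+ domain", FLAGS),
}

# The complete pattern, unchanged from the post.
FULL = re.compile(
    r"(?:\s|^)(?:\.|dot\s+)(?:info|biz|name)\b|(?:\s|^)\.\w+ domain", FLAGS
)


def explain(text):
    """Return (branch, matched_text) for every hit of either alternative."""
    hits = []
    for name, rx in BRANCHES.items():
        for m in rx.finditer(text):
            hits.append((name, m.group(0).strip()))
    return hits


def rule_fires(text):
    """True if the complete pattern matches anywhere in the text."""
    return FULL.search(text) is not None


# Constructed sample body lines (not taken from the confidential message).
SAMPLES = [
    "Register your .info today",
    "we moved the site to a .de domain last week",
    "the dot biz registry",
    "buy a .info domain",
    "see www.example.info for details",
    "my name is Kai",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{rule_fires(line)!s:5}  {explain(line)!s:45}  {line!r}")
```

Running the same function over the decoded text/plain part of a flagged message shows which phrase triggered the rule without having to share the message itself.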