Interesting that you are using MailCorral. We spent a few weeks testing it with about 20 email accounts and it would tend to crash and hang - thereby refusing to accept mail. This was two or three months ago and the developer was unable to figure out what was happenning. When it worked it was a great product. We particularly like the corraling of spam and sending users a list of spam that was caught each day. We had modified the program slightly so that you only needed to click on the subject line and the email would be forwarded to you. How is it working for you?
At 06:31 PM 10/1/2003, you wrote:
I got one of the few FPs today. SA 2.60.
1.1 FORGED_OUTLOOK_HTML Outlook can't send HTML message only 1.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
I get the first when spamd gets the message from our milter (MailCorral), which apparently munges it a bit, and the second when using spamassassin -D directly. Both are wrong about the message.
This message was sent from Outlook Express, not Outlook, and it included text/plain as well, just very much hidden in MIME compartments (so that my mailreader wouldn't display any text, but it's there and it's not hidden intentionally).
I can't open a bug on bugzilla because I can't upload a confidential mail there. I can forward the original source to one of the developers. Basically, it's a text/plain + HTML message, both encoded in QP, plus two attachments. I add the body structure and relevant headers down below, shall I submit it this way via Bugzilla?
I'm also wondering why the Priority tags get so much attention/scoring, see down below: 1.3 X_PRIORITY_HIGH Sent with 'X-Priority' set to high 0.5 X_MSMAIL_PRIORITY_HIGH Sent with 'X-Msmail-Priority' set to high
I don't remember having seen these a lot in spam. Is it really such a high mark for spam?
The message also matched this 2.2 DOMAIN_BODY BODY: Domain registration spam body and I'm trying to figure out what was matched by the regexp:
body DOMAIN_BODY /(?:\s|^)(?:\.|dot\s+)(?:info|biz|name)\b|(?:\s|^)\.\w+ domain/mi
This seems to match almost everything which is like ".xxxxxx domain". Isn't that a bit much? Shouldn't the (?:info|biz|name) have a "+"? (Otherwise that part is of no use and could be omitted.)
And here's the message structure:
X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
--BodyStart
This is a multi-part message in MIME format.
------=_NextPart_000_0249_01C3883A.66759B10 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_001_024A_01C3883A.66759B10"
------=_NextPart_001_024A_01C3883A.66759B10 Content-Type: multipart/alternative; boundary="----=_NextPart_002_024B_01C3883A.66759B10"
------=_NextPart_002_024B_01C3883A.66759B10 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
long text here
------=_NextPart_002_024B_01C3883A.66759B10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
HTML equivalent here
------=_NextPart_002_024B_01C3883A.66759B10--
------=_NextPart_001_024A_01C3883A.66759B10 Content-Type: image/jpeg; name="xxxxx.jpg" Content-Transfer-Encoding: base64 Content-ID: <[EMAIL PROTECTED]>
image
------=_NextPart_001_024A_01C3883A.66759B10--
------=_NextPart_000_0249_01C3883A.66759B10 Content-Type: application/pdf; name="xxxxx.pdf" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="xxxxx.pdf"
------=_NextPart_000_0249_01C3883A.66759B10--
--BodyEnd
Kai
--
Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com IE-Center: http://ie5.de & http://msie.winware.org
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Best Regards,
Jeff Koch, Intersessions
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
