Can someone please explain why SA declares forgery on the attached message? Seem to be getting an excessive number of false positives from legitimate yahoo.com email addresses that are delivered through YahooGroups.com. I've been "whitelisting" each one I find but wonder if there is a specific anomaly occurring with this combination. Group subscribers who use their comcast.com or aol.com, etc. email addresses seem to not trigger the CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages. Please advise.
--Roger

__________ Original Header <modified by Yours Truly> ________________

Return-Path: <sentto-9840495-3661-1101401565-<YoursTruly>@returns.groups.yahoo.com>
Delivered-To: <YoursTruly>
X-Envelope-To: <YoursTruly>
Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
Received: from n22a.bulk.scd.yahoo.com (66.94.237.51) by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:46 -0000
Received: from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:46 -0000
X-Yahoo-Newman-Property: groups-email
Received: (qmail 52933 invoked from network); 25 Nov 2004 16:52:44 -0000
Received: from unknown (66.218.66.216) by m24.grp.scd.yahoo.com with QMQP; 25 Nov 2004 16:52:44 -0000
Received: from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37) by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000
Received: from [66.218.69.2] by n3.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:34 -0000
Received: from [66.218.67.163] by mailer2.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:34 -0000
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: [EMAIL PROTECTED]
Received: (qmail 18949 invoked from network); 25 Nov 2004 10:16:52 -0000
Received: from unknown (66.218.66.218) by m22.grp.scd.yahoo.com with QMQP; 25 Nov 2004 10:16:52 -0000
Received: from unknown (HELO n8a.bulk.scd.yahoo.com) (66.94.237.42) by mta3.grp.scd.yahoo.com with SMTP; 25 Nov 2004 10:16:51 -0000
Received: from [66.218.69.3] by n8.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 10:16:47 -0000
Received: from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 10:16:47 -0000
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
User-Agent: eGroups-EW/0.82
X-Mailer: Yahoo Groups Message Poster
X-eGroups-Remote-IP: 66.94.237.42
From: "" <[EMAIL PROTECTED]>
X-Originating-IP: 67.51.204.140
X-Yahoo-Profile: newuser
X-eGroups-Edited-By: nwfs <[EMAIL PROTECTED]>
X-eGroups-Approved-By: nwfs <[EMAIL PROTECTED]> via web; 25 Nov 2004 16:52:31 -0000
X-eGroups-Remote-IP: 66.94.237.37
MIME-Version: 1.0
Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
Precedence: bulk
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
Date: Thu, 25 Nov 2004 10:16:39 -0000
Subject: **JUNK** [NWFS] A New Member saying "Hi"
Reply-To: [EMAIL PROTECTED]
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Filtered: 27d8e8c12adf38f84030330200646532
X-Spam-Status: Yes, hits=6.6 required=4.0 tests=MIME_HTML_ONLY,CONFIRMED_FORGED,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_50_60,FORGED_YAHOO_RCVD,HTML_IMAGE_RATIO_14,HTML_FONTCOLOR_BLUE,CLICK_BELOW
X-Spam-Flag: YES
X-Spam-Level: ******

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably junk. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (6.6 points, 4.0 required)
SPAM: 0.3 HTML_IMAGE_RATIO_14 BODY: HTML has a low ratio of text to image area
SPAM: 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
SPAM: 0.0 HTML_MESSAGE BODY: HTML included in message
SPAM: 1.1 HTML_IMAGE_ONLY_10 BODY: HTML: images with 800-1000 bytes of words
SPAM: 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
SPAM: 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
SPAM: 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
SPAM: 0.0 CLICK_BELOW Asks you to click below
SPAM: 4.3 CONFIRMED_FORGED Received headers are forged
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------
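
For anyone triaging a false positive like this one, the following added example (not part of the original post, and not SpamAssassin code) parses the report above and shows which rules actually decide the verdict. The function names are this example's own, and the report text is copied from the message.

```python
import re
from decimal import Decimal

# Report lines copied from the message above.
REPORT = """\
SPAM: Content analysis details: (6.6 points, 4.0 required)
SPAM: 0.3 HTML_IMAGE_RATIO_14 BODY: HTML has a low ratio of text to image area
SPAM: 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
SPAM: 0.0 HTML_MESSAGE BODY: HTML included in message
SPAM: 1.1 HTML_IMAGE_ONLY_10 BODY: HTML: images with 800-1000 bytes of words
SPAM: 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
SPAM: 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
SPAM: 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
SPAM: 0.0 CLICK_BELOW Asks you to click below
SPAM: 4.3 CONFIRMED_FORGED Received headers are forged
"""

NUM = r"(-?\d+(?:\.\d+)?)"
HEADER_RE = re.compile(r"\(" + NUM + r" points, " + NUM + r" required\)")
RULE_RE = re.compile(r"^SPAM:\s+" + NUM + r"\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return (reported_total, required, {rule_name: score}) from a report."""
    total = required = None
    rules = {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, required = Decimal(m.group(1)), Decimal(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:  # non-rule "SPAM:" lines (banner, blank) do not match
            rules[m.group(2)] = Decimal(m.group(1))
    if total is None:
        raise ValueError("no 'Content analysis details' line found")
    return total, required, rules

def score_without(rules, excluded):
    """Score the message would have had if the excluded rules had not fired."""
    return sum((s for r, s in rules.items() if r not in excluded), Decimal("0"))

def decisive_rules(rules, required):
    """Rules whose removal alone drops a flagged message below the threshold."""
    total = sum(rules.values(), Decimal("0"))
    return sorted(r for r, s in rules.items() if total >= required > total - s)

if __name__ == "__main__":
    total, required, rules = parse_report(REPORT)
    forged = {"CONFIRMED_FORGED", "FORGED_YAHOO_RCVD"}
    print("reported:", total, "required:", required)
    print("without forgery rules:", score_without(rules, forged))
    print("decisive on their own:", decisive_rules(rules, required))
```
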