Er, Roger, one might ask you what makes you think for a picosecond that the message is not forged. Trace the headers backwards starting at the top. I see nothing there to inspire belief in the headers below the second "Received:" header.
{^_^}
----- Original Message -----
From: "Jolly ArrRoger" <[EMAIL PROTECTED]>

>
> Can someone please explain why SA declares forgery on the attached message?
> Seem to be getting an excessive number of false positives from legitimate
> yahoo.com email addresses that are delivered through YahooGroups.com. I've
> been "whitelisting" each one I find but wonder if there is a specific
> anomaly occurring with this combination. Group subscribers who use their
> comcast.com or aol.com, etc. email addresses seem to not trigger the
> CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> Please advise.
>
> --Roger
>
> __________ Original Header <modified by Yours Truly> ________________
> Return-Path:
> <sentto-9840495-3661-1101401565-<YoursTruly>@returns.groups.yahoo.com>
> Delivered-To: <YoursTruly>
> X-Envelope-To: <YoursTruly>
> Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
> Received: from n22a.bulk.scd.yahoo.com (66.94.237.51)
> by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
> Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov
> 2004 16:52:46 -0000
> Received: from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25
> Nov 2004 16:52:46 -0000
> X-Yahoo-Newman-Property: groups-email
> Received: (qmail 52933 invoked from network); 25 Nov 2004 16:52:44 -0000
> Received: from unknown (66.218.66.216)
> by m24.grp.scd.yahoo.com with QMQP; 25 Nov 2004 16:52:44 -0000
> Received: from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37)
> by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000
> Received: from [66.218.69.2] by n3.bulk.scd.yahoo.com with NNFMP; 25 Nov
> 2004 16:52:34 -0000
> Received: from [66.218.67.163] by mailer2.bulk.scd.yahoo.com with NNFMP; 25
> Nov 2004 16:52:34 -0000
> X-Sender: [EMAIL PROTECTED]
> X-Apparently-To: [EMAIL PROTECTED]
> Received: (qmail 18949 invoked from network); 25 Nov 2004 10:16:52 -0000
> Received: from unknown (66.218.66.218)
> by m22.grp.scd.yahoo.com with QMQP; 25 Nov 2004 10:16:52 -0000
> Received: from unknown (HELO n8a.bulk.scd.yahoo.com) (66.94.237.42)
> by mta3.grp.scd.yahoo.com with SMTP; 25 Nov 2004 10:16:51 -0000
> Received: from [66.218.69.3] by n8.bulk.scd.yahoo.com with NNFMP; 25 Nov
> 2004 10:16:47 -0000
> Received: from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25
> Nov 2004 10:16:47 -0000
> To: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> User-Agent: eGroups-EW/0.82
> X-Mailer: Yahoo Groups Message Poster
> X-eGroups-Remote-IP: 66.94.237.42
> From: "" <[EMAIL PROTECTED]>
> X-Originating-IP: 67.51.204.140
> X-Yahoo-Profile: newuser
> X-eGroups-Edited-By: nwfs <[EMAIL PROTECTED]>
> X-eGroups-Approved-By: nwfs <[EMAIL PROTECTED]> via web; 25 Nov 2004
> 16:52:31 -0000
> X-eGroups-Remote-IP: 66.94.237.37
> MIME-Version: 1.0
> Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
> Delivered-To: mailing list [EMAIL PROTECTED]
> Precedence: bulk
> List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> Date: Thu, 25 Nov 2004 10:16:39 -0000
> Subject: **JUNK** [NWFS] A New Member saying "Hi"
> Reply-To: [EMAIL PROTECTED]
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> X-Spam-Filtered: 27d8e8c12adf38f84030330200646532
> X-Spam-Status: Yes, hits=6.6 required=4.0
> tests=MIME_HTML_ONLY,CONFIRMED_FORGED,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_50_60,FORGED_YAHOO_RCVD,HTML_IMAGE_RATIO_14,HTML_FONTCOLOR_BLUE,CLICK_BELOW
> X-Spam-Flag: YES
> X-Spam-Level: ******
>
> SPAM: -------------------- Start SpamAssassin results ----------------------
> SPAM: This mail is probably junk. The original message has been altered
> SPAM: so you can recognise or block similar unwanted mail in future.
> SPAM: See http://spamassassin.org/tag/ for more details.
> SPAM:
> SPAM: Content analysis details: (6.6 points, 4.0 required)
> SPAM: 0.3 HTML_IMAGE_RATIO_14 BODY: HTML has a low ratio of text to
> image area
> SPAM: 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
> SPAM: 0.0 HTML_MESSAGE BODY: HTML included in message
> SPAM: 1.1 HTML_IMAGE_ONLY_10 BODY: HTML: images with 800-1000 bytes of
> words
> SPAM: 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME
> parts
> SPAM: 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
> SPAM: 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received'
> headers
> SPAM: 0.0 CLICK_BELOW Asks you to click below
> SPAM: 4.3 CONFIRMED_FORGED Received headers are forged
> SPAM:
> SPAM: -------------------- End of SpamAssassin results ---------------------
>
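
The top-down trace the reply describes, as an added example that is not part of the original thread: read the `Received:` lines from the top and stop taking them at face value at the first hop that was not stamped by the recipient's own server. The function names, the `own_hosts` parameter and the trimmed four-hop sample (taken from the quoted headers, with a constructed Subject and body) are assumptions for illustration.

```python
import re
from email import message_from_string

# Top four Received hops from the quoted message; Subject and body are constructed.
SAMPLE = """\
Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
Received: from n22a.bulk.scd.yahoo.com (66.94.237.51)
  by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov
  2004 16:52:46 -0000
Received: from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25
  Nov 2004 16:52:46 -0000
Subject: sample

body
"""

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_hop(value):
    """Return (by_host, peer_ip) for one Received value; either may be None."""
    flat = " ".join(value.split())  # unfold continuation lines
    by = BY_RE.search(flat)
    ip = IP_RE.search(flat)
    return (by.group(1).lower() if by else None, ip.group(1) if ip else None)

def split_trust(raw, own_hosts):
    """Walk Received headers top-down. Hops stamped by own_hosts, and local
    hand-offs with no 'by' clause above them, are trusted; everything from the
    first foreign-stamped hop down is text the sending side supplied."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    boundary = len(hops)
    for i, (by, _ip) in enumerate(hops):
        if by is not None and by not in own_hosts:
            boundary = i
            break
    trusted, unverified = hops[:boundary], hops[boundary:]
    # The peer IP on the lowest trusted hop is the only address we observed ourselves.
    handover_ip = next((ip for _by, ip in reversed(trusted) if ip), None)
    return trusted, unverified, handover_ip
```

Matching on the `by` hostname alone is a simplification, since a sender can insert a line that names your host; SpamAssassin's `trusted_networks` setting draws the same boundary by relay IP address instead.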