Thanks, jdow. The reason I believe it is because I know "newuser1" to be legitimate; however, the path the message takes getting to me through SA generates FPs consistently. Can someone familiar with what causes SA to confirm forgery identify the specific cause?

--Roger

----- Original Message -----
From: "jdow" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Saturday, November 27, 2004 12:48 PM
Subject: Re: False Positives: CONFIRMED_FORGED from yahoo.com

Er, Roger, one might ask you what makes you think for a picosecond that
the message is not forged. Trace the headers backwards starting at the
top. I see nothing there to inspire belief in the headers below the
second "Received:" header.

{^_^}

----- Original Message -----
From: "Jolly ArrRoger" <[EMAIL PROTECTED]>

>
> Can someone please explain why SA declares forgery on the attached message?
> Seem to be getting an excessive number of false positives from legitimate
> yahoo.com email addresses that are delivered through YahooGroups.com. I've
> been "whitelisting" each one I find but wonder if there is a specific
> anomaly occurring with this combination. Group subscribers who use their
> comcast.com or aol.com, etc. email addresses seem to not trigger the
> CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> Please advise.
>
> --Roger
>
> __________ Original Header <modified by Yours Truly> ________________
> Return-Path:
> <sentto-9840495-3661-1101401565-<YoursTruly>@returns.groups.yahoo.com>
> Delivered-To: <YoursTruly>
> X-Envelope-To: <YoursTruly>
> Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
> Received: from n22a.bulk.scd.yahoo.com (66.94.237.51)
>   by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
> Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov
> 2004 16:52:46 -0000
> Received: from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25
> Nov 2004 16:52:46 -0000
> X-Yahoo-Newman-Property: groups-email
> Received: (qmail 52933 invoked from network); 25 Nov 2004 16:52:44 -0000
> Received: from unknown (66.218.66.216)
>   by m24.grp.scd.yahoo.com with QMQP; 25 Nov 2004 16:52:44 -0000
> Received: from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37)
>   by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000
> Received: from [66.218.69.2] by n3.bulk.scd.yahoo.com with NNFMP; 25 Nov
> 2004 16:52:34 -0000
> Received: from [66.218.67.163] by mailer2.bulk.scd.yahoo.com with NNFMP; 25
> Nov 2004 16:52:34 -0000
> X-Sender: [EMAIL PROTECTED]
> X-Apparently-To: [EMAIL PROTECTED]
> Received: (qmail 18949 invoked from network); 25 Nov 2004 10:16:52 -0000
> Received: from unknown (66.218.66.218)
>   by m22.grp.scd.yahoo.com with QMQP; 25 Nov 2004 10:16:52 -0000
> Received: from unknown (HELO n8a.bulk.scd.yahoo.com) (66.94.237.42)
>   by mta3.grp.scd.yahoo.com with SMTP; 25 Nov 2004 10:16:51 -0000
> Received: from [66.218.69.3] by n8.bulk.scd.yahoo.com with NNFMP; 25 Nov
> 2004 10:16:47 -0000
> Received: from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25
> Nov 2004 10:16:47 -0000
> To: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> User-Agent: eGroups-EW/0.82
> X-Mailer: Yahoo Groups Message Poster
> X-eGroups-Remote-IP: 66.94.237.42
> From: "" <[EMAIL PROTECTED]>
> X-Originating-IP: 67.51.204.140
> X-Yahoo-Profile: newuser
> X-eGroups-Edited-By: nwfs <[EMAIL PROTECTED]>
> X-eGroups-Approved-By: nwfs <[EMAIL PROTECTED]> via web; 25 Nov 2004
> 16:52:31 -0000
> X-eGroups-Remote-IP: 66.94.237.37
> MIME-Version: 1.0
> Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
> Delivered-To: mailing list [EMAIL PROTECTED]
> Precedence: bulk
> List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> Date: Thu, 25 Nov 2004 10:16:39 -0000
> Subject: **JUNK** [NWFS] A New Member saying "Hi"
> Reply-To: [EMAIL PROTECTED]
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> X-Spam-Filtered: 27d8e8c12adf38f84030330200646532
> X-Spam-Status: Yes, hits=6.6 required=4.0
> tests=MIME_HTML_ONLY,CONFIRMED_FORGED,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_50_60,FORGED_YAHOO_RCVD,HTML_IMAGE_RATIO_14,HTML_FONTCOLOR_BLUE,CLICK_BELOW
> X-Spam-Flag: YES
> X-Spam-Level: ******
>
> SPAM: -------------------- Start SpamAssassin results ----------------------
> SPAM: This mail is probably junk. The original message has been altered
> SPAM: so you can recognise or block similar unwanted mail in future.
> SPAM: See http://spamassassin.org/tag/ for more details.
> SPAM:
> SPAM: Content analysis details: (6.6 points, 4.0 required)
> SPAM: 0.3 HTML_IMAGE_RATIO_14 BODY: HTML has a low ratio of text to
> image area
> SPAM: 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
> SPAM: 0.0 HTML_MESSAGE BODY: HTML included in message
> SPAM: 1.1 HTML_IMAGE_ONLY_10 BODY: HTML: images with 800-1000 bytes of
> words
> SPAM: 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME
> parts
> SPAM: 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
> SPAM: 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received'
> headers
> SPAM: 0.0 CLICK_BELOW Asks you to click below
> SPAM: 4.3 CONFIRMED_FORGED Received headers are forged
> SPAM:
> SPAM: -------------------- End of SpamAssassin results ---------------------
>
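
The top-down header trace suggested in the thread, as an added example (not part of any poster's message and not SpamAssassin's rule code): it parses the first five Received hops quoted above and separates the one hop the recipient's server recorded itself from the hops that exist only as text passed along by the sending side. The function names parse_hop and trace and the verdict labels are assumptions made for this example.

```python
import re

# First five Received hops copied from the quoted message, newest first, unfolded.
# The "(qmail ... invoked from network)" lines carry no hop data and are omitted.
RECEIVED = [
    "from n22a.bulk.scd.yahoo.com (66.94.237.51) by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000",
    "from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:46 -0000",
    "from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:46 -0000",
    "from unknown (66.218.66.216) by m24.grp.scd.yahoo.com with QMQP; 25 Nov 2004 16:52:44 -0000",
    "from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37) by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000",
]

HOP = re.compile(
    r"from (?P<frm>\S+)(?: \(HELO (?P<helo>\S+)\))?(?: \((?P<ip>[\d.]+)\))?"
    r" by (?P<by>\S+) with (?P<proto>\S+);"
)

def parse_hop(line):
    """Split one Received line into claimed name, peer IP and recording host."""
    m = HOP.match(line)
    if m is None:
        raise ValueError("unrecognised Received format: " + line)
    frm, ip = m["frm"], m["ip"]
    if frm.startswith("["):              # address literal: from [66.218.69.1]
        frm, ip = None, frm.strip("[]")
    name = m["helo"] or (None if frm in (None, "unknown") else frm)
    return {"name": name, "ip": ip, "by": m["by"], "proto": m["proto"]}

def trace(lines):
    """Label each hop, walking down from the top of the header block."""
    hops = [parse_hop(line) for line in lines]
    # Hop 0 was written by the recipient's own server: its peer IP is observed.
    verdicts = ["observed"]
    # Every lower hop is text handed over by the peer; only names can be compared.
    for upper, lower in zip(hops, hops[1:]):
        if upper["name"] is None:
            verdicts.append("unverifiable")   # IP only above: needs a DNS lookup
        elif upper["name"].lower() == lower["by"].lower():
            verdicts.append("consistent")
        else:
            verdicts.append("name-mismatch")
    return [(h["by"], v) for h, v in zip(hops, verdicts)]

if __name__ == "__main__":
    for by, verdict in trace(RECEIVED):
        print(f"{verdict:14} recorded by {by}")
```

A name-mismatch or unverifiable label is not proof of forgery; it only marks where the header text stops being checkable without a DNS lookup.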