At this point you're stuck reading the "FORGED_YAHOO_RCVD" tests in the 20_headers.cf file (at least on 2.63.) On my machine this is in /usr/share/spamassassin. On closer look it appears this is a web mail posting via yahoo to a yahoo group that fribbles its way around way more yahoo machines than makes sense. It appears there may be a name that shows up in the headers that triggers the above rule somehow.
(Of course, barring EXTREME emergencies it'd be easier to commit honorable seppuku than use web mail, IMAO. {^_-})

{^_^}
----- Original Message -----
From: "Jolly ArrRoger" <[EMAIL PROTECTED]>

> Thanks jdow. The reason I believe it is because I know "newuser1" to be
> legitimate however the path the message takes getting to me through SA
> generates FP's consistently. Can someone familiar with what causes
> SA to confirm forgery, identify the specific cause?
>
> --Roger
>
> ----- Original Message -----
> From: "jdow" <[EMAIL PROTECTED]>
>
> Er, Roger, one might ask you what makes you think for a picosecond
> that the message is not forged. Trace the headers backwards starting
> at the top. I see nothing there to inspire belief in the headers below
> the second "Received:" header.
>
> {^_^}
> ----- Original Message -----
> From: "Jolly ArrRoger" <[EMAIL PROTECTED]>
>
> > Can someone please explain why SA declares forgery on the attached message?
> > Seem to be getting an excessive number of false positives from legitimate
> > yahoo.com email addresses that are delivered through YahooGroups.com. I've
> > been "whitelisting" each one I find but wonder if there is a specific
> > anomaly occurring with this combination. Group subscribers who use their
> > comcast.com or aol.com, etc. email addresses seem to not trigger the
> > CONFIRMED_FORGED and FORGED_YAHOO_RCVD messages.
> > Please advise.
> >
> > --Roger
> >
> > __________ Original Header <modified by Yours Truly> ________________
> > Return-Path: <sentto-9840495-3661-1101401565-<YoursTruly>@returns.groups.yahoo.com>
> > Delivered-To: <YoursTruly>
> > X-Envelope-To: <YoursTruly>
> > Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
> > Received: from n22a.bulk.scd.yahoo.com (66.94.237.51)
> >   by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
> > Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:46 -0000
> > Received: from [66.218.66.30] by mailer1.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:46 -0000
> > X-Yahoo-Newman-Property: groups-email
> > Received: (qmail 52933 invoked from network); 25 Nov 2004 16:52:44 -0000
> > Received: from unknown (66.218.66.216)
> >   by m24.grp.scd.yahoo.com with QMQP; 25 Nov 2004 16:52:44 -0000
> > Received: from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37)
> >   by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000
> > Received: from [66.218.69.2] by n3.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:34 -0000
> > Received: from [66.218.67.163] by mailer2.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 16:52:34 -0000
> > X-Sender: [EMAIL PROTECTED]
> > X-Apparently-To: [EMAIL PROTECTED]
> > Received: (qmail 18949 invoked from network); 25 Nov 2004 10:16:52 -0000
> > Received: from unknown (66.218.66.218)
> >   by m22.grp.scd.yahoo.com with QMQP; 25 Nov 2004 10:16:52 -0000
> > Received: from unknown (HELO n8a.bulk.scd.yahoo.com) (66.94.237.42)
> >   by mta3.grp.scd.yahoo.com with SMTP; 25 Nov 2004 10:16:51 -0000
> > Received: from [66.218.69.3] by n8.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 10:16:47 -0000
> > Received: from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25 Nov 2004 10:16:47 -0000
> > To: [EMAIL PROTECTED]
> > Message-ID: <[EMAIL PROTECTED]>
> > User-Agent: eGroups-EW/0.82
> > X-Mailer: Yahoo Groups Message Poster
> > X-eGroups-Remote-IP: 66.94.237.42
> > From: "" <[EMAIL PROTECTED]>
> > X-Originating-IP: 67.51.204.140
> > X-Yahoo-Profile: newuser
> > X-eGroups-Edited-By: nwfs <[EMAIL PROTECTED]>
> > X-eGroups-Approved-By: nwfs <[EMAIL PROTECTED]> via web; 25 Nov 2004 16:52:31 -0000
> > X-eGroups-Remote-IP: 66.94.237.37
> > MIME-Version: 1.0
> > Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
> > Delivered-To: mailing list [EMAIL PROTECTED]
> > Precedence: bulk
> > List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
> > Date: Thu, 25 Nov 2004 10:16:39 -0000
> > Subject: **JUNK** [NWFS] A New Member saying "Hi"
> > Reply-To: [EMAIL PROTECTED]
> > Content-Type: text/html; charset=ISO-8859-1
> > Content-Transfer-Encoding: 7bit
> > X-Spam-Filtered: 27d8e8c12adf38f84030330200646532
> > X-Spam-Status: Yes, hits=6.6 required=4.0
> >   tests=MIME_HTML_ONLY,CONFIRMED_FORGED,HTML_IMAGE_ONLY_10,HTML_MESSAGE,HTML_50_60,FORGED_YAHOO_RCVD,HTML_IMAGE_RATIO_14,HTML_FONTCOLOR_BLUE,CLICK_BELOW
> > X-Spam-Flag: YES
> > X-Spam-Level: ******
> >
> > SPAM: -------------------- Start SpamAssassin results ----------------------
> > SPAM: This mail is probably junk. The original message has been altered
> > SPAM: so you can recognise or block similar unwanted mail in future.
> > SPAM: See http://spamassassin.org/tag/ for more details.
> > SPAM:
> > SPAM: Content analysis details: (6.6 points, 4.0 required)
> > SPAM: 0.3 HTML_IMAGE_RATIO_14 BODY: HTML has a low ratio of text to image area
> > SPAM: 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
> > SPAM: 0.0 HTML_MESSAGE        BODY: HTML included in message
> > SPAM: 1.1 HTML_IMAGE_ONLY_10  BODY: HTML: images with 800-1000 bytes of words
> > SPAM: 0.1 MIME_HTML_ONLY      BODY: Message only has text/html MIME parts
> > SPAM: 0.2 HTML_50_60          BODY: Message is 50% to 60% HTML
> > SPAM: 0.5 FORGED_YAHOO_RCVD   'From' yahoo.com does not match 'Received' headers
> > SPAM: 0.0 CLICK_BELOW         Asks you to click below
> > SPAM: 4.3 CONFIRMED_FORGED    Received headers are forged
> > SPAM:
> > SPAM: -------------------- End of SpamAssassin results ---------------------
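
Tracing the Received chain from the top, as suggested in the thread, shown as an added example (not part of the thread and not SpamAssassin's rule logic): it marks which hops the receiving MTA stamped itself and which are only asserted by upstream relays. The names `parse_chain`, `handoff_ip`, `transit_seconds` and `trusted_by` are invented here, and treating `ainaz.pair.com` as the recipient's own MTA is an assumption read off the posted headers.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Subset of the Received headers posted in the thread, newest first.
RAW = """\
Received: (qmail 43883 invoked from network); 25 Nov 2004 16:52:46 -0000
Received: from n22a.bulk.scd.yahoo.com (66.94.237.51)
  by ainaz.pair.com with SMTP; 25 Nov 2004 16:52:46 -0000
Received: from [66.218.69.1] by n22.bulk.scd.yahoo.com with NNFMP; 25 Nov
  2004 16:52:46 -0000
Received: from unknown (HELO n3a.bulk.scd.yahoo.com) (66.94.237.37)
  by mta1.grp.scd.yahoo.com with SMTP; 25 Nov 2004 16:52:44 -0000
Received: from [66.218.67.164] by mailer3.bulk.scd.yahoo.com with NNFMP; 25
  Nov 2004 10:16:47 -0000
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_chain(raw, trusted_by):
    """Return hops newest-first; 'verified' marks lines stamped by our own MTA."""
    hops, in_trusted = [], True
    for value in message_from_string(raw).get_all("Received", []):
        info, _, stamp = " ".join(value.split()).rpartition(";")
        by = re.search(r"\bby (\S+)", info)
        if by is None:  # local "(qmail ... invoked from network)" line
            continue
        src = info[:by.start()]
        claimed = re.search(r"\bfrom (\S+)", src)
        ip = IP_RE.search(src)
        proto = re.search(r"\bwith (\S+)", info)
        # A lower header naming our host in "by" proves nothing once an
        # upstream hop sits above it, so trust never switches back on.
        in_trusted = in_trusted and by.group(1).lower() in trusted_by
        hops.append({"by": by.group(1), "ip": ip.group(0) if ip else None,
                     "claimed": claimed.group(1) if claimed else None,
                     "proto": proto.group(1) if proto else None,
                     "when": parsedate_to_datetime(stamp.strip()),
                     "verified": in_trusted})
    return hops

def handoff_ip(hops):
    """IP our MTA saw connect: the deepest verified hop's source address."""
    verified = [h for h in hops if h["verified"]]
    return verified[-1]["ip"] if verified else None

def transit_seconds(hops):
    """Span between the oldest and newest timestamps in the chain."""
    times = [h["when"] for h in hops]
    return int((max(times) - min(times)).total_seconds())
```

On the posted headers only the `ainaz.pair.com` line is first-hand evidence; every hop below it is whatever the upstream relays chose to write.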