Hi,

I have been asked why this message got such a "high" score. It seems to mainly be because of the

 3.9 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

rule.

On first inspection I thought that the message was forged (see the phx.gbl domain), but after creating a test hotmail account myself, messages I send from that have this strange domain, too.

My guess is that the message was sent using Outlook Express directly to Hotmail (I think this can be done if you pay for your hotmail account?). This would explain the Outlook headers while the mail actually came from hotmail.

Have tried to obfuscate minimal details to hide original sender (data protection and all that), but apart from that all headers as supplied to me are below.

Any ideas? Is this a bug in SA?

Thanks,

Matthew


Received: from artemis.le.ac.uk ([143.210.4.129]) by SUMAC.cfs.le.ac.uk with
    Microsoft SMTPSVC(6.0.3790.211); Tue, 1 Feb 2005 14:04:22 +0000
Received: from bay24-dav11.bay24.hotmail.com ([64.4.18.191] helo=hotmail.com)
    by artemis.le.ac.uk with esmtp (Exim 4.44) id 1Cvydg-00006G-HI
    for [EMAIL PROTECTED]; Tue, 01 Feb 2005 14:04:22 +0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Tue, 1 Feb 2005 06:03:00 -0800
Message-ID: <[EMAIL PROTECTED]>
Received: from xx.xx.xx.xx by BAY24-DAV11.phx.gbl with DAV;
    Tue, 01 Feb 2005 14:02:49 +0000
X-Originating-IP: [xx.xx.xx.xx]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: "removed" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: removed
Date: Sun, 24 Oct 2004 17:45:00 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0005_01C4B9F1.2F7BDCC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-OriginalArrivalTime: 01 Feb 2005 14:03:00.0441 (UTC)
    FILETIME=[BD3B8C90:01C50866]
X-Spam-Score: (+++++) 5.4
X-Spam-Report: This e-mail has been scored by SpamAssassin 3.0.2
    Pts  Rule name              Description
    ---- ---------------------- ---------------------------------------
    -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
     1.4 DATE_IN_PAST_96_XX     Date: is 96 hours or more before Received: date
     0.0 HTML_30_40             BODY: Message is 30% to 40% HTML
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                                [score: 0.5000]
     0.1 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
     3.9 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
Return-Path: [EMAIL PROTECTED]

-- 
Matthew Newton <[EMAIL PROTECTED]>

UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom