Martin Lee wrote:
We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY
rules being tripped on e-faxes received through www.myvfm.com. Fairly
obviously the service has been built using the Indy.Sockets library
(www.indyproject.org). The Indyproject knowledge base admits that headers similar to those
produced by their library have been found in worms and spams sent with
some spamware.
Has anyone else experienced this problem? I could create a rule to
decrease the score for emails generated by myvfm.com, but does the format
of emails from this service change? How likely is it for spammers to
spoof mails from this service in order to reduce their SA scores using
such a rule?

FYI I have handled an email today that hit these 2 rules as well (being ham) with this header:

X-Library: Indy 9.00.10

So it looks like those rules need to be adjusted down in the score quite a lot, as this is already 3.7:

 2.3 MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
 1.4 X_LIBRARY              Message has X-Library header


Regards
Bjorn Jensen

--

A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting
