How can I correct this FalsePositive?

Fri, 15 Jul 2005 01:29:48 -0700 

Hi all,
a customer mades an abonnement for a weather newsletter and spamassassin always tags it as spam. I've explicitely set some email addresses in the database driven whitelist: 

Filtername      Einstellung     Letzte Änderung         Funktion

WHITELIST_FROM 
<https://spam.booms-edv.de/?prefid=92&aktion=edit_userpref> 
[EMAIL PROTECTED] 	14.07.2005 10:00:53 	Ändern 
<https://spam.booms-edv.de/?prefid=92&aktion=edit_userpref> Löschen 
<https://spam.booms-edv.de/?aktion=delete_userpref&prefid=92>
WHITELIST_FROM 
<https://spam.booms-edv.de/?prefid=91&aktion=edit_userpref> 
[EMAIL PROTECTED] 	14.07.2005 09:59:12 	Ändern 
<https://spam.booms-edv.de/?prefid=91&aktion=edit_userpref> Löschen 
<https://spam.booms-edv.de/?aktion=delete_userpref&prefid=91>



Here's the *cutted* mail source. If you want it complete, let me know:


From - Fri Jul 15 10:23:39 2005

X-UIDL: 1121409728.M235441P13835051114615035475.host1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: ***
Received: from localhost by ***
        with SpamAssassin (version 3.0.4);
        Fri, 15 Jul 2005 08:42:01 +0200
From: "Wetter.com" <[EMAIL PROTECTED]>
To: ***
Subject: ***SPAM*** Ihr persoenlicher Wetterletter fuer Samstag, den 16.07.2005
Date: Fri, 15 Jul 2005 08:41:56 +0200 (MEST)
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on ***
X-Spam-Level: **
X-Spam-Status: Yes, score=2.2 required=2.0 tests=HTML_BACKHAIR_8,HTML_MESSAGE,
        HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_42D75AB9.1D5E14D2"

This is a multi-part message in MIME format.

------------=_42D75AB9.1D5E14D2
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "***", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
*** for details.

Content preview:  Wetterletter Abflughafen:
 beliebigNordSüdWestOstAltenburg-NobitzAmsterdam
 (NL)AugsburgBasel-Mulhouse
 (CH)Berlin-SchönefeldBerlin-TegelBerlin-TempelhofBern-Belp
 (CH)BremenBrüssel (B)DortmundDresdenDüsseldorfEnschede
 (NL)ErfurtFrankfurtFrankfurt-HahnFriedrichshafe! nGenf (CH)Graz
 (A)HamburgHannoverHof-PlauenInnsbruck (A)KarlsruheKasselKielKlagenfurt
 (A)Köln-BonnLeipzig-HalleLinz (A)LübeckLüttich (B)LuxemburgMaastricht
 (NL)MönchengladbachMünchenMünster-OsnabrückNiederrhein
 (Weeze)NürnbergPaderbornRostockSaarbrückenSalzburg!
 (A)SchwerinStrasbourg (F)StuttgartWeeze (Niederrhein)Wien (A)Zürich
 (CH)Zweibrücken Hinflug: (tt.mm.yyyy) Reisedauer: egal 3 Tage 7 Tage 10
 Tage 14 Tage 21 Tage Reiseziel:
 beliebigNahstreckeMittelstreckeFernstreckeMittelmeer
 (Gesamt)Spanien-PortugalGriechenland-Türkei-ZypernKanarische
 
InselnMallorca-Menorca-IbizaKaribik-Mexiko-Dom.Rep.Ägypten-Israel-VAEAsien-Thailand-MaledivenAfrika-Mauritius-SeychellenTunesien-MarokkoKroatien-BulgarienBesondere
 Tauchregionen Rückflug: (tt.mm.yyyy) Wetter-Schnellsuche Suchen Sie

 nach: - Ort (weltweit) - PLZ (D) [...] 


Content analysis details:   (2.2 points, 2.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
0.5 HTML_OBFUSCATE_05_10   BODY: Message is 5% to 10% HTML obfuscation
0.6 HTML_BACKHAIR_8        BODY: HTML tags used to obfuscate words
0.0 HTML_MESSAGE           BODY: HTML included in message
1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


------------=_42D75AB9.1D5E14D2
Content-Type: text/plain; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: (qmail 22094 invoked by uid 567); 15 Jul 2005 06:41:57 -0000

Received: from 193.28.192.167 by host1 (envelope-from <[EMAIL PROTECTED]>, uid 502) with qmail-scanner-1.25 
(clamdscan: 0.86.1/978. spamassassin: 3.0.4.  
Clear:RC:0(193.28.192.167):SA:0(2.2/5.0):. 
Processed in 0.360914 secs); 15 Jul 2005 06:41:57 -0000

X-Spam-Status: No, hits=2.2 required=5.0
X-Spam-Level: ++
Received: from unknown (HELO burgas.71im.de) (193.28.192.167)
 by 0 with SMTP; 15 Jul 2005 06:41:57 -0000
Received: from freiberg.dmz.prosiebensat1.net (freiberg.dmz.prosiebensat1.net 
[192.168.192.42])
        by burgas.71im.de (8.12.11/8.12.11) with ESMTP id j6F6fuhJ000842
        for <***>; Fri, 15 Jul 2005 08:41:57 +0200 (CEST)
Received: (from [EMAIL PROTECTED])
        by freiberg.dmz.prosiebensat1.net (8.11.6+Sun/8.11.6) id j6F6fua24798;
        Fri, 15 Jul 2005 08:41:56 +0200 (MEST)
Date: Fri, 15 Jul 2005 08:41:56 +0200 (MEST)
Message-Id: <[EMAIL PROTECTED]>
To: ***
From: "Wetter.com" <[EMAIL PROTECTED]>
Subject: Ihr persoenlicher Wetterletter fuer Samstag, den 16.07.2005
Content-type: text/html
X-Qmail-Scanner-1.25: added fake MIME-Version header
MIME-Version: 1.0

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<style type="text/css">
        body,td,tr              {font-family: Arial, Verdana, Helvetica, 
sans-serif; font-size: 8pt;color: #000000;}
        .Headline               {font-family: Arial, Verdana, Helvetica, 
sans-serif; font-size: 8pt;color: #000000;font-weight:bold;}
        .White                  {color:#FFFFFF}
        .Big                    {font-family: Arial, Verdana, Helvetica, 
sans-serif; font-size: 10pt;font-weight:bold;}
        .adcol {color:#FFFFFF}
        .adcol a{color:#FFFFFF}
</style>
</head>
<body bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" 
alink="#FF0000">
<table border="0" cellpadding="10" cellspacing="0"><tr><td align="center" 
bgcolor="FF9900">

<IMG SRC="http://wetter.ivwbox.de/cgi-bin/ivw/NP/1c01wettlett;/standard/meinwetter/wetterletter/gelesen/"; 
WIDTH="1" HEIGHT="1" ALIGN="right">
<table width="640" border="0" cellspacing="0" cellpadding="1"><tr>
        <td width="468"><h1>Wetterletter</h1></td>
        <td width="10"></td>
        <td width="162" align="right" valign="top"><a href="http://www.wetter.com/";><img 
src="http://www.wetter.com/v2//img/www/logos/wettercom_115_20.gif"; alt="Wetter.com" border="0"></a></td>
</tr><tr><td colspan="5"><table border="0" cellspacing="0" cellpadding="1" 
bgcolor="#E6F0FF">

[-- snip --]

        <td><br>Um weitere oder andere Wettermeldungen zu erhalten loggen Sie sich bitte unter www.wetter.com 
ein.<br>Dort können Sie unter "Einstellungen" Ihren ganz persönlichen Wetterletter einrichten.<br>Um den 
Wetterletter abzubestellen, müssen Sie lediglich alle bisher eingetragenen Orte wieder löschen.<br><br>Ihre wetter.com 
Redaktion</td>
</tr></table></td></tr></table></body></html>

------------=_42D75AB9.1D5E14D2--



Thanks in advance.

Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]























					Reply via email to