Hello,
I've got a few mails that were tagged with FORGED_MUA_OIMO.
Seems those emails were sent from Sympatico's Webmail.
The rule that is triggering the score is located in 20_ratware.cf.

Mails are scanned by two different servers on my setup: 1st is a Qmail+SA setup, then an MDaemon server, that also uses SpamAssassin.
Both are running 3.2.5 and rules are updated daily.

Here's a log from my qmail/SpamAssassin server:

Tue, 26 Jan 2010 21:56:42 EST:25054: +++ starting debugging for process 25054 (ppid=25052) by uid=501
Tue, 26 Jan 2010 21:56:42 EST:25054: normalize_string: finished normalizing in 5.6e-05 secs
Tue, 26 Jan 2010 21:56:42 EST:25054: w_c: Total time between DATA command and "." was 0.004887 secs
Tue, 26 Jan 2010 21:56:42 EST:25054: from='" Michel Desforges" <mycusto...@sympatico.ca>', subj='TR:_Scandinave_Spa_élu_par_Organic_Spa_Magazine', via SMTP from blu0-omc2-s3.blu0.hotmail.com
Tue, 26 Jan 2010 21:56:42 EST:25054: clamdscan: finished scan in 0.033096 secs
Tue, 26 Jan 2010 21:56:46 EST:25054: SA: REPORT hits = 0.4/5.0
 0.0 HTML_MESSAGE BODY: HTML inclus dans le message
-2.6 BAYES_00 BODY: L'algorithme Bayésien a évalué la probabilité de spam entre 0 et 1% [score: 0.0000]
 2.2 FORGED_MUA_OIMO Message falsifié prétendant provenir du logiciel MS Outlook IMO
 0.2 SARE_SUB_ENC_UTF8 Message uses character set often used in spam
 0.8 MSGID_FROM_MTA_HEADER Message-ID ajouté par un relais
-0.1 AWL AWL: From: address is in the auto white-list
-------------------- Fin de Rapport SpamAssassin ---------------------
Tue, 26 Jan 2010 21:56:46 EST:25054: SA: finished scan in 4.380904 secs - hits=0.4/5.0
Tue, 26 Jan 2010 21:56:46 EST:25054: p_s: finished scan in 0.010061 secs
Tue, 26 Jan 2010 21:56:46 EST:25054: ini_sc: finished scan of "/var/spool/qmailscan/tmp/Pluton.cybergeneration.com126456100278325054"...
Tue, 26 Jan 2010 21:56:46 EST:25054: ------ Process 25054 finished. Total of 4.581216 secs

And here are the headers, once the email got scanned by the other SA instance:

X-Spam-Processed: mail.cybergeneration.com, Tue, 26 Jan 2010 21:56:48 -0500
Return-path: <mycusto...@sympatico.ca>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10)
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0 tests=FORGED_MUA_OIMO,HTML_MESSAGE,
    MSGID_FROM_MTA_HEADER shortcircuit=no autolearn=disabled version=3.2.5
X-Spam-Report:
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 1.5 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
    * 3.6 FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO
Received: from Pluton.cybergeneration.com ([10.0.0.11])
    by mail.cybergeneration.com (mail.cybergeneration.com)
    (MDaemon PRO v10.1.2)
    with ESMTP id md50028010368.msg
    for <mycusto...@mydomain.com>; Tue, 26 Jan 2010 21:56:48 -0500
X-Rcpt-To: mycusto...@mydomain.com
X-MDRcpt-To: mycusto...@mydomain.com
X-MDRemoteIP: 10.0.0.11
X-Return-Path: mycusto...@sympatico.ca
X-Envelope-From: mycusto...@sympatico.ca
X-MDaemon-Deliver-To: mycusto...@mydomain.com
Received: (qmail 25067 invoked by uid 509); 27 Jan 2010 02:56:46 -0000
Received: from blu0-omc2-s3.blu0.hotmail.com by Pluton.cybergeneration.com (envelope-from <mycusto...@sympatico.ca>, uid 501) with qmail-scanner-2.02$
    (clamdscan: 0.95.3/9959. spamassassin: 3.2.5. perlscan: 2.02st.
    Clear:RC:0(65.55.111.78):SA:0(0.4/5.0):.
    Processed in 4.437037 secs); 27 Jan 2010 02:56:46 -0000
Received: from blu0-omc2-s3.blu0.hotmail.com (65.55.111.78)
    by Pluton.cybergeneration.com with SMTP; 27 Jan 2010 02:56:42 -0000
Received: from BLU0-SMTP95 ([65.55.111.73]) by blu0-omc2-s3.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 26 Jan 2010 18:56:41 -0800
X-Originating-IP: [65.94.81.238]
X-Originating-Email: [mycusto...@sympatico.ca]
Message-ID: <blu0-smtp955ed0a4629d69bd24fcea9a...@phx.gbl>
Received: from michelako57wtk ([65.94.81.238]) by BLU0-SMTP95.blu0.hotmail.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 26 Jan 2010 18:56:40 -0800
From: " Michel Desforges" <mycusto...@sympatico.ca>
To: <mycusto...@mydomain.com>
Subject: [***SPAM*** Score/Req: 05.1/5.0] =?utf-8?Q?TR:_Scandinave_Spa_=C3=A9lu_par_Organic_Spa_Magazine?=
Date: Tue, 26 Jan 2010 21:56:41 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0000_01CA9ED2.717F2840"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-OriginalArrivalTime: 27 Jan 2010 02:56:41.0033 (UTC) FILETIME=[59E0C390:01CA9EFC]
X-Spam-Prev-Subject: =?utf-8?Q?TR:_Scandinave_Spa_=C3=A9lu_par_Organic_Spa_Magazine?=

So basically, both instances tag the mail with FORGED_MUA_OIMO.

What's in the FORGED_MUA_OIMO rule (20_ratware.cf):

# Outlook IMO (Internet Mail Only)
header __OIMO_MUA X-Mailer =~ /Outlook IMO/
header __OIMO_MSGID MESSAGEID =~ /^<[a-p]{26}a[abc]\.[-\w....@\s+>$/m
meta FORGED_MUA_OIMO (__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
describe FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO

Any idea how to fix that?

Thank you!
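
The two reports quoted in the post can be compared rule by rule to see why the same hit stays under the threshold on the first scanner but crosses it on the second. The following is an added example, not part of the original post and not SpamAssassin code; the report lines are copied from the post, and the function names are hypothetical.

```python
import re

# Report lines copied from the post (not constructed): the qmail-scanner log
# of the first scanner and the X-Spam-Report header of the second (MDaemon).
FIRST_REPORT = """\
 0.0 HTML_MESSAGE BODY: HTML inclus dans le message
-2.6 BAYES_00 BODY: L'algorithme Bayésien a évalué la probabilité de spam entre 0 et 1% [score: 0.0000]
 2.2 FORGED_MUA_OIMO Message falsifié prétendant provenir du logiciel MS Outlook IMO
 0.2 SARE_SUB_ENC_UTF8 Message uses character set often used in spam
 0.8 MSGID_FROM_MTA_HEADER Message-ID ajouté par un relais
-0.1 AWL AWL: From: address is in the auto white-list
"""
SECOND_REPORT = """\
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.5 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
* 3.6 FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO
"""
REQUIRED = 5.0  # "required" threshold shown in both reports

# "<score> <RULE_NAME> <description>", optionally prefixed by "*" (header form).
REPORT_LINE = re.compile(r"^\s*\*?\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

def parse_report(text):
    """Return {rule_name: displayed_score} for each rule line in a report."""
    scores = {}
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores

def only_in(a, b):
    """Rules that fired in report a but not in report b."""
    return sorted(set(a) - set(b))

def score_without(scores, rule):
    """Sum of the displayed (one-decimal) scores with one rule left out."""
    return round(sum(v for k, v in scores.items() if k != rule), 1)

if __name__ == "__main__":
    first, second = parse_report(FIRST_REPORT), parse_report(SECOND_REPORT)
    for rule in sorted(set(first) | set(second)):
        print(f"{rule:24} {first.get(rule)!s:>6} {second.get(rule)!s:>6}")
    print("only on first scanner:", only_in(first, second))
    print("second scanner without FORGED_MUA_OIMO:",
          score_without(second, "FORGED_MUA_OIMO"), "of", REQUIRED)
```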