On Thu, 29 Nov 2012, Michael Orlitzky wrote:

> On 11/29/2012 05:43 PM, John Hardin wrote:
>> On Thu, 29 Nov 2012, Kris Deugau wrote:
>>
>>> I've just had another couple of reports of false positives due to hits
>>> on one or more of the FROM_MISSP_* rules.
>>>
>>> Curious coincidence: Almost all of the reports to date have involved
>>> webform email for real estate companies. Most of the rest have involved
>>> scan-to-email multifunction devices - mostly Xerox.... used by real
>>> estate companies. O_o
>>
>> Is there any possibility of getting user agent headers for these FPs? If a
>> particular piece of legit software always does this then obviously those
>> rules should ignore such messages.
>
> I had one guy actually read the rejection message and contact
> postmaster@ about this.
>
> His sig shows:
>
>   Sent from my MOTOROLA ATRIX™ 2 on AT&T
>
> And the headers:
>
>   X-Spam-Flag: NO
>   X-Spam-Score: 4.224
>   X-Spam-Level: ****
>   X-Spam-Status: No, score=4.224 required=5 tests=[FREEMAIL_FROM=0.001,
>     FROM_MISSP_EH_MATCH=2.499, FROM_MISSP_FREEMAIL=1.723,
>     HTML_MESSAGE=0.001] autolearn=disabled
>   From: "u...@example.com"<u...@example.com>
>   X-Mailer: Motorola android mail 1.0
>
> It was relayed through AOL, who you think would clean that up. This
> particular model also base64 encodes the entire message...

Thanks, I will add some MUA rules for this and see what the corpus has to
say, if anything.
Kris, any from you?
Anybody who sees FPs with the FROM_MISSP rules is more than welcome to
send me X-Mailer and/or User-Agent headers directly.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
26 days until Christmas
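
Added example, not part of the original thread and not SpamAssassin's own rule logic: a small Python check for the misspaced From form quoted above (a quoted display name running straight into `<`), with an exemption keyed on the mail client header. The `EXEMPT_MAILERS` list, the function names and the sample message are assumptions made for illustration; the sample address is a constructed placeholder.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread.
# The address is a placeholder, not the elided one from the report.
SAMPLE = (
    'From: "user@example.com"<user@example.com>\n'
    'X-Mailer: Motorola android mail 1.0\n'
    'Subject: test\n'
    '\n'
    'body\n'
)

# Quoted display name immediately followed by "<", no whitespace between.
MISSPACED_FROM = re.compile(r'"[^"]*"<[^<>\s]+@[^<>\s]+>')

# Hypothetical allow-list of mail clients known to emit this form.
EXEMPT_MAILERS = (re.compile(r'^Motorola android mail\b', re.I),)


def agent(msg):
    """Return the X-Mailer or User-Agent value, or '' if neither is set."""
    return (msg.get('X-Mailer') or msg.get('User-Agent') or '').strip()


def classify(raw):
    """Return 'ok', 'misspaced' or 'misspaced-exempt' for a raw message."""
    msg = message_from_string(raw)
    if not MISSPACED_FROM.search(msg.get('From', '')):
        return 'ok'
    if any(p.search(agent(msg)) for p in EXEMPT_MAILERS):
        return 'misspaced-exempt'
    return 'misspaced'


if __name__ == '__main__':
    print(classify(SAMPLE))
```

X-Mailer and User-Agent are set by the sender, so an exemption like this is best used to lower a score rather than to skip the check outright.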