[tech] Problem with KAS and SpamAssassin

Alastair Irvine alastair at ucc.gu.uwa.edu.au
Sun Dec 26 17:29:48 WST 2004


On Wed, 15 December, 2004 at 10:43:33AM +0800, David Basden wrote:
> Could you please send on all the message headers? Also, if you have
> them, and it's very definitely a trusted source, headers from
> other messages sent by the same mailer?

The only other examples I have with this exact MUA version are from the
Eidolist, which munges the Received lines.  Searching for the first three
components of the version number yielded no matching e-mails with
hotmail.com From addresses.

It looks like the e-mail in question (munged headers attached) has been
through a non-standards-compliant Microsoft MTA, which added an invalid
Received line.  ("phx.gbl")

> 
> It's not just looking at X-Mailer, it's looking at quite a few 
> different headers, and checking that they are the same as generated
> by specific versions of OE.[0] There seems to be spam mailers that
> make small errors in the headers that wouldn't be made by OE.

The message ID did not match either of the two patterns mentioned by luyer.

> 
> Cheers,
> 
> David
> 
> 
> [0] mooneye:/usr/share/spamassassin/20_ratware.cf (lines 115-134)

I don't have access to this as I'm not in wheel.

> 
> 
> On Mon, Dec 13, 2004 at 10:24:11PM +0800, Alastair Irvine wrote:
> > Howdy.  I have received a known-good message that both KAS* and
> > SpamAssassin (FORGED_MUA_OUTLOOK) think is bad.  From the header:
> > 
> >   X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> > 
> > * X-SpamTest-Info: {X-Mailer: forged OE}

-- 
... Youthful figure: What you get when asking a woman's age.
 _____________________________________________________________________ 
|                                                                     |
|  -=*Alastair Irvine*=-   <http://www.ucc.gu.uwa.edu.au/~alastair/>  |
|  C-monkey/wanderer/board&RPGer/net-nut  alastair at ucc.gu.uwa.edu.au  |
|_____________________________________________________________________|
-------------- next part --------------
From xxxxxxxxxxxxxx at hotmail.com  Wed Nov 24 21:39:08 2004
Return-Path: <xxxxxxxxxxxxxx at hotmail.com>
Delivered-To: alastair at ucc.gu.uwa.edu.au
Received: by mooneye.ucc.gu.uwa.edu.au (Postfix, from userid 801)
	id ABDDD17E92; Wed, 24 Nov 2004 21:39:07 +0800 (WST)
Received: from asclepius.uwa.edu.au (asclepius3.uwa.edu.au [130.95.128.60])
	by mooneye.ucc.gu.uwa.edu.au (Postfix) with ESMTP id 5F6E917E17
	for <alastair at ucc.gu.uwa.edu.au>; Wed, 24 Nov 2004 21:39:04 +0800 (WST)
Received: from asclepius.kas (localhost.localdomain [127.0.0.1])
	by asclepius.uwa.edu.au (Postfix) with SMTP id DD3A5183C1A
	for <alastair at ucc.gu.uwa.edu.au>; Wed, 24 Nov 2004 21:37:59 +0800 (WST)
Received: from asclepius (localhost.localdomain [127.0.0.1])
	by asclepius.prekas (Postfix) with SMTP id BC8B91842FE
	for <alastair at ucc.gu.uwa.edu.au>; Wed, 24 Nov 2004 21:37:59 +0800 (WST)
X-UWA-Client-IP: 64.4.31.180 (EXTERNAL)
Received-SPF: pass (asclepius: domain of xxxxxxxxxxxxxx at hotmail.com designates 64.4.31.180 as permitted sender)
Received: from hotmail.com (bay13-dav6.bay13.hotmail.com [64.4.31.180])
	by asclepius.input (Postfix) with ESMTP id DDE5C18439F
	for <alastair at ucc.gu.uwa.edu.au>; Wed, 24 Nov 2004 21:37:58 +0800 (WST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Wed, 24 Nov 2004 05:39:00 -0800
Message-ID: <BAY13-DAV634FF66691D7C43D9E74093B80 at phx.gbl>
Received: from nnnnnnnnnnnnnn by BAY13-DAV6.phx.gbl with DAV;
	Wed, 24 Nov 2004 13:38:21 +0000
X-Originating-IP: [nnnnnnnnnnnnnn]
X-Originating-Email: [xxxxxxxxxxxxxx at hotmail.com]
X-Sender: xxxxxxxxxxxxxx at hotmail.com
From: XXXXXXXXXX <xxxxxxxxxxxxxx at hotmail.com>
To: XXXXXXXXXX
Subject: Birthday Dinner Invitation
Date: Wed, 24 Nov 2004 21:41:22 +0800
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_00B4_01C4D26E.578F4860"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-OriginalArrivalTime: 24 Nov 2004 13:39:00.0631 (UTC) FILETIME=[F4893A70:01C4D22A]
X-SpamTest-Info: Profile: Formal (167/041122)
X-SpamTest-Info: {X-Mailer: forged OE}
X-SpamTest-Info: Profile: Detect Hard [UCS 290904]
X-SpamTest-Info: Profile: SysLog
X-SpamTest-Info: Profile: Marking Spam - Subject (UCS) [02-08-04]
X-SpamTest-Method: Headers: Suspicious X-Mailer
X-SpamTest-Status: Probable Spam
X-SpamTest-Version: SMTP-Filter Version 2.0.0 [0125], KAS/Release
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on 
	mooneye.ucc.gu.uwa.edu.au
X-Spam-Level: *********
X-Spam-Status: Yes, hits=9.1 required=5.0 tests=FORGED_MUA_OUTLOOK,HTML_40_50,
	HTML_MESSAGE,KASPERSKY_PROBABLE,MSGID_FROM_MTA_HEADER,SPF_HEADER_PASS 
	autolearn=no version=2.64
Status: RO
X-Status: A
Content-Length: 10941
Lines: 190
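The attached headers carry the signals the thread is arguing about: the Message-ID sits between two Received lines (so an MTA, not the MUA, stamped it), its domain is phx.gbl rather than hotmail.com, and X-Mailer and X-MimeOLE carry OE 6.00.2800 build numbers. The following script is an added example, not code from the thread, from SpamAssassin or from KAS; it parses folded headers, walks the Received chain and reports those signals side by side so a false positive like this one can be triaged rather than judged on X-Mailer alone. The checks are simplified stand-ins for the ideas discussed, not SpamAssassin's actual rules, and the sample is an abridged copy of the attached headers with addresses replaced by placeholders.

```python
"""Header-consistency triage for an Outlook Express message relayed through
Hotmail's DAV front end.  Added example: the checks are simplified analogues
of the heuristics discussed in the thread, not SpamAssassin's or KAS's rules."""
import re
from typing import Dict, List, Tuple

# Constructed sample: abridged from the headers attached to the post, keeping
# the original structure (Message-ID between two Received lines, phx.gbl hop).
SAMPLE = """\
Received: from asclepius.uwa.edu.au (asclepius3.uwa.edu.au [130.95.128.60])
\tby mooneye.ucc.gu.uwa.edu.au (Postfix) with ESMTP id 5F6E917E17
\tfor <alastair@example.invalid>; Wed, 24 Nov 2004 21:39:04 +0800 (WST)
Received-SPF: pass (asclepius: domain of sender@hotmail.com designates 64.4.31.180 as permitted sender)
Received: from hotmail.com (bay13-dav6.bay13.hotmail.com [64.4.31.180])
\tby asclepius.input (Postfix) with ESMTP id DDE5C18439F
\tfor <alastair@example.invalid>; Wed, 24 Nov 2004 21:37:58 +0800 (WST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\t Wed, 24 Nov 2004 05:39:00 -0800
Message-ID: <BAY13-DAV634FF66691D7C43D9E74093B80@phx.gbl>
Received: from nnnnnnnnnnnnnn by BAY13-DAV6.phx.gbl with DAV;
\tWed, 24 Nov 2004 13:38:21 +0000
From: Sender <sender@hotmail.com>
Subject: Birthday Dinner Invitation
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order, unfolding continuation lines."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:          # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(headers) -> List[Tuple[str, str]]:
    """(from, by) for each Received line, top (latest hop) to bottom (origin)."""
    hops = []
    for name, value in headers:
        if name.lower() == "received":
            m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", value)
            hops.append((m.group(1), m.group(2)) if m else ("", ""))
    return hops


def msgid_added_by_mta(headers) -> bool:
    """True when a Received line appears *below* Message-ID: the ID was
    stamped after at least one hop, i.e. by a relay rather than the MUA."""
    names = [n.lower() for n, _ in headers]
    if "message-id" not in names:
        return False
    return "received" in names[names.index("message-id") + 1:]


def _domain_after_at(headers, header_name: str) -> str:
    for name, value in headers:
        if name.lower() == header_name:
            m = re.search(r"@([\w.-]+)", value)
            return m.group(1).lower() if m else ""
    return ""


def msgid_domain_in_chain(headers) -> bool:
    """Does the Message-ID domain belong to one of the relaying hosts?  If so,
    the odd domain is explained by the chain rather than by forgery."""
    dom = _domain_after_at(headers, "message-id")
    return bool(dom) and any(
        by.lower() == dom or by.lower().endswith("." + dom)
        for _, by in received_hops(headers))


def mua_versions_consistent(headers) -> bool:
    """Compare the first three version components of X-Mailer and X-MimeOLE,
    the comparison the poster used when searching for other samples
    (assumed check, not a SpamAssassin rule)."""
    vals = {n.lower(): v for n, v in headers}
    ver = re.compile(r"(\d+\.\d+\.\d+)\.\d+")
    a = ver.search(vals.get("x-mailer", ""))
    b = ver.search(vals.get("x-mimeole", ""))
    return bool(a and b and a.group(1) == b.group(1))


def spf_pass(headers) -> bool:
    return any(n.lower() == "received-spf" and v.lower().startswith("pass")
               for n, v in headers)


def triage(raw: str) -> Dict[str, object]:
    """Collect every signal so the analyst sees them together."""
    h = parse_headers(raw)
    return {
        "msgid_added_by_mta": msgid_added_by_mta(h),
        "msgid_domain": _domain_after_at(h, "message-id"),
        "from_domain": _domain_after_at(h, "from"),
        "msgid_domain_in_received_chain": msgid_domain_in_chain(h),
        "mua_versions_consistent": mua_versions_consistent(h),
        "spf_pass": spf_pass(h),
        "hops": received_hops(h),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

Read together, the signals show why a rule keyed on X-Mailer plus Message-ID shape misfires here: the Message-ID really was added by a relay, but that relay (BAY13-DAV6.phx.gbl) is visible in the chain, SPF passes for the sending network, and the OE/MimeOLE versions agree. A local meta-rule or score adjustment that discounts the forged-MUA hit when the Message-ID domain is accounted for by a Received hop is the kind of tuning this output supports.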


