Bug 5707

Summary: MSGID_MULTIPLE_AT false positive
Product: Spamassassin Reporter: Patrick von der hagen <patrick>
Component: RulesAssignee: SpamAssassin Developer Mailing List <dev>
Status: RESOLVED WORKSFORME    
Severity: normal CC: jm, kmcgrail, per, spamassassin, uhlar
Priority: P5    
Version: 3.2.0   
Target Milestone: 3.4.2   
Hardware: Other   
OS: other   
Whiteboard:
Attachments: patch to make MSGID_MULTIPLE_AT conditional on split local part and not Outlook

Description Patrick von der hagen 2007-10-30 09:13:45 UTC 
I've seen messages from "X-Mailer: Microsoft Office Outlook 12.0" containing
Message-IDs like "Message-ID:
<002e01c81a2f$65cc92f0$3165b8d0$@LOCALPART@DOMAIN>". Those messages trigger
MSGID_MULTIPLE_AT.
I had to disable this test at my site. I'm not running the latest release but
haven't seen that issue mentioned and the source for 3.2.3 implements the test
the same 3.2.0 does it, so a more recent release wouldn't fix the issue.
Comment 1 Keith Edmunds 2007-11-29 11:12:04 UTC 
I've seen this too, and again the MUA was Microsoft Office Outlook 12.0
Comment 2 M. Wilk 2008-02-07 06:45:11 UTC 
Seen that as well.

Message id syntax is < id-left @ id-right >

id-left and id-right may NOT have an @ sign, so the MUA is generating an invalid
msg-id. Does Microsoft run a kind of a bugzilla for reporting this bug?
Comment 3 Brad Baker 2009-07-30 18:12:39 UTC 
We've also seen this issue with email from Outlook 2007 (aka Outlook 12). 

Given the prevalence of the Outlook 2007 client why is this unaddressed over a year and a half later?
Comment 4 John Hardin 2009-07-30 18:46:50 UTC 
...because it's a problem within Outlook/Exchange, not SA? Sadly, Microsoft Outlook isn't (yet) recognized by the Microsoft Connect website.

Perhaps the correct fix is to meta it:

meta  ADJ_OUTLOOK_MSGID_BUG  (MSGID_MULTIPLE_AT && __ANY_OUTLOOK_MUA && !MSGID_OUTLOOK_INVALID)
score ADJ_OUTLOOK_MSGID_BUG  -1.00
Comment 5 Matus UHLAR - fantomas 2009-08-07 02:46:24 UTC 
What about changing MSGID_MULTIPLE_AT to __MSGID_MULTIPLE_AT and defining MSGID_MULTIPLE_AT as __MSGID_MULTIPLE_AT && !__ANY_OUTLOOK_MUA
?
Comment 6 Cedric Knight 2009-08-08 14:41:43 UTC 
Created attachment 4507 [details]
patch to make MSGID_MULTIPLE_AT conditional on split local part and not Outlook

FWIW I agree with Matus.  Also in my experience, this Outlook bug only manifests when the local part of the sender contains a dot, so here's a patch to apply both those conditions.

Supposedly one should be able to make a "Suggestion for Microsoft" via https://www.microsoft.com/office/community/en-us/default.mspx?dg=microsoft.public.outlook.general&lang=en&cr=US , but it wasn't working for me with a new LiveID, so I posted via Google Groups instead:
http://groups.google.co.uk/group/microsoft.public.outlook.general/browse_thread/thread/487aa7845624b86/8ce0680570f47114 . 

Searching the web also incidentally turned up what may be a related Outlook bug, although not one that SA seems sensitive to:
http://office-outlook.com/outlook-forum/index.php/m/255091/
Comment 7 Per Jessen 2009-12-10 11:34:39 UTC 
I have just had a couple of FPs due to X-Mailer = "Microsoft Office Outlook 12.0" not being recognised by __ANY_OUTLOOK_MUA.
Comment 8 Justin Mason 2009-12-11 05:56:05 UTC 
before this can be reviewed, we need to see it checked in and ruleqa'd against the original.
Comment 9 Justin Mason 2010-03-23 16:33:28 UTC 
moving all open 3.3.1 bugs to 3.3.2
Comment 10 Karsten Bräckelmann 2010-03-23 17:42:39 UTC 
Moving back off of Security, which got changed by accident during the mass Target Milestone move.
Comment 11 Kevin A. McGrail 2013-06-21 16:09:45 UTC 
Moving all open bugs where target is defined and 3.4.0 or lower to 3.4.1 target
Comment 12 Christian Kujau 2014-04-11 00:28:15 UTC 
This happens here as well, with SpamAssassin version 3.3.2:

X-Mailer: Microsoft Office Outlook 12.0
Message-ID: <000601cf5403$d83f83f0$88be8bd0$@username@domain.de>
Comment 13 AXB 2014-04-11 05:29:08 UTC 
(In reply to Christian Kujau from comment #12)
> This happens here as well, with SpamAssassin version 3.3.2:
> 
> X-Mailer: Microsoft Office Outlook 12.0
> Message-ID: <000601cf5403$d83f83f0$88be8bd0$@username@domain.de>

please post the full spam report of a message where this rule caused an FP
Comment 14 Kevin A. McGrail 2015-04-06 21:59:05 UTC 
cannot reproduce and need spample on pastebin or similar.   Pushing to 3.4.2
Comment 15 Christian Kujau 2015-04-07 01:41:06 UTC 
> please post the full spam report of a message where this rule caused an FP

I missed this request, but it was still in my spam folder:

========================================================
Content preview:  ok ok [...] 

Content analysis details:   (3.1 points, 2.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                            trust
                            [212.227.17.175 listed in list.dnswl.org]
 1.0 MSGID_MULTIPLE_AT      Message-ID contains multiple '@' characters
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (foo.bar[at]freenet.de)
 0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
 1.0 TVD_SPACE_RATIO        TVD_SPACE_RATIO
 0.2 HELO_MISC_IP           Looking for more Dynamic IP Relays
-1.2 AWL                    AWL: From: address is in the auto white-list
========================================================

I've since moved to SpamAssassin 3.4.0 (Debian: 3.4.0-2~bpo70+1) and cannot reproduce this any more.

My SA changelog.gz has his from March 2012 (when Debian was shipping SA 3.3.2):

========================================================
r1303397 | kmcgrail | 2012-03-21 14:10:27 +0000 (Wed, 21 Mar 2012) | 1 line

 Demoted MSGID_MULTIPLE_AT from default rules to sandbox
========================================================

So, maybe this got fixed long ago?
Comment 16 Kevin A. McGrail 2015-04-07 12:59:04 UTC 
OK, closing as worksforme unless we can get a current sample.