SA Bugzilla – Bug 4496
FPS with FORGED_MUA_OIMO
Last modified: 2019-06-18 17:42:10 UTC
I see some FPS per day relating to FORGED_MUA_OIMO. The problem seems to be that there are clients out there which don't add a MSGID to mails. And we then see MSGID_FROM_MTA_ID matching. If we change the test to be:
    meta FORGED_MUA_OIMO (__OIMO_MUA && !__OIMO_MSGID && !__OUTLOOK_DOLLARS_MSGID && !__UNUSABLE_MSGID && !MSGID_FROM_MTA_ID)
the FPS cases are fixed. I've looked at the last three days:
    yesterday:
        58 ALL FORGED_MUA_OIMO
         1 SPM FORGED_MUA_OIMO + MSGID_FROM_MTA_ID
         3 HAM FORGED_MUA_OIMO + MSGID_FROM_MTA_ID
    today:
        62 ALL FORGED_MUA_OIMO
         1 SPM FORGED_MUA_OIMO + MSGID_FROM_MTA_ID
        15 HAM FORGED_MUA_OIMO + MSGID_FROM_MTA_ID
Please attach (in RFC-822 format, as an attachment, not pasted) the full headers and body of sample messages. Thanks.
Created attachment 4190: header that triggers false positive
This is all I could find from the Exim log, I hope it can help you. Here are the rules that are triggered:
    FORGED_MUA_OIMO
    MSGID_FROM_MTA_HEADER
    SPF_PASS
Created attachment 4191: patch for 20_ratware.cf to fix false positive
Here is a patch that I made to fix the false triggering of FORGED_MUA_OIMO
Created attachment 4595: headers documenting FP on FORGED_MUA_OIMO
This morning I had an FP on FORGED_MUA_OIMO.
My personal fix ('D' added):
    header __OIMO_MSGID MESSAGEID =~ /^<[A-P]{26}A[ABCD]\.[-\w.]+\@\S+>$/m
Closing, seems to be fixed in 3.3+
I've just had an FP on this again - I'm running 3.2.5, but I used the applicable rules from 3.3.1 (Mail-SpamAssassin-rules-3.3.1.r923114.tgz).
(In reply to comment #7)
> I've just had an FP on this again - I'm running 3.2.5, but I used the
> applicable rules from 3.3.1 (Mail-SpamAssassin-rules-3.3.1.r923114.tgz).
You need to provide the Message-ID header from the FP to verify.
Yeah, sorry, I got interrupted:
    Message-ID: <42078AAE08ED487FB511FB55B3F6DB8E@PGN>
    Message-ID: <C2895014FF874E2CA3AD8F19B3E5089B@PGN>
    Message-ID: <9EB8422CE9EE43229E1FD6454A86E7D1@PGN>
I think the emails are auto-replies, but they're in tnef format. I can provide complete headers if needed.
Correction, they are "email read" confirmations.
I guess we could use the other headers too. If this kind of Message-ID comes only from auto-replies, maybe we could do a meta for them together.
Created attachment 4885: email header & body
I've got another two, but they're virtually the same.
Reopen if it's still a problem (unlikely?).
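Added example, not part of the bug thread or of SpamAssassin's rule set: a Python model of the FORGED_MUA_OIMO meta from the first comment and the __OIMO_MSGID regex from the 'D' fix, run over the Message-IDs quoted above. Assumptions: __OIMO_MUA hits, __OUTLOOK_DOLLARS_MSGID and __UNUSABLE_MSGID (not defined on this page) do not, the regex read [ABC] before 'D' was added, and the Message-IDs marked constructed are made up.

```python
import re

# __OIMO_MSGID as posted in the thread ('D' added) and the form it replaced
# (assumption: the character class was [ABC] before the 'D' was added).
OIMO_MSGID_D = re.compile(r'^<[A-P]{26}A[ABCD]\.[-\w.]+\@\S+>$', re.M)
OIMO_MSGID_OLD = re.compile(r'^<[A-P]{26}A[ABC]\.[-\w.]+\@\S+>$', re.M)

def forged_mua_oimo(hits, exclude_mta_id):
    """Evaluate the meta from the first comment over a dict of sub-rule hits.
    exclude_mta_id=False drops the proposed '&& !MSGID_FROM_MTA_ID' term."""
    fired = (hits["__OIMO_MUA"] and not hits["__OIMO_MSGID"]
             and not hits["__OUTLOOK_DOLLARS_MSGID"]
             and not hits["__UNUSABLE_MSGID"])
    return fired and not (exclude_mta_id and hits["MSGID_FROM_MTA_ID"])

def evaluate(msgid, msgid_re=OIMO_MSGID_D, mta_added_id=False, exclude_mta_id=True):
    """Build the sub-rule hits for one Message-ID and return the meta result.
    Assumed: __OIMO_MUA hits; the two sub-rules not defined here do not."""
    hits = {
        "__OIMO_MUA": True,
        "__OIMO_MSGID": bool(msgid_re.search(msgid)),
        "__OUTLOOK_DOLLARS_MSGID": False,
        "__UNUSABLE_MSGID": False,
        "MSGID_FROM_MTA_ID": mta_added_id,
    }
    return forged_mua_oimo(hits, exclude_mta_id)

# Message-IDs quoted in the thread (the "email read" confirmations).
THREAD_IDS = [
    "<42078AAE08ED487FB511FB55B3F6DB8E@PGN>",
    "<C2895014FF874E2CA3AD8F19B3E5089B@PGN>",
    "<9EB8422CE9EE43229E1FD6454A86E7D1@PGN>",
]
# Constructed: an ID in the shape the regex expects, ending in "AD".
CONSTRUCTED_AD = "<ABCDEFGHIJKLMNOPABCDEFGHIJAD.user@host.example>"
# Constructed: stands in for an ID the MTA added because the client sent none.
CONSTRUCTED_MTA_ID = "<E1abcDEF-0001Ab-Cd@mail.example>"

if __name__ == "__main__":
    for mid in THREAD_IDS + [CONSTRUCTED_AD]:
        print(mid, "old regex:", evaluate(mid, OIMO_MSGID_OLD),
              "with D:", evaluate(mid))
    print("MTA-added ID, without exclusion:",
          evaluate(CONSTRUCTED_MTA_ID, mta_added_id=True, exclude_mta_id=False))
    print("MTA-added ID, with exclusion:",
          evaluate(CONSTRUCTED_MTA_ID, mta_added_id=True))
```

Under these assumptions the 32-hex-digit @PGN Message-IDs fail __OIMO_MSGID with or without the 'D', so neither the 'D' change nor the MSGID_FROM_MTA_ID exclusion stops the meta from firing on them unless the MTA supplied the ID.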