Bug 6296 - Problem with DATE_IN_FUTURE_48_96 rule
Status: RESOLVED WORKSFORME
Product: Spamassassin
Classification: Unclassified
Component: Rules (Eval Tests)
Version: 3.2.5
Hardware: PC Linux
Importance: P5 normal
Target Milestone: Undefined
Assigned To: SpamAssassin Developer Mailing List
Reported: 2010-01-19 21:51 UTC by Stuart Schneider
Modified: 2010-06-21 17:20 UTC

Description Stuart Schneider 2010-01-19 21:51:37 UTC
Seeing frequent incorrect false positives on the DATE_IN_FUTURE_48_96 rule.

The relevant headers from one example are:

Received: from pdxgw1.a{removed}.com (10.10.10.1) by pdxexch1.domain.local
 (10.10.10.12) with Microsoft SMTP Server (TLS) id 8.1.393.1; Mon, 18 Jan 2010
 13:23:30 -0800
Received: from axis.com (yab.axis.com [195.60.68.32])	by
 pdxgw1.a{removed}.com (8.13.8/8.13.8) with ESMTP id o0ILNGbr022226	for
 <{removed}>; Mon, 18 Jan 2010 13:23:25 -0800
Date: Mon, 18 Jan 2010 22:23:24 +0100
X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_50,DATE_IN_FUTURE_48_96,
	HTML_MESSAGE,MIME_HTML_ONLY,TO_REMOVE autolearn=disabled version=3.2.5

(There is no Resent-Date header.)

If I manually run the dates thru Mail::SpamAssassin::Util::parse_rfc822_date the results are all within just a few seconds.  Manually running the message back thru SpamAssassin does not cause the rule to hit.

System is running CentOS 5.4 x86_64 with SpamAssassin and spamass-milter installed from rpmforge repository.

Any suggestion(s) as to how to debug this further?
Comment 1 Justin Mason 2010-01-20 03:12:26 UTC
Please attach a full sample mail that displays the problem -- feel free to modify headers etc, as long as it still reproduces the issue with "spamassassin -Lt < msg".
Comment 2 Stuart Schneider 2010-01-20 03:16:54 UTC
A sample message which displays the problem when run thru the milter or when run from the command line?  

As I tried to indicate, I'm (so far) not able to reproduce the issue when running the messages thru from the command-line.
Comment 3 Justin Mason 2010-01-20 04:29:13 UTC
> As I tried to indicate, I'm (so far) not able to reproduce the issue when
> running the messages thru from the command-line.

Doh.  Sorry, missed that part.
Comment 4 Stuart Schneider 2010-04-13 20:51:44 UTC
I've got a little bit of an update on this... it appears that the bug may be with spamass-milter and the Received header that it generates.

Since the original report, SpamAssassin has been updated to the RPMforge/DAG release of 3.3.1 (2010-03-16).

Here are the sendmail logs from a recent false-positive of the DATE_IN_FUTURE_48_96 rule:

Apr 12 15:00:38 pdxgw1 sendmail[14752]: o3CM0YMx014752: Milter add: header: X-Spam-Status: No, score=-101.8 required=5.0 tests=BAYES_00,\n\tDATE_IN_FUTURE_48_96,EXTRA_MPART_TYPE,HTML_MESSAGE,T_RP_MATCHES_RCVD,\n\tWHITELISTED,WHITE_TEXT autolearn=disabled version=3.3.1
Apr 12 15:00:38 pdxgw1 sendmail[14752]: o3CM0YMx014752: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on\n\tpdxgw1.{removed}.com


These are the relevant headers from the email:

Received: from {removed}.com (ex1.{removed}.com [67.88.100.172])	by
 pdxgw1.{removed}.com (8.13.8/8.13.8) with ESMTP id o3CM0YMx014752
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)	for
 <{removed}@{removed}.com>; Mon, 12 Apr 2010 15:00:35 -0700
Received: from ([10.1.1.10])	by mail.{removed}.com with ESMTP  id
 0822B00820.2144728;	Mon, 12 Apr 2010 16:00:33 -0600
Date: Mon, 12 Apr 2010 16:00:33 -0600
X-Spam-Status: No, score=-101.8 required=5.0 tests=BAYES_00,
	DATE_IN_FUTURE_48_96,EXTRA_MPART_TYPE,HTML_MESSAGE,T_RP_MATCHES_RCVD,
	WHITELISTED,WHITE_TEXT autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdxgw1.{removed}.com


I have also been able to enable logging of the Received header generated by spamass-milter as seen by SpamAssassin.  The Received headers that were passed to SA are:

Received: from {removed}.com (ex1.{removed}.com [67.88.100.172])
	by pdxgw1.{removed}.com(8.13.8/8.13.8) with ESMTP id o3CM0YMx014752
	Thu, 8 Apr 2010 15:23:50 -0700
	(envelope-from <{removed}@{removed}.com>
Received: from ([10.1.1.10]) by mail.{removed}.com with ESMTP  id 0822B00820.2144728; Mon, 12 Apr 2010 16:00:33 -0600


The "Thu, 8 Apr 2010 15:23:50 -0700" Received date that SpamAssassin saw appears to be in error.

I will attempt to follow up with the group responsible for spamass-milter.
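
A triage script for the situation in comment 4, as an added example that is not part of the original bug comments and is not SpamAssassin's own code: it measures how far the Date header runs ahead of every timestamp found in the Received headers, once for the headers as delivered and once for the headers logged as passed to SpamAssassin. The 48 to 96 hour window is an assumption taken from the rule name, the function names are hypothetical, and the header strings are constructed (abbreviated) from the ones quoted above.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample input, abbreviated from the headers quoted in comment 4.
DATE_HDR = "Mon, 12 Apr 2010 16:00:33 -0600"
RECEIVED_AS_DELIVERED = [
    "from {removed}.com (ex1.{removed}.com [67.88.100.172])\tby\n"
    " pdxgw1.{removed}.com (8.13.8/8.13.8) with ESMTP id o3CM0YMx014752\tfor\n"
    " <{removed}@{removed}.com>; Mon, 12 Apr 2010 15:00:35 -0700",
    "from ([10.1.1.10])\tby mail.{removed}.com with ESMTP  id\n"
    " 0822B00820.2144728;\tMon, 12 Apr 2010 16:00:33 -0600",
]
RECEIVED_SEEN_BY_SA = [
    "from {removed}.com (ex1.{removed}.com [67.88.100.172])\n"
    "\tby pdxgw1.{removed}.com(8.13.8/8.13.8) with ESMTP id o3CM0YMx014752\n"
    "\tThu, 8 Apr 2010 15:23:50 -0700\n"
    "\t(envelope-from <{removed}@{removed}.com>",
    RECEIVED_AS_DELIVERED[1],
]

# Matches an RFC 822 date anywhere in the header, because the milter-built
# header above does not put the usual ";" in front of its timestamp.
RFC822_DATE = re.compile(
    r"(?:[A-Z][a-z]{2},\s+)?\d{1,2}\s+[A-Z][a-z]{2}\s+\d{4}"
    r"\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4}")

def received_time(header):
    """Return the last timestamp in a (possibly folded) Received header, or None."""
    found = RFC822_DATE.findall(" ".join(header.split()))
    return parsedate_to_datetime(found[-1]) if found else None

def future_offsets_hours(date_hdr, received_hdrs):
    """Hours by which Date is ahead of each Received timestamp (negative = behind)."""
    sent = parsedate_to_datetime(date_hdr)
    times = [t for t in map(received_time, received_hdrs) if t is not None]
    return [round((sent - t).total_seconds() / 3600, 2) for t in times]

def in_rule_window(offsets, low=48, high=96):
    """Offsets that fall in the window implied by the rule name (assumed)."""
    return [o for o in offsets if low <= o < high]

if __name__ == "__main__":
    for label, hdrs in (("as delivered", RECEIVED_AS_DELIVERED),
                        ("as seen by SA", RECEIVED_SEEN_BY_SA)):
        offsets = future_offsets_hours(DATE_HDR, hdrs)
        print(label, offsets, "in 48-96h window:", in_rule_window(offsets))
```
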
Comment 5 Karsten Bräckelmann 2010-06-21 17:20:01 UTC
Thanks for the update, Stuart. Closing this report, since it is not reproducible with SA alone and appears to be an issue with the milter.