[RndTbl] SpamAssassin false positives on DATE_IN_FUTURE_96_Q?

Peter O'Gorman peter at pogma.com
Fri Nov 18 10:29:37 CST 2011


Google turned up this:
http://lists.nongnu.org/archive/html/spamass-milt-list/2010-05/msg00001.html

Looks like the problem is spamass-milter's synthesized Received header, 
rather than the spamassassin rule.

Peter

On 11/15/2011 10:45 AM, Gilbert E. Detillieux wrote:
> On 2011-11-14 17:46, Kevin McGregor wrote:
>> So you've changed the date manually to be exactly the same, and the rule
>> doesn't trigger?
>
> Well... Here's the weird thing: if I pass the exact same message through
> spamc manually, I don't get the false positive on that rule. So, I tried
> mailing that message back to myself from a non-local mailer (so that it
> goes through spamass-milter again), but this generates extra "Received"
> headers that change the behaviour. (I now get a trigger on the
> DATE_IN_PAST_24_48 rule, since the message is now that old.)
>
> So, I can't test under exactly the same conditions. Given that running
> the message through spamc manually didn't trigger the rule, I'm tempted
> to think it might be something in the spamass-milter configuration,
> which is causing some information to not be transferred to spamc, or to
> be transferred incorrectly. Not sure at this point.
>
> Gilbert
>
>> On Mon, Nov 14, 2011 at 4:56 PM, Gilbert E. Detillieux
>> <gedetil at cs.umanitoba.ca <mailto:gedetil at cs.umanitoba.ca>> wrote:
>>
>> I mentioned this problem at the last round-table session, but didn't
>> get a solution, so I thought I'd post it here, just in case anyone
>> has any suggestions to offer.
>>
>> I'm still seeing a whole bunch of false positives in SpamAssassin,
>> since an update was installed in mid-September on a CentOS 5.7
>> system, for a rule called DATE_IN_FUTURE_96_Q, which is only
>> supposed to be triggered when the "Date:" header has a date that is
>> 4 days to 4 month ahead of the date in the "Received" header that
>> has the _smallest_ difference in date.
>>
>> Here are the headers from the latest e-mail I've received with this
>> false-positive. (I've stripped out irrelevant headers, for the sake
>> of clarity and simplicity.)
>>
>> >From topfivestories at messagent.__itworldcanada.com
>> <mailto:topfivestories at messagent.itworldcanada.com> Mon Nov 14
>> 07:50:13 2011
>> Received: from mail.messagent.itworldcanada.__com
>> <http://mail.messagent.itworldcanada.com>
>> (mail.messagent.itworldcanada.__com
>> <http://mail.messagent.itworldcanada.com> [207.112.10.80])
>> by palladium.cs.umanitoba.ca
>> <http://palladium.cs.umanitoba.ca> (8.13.8/8.13.8) with SMTP id
>> pAEDoAxV028594
>> for <gedetil at cs.umanitoba.ca
>> <mailto:gedetil at cs.umanitoba.ca>>; Mon, 14 Nov 2011 07:50:12 -0600
>> Date: Mon, 14 Nov 2011 08:50:13 -0500
>> X-Spam-Status: No, score=-0.3 required=5.0
>> tests=BAYES_00,DATE_IN_FUTURE___96_Q,
>> HTML_MESSAGE,RP_MATCHES_RCVD autolearn=no version=3.3.1
>> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
>> palladium.cs.umanitoba.ca <http://palladium.cs.umanitoba.ca>
>>
>> Note that I'm calling spamd via the spamass-milter on a system
>> running sendmail. Note also, that in the above example, the only
>> "Received" header was the one generated by my own server. (I've had
>> other false positives, however, with multiple "Received" headers,
>> all of which were within seconds of the time in the "Date" header.)
>>
>> Any ideas?
>



More information about the Roundtable mailing list