Nice Google-fu! :-)

On Fri, Nov 18, 2011 at 10:29 AM, Peter O'Gorman <peter@pogma.com> wrote:
Google turned up this:
http://lists.nongnu.org/archive/html/spamass-milt-list/2010-05/msg00001.html

Looks like the problem is spamass-milter's synthesized Received header, rather than the spamassassin rule.

Peter


On 11/15/2011 10:45 AM, Gilbert E. Detillieux wrote:
On 2011-11-14 17:46, Kevin McGregor wrote:
So you've changed the date manually to be exactly the same, and the rule
doesn't trigger?

Well... Here's the weird thing: if I pass the exact same message through
spamc manually, I don't get the false positive on that rule. So, I tried
mailing that message back to myself from a non-local mailer (so that it
goes through spamass-milter again), but this generates extra "Received"
headers that change the behaviour. (I now get a trigger on the
DATE_IN_PAST_24_48 rule, since the message is now that old.)

So, I can't test under exactly the same conditions. Given that running
the message through spamc manually didn't trigger the rule, I'm tempted
to think it might be something in the spamass-milter configuration,
which is causing some information to not be transferred to spamc, or to
be transferred incorrectly. Not sure at this point.

Gilbert

On Mon, Nov 14, 2011 at 4:56 PM, Gilbert E. Detillieux
<gedetil@cs.umanitoba.ca <mailto:gedetil@cs.umanitoba.ca>> wrote:

I mentioned this problem at the last round-table session, but didn't
get a solution, so I thought I'd post it here, just in case anyone
has any suggestions to offer.

I'm still seeing a whole bunch of false positives in SpamAssassin,
since an update was installed in mid-September on a CentOS 5.7
system, for a rule called DATE_IN_FUTURE_96_Q, which is only
supposed to be triggered when the "Date:" header has a date that is
4 days to 4 month ahead of the date in the "Received" header that
has the _smallest_ difference in date.

Here are the headers from the latest e-mail I've received with this
false-positive. (I've stripped out irrelevant headers, for the sake
of clarity and simplicity.)

>From topfivestories@messagent.__itworldcanada.com
<mailto:topfivestories@messagent.itworldcanada.com> Mon Nov 14
07:50:13 2011
Received: from mail.messagent.itworldcanada.__com
<http://mail.messagent.itworldcanada.com>
(mail.messagent.itworldcanada.__com
<http://mail.messagent.itworldcanada.com> [207.112.10.80])
by palladium.cs.umanitoba.ca
<http://palladium.cs.umanitoba.ca> (8.13.8/8.13.8) with SMTP id
pAEDoAxV028594
for <gedetil@cs.umanitoba.ca
<mailto:gedetil@cs.umanitoba.ca>>; Mon, 14 Nov 2011 07:50:12 -0600
Date: Mon, 14 Nov 2011 08:50:13 -0500
X-Spam-Status: No, score=-0.3 required=5.0
tests=BAYES_00,DATE_IN_FUTURE___96_Q,
HTML_MESSAGE,RP_MATCHES_RCVD autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
palladium.cs.umanitoba.ca <http://palladium.cs.umanitoba.ca>

Note that I'm calling spamd via the spamass-milter on a system
running sendmail. Note also, that in the above example, the only
"Received" header was the one generated by my own server. (I've had
other false positives, however, with multiple "Received" headers,
all of which were within seconds of the time in the "Date" header.)

Any ideas?