[RndTbl] SpamAssassin false positives on DATE_IN_FUTURE_96_Q?

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Tue Nov 15 10:45:37 CST 2011


On 2011-11-14 17:46, Kevin McGregor wrote:
> So you've changed the date manually to be exactly the same, and the rule
> doesn't trigger?

Well...  Here's the weird thing:  if I pass the exact same message 
through spamc manually, I don't get the false positive on that rule. 
So, I tried mailing that message back to myself from a non-local mailer 
(so that it goes through spamass-milter again), but this generates extra 
"Received" headers that change the behaviour.  (I now get a trigger on 
the DATE_IN_PAST_24_48 rule, since the message is now that old.)

So, I can't test under exactly the same conditions.  Given that running 
the message through spamc manually didn't trigger the rule, I'm tempted 
to think it might be something in the spamass-milter configuration, 
which is causing some information to not be transferred to spamc, or to 
be transferred incorrectly.  Not sure at this point.

Gilbert

> On Mon, Nov 14, 2011 at 4:56 PM, Gilbert E. Detillieux
> <gedetil at cs.umanitoba.ca> wrote:
>
>     I mentioned this problem at the last round-table session, but didn't
>     get a solution, so I thought I'd post it here, just in case anyone
>     has any suggestions to offer.
>
>     I'm still seeing a whole bunch of false positives in SpamAssassin,
>     since an update was installed in mid-September on a CentOS 5.7
>     system, for a rule called DATE_IN_FUTURE_96_Q, which is only
>     supposed to be triggered when the "Date:" header has a date that is
>     4 days to 4 months ahead of the date in the "Received" header that
>     has the _smallest_ difference in date.
>
>     Here are the headers from the latest e-mail I've received with this
>     false-positive.  (I've stripped out irrelevant headers, for the sake
>     of clarity and simplicity.)
>
>      >From topfivestories at messagent.itworldcanada.com  Mon Nov 14 07:50:13 2011
>     Received: from mail.messagent.itworldcanada.com (mail.messagent.itworldcanada.com [207.112.10.80])
>             by palladium.cs.umanitoba.ca (8.13.8/8.13.8) with SMTP id pAEDoAxV028594
>             for <gedetil at cs.umanitoba.ca>; Mon, 14 Nov 2011 07:50:12 -0600
>     Date: Mon, 14 Nov 2011 08:50:13 -0500
>     X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00,DATE_IN_FUTURE_96_Q,
>             HTML_MESSAGE,RP_MATCHES_RCVD autolearn=no version=3.3.1
>     X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on palladium.cs.umanitoba.ca
>
>     Note that I'm calling spamd via the spamass-milter on a system
>     running sendmail.  Note also, that in the above example, the only
>     "Received" header was the one generated by my own server.  (I've had
>     other false positives, however, with multiple "Received" headers,
>     all of which were within seconds of the time in the "Date" header.)
>
>     Any ideas?

-- 
Gilbert E. Detillieux		E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group	Web:	http://www.muug.mb.ca/
PO Box 130 St-Boniface		Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4	Fax:    (204)474-7609
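
The rule as described in the quoted message, written out as an added example (not part of the original post, and not SpamAssassin's own code): a Python check that compares the "Date:" header with the closest "Received:" timestamp, run on the headers quoted above. The 120-day value for "4 months" and the function names are assumptions.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

DAY = 86400
FUTURE_MIN = 4 * DAY    # 96 hours, per the rule description in the post
FUTURE_MAX = 120 * DAY  # assumption: "4 months" taken as 120 days

# Constructed sample: the Received/Date pair quoted in the post, with the
# archive's address obfuscation and the "for <...>" clause left out.
SAMPLE = (
    "Received: from mail.messagent.itworldcanada.com\n"
    "\t(mail.messagent.itworldcanada.com [207.112.10.80])\n"
    "\tby palladium.cs.umanitoba.ca (8.13.8/8.13.8) with SMTP id pAEDoAxV028594;\n"
    "\tMon, 14 Nov 2011 07:50:12 -0600\n"
    "Date: Mon, 14 Nov 2011 08:50:13 -0500\n"
    "\n"
    "body\n"
)

def _parse(text):
    """Parse an RFC 5322 date; return an aware datetime, or None if unparsable."""
    try:
        dt = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    # A "-0000" zone parses as naive; treat it as UTC so subtraction works.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def smallest_offset(raw):
    """Seconds by which Date: leads the closest Received: stamp, or None."""
    msg = message_from_string(raw)
    date = _parse(msg.get("Date", ""))
    # The timestamp of a Received header follows its last ';'.
    stamps = [_parse(h.rsplit(";", 1)[-1]) for h in msg.get_all("Received", [])]
    offsets = [(date - s).total_seconds() for s in stamps if date and s]
    return min(offsets, key=abs) if offsets else None

def looks_like_future_96_q(raw):
    """True only if the headers themselves justify the rule as described."""
    off = smallest_offset(raw)
    return off is not None and FUTURE_MIN <= off <= FUTURE_MAX

if __name__ == "__main__":
    print(smallest_offset(SAMPLE), looks_like_future_96_q(SAMPLE))
```

On the quoted headers the offset is one second once both time zones are normalised, so the headers as delivered do not account for the hit; a message with no parsable "Received" stamp yields no offset at all.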