Wednesday, April 05, 2006

Really bad day for this email

Take a look at this message from ALM Expo. It's a message that I wasn't expecting, but I was glad to receive because I write for CM Crossroads and do expect to get mail from them. And I'm talking at the ALM Expo. Looks perfectly ok, right?

It had three strikes against it: first GMail stuck it in the spam folder so I fished it out by clicking "Not Spam", then POPFile thought it was spam and stuck it in my spam folder and finally Thunderbird reported that it thought the message was an email scam (i.e. phishing).

I don't know what GMail saw that it didn't like, I know that POPFile saw some suspicious words (like unsubscribe, unlimited and event) and the email used font size 1 (a favorite of spammers).

According to this post Thunderbird's scam filter looks for forms in email, URLs that don't go where they say they do and IP address-only URLs. The email doesn't appear to contain any of those things. Anyone know if it's possible to get Thunderbird to give its reasoning?


Justin Mason said...

That's odd. Here's what SpamAssassin (svn trunk) thought:

0.0 RCVD_BY_IP Received by mail server with no name

0.0 FORGED_RCVD_HELO Received: contains a forged HELO

0.0 HTML_60_70 BODY: Message is 60% to 70% HTML


0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup

0.0 HTML_MESSAGE BODY: HTML included in message

0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

0.0 HTML_FONT_TINY BODY: HTML tag for a tiny font size

0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars

In other words, a load of informational, but harmless, noise about the HTML structure -- and nothing serious otherwise.

Manni said...

I turned off the anti-phishing "feature" in Thunderbird. It seemed pretty useless to me since the only emails it ever reported as a possible scam were your newsletters. Go figure.