  1. #1
    Untangler
    Join Date
    Apr 2009
    Posts
    35

    Time is in the future

    We have a client's NGFW on version 11 with the full version of Spam Blocker. I'm investigating some false positives. In the spam logs I see a lot of entries where the description includes something saying the time is in the future. What causes this? What does it mean?

    Thanks,
    Darrin

  2. #2
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    edit: nevermind,
    What does "includes something saying the time is in the future" mean?
    What is "something" ?
    Last edited by dmorris; 11-18-2014 at 12:31 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Apr 2009
    Posts
    35

    You were probably right the first time. The message in question was a meeting request which obviously includes a date in the future. The spam detail on the message is as follows:

    T_RP_MATCHES_RCVD[-0.0] SPF_PASS[-0.0] DATE_IN_FUTURE_03_06[3.0] HTML_MESSAGE[0.0] BAYES_50[0.8]

    3.0 seems like a hefty amount to add if I understand it correctly.

  4. #4
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    https://wiki.apache.org/spamassassin...N_FUTURE_03_06
    SpamAssassin weights are set such that their testing corpus scores optimally, not by hand.

    Receiving an email from 3-6 hours in the future is highly correlated with spam and as such is given a heavy weight.

    If there is a server with the incorrect time somewhere in the chain you should address that and try again. Just check the headers and look for which date is incorrect and which server added it. Also verify the date on your Untangle server is correct.

  5. #5
    Untangler
    Join Date
    Apr 2009
    Posts
    35

    Thanks. I think I understand better now. I'll ask the senders to look into it.

    Thanks,
    Darrin

  6. #6
    Newbie
    Join Date
    Dec 2014
    Posts
    1

    I am having some issues with spam blocker lite in marking only mode... marking messages as "DATE_IN_FUTURE_03_06" score of 3.0... yet after reviewing the headers, the times are not off? Below is a copy/paste (sanitized, of course) of header information from one such message at our receiving MTA...

    As you can see... [Tue, 30 Dec 2014 17:56:50 +0000] is not 3-6 hours off from [Tue, 30 Dec 2014 12:57:35 -0500]

    I would love to simply report this to the sending MTA administrator, and tell him/her to fix the time on their server... but based on these headers the times are not off?! So why is that rule being triggered?

    Also one other oddity... why does Untangle mark the message as "was determined by the Phish Blocker to be PHISH"? Phish Blocker is actually turned off (powered off in rack) and the spam blocker lite shows this message in its log?

    Thanks for any help you can offer on this... this is just one example... we are seeing several emails get marked this way... maybe 1-2% legit emails being marked (false positives)...


    Copy/Paste Begins Here:
    ----------------------------
    Received: from p3fed1.frb.org ([199.169.204.4])
    by citizensbankco.com stage1 with esmtp
    (Exim MailCleaner)
    id 1Y6131-0006FA-5n
    for <xxx>
    from <xxx>; Tue, 30 Dec 2014 12:57:35 -0500
    X-MailCleaner-SPF: pass
    Message-ID: <1133084794.2402101419962255165.JavaMail.root@mailfilter>
    Date: Tue, 30 Dec 2014 17:56:50 +0000
    From: xxx
    To: xxx
    Subject: [SPAM] RE: xxx
    In-Reply-To: <003901d0244e$65e4d910$31ae8b30$@xxx>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_Part_239847_1648213521.1419962255165"
    Thread-Topic: xxx
    Thread-Index: AdAkOwXlvpt2T/hJS6WDKt2/tnbQNAAE0wFQAALgJsA=
    References: <003901d0244e$65e4d910$31ae8b30$@xxx>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    x-originating-ip: [172.19.8.64]
    X-VPM-MSG-ID: 72108557-beff-4f9b-8115-b6d579c01047
    X-VPM-HOST: p1pzix13.glc.frb.org
    X-VPM-GROUP-ID: 4d569d65-7e78-44c2-80ea-3030c372b54d
    X-VPM-ENC-REGIME: Plaintext
    X-VPM-CERT-FLAG: 0
    X-VPM-IS-HYBRID: 0
    X-Spamc: is spam (15.5/5.0)
    X-MailCleaner-Information: Please contact xxx for more information
    X-MailCleaner-ID: 1Y6131-0006FF-Cd
    X-MailCleaner: Not scanned: please contact xxx for details
    X-MailCleaner-SpamCheck: spam, Spamc (score=15.5, required=5.0,
    US_DOLLARS_3 2.5, EXCUSE_REMOVE 3.0, HTML_MESSAGE 0.0, KAM_MARK 10,
    LOTS_OF_MONEY 0.0)
    X-Auto-Response-Suppress: DR, NDR, RN, NRN, OOF, AutoReply


    ------=_Part_239847_1648213521.1419962255165
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit

    The attached message from "xxx" <xxx>
    was determined by the Phish Blocker to be PHISH (a fraudulent email intended to steal information).

    The kind of PHISH that was found was (-0.0) RCVD_IN_DNSWL_NONE
    (-0.0) T_RP_MATCHES_RCVD
    (-0.0) SPF_PASS
    (3.0) DATE_IN_FUTURE_03_06
    (3.3) EXCUSE_REMOVE
    (1.8) US_DOLLARS_3
    (-1.9) BAYES_00
    (0.0) HTML_MESSAGE
    (0.5) MISSING_MID
    (0.0) LOTS_OF_MONEY
    (0.5) XFER_LOTSA_MONEY

    ------=_Part_239847_1648213521.1419962255165
    Content-Type: message/rfc822
    Content-Transfer-Encoding: 7bit
    Content-Disposition: inline

    From: xxx
    To: xxx
    Subject: RE: xxx
    Thread-Topic: xxx
    Thread-Index: AdAkOwXlvpt2T/hJS6WDKt2/tnbQNAAE0wFQAALgJsA=
    Date: Tue, 30 Dec 2014 17:56:50 +0000
    References: <003901d0244e$65e4d910$31ae8b30$@xxx>
    In-Reply-To: <003901d0244e$65e4d910$31ae8b30$@xxx>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    x-originating-ip: [172.19.8.64]
    Content-Type: multipart/alternative;
    boundary="_000_773961680B6B554881218B7244BEA95C2952CABBNR1PWPGLCD1Drbw_"
    MIME-Version: 1.0
    X-VPM-MSG-ID: 72108557-beff-4f9b-8115-b6d579c01047
    X-VPM-HOST: p1pzix13.glc.frb.org
    X-VPM-GROUP-ID: 4d569d65-7e78-44c2-80ea-3030c372b54d
    X-VPM-ENC-REGIME: Plaintext
    X-VPM-CERT-FLAG: 0
    X-VPM-IS-HYBRID: 0

    --_000_773961680B6B554881218B7244BEA95C2952CABBNR1PWPGLCD1Drbw_
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
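
The header check suggested in post #4 ("look for which date is incorrect and which server added it"), run over the timestamps pasted in post #6 and over a constructed message whose sending client runs four hours fast. This is an added example, not part of the thread and not Untangle or SpamAssassin code; `offsets`, `in_future_03_06`, the example.net/example.org hosts, and the use of the newest Received stamp as the reference clock are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Timestamp-bearing headers copied from the message pasted in post #6.
POST6 = """\
Received: from p3fed1.frb.org ([199.169.204.4])
 by citizensbankco.com stage1 with esmtp
 (Exim MailCleaner)
 id 1Y6131-0006FA-5n
 for <xxx>
 from <xxx>; Tue, 30 Dec 2014 12:57:35 -0500
Date: Tue, 30 Dec 2014 17:56:50 +0000

"""

# Constructed sample: the sending client's clock runs four hours fast.
SKEWED = """\
Received: from mx.example.net ([192.0.2.10])
 by filter.example.org with esmtp; Tue, 30 Dec 2014 12:57:35 -0500
Received: from ws1.example.net ([192.0.2.77])
 by mx.example.net with esmtp; Tue, 30 Dec 2014 17:57:20 +0000
Date: Tue, 30 Dec 2014 21:57:05 +0000

"""

def offsets(raw):
    """Hours the Date header is ahead of each Received stamp, newest hop first."""
    msg = message_from_string(raw)
    date = parsedate_to_datetime(msg["Date"])
    out = []
    for rcvd in msg.get_all("Received", []):
        # The receiving host follows "by"; its timestamp follows the last ";".
        info, _, stamp = rcvd.rpartition(";")
        host = re.search(r"\bby\s+(\S+)", info)
        when = parsedate_to_datetime(stamp.strip())
        out.append((host.group(1) if host else "?",
                    (date - when).total_seconds() / 3600))
    return out

def in_future_03_06(raw):
    """Assumed window: Date is 3 to 6 hours ahead of the newest Received stamp."""
    hops = offsets(raw)
    return bool(hops) and 3 <= hops[0][1] < 6

if __name__ == "__main__":
    for name, raw in (("post #6", POST6), ("constructed", SKEWED)):
        for host, hours in offsets(raw):
            print(f"{name}: Date is {hours:+.2f} h relative to {host}")
        print(f"{name}: in 3-6 h future window = {in_future_03_06(raw)}")
```

A relay with a wrong clock shows up as one hop whose offset differs from the others by hours; when every hop reports about the same offset, the Date header itself (set by the sending client) is the outlier.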

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

    Welcome

    ...to Untangle NGFW and the forums.

    new-user-guidelines.html

    @nealbarrett: It would really be better to not hijack a thread. Can you repost it please?
    If you think I got Grumpy
