false positives on rule "FM_RATSIGN_1106" and what to do?

Chris Yuzik itdept at fractalweb.com
Tue May 29 21:01:42 IST 2007


Scott Silva wrote:
> It looks at messages that hit both MSGID_VGA and DATE_700
> Message-ID =~ /^<000001c[67]/  and date is -7 hours
>
> It is in 72_active.cf.
> So if you are getting false positives it might be that you deal with a lot of
> mail from a time zone that is 7 hours behind you. If it hits that much, you
> could score lower.
>   
Hi Scott,

Thanks for the quick response.

From what I can see, the message IDs on the false positives do indeed 
match the pattern you note above, but the date is a bit bizarre. We're 
on the west coast of North America, and because it's summer, everyone in 
this time zone is -0700. From what I can see in the header, the user's 
computer's clock does seem to be correct, and their time zone appears to 
be correct.

I've attached a (censored) copy of a message header from a message 
that's getting hit on this:

    Return-Path: <g>
    Received: from cma30pc (m11.domain3.com [208.18.05.15] (may be forged))
         (authenticated bits=0)
         by devel.fractalweb.com (8.13.1/8.13.1) with ESMTP id l4TIkeXu024105
         for <jeff at domain2.com>; Tue, 29 May 2007 11:46:44 -0700
    From: "Jane Doe" <jdoe at domain1.com>
    To: <jeff at domain2.com>
    Subject: Test
    Date: Tue, 29 May 2007 11:46:45 -0700
    Message-ID: <000001c7a221$b74aedb0$820b0a0a at north.domain1.COM>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
         boundary="----=_NextPart_000_0001_01C7A1E7.0AEC15B0"
    X-Mailer: Microsoft Office Outlook 11
    Thread-Index: AceiIbTeqm6E92mrTWiQjXzemkXObw==
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028

There is nothing suspicious in the message body, and based on your 
explanation of the rule, I don't think it's looking at the body anyways.

Does this rule need to be rewritten?

Chris

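As an added worked example (my own code, not something posted in this thread and not the rule text from 72_active.cf), here is the rule as Scott describes it re-implemented in Python and run over the header Chris posted. It assumes FM_RATSIGN_1106 is the AND of MSGID_VGA (Message-ID =~ /^<000001c[67]/) and DATE_700, and it reads "date is -7 hours" as a Date: header carrying a -0700 offset; the real rule lines may differ. It also decodes the timestamp Outlook embeds in its Message-IDs (the first two $-separated fields read as the high and low 32 bits of a Windows FILETIME, an interpretation the script checks against the Date: header) and prints the date range during which such IDs start with 000001c6 or 000001c7, which is what makes the prefix match ordinary Outlook mail. The sample header is the one from the post with the "at" obfuscation undone and the folded ESMTP id rejoined; the function names (evaluate, msgid_prefix_window, outlook_msgid_time) are mine.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Sub-rules paraphrased from Scott's description (assumption: the exact
# lines in 72_active.cf may differ from this).
MSGID_VGA_RE = re.compile(r'^<000001c[67]')
DATE_700_RE = re.compile(r'-0700\s*$')

# Outlook-style Message-ID: <HHHHHHHHHHHH$LLLLLLLL$ipaddr@host>
OUTLOOK_MSGID_RE = re.compile(r'^<([0-9a-f]{12})\$([0-9a-f]{8})\$', re.IGNORECASE)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Header block from Chris's post, trimmed to the lines the rule looks at
# (the "at" obfuscation undone, the folded ESMTP id rejoined).
SAMPLE_HEADER = """\
Received: from cma30pc (m11.domain3.com [208.18.05.15] (may be forged))
     (authenticated bits=0)
     by devel.fractalweb.com (8.13.1/8.13.1) with ESMTP id l4TIkeXu024105
     for <jeff@domain2.com>; Tue, 29 May 2007 11:46:44 -0700
From: "Jane Doe" <jdoe@domain1.com>
To: <jeff@domain2.com>
Subject: Test
Date: Tue, 29 May 2007 11:46:45 -0700
Message-ID: <000001c7a221$b74aedb0$820b0a0a@north.domain1.COM>
X-Mailer: Microsoft Office Outlook 11

"""


def msgid_vga(msg):
    """MSGID_VGA: Message-ID starts with <000001c6 or <000001c7."""
    return bool(MSGID_VGA_RE.match(msg.get('Message-ID', '').strip()))


def date_700(msg):
    """DATE_700 (as interpreted here): Date: header in a -0700 zone."""
    return bool(DATE_700_RE.search(msg.get('Date', '').strip()))


def fm_ratsign_1106(msg):
    """Meta rule: fires only when both sub-rules hit."""
    return msgid_vga(msg) and date_700(msg)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def outlook_msgid_time(message_id):
    """Timestamp embedded in an Outlook Message-ID, or None if not that shape.
    Assumption: field 1 = high 32 bits, field 2 = low 32 bits of a FILETIME."""
    m = OUTLOOK_MSGID_RE.match(message_id.strip())
    if not m:
        return None
    filetime = (int(m.group(1), 16) << 32) | int(m.group(2), 16)
    return filetime_to_datetime(filetime)


def msgid_prefix_window(high_word):
    """UTC interval in which Outlook Message-IDs begin with the given 16-bit
    high word, e.g. 0x01c7 -> <000001c7........>."""
    return (filetime_to_datetime(high_word << 48),
            filetime_to_datetime((high_word + 1) << 48))


def evaluate(header_text):
    """Run the rule over a raw header block and report why it hit."""
    msg = message_from_string(header_text)
    embedded = outlook_msgid_time(msg.get('Message-ID', ''))
    sent = parsedate_to_datetime(msg['Date']) if msg['Date'] else None
    skew = None
    if embedded is not None and sent is not None:
        skew = abs((embedded - sent).total_seconds())
    return {
        'MSGID_VGA': msgid_vga(msg),
        'DATE_700': date_700(msg),
        'FM_RATSIGN_1106': fm_ratsign_1106(msg),
        'msgid_time': embedded,
        'date_header': sent,
        'skew_seconds': skew,
    }


if __name__ == '__main__':
    for key, value in evaluate(SAMPLE_HEADER).items():
        print(f'{key:16} {value}')
    for hw in (0x01c6, 0x01c7):
        start, end = msgid_prefix_window(hw)
        print(f'000001c{hw & 0xf:x}... covers {start:%Y-%m-%d} to {end:%Y-%m-%d} UTC')
```

Run as-is: on the posted header both sub-rules hit, the timestamp decoded from the Message-ID lands within a few seconds of the Date: header (confirming the FILETIME reading), and the 000001c6/000001c7 window spans roughly December 2005 to September 2007, so any Outlook user sending from a -0700 zone trips the rule regardless of message content.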

More information about the MailScanner mailing list