Bug 6797

Summary: lower score for combined RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS hits
Product: Spamassassin
Reporter: Matus UHLAR - fantomas <uhlar>
Component: Rules
Assignee: SpamAssassin Developer Mailing List <dev>
Status: NEW ---
Severity: normal
CC: michael
Priority: P2    
Version: unspecified   
Target Milestone: Undefined   
Hardware: PC   
OS: Linux   
Whiteboard:

Description Matus UHLAR - fantomas 2012-05-18 15:44:12 UTC
Rules RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS seem to hit together too often, at least here:

% grep -Fh ']: spamd: result: ' /var/log/today/courier | grep -e RCVD_IN_SORBS_HTTP -e RCVD_IN_SORBS_SOCKS | awk ' /RCVD_IN_SORBS_HTTP/ && /RCVD_IN_SORBS_SOCKS/ { both++} END {print NR, both;}'
12 12

% grep -Fh ']: spamd: result: ' /var/log/yesterday/courier | grep -e RCVD_IN_SORBS_HTTP -e RCVD_IN_SORBS_SOCKS | awk ' /RCVD_IN_SORBS_HTTP/ && /RCVD_IN_SORBS_SOCKS/ { both++} END {print NR, both;}'
3 3

They both have similar scores of about 2.5 in the network&!bayes set.
I propose a small score fix, so they together don't push too hard:

meta SORBS_SOCKS_HTTP (RCVD_IN_SORBS_HTTP && RCVD_IN_SORBS_SOCKS)
describe SORBS_SOCKS_HTTP fix for HTTP&SOCKS proxies in SORBS (usually come together)
score SORBS_SOCKS_HTTP 0 -2 0 0

Note they are both used in deep scanning, so this indicates that proxies are often open for both HTTP and SOCKS, but mail from such hosts may be valid and relayed through spam filtering MTAs.
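
The measurement above, generalized as an added example (not part of the original report): it counts HTTP-only, SOCKS-only and combined hits, and how many spam verdicts on combined hits the proposed -2 meta score would bring below the threshold. The function names, the spamd result-line layout, the default threshold of 5 and the sample lines are assumptions.

```shell
# Added example. Assumed spamd log shape (not taken from the report):
#   ... spamd: result: <Y|.> <score> - RULE1,RULE2,... scantime=...
# Prints: http_only socks_only both both_spam rescued
# "rescued" = spam verdicts on both-rule hits that fall below the
# threshold once the proposed meta adjustment is applied.
sorbs_overlap() {
    # $1 = required score (assumed default 5), $2 = meta score (-2 in the report)
    awk -v thr="${1:-5}" -v adj="${2:--2}" '
    {
        i = index($0, "spamd: result: ")
        if (i == 0) next
        rest = substr($0, i + 15)          # text after the 15-char marker
        if (split(rest, f, " ") < 4) next  # verdict, score, "-", rule list
        http = 0; socks = 0
        n = split(f[4], r, ",")            # exact rule names, no substrings
        for (k = 1; k <= n; k++) {
            if (r[k] == "RCVD_IN_SORBS_HTTP")  http = 1
            if (r[k] == "RCVD_IN_SORBS_SOCKS") socks = 1
        }
        if (http && socks) {
            both++
            if (f[1] == "Y") {
                spam++
                if (f[2] + adj < thr) rescued++
            }
        } else if (http) ho++
        else if (socks) so++
    }
    END { print ho + 0, so + 0, both + 0, spam + 0, rescued + 0 }'
}

# Constructed sample lines, not real log data.
sample_log() {
    cat <<'EOF'
May 18 10:00:01 mx spamd[101]: spamd: result: Y 6 - HTML_MESSAGE,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS scantime=1.2,size=2048
May 18 10:00:05 mx spamd[101]: spamd: result: Y 14 - URIBL_BLACK,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS scantime=0.9,size=900
May 18 10:00:09 mx spamd[102]: spamd: result: . 3 - RCVD_IN_SORBS_HTTP scantime=0.7,size=512
May 18 10:00:12 mx spamd[102]: spamd: result: . 1 - HTML_MESSAGE scantime=0.5,size=300
EOF
}

sample_log | sorbs_overlap
```

A high "rescued" count relative to "both_spam" means the two SORBS hits alone are deciding the verdict for those messages.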
Comment 1 Michael Orlitzky 2014-07-21 14:33:09 UTC
I agree with this, but think that the individual rules are simply scored too high. These two SORBS lists are automated, and they give you no recourse to correct a false positive.

They'll re-test your IP address, but there's no "your test is busted" option, so predictably, their busted test continues to misclassify perfectly good hosts as open proxies.

2.5 points is a lot for something you can't fix.