Bug 6986

Product: Spamassassin
Reporter: Tom Hendrikx <tom>
Component: Rules
Assignee: SpamAssassin Developer Mailing List <dev>
Status: NEW
Severity: normal
CC: kylem, me, tom
Priority: P2
Version: 3.3.2
Target Milestone: Undefined
Hardware: PC
OS: Linux

Description Tom Hendrikx 2013-11-28 13:46:17 UTC

We received some false positives due to HELO checks overlapping and applying a high score. The received header from a ham message: 

Received: from 82-69-83-178.dsl.in-addr.zen.co.uk (HELO 82-69-83-178.dsl.in-addr.zen.co.uk [])
    by mx.example.com (qpsmtpd/0.80) with ESMTP id 1383824659htusq28abh; Wed, 27 Nov 2013 11:44:19 +0000

hits 4 rules, of which 3 are accounting for a total score of ~7.9: 
- CK_HELO_DYNAMIC_SPLIT_IP (score: 1.492)
- TVD_RCVD_IP (score: 0.001)
- HELO_DYNAMIC_IPADDR2 (score: 3.888)
- HELO_DYNAMIC_HCC (score: 2.514)

This looks a bit like the same issue as bug #6874.

Comment 1 Benny Pedersen 2013-11-28 14:44:20 UTC
-7.9 is ham, where is the problem?

Comment 2 Tom Hendrikx 2013-11-28 14:50:03 UTC
@Benny: keep reading. ~7.9 is not -7.9

Comment 3 Benny Pedersen 2013-11-28 15:00:34 UTC
(In reply to Tom Hendrikx from comment #2)
> @Benny: keep reading. ~7.9 is not -7.9

Damn, in verbose, around 7.9 is not negative 7.9, oops :)

When I see overlapping rules I just make a meta to compensate for it, but having it resolved upstream is the way to go.

Comment 4 Kyle M 2014-04-24 17:37:44 UTC
I'd like to chime in with our false positive too.

 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                            (Split IP)
 0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                            Generic rPTR
 2.0 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 2.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)

The valid HELO is formatted like so: 11-23-456-78.abcd.efg.hijk.com

We're looking at reducing these scores as well, since there seems to be quite a bit of overlapping scores being triggered here.
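
Comment 3 mentions compensating for overlapping rules with a local meta. A sketch of that approach for the three HELO rules named in this report, as an added example that is not from the bug thread or the SpamAssassin project; the LOCAL_* rule names and the negative scores are assumptions to be tuned per site:

```conf
# local.cf (added example; LOCAL_* names and score values are assumptions)

# Fires when at least two of the three dynamic-HELO rules listed in this
# report hit the same message, i.e. the same hostname pattern is being
# counted more than once.
meta     LOCAL_HELO_DYN_OVERLAP2  (CK_HELO_DYNAMIC_SPLIT_IP + HELO_DYNAMIC_IPADDR2 + HELO_DYNAMIC_HCC) >= 2
describe LOCAL_HELO_DYN_OVERLAP2  Two overlapping dynamic-HELO rules hit
score    LOCAL_HELO_DYN_OVERLAP2  -1.5

# Fires in addition to the rule above when all three hit; the two
# compensating scores add up (-3.5 in total with these sample values).
meta     LOCAL_HELO_DYN_OVERLAP3  (CK_HELO_DYNAMIC_SPLIT_IP + HELO_DYNAMIC_IPADDR2 + HELO_DYNAMIC_HCC) >= 3
describe LOCAL_HELO_DYN_OVERLAP3  All three dynamic-HELO rules hit
score    LOCAL_HELO_DYN_OVERLAP3  -2.0
```

Run `spamassassin --lint` after editing to confirm the file parses.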