|Summary:||Overlapping HELO tests: CK_HELO_DYNAMIC_SPLIT_IP, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_HCC|
|Product:||Spamassassin||Reporter:||Tom Hendrikx <tom>|
|Component:||Rules||Assignee:||SpamAssassin Developer Mailing List <dev>|
|Severity:||normal||CC:||kylem, me, tom|
Description Tom Hendrikx 2013-11-28 13:46:17 UTC
Hi,

We received some false positives due to HELO checks overlapping and applying a high score. The received header from a ham message:

Received: from 82-69-83-178.dsl.in-addr.zen.co.uk (HELO 82-69-83-178.dsl.in-addr.zen.co.uk [184.108.40.206]) by mx.example.com (qpsmtpd/0.80) with ESMTP id 1383824659htusq28abh; Wed, 27 Nov 2013 11:44:19 +0000

hits 4 rules, of which 3 are accounting for a total score of ~7.9:

- CK_HELO_DYNAMIC_SPLIT_IP (score: 1.492)
- TVD_RCVD_IP (score: 0.001)
- HELO_DYNAMIC_IPADDR2 (score: 3.888)
- HELO_DYNAMIC_HCC (score: 2.514)

This looks a bit like the same issue as bug #6874.
Comment 1 Benny Pedersen 2013-11-28 14:44:20 UTC
-7.9 is ham, where is the problem?
Comment 2 Tom Hendrikx 2013-11-28 14:50:03 UTC
@Benny: keep reading. ~7.9 is not -7.9
Comment 3 Benny Pedersen 2013-11-28 15:00:34 UTC
(In reply to Tom Hendrikx from comment #2)
> @Benny: keep reading. ~7.9 is not -7.9

Damn, in verbose, around 7.9 is not negative 7.9, oops :) When I see overlapping rules I just make a meta to compensate for it, but having it resolved upstream is the way to go.
Comment 4 Kyle M 2014-04-24 17:37:44 UTC
I'd like to chime in with our false positive too..

6.6/5.0
1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
0.2 CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
2.0 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
2.5 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)

The valid helo is formatted as so: 11-23-456-78.abcd.efg.hijk.com

We're looking at reducing these scores as well, since there seems to be quite a bit of overlapping scores being triggered here.
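
The local meta-rule workaround mentioned in comment 3, written out as an added example that is not part of the original thread or of the SpamAssassin rule set. The LOCAL_* rule names and the compensating scores are hypothetical, and it assumes all three HELO rules named in this report are present in the installed rulesets.

```conf
# local.cf fragment (added example; LOCAL_* names and scores are hypothetical)
#
# CK_HELO_DYNAMIC_SPLIT_IP, HELO_DYNAMIC_IPADDR2 and HELO_DYNAMIC_HCC all
# react to the same feature: a HELO hostname that looks like an embedded
# IP address. A meta rule can count how many of them hit on one message
# and hand back part of the stacked score.

# Fires when at least two of the three overlapping rules hit.
meta     LOCAL_HELO_DYN_OVERLAP2  (CK_HELO_DYNAMIC_SPLIT_IP + HELO_DYNAMIC_IPADDR2 + HELO_DYNAMIC_HCC > 1)
describe LOCAL_HELO_DYN_OVERLAP2  At least two overlapping dynamic-HELO rules hit
score    LOCAL_HELO_DYN_OVERLAP2  -1.5

# Fires in addition to the rule above when all three hit.
meta     LOCAL_HELO_DYN_OVERLAP3  (CK_HELO_DYNAMIC_SPLIT_IP + HELO_DYNAMIC_IPADDR2 + HELO_DYNAMIC_HCC > 2)
describe LOCAL_HELO_DYN_OVERLAP3  All three overlapping dynamic-HELO rules hit
score    LOCAL_HELO_DYN_OVERLAP3  -2.5

# With the scores from the original report (1.492 + 3.888 + 2.514 = 7.894),
# both metas together subtract 4.0, leaving about 3.9 for the HELO feature,
# close to the single highest of the three rule scores.
```

Run `spamassassin --lint` after adding the fragment, and tune the two scores against local ham and spam, since the stock rule scores differ between score sets.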