Bug 7971

Summary: too many DOS_RCVD_IP_TWICE_B ?
Product: Spamassassin
Reporter: Pascal <pascal>
Component: Rules
Assignee: SpamAssassin Developer Mailing List <dev>
Status: NEW ---
Severity: minor
CC: billcole, pascal
Priority: P3
Version: SVN Trunk (Latest Devel Version)
Target Milestone: Undefined
Hardware: All
OS: All
Whiteboard:
Attachments: some headers

Description Pascal 2022-04-14 11:46:45 UTC
I see a lot of DOS_RCVD_IP_TWICE_B messages (3.3pts), from various routers (Adobe Campaign, Emarsys, Selligent, ...).
Did you change something on this recently?
Isn't it a bug?

Comment 1 Bill Cole 2022-04-14 19:15:46 UTC
DOS_RCVD_IP_TWICE_B has not changed since 2008. See https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/dos/70_other.cf?r1=627944&r2=627945&

That rule depends on specific mail routing details and configuration of local parameters like trusted_networks and internal_networks, so it is impossible to analyze what is causing you to see a lot of hits on that without full sample emails. I do not see a large number of hits on this rule in the systems I work with. 

However, I do see *some* hits that are on definite ham, resulting from local mail submission on a public address. That's not common but it is also not "wrong" and in this specific case there's a solid reason for it.  

Looking at RuleQA I see that the rule is fairly reliable and hits a large amount of spam, but it also has substantial hits on ham at most reporting sites (as much as 2.5% of all ham!) and hits only ham at a few. 

I've limited the score to 2.0 in revision 1899866. I am very reluctant to modify the rule to reduce its hits on ham based solely on the idiosyncratic examples that I have in hand from 1 source. If you have matching non-spam samples that you can share, please attach them to this ticket so that we can (maybe) refer to them and modify the rule to avoid problems.

Comment 2 Pascal 2022-04-14 19:28:54 UTC
Created attachment 5768
some headers