Bug 4459 - RCVD_ILLEGAL_IP includes valid IPs
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (Eval Tests)
Version: SVN Trunk (Latest Devel Version)
Hardware: Other other
Importance: P5 normal
Target Milestone: 3.2.0
Assignee: SpamAssassin Developer Mailing List
Keywords: triage
Reported: 2005-07-05 11:08 UTC by Theo Van Dinter
Modified: 2006-12-05 10:47 UTC
Description Theo Van Dinter 2005-07-05 11:08:15 UTC
Checking for FPs in the 3.1 score run, I found a few ham hits for this rule.

  4.668   5.0251   0.0121    0.998   0.89    1.33  RCVD_ILLEGAL_IP

Looking at the code:

      return 1 if ($check =~ /^(?:
        (?:[01257]|22[3-9]|23[0-9]|24[0-9]|25[0-5])\.\d+\.\d+\.\d+|
        127\.[1-9]\.\d+\.\d+|
        127\.0\.[1-9]\.\d+|
        127\.0\.0\.(?:\d\d+|[2-9])
        )$/x);

These are all valid IPs, but the ones that are FPing are the 127 ones...  127/8 is a valid range for "localhost" addresses, so I'm not sure why they're "illegal".
Comment 1 Daniel Quinlan 2005-07-06 01:18:12 UTC
Subject: Re:   New: RCVD_ILLEGAL_IP includes valid IPs

bugzilla-daemon@bugzilla.spamassassin.org writes:

>   4.668   5.0251   0.0121    0.998   0.89    1.33  RCVD_ILLEGAL_IP
> 
> Looking at the code:

> These are all valid IPs, but the ones that are FPing are the 127
> ones...  127/8 is a valid range for "localhost" addresses, so I'm not
> sure why they're "illegal".

Just rename the test.  It works as a test ... very well.  ;-)

Daniel

Comment 2 Bob Menschel 2005-07-14 00:22:19 UTC
Triage: My pre3 mass-check gives: 
> 1.531   2.7263   0.1885    0.935   0.52    1.33  RCVD_ILLEGAL_IP
That's a lot lower S/O than Daniel reports from historical results. 
Still a good rule, but should we test to see if it is improved (or not) 
by excluding valid 127/8 addresses from the test? 
Comment 3 MATSUDA Yoh-ichi 2006-05-01 12:50:39 UTC
This is an alternate test for illegal IPs.

header FORGED_RCVD_IP Received =~ /(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
describe FORGED_RCVD_IP Invalid IP number, over 255.
score FORGED_RCVD_IP 2.5
Comment 4 MATSUDA Yoh-ichi 2006-05-18 03:13:47 UTC
Please test it.
header FORGED_RCVD_IP Received =~ /(\W([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
Comment 5 Theo Van Dinter 2006-12-05 10:47:01 UTC
OK, I have a test version in place, which looks for more illegal IPs and allows
127.0.0.*, which seems to be the FPs.  Will deal with the results appropriately.
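
An added example, not part of the bug thread or of SpamAssassin's code: the pattern quoted in the description, run over constructed addresses next to an assumed variant that simply drops the 127.0.0.* branch, to show which loopback addresses each one flags. The variant and the sample list are assumptions; the version actually committed for comment 5 is not shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern exactly as quoted in the bug description.
my $reported = qr/^(?:
    (?:[01257]|22[3-9]|23[0-9]|24[0-9]|25[0-5])\.\d+\.\d+\.\d+|
    127\.[1-9]\.\d+\.\d+|
    127\.0\.[1-9]\.\d+|
    127\.0\.0\.(?:\d\d+|[2-9])
    )$/x;

# Assumed variant (hypothetical, not the committed fix): identical except
# that the last branch is removed, so every 127.0.0.* address is allowed.
my $relaxed = qr/^(?:
    (?:[01257]|22[3-9]|23[0-9]|24[0-9]|25[0-5])\.\d+\.\d+\.\d+|
    127\.[1-9]\.\d+\.\d+|
    127\.0\.[1-9]\.\d+
    )$/x;

# Constructed sample addresses, chosen to exercise each branch.
my @samples = qw(
    127.0.0.1   127.0.0.2   127.0.0.53
    127.0.1.1   127.1.2.3   127.10.0.1
    5.6.7.8     10.1.2.3    224.0.0.1   192.0.2.10
);

# Returns 'hit' when the pattern flags the address, '-' otherwise.
sub verdict {
    my ($ip, $re) = @_;
    return $ip =~ $re ? 'hit' : '-';
}

printf "%-12s %-9s %s\n", 'address', 'reported', 'relaxed';
for my $ip (@samples) {
    printf "%-12s %-9s %s\n", $ip,
        verdict($ip, $reported), verdict($ip, $relaxed);
}
```

Because `[1-9]` is followed directly by `\.`, the 127 branches only cover single-digit octets, so an address such as 127.10.0.1 is flagged by neither pattern while 127.0.1.1 is flagged by both.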