SA Bugzilla – Bug 4459
RCVD_ILLEGAL_IP includes valid IPs
Last modified: 2006-12-05 10:47:01 UTC

Checking for FPs in the 3.1 score run, I found a few ham hits for this rule.

    4.668 5.0251 0.0121 0.998 0.89 1.33 RCVD_ILLEGAL_IP

Looking at the code:

    return 1 if ($check =~ /^(?:
        (?:[01257]|22[3-9]|23[0-9]|24[0-9]|25[0-5])\.\d+\.\d+\.\d+|
        127\.[1-9]\.\d+\.\d+|
        127\.0\.[1-9]\.\d+|
        127\.0\.0\.(?:\d\d+|[2-9])
      )$/x);

These are all valid IPs, but the ones that are FPing are the 127 ones... 127/8 is a valid range for "localhost" addresses, so I'm not sure why they're "illegal".

Subject: Re: New: RCVD_ILLEGAL_IP includes valid IPs

bugzilla-daemon@bugzilla.spamassassin.org writes:

> 4.668 5.0251 0.0121 0.998 0.89 1.33 RCVD_ILLEGAL_IP
>
> Looking at the code:
> These are all valid IPs, but the ones that are FPing are the 127
> ones... 127/8 is a valid range for "localhost" addresses, so I'm not
> sure why they're "illegal".

Just rename the test. It works as a test ... very well. ;-)

Daniel

Triage: My pre3 mass-check gives:

> 1.531 2.7263 0.1885 0.935 0.52 1.33 RCVD_ILLEGAL_IP

That's a lot lower S/O than Daniel reports from historical results. Still a good rule, but should we test to see if it is improved (or not) by excluding valid 127/8 addresses from the test?

This is an alternate test for illegal IPs.

    header FORGED_RCVD_IP Received =~ /(\W(9[6-9]|1[01]\d|120|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/
    describe FORGED_RCVD_IP Invalid IP number, over 255.
    score FORGED_RCVD_IP 2.5

Please test it.

    header FORGED_RCVD_IP Received =~ /(\W([01257]|2[37]|3[1679]|42|7[789]|9[6-9]|1[01]\d|120|17[3-9]|18[0-7]|197|2(2[3-9]|[3-9]\d)|[3-9]\d\d)(\.\d{1,3}){3}[^\w\.-]|\d{1,3}\.(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3}){2}|(\d{1,3}\.){2}(2(5[6-9]|[6-9]\d)|[3-9]\d\d)(\.\d{1,3})|(\d{1,3}\.){3}(2(5[6-9]|[6-9]\d)|[3-9]\d\d))/

OK, I have a test version in place, which looks for more illegal IPs and allows 127.0.0.*, which seems to be the FPs. Will deal with the results appropriately.
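
Added example, not part of the bug thread and not SpamAssassin's own code: a Perl script that runs the pattern quoted in the report over constructed sample addresses, beside a hypothetical variant with the three 127/8 branches removed (the idea raised in the triage comment). The variant, the helper name classify and the sample addresses are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern quoted in the report (RCVD_ILLEGAL_IP), copied unchanged.
my $reported = qr/^(?:
    (?:[01257]|22[3-9]|23[0-9]|24[0-9]|25[0-5])\.\d+\.\d+\.\d+|
    127\.[1-9]\.\d+\.\d+|
    127\.0\.[1-9]\.\d+|
    127\.0\.0\.(?:\d\d+|[2-9])
  )$/x;

# Hypothetical variant for comparison: first branch kept, 127/8 branches dropped.
my $no_loopback = qr/^(?:
    (?:[01257]|22[3-9]|23[0-9]|24[0-9]|25[0-5])\.\d+\.\d+\.\d+
  )$/x;

# Constructed sample addresses, not taken from any mail corpus.
my @samples = qw(
    127.0.0.1 127.0.0.2 127.0.0.53 127.0.1.1 127.1.2.3 127.10.0.1
    0.0.0.0 5.6.7.8 224.0.0.1 255.255.255.255 10.0.0.1 192.0.2.25
);

# Returns (hit under reported pattern, hit under variant) as 1/0 flags.
sub classify {
    my ($ip) = @_;
    return ( $ip =~ $reported ? 1 : 0, $ip =~ $no_loopback ? 1 : 0 );
}

printf "%-16s %-9s %s\n", 'address', 'reported', 'no-127/8';
for my $ip (@samples) {
    my ( $old, $new ) = classify($ip);
    # Flag the rows where only a 127/8 branch produced the hit.
    printf "%-16s %-9s %s%s\n", $ip,
        $old ? 'hit' : '-', $new ? 'hit' : '-',
        ( $old && !$new ) ? '   <- hit only via a 127/8 branch' : '';
}
```

The table makes the loopback coverage of the reported pattern visible per address, including that the `127\.[1-9]\.` branch only accepts a single-digit second octet.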