4889 – new rules: detecting same HELO and BY

Bug 4889 - new rules: detecting same HELO and BY

Summary: new rules: detecting same HELO and BY

Status:	RESOLVED FIXED

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	unspecified
Hardware:	All Linux

Importance:	P5 normal
Target Milestone:	Undefined
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-05-01 19:43 UTC by MATSUDA Yoh-ichi
Modified:	2019-06-18 17:43 UTC (History)
CC List:	1 user (show)

Attachment	Type	Actions	Submitter/CLA Status
sample spam: for testing "HELO_BY_SAME"	text/plain	None	MATSUDA Yoh-ichi
sample spam for testing "HELO_BY_PARTIALSAME"	text/plain	None	MATSUDA Yoh-ichi
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description MATSUDA Yoh-ichi 2006-05-01 19:43:48 UTC

header HELO_BY_SAME X-Spam-Relays-Untrusted =~
/ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3}
rdns=[^\[]* helo=([\w\.-]+) by=\7/
describe HELO_BY_SAME HELO is same received MTA's FQDN
score HELO_BY_SAME 1.5

header HELO_BY_PARTIALSAME X-Spam-Relays-Untrusted =~
/ip=(?!(127\.0\.0\.1|192\.168(\.\d{1,3}){2}|172\.(1[6-9]|2\d|3[01](\.\d{1,3}){2}|10(\.\d{1,3}){3})))\d{2,3}(\.\d{1,3}){3}
rdns=[^\[]* helo=([\w\.-]+) by=[\w\.]+\7/
describe HELO_BY_PARTIALSAME HELO is same received MTA's domain name
score HELO_BY_PARTIALSAME 1.5

Comment 1 MATSUDA Yoh-ichi 2006-05-01 19:48:30 UTC

Created attachment 3497 [details]
sample spam: for testing "HELO_BY_SAME"

This is a sample spam for testing "HELO_BY_SAME".

Comment 2 MATSUDA Yoh-ichi 2006-05-01 19:51:12 UTC

Created attachment 3498 [details]
sample spam for testing "HELO_BY_PARTIALSAME"

This is a sample spam for testing "HELO_BY_PARTIALSAME".

Comment 3 Henrik Krohns 2019-06-18 17:43:49 UTC

Closing old bugs. This exists as __HELO_AS_VICTIM.