SA Bugzilla – Bug 5664
DYNAMIC check FPs
Last modified: 2008-04-01 12:38:32 UTC
header HELO_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:(?<! a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
header __RDNS_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+/i

The "cm" part is FP prone:

cmw2kex02e.rvc.ac.uk
cm0.mx.agent.point2.com
cmdeliver0.st0.spray.net
cmfilter0-ens.phx0m.ensynch.com
cmx0.servicemail24.de
hchlilmtcm0a0.mcleodusa.net
trafficmatt0.clnt.800hosting.net

Maybe change it to (\b|\d)cm(\b|\d).

Also "node" is FP prone:

mail-node-0.i-55.com
node0-www.care2.com
node0.mail0.netdiscounter.de

You should check for stuff like (mx|mail|smtp|www|filter) to negate these.

For some ideas, you can check http://sa.hege.li/badrelay.cf for entries that I've been collecting.
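A check of the __RDNS_DYNAMIC_DHCP body and the two refinements proposed above against the hostnames in this report, as an added example that is neither part of this bug nor SpamAssassin's own code: it runs the original regex, a lookaround rendering of the (\b|\d)cm(\b|\d) idea (applied to "node" as well), and the (mx|mail|smtp|www|filter) negation over constructed X-Spam-Relays-Untrusted lines. The pseudo-header layout, the 192.0.2.10 address and the example-isp.net name are assumptions.

```python
import re

# Constructed X-Spam-Relays-Untrusted pseudo-header (layout and IP assumed;
# only the rdns= value matters to the rules below).
RELAY_TMPL = ("[ ip=192.0.2.10 rdns={rdns} helo={rdns} by=mx.example.org "
              "ident= envfrom= intl=0 id=CONSTRUCTED auth= msa=0 ]")

# Original __RDNS_DYNAMIC_DHCP body as quoted in the bug.
ORIG = re.compile(
    r"^[^\]]+ rdns=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)"
    r"\S*\d+[^\d\s]+\d+", re.I)

# Refinement: "cm" and "node" count only when bounded by digits or non-word
# characters. Lookarounds keep a bounding digit available to the trailing
# \d+[^\d\s]+\d+ instead of consuming it, as (\b|\d)cm(\b|\d) would.
BOUNDED_CM = r"(?<![^\d\W])cm(?![^\d\W])"
BOUNDED_NODE = r"(?<![^\d\W])node(?![^\d\W])"
REFINED = re.compile(
    r"^[^\]]+ rdns=\S*(?:" + BOUNDED_CM + r"|catv|docsis|cable|dsl|dhcp|cpe|"
    + BOUNDED_NODE + r")\S*\d+[^\d\s]+\d+", re.I)

# Reporter's suggested negation: mail-server-looking labels in the rdns name.
NEGATE = re.compile(r"^[^\]]+ rdns=\S*(?:mx|mail|smtp|www|filter)", re.I)

# False positives listed in the report, plus one constructed dynamic-looking
# name that the rule should keep catching.
CM_FPS = ["cmw2kex02e.rvc.ac.uk", "cm0.mx.agent.point2.com",
          "cmdeliver0.st0.spray.net", "cmfilter0-ens.phx0m.ensynch.com",
          "cmx0.servicemail24.de", "hchlilmtcm0a0.mcleodusa.net",
          "trafficmatt0.clnt.800hosting.net"]
NODE_FPS = ["mail-node-0.i-55.com", "node0-www.care2.com",
            "node0.mail0.netdiscounter.de"]
DYNAMIC_OK = "cm-203-0-113-45.example-isp.net"  # constructed

def hits(rdns: str, refined: bool = False, negate: bool = False) -> bool:
    """True when the (optionally refined and/or negated) rule fires on rdns."""
    line = RELAY_TMPL.format(rdns=rdns)
    if negate and NEGATE.match(line):
        return False
    rule = REFINED if refined else ORIG
    return rule.match(line) is not None

def surviving_fps(refined: bool, negate: bool) -> list:
    """Reported FP hostnames that still trigger the chosen rule variant."""
    return [h for h in CM_FPS + NODE_FPS if hits(h, refined, negate)]

if __name__ == "__main__":
    for r, n in ((False, False), (True, False), (True, True)):
        print(f"refined={r} negate={n}: FPs left {surviving_fps(r, n)}; "
              f"dynamic name still caught: {hits(DYNAMIC_OK, r, n)}")
```

The bounded "cm" alone clears six of the seven cm hits; cm0.mx.agent.point2.com and all three node names only drop out once the mx/mail/www negation is applied.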
Names matching the word "static" should not match RDNS_DYNAMIC either. Some ISPs (including my employer, with me as DNS admin) use generic DNS on statically allocated IPs containing the word 'static', which has to indicate that the IPs are not dynamic.
True, although not a 'Dynamic' address in the truest sense of the word, addresses at your domain that say static still do not conform to 'Best Practices' guidelines for email operators, where the domain should reflect the responsible party for the mail server. If there is a mail server at that IP, or behind that IP, then the domain portion should NOT be nnn.nnn.nnn.static.upstreamprovider.com but something like gateway.operator_domain.com or mail.operator_domain.com etc. So the check for static may still be a legitimate way to weigh the likelihood of the IP address being simply an access point, and a likely location for trojan-generated email, vs. a properly run email server with a responsible party to report problems to. All upstream providers should provide full reverse DNS to parties wishing to run email services. Possibly, at the most, the rule should be broken up into two separate rules with different weights, but the recommendations and the effectiveness of the rule should not be underestimated: whether the naming convention is 'static' or not, it is still an IP address under the responsibility of the upstream provider, and most likely an access point from which trojans and bots can operate. Technically, the term 'dynamic' is incorrect, but aside from the naming of the rule, the principles are still valid.
Guys, the best way to illustrate these is to attach false positive samples.
Justin, I appreciate what you are saying, but this isn't really rocket science. Either a host is legitimate looking or not. What do you need samples for?