SA Bugzilla – Bug 6797
lower score for combined RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS hits
Last modified: 2014-07-21 14:33:09 UTC
Rules RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS seem to hit together too often, at least here:

% grep -Fh ']: spamd: result: ' /var/log/today/courier | grep -e RCVD_IN_SORBS_HTTP -e RCVD_IN_SORBS_SOCKS | awk ' /RCVD_IN_SORBS_HTTP/ && /RCVD_IN_SORBS_SOCKS/ { both++} END {print NR, both;}'
12 12
% grep -Fh ']: spamd: result: ' /var/log/yesterday/courier | grep -e RCVD_IN_SORBS_HTTP -e RCVD_IN_SORBS_SOCKS | awk ' /RCVD_IN_SORBS_HTTP/ && /RCVD_IN_SORBS_SOCKS/ { both++} END {print NR, both;}'
3 3

They both have similar scores, about 2.5, in the network&!bayes set. I propose a small score fix, so that together they don't push too hard:

meta SORBS_SOCKS_HTTP (RCVD_IN_SORBS_HTTP && RCVD_IN_SORBS_SOCKS)
describe SORBS_SOCKS_HTTP fix for HTTP&SOCKS proxies in SORBS (usually come together)
score SORBS_SOCKS_HTTP 0 -2 0 0

Note they are both used in deep scanning, so this indicates that proxies are often open for both HTTP and SOCKS, but mail from such hosts may be valid and relayed through spam-filtering MTAs.
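The awk one-liner above measures co-occurrence of exactly two rules. The following script is an added example, not code from the bug report or from the SpamAssassin project: it parses `spamd: result:` log lines, reproduces the same (either, both) count, generalizes it to every pair of RCVD_IN_* DNSBL rules so other overlapping lists show up too, and simulates what the proposed meta rule does to each message's score and verdict. The log lines are constructed samples; the log line layout (`result: <Y|N> <score> - <RULE,...> scantime=...`) and the per-message score arithmetic are assumptions about spamd output and a flat -2 adjustment, since the real score depends on the active score set.

```python
import re
from collections import Counter
from itertools import combinations

# Constructed sample spamd log lines (not taken from the bug report).
SAMPLE_LOG = """\
Jul 21 10:01:02 mx spamd[4242]: spamd: result: Y 7 - RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS,HTML_MESSAGE scantime=0.8,size=2210,user=alice,uid=1001,required_score=5.0
Jul 21 10:01:05 mx spamd[4242]: spamd: result: N 1 - HTML_MESSAGE scantime=0.4,size=1020,user=alice,uid=1001,required_score=5.0
Jul 21 10:02:11 mx spamd[4242]: spamd: result: Y 9 - BAYES_99,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS scantime=1.1,size=5420,user=bob,uid=1002,required_score=5.0
Jul 21 10:03:40 mx spamd[4242]: spamd: result: N 3 - RCVD_IN_SORBS_HTTP,MISSING_SUBJECT scantime=0.5,size=880,user=bob,uid=1002,required_score=5.0
Jul 21 10:04:00 mx spamd[4242]: spamd: connection from 127.0.0.1 [127.0.0.1] at port 54321
"""

# Assumed layout of a spamd result line: verdict, rounded score, "-", comma-separated tests.
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[YN]) (?P<score>-?\d+(?:\.\d+)?) - (?P<tests>\S+) "
)

SORBS_PAIR = frozenset({"RCVD_IN_SORBS_HTTP", "RCVD_IN_SORBS_SOCKS"})


def parse_results(log_text):
    """Return (verdict, score, frozenset_of_rules) per result line; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        tests = frozenset(t for t in m.group("tests").split(",") if t and t != "NONE")
        results.append((m.group("verdict"), float(m.group("score")), tests))
    return results


def cooccurrence(results, rule_a, rule_b):
    """Same statistic as the awk pipeline: (messages hitting either rule, messages hitting both)."""
    either = both = 0
    for _, _, tests in results:
        a, b = rule_a in tests, rule_b in tests
        either += a or b
        both += a and b
    return either, both


def pair_counts(results, prefix="RCVD_IN_"):
    """Count how often each pair of DNSBL rules (those starting with prefix) fires together."""
    counts = Counter()
    for _, _, tests in results:
        dnsbl = sorted(t for t in tests if t.startswith(prefix))
        for pair in combinations(dnsbl, 2):
            counts[pair] += 1
    return counts


def apply_meta(results, required, meta_score=-2.0):
    """Simulate the proposed meta rule as a flat adjustment (assumption: one score set).
    Returns (original_score, adjusted_score, still_spam) per message."""
    out = []
    for _, score, tests in results:
        adjusted = score + meta_score if SORBS_PAIR <= tests else score
        out.append((score, adjusted, adjusted >= required))
    return out


if __name__ == "__main__":
    res = parse_results(SAMPLE_LOG)
    print("either/both:", cooccurrence(res, *sorted(SORBS_PAIR)))
    for pair, n in pair_counts(res).most_common():
        print("pair", pair, "fires together", n, "times")
    for orig, adj, spam in apply_meta(res, required=5.0):
        print(f"score {orig:4.1f} -> {adj:4.1f}  spam={spam}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `pair_counts` output is the part that goes beyond the original one-liner, since it surfaces every pair of DNSBL rules that tends to fire together rather than only the SORBS pair.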
I agree with this, but think that the individual rules are simply scored too high. These two SORBS lists are automated, and they give you no recourse to correct a false positive. They'll re-test your IP address, but there's no "your test is busted" option, so predictably, their busted test continues to misclassify perfectly good hosts as open proxies. 2.5 points is a lot for something you can't fix.