Bug 6874 - HELO_DYNAMIC_IPADDR2 & HELO_DYNAMIC_SPLIT_IP hitting ham
Summary: HELO_DYNAMIC_IPADDR2 & HELO_DYNAMIC_SPLIT_IP hitting ham
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: unspecified
Hardware: PC Windows 7
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-10 15:42 UTC by Niamh Holding
Modified: 2017-12-20 17:25 UTC

Attachment: 2 hams that hit the aforementioned rules (application/octet-stream), submitted by Niamh Holding

Description Niamh Holding 2012-12-10 15:42:45 UTC
Created attachment 5116
2 hams that hit the aforementioned rules

mbox with 2 false positives attached.

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
        mail.redbus.holtain.net
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.2 required=4.5 autolearn=no
X-Spam-Report: 
        *  3.6 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
        *       2)
        *  3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
        *      IP)
        * -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
        * -2.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
        *      [score: 0.0000]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        *  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
        *  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
        *  1.0 RDNS_DYNAMIC Delivered to internal network by host with
        *      dynamic-looking rDNS
        *  0.0 T_REMOTE_IMAGE Message contains an external image
X-Spam-Relays-Untrusted: [ ip=159.253.211.188
        rdns=159.253.211.188.srvlist.ukfast.net
        helo=159.253.211.188.srvlist.ukfast.net by=mail.redbus.holtain.net ident=
        envfrom= intl=0 id= auth= msa=0 ] [ ip=159.253.211.188 rdns= helo= by= ident=
        envfrom= intl=0 id= auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i: 
X-Spam-DKIM-d: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_50BB4CB1.94D30094"
Comment 1 Kevin A. McGrail 2012-12-10 19:27:21 UTC
The overlap for a 7.1 score seems high and unintended.  Both of these rules are in 20_fake_helo_tests.cf.

159.253.211.188.srvlist.ukfast.net shouldn't hit BOTH rules, should it?

Dec 10 14:24:34.676 [8558] dbg: rules: ran header rule HELO_DYNAMIC_IPADDR2 ======> got hit: "[ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net helo=159.253.211.188.srvlist.ukfast.net by=mail.redbus.holtain.net ident= envfrom= intl=0 id= auth= "
Dec 10 14:24:34.680 [8558] dbg: rules: ran header rule HELO_DYNAMIC_SPLIT_IP ======> got hit: "[ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net helo=159.253.211.188."


So switching one of the rules to a meta testing for the other seems sane for the moment:

header __HELO_DYNAMIC_IPADDR2 X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= /i
meta HELO_DYNAMIC_IPADDR2  (__HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP)
describe HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)

svn commit -m 'Tweak for bug 6874'

Sending        rules/20_fake_helo_tests.cf
Transmitting file data .
Committed revision 1419685.
[root@devel rules]#
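Added example, not from the bug report or from SpamAssassin itself: a small Python re-implementation of the overlap and of the meta-rule fix from comment 1, run over a relay string modelled on the one in the report. The HELO_DYNAMIC_IPADDR2 pattern is the one quoted above and the scores are those from the X-Spam-Report; the HELO_DYNAMIC_SPLIT_IP pattern is a simplified stand-in (an assumption, since the real rule is not quoted on the page), and the second, dashed hostname is constructed to show a HELO that only the IPADDR2 pattern catches.

```python
import re

# Constructed X-Spam-Relays-External value, modelled on the first relay
# entry shown in the bug report.
RELAYS_FP = ("[ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net "
             "helo=159.253.211.188.srvlist.ukfast.net by=mail.redbus.holtain.net "
             "ident= envfrom= intl=0 id= auth= msa=0 ]")
# Constructed relay whose dashed HELO only the IPADDR2 pattern should catch.
RELAYS_DASHED = ("[ ip=203.0.113.7 rdns=203-0-113-7.dsl.example.net "
                 "helo=203-0-113-7.dsl.example.net by=mx.example.org "
                 "ident= envfrom= intl=0 id= auth= msa=0 ]")

# HELO_DYNAMIC_IPADDR2, copied from the rule quoted in comment 1
# (Perl /i flag becomes re.IGNORECASE).
IPADDR2 = re.compile(
    r"^[^\]]+ helo=\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= ",
    re.IGNORECASE)
# Simplified stand-in for HELO_DYNAMIC_SPLIT_IP (assumption: the real rule is
# not on the page): fires when the HELO starts with a dotted quad that is
# followed by further hostname text.
SPLIT_IP = re.compile(r"^[^\]]+ helo=\d{1,3}(?:\.\d{1,3}){3}[^\d\s]", re.IGNORECASE)

# Scores taken from the X-Spam-Report in the bug description.
SCORES = {"HELO_DYNAMIC_IPADDR2": 3.6, "HELO_DYNAMIC_SPLIT_IP": 3.5}


def hits(relays, use_meta):
    """Return the set of rule names that fire on the relay string.

    With use_meta=True, HELO_DYNAMIC_IPADDR2 behaves like the meta rule
    (__HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP) from comment 1, so a
    HELO cannot be scored by both rules at once."""
    fired = set()
    split_ip = bool(SPLIT_IP.search(relays))
    ipaddr2 = bool(IPADDR2.search(relays))
    if split_ip:
        fired.add("HELO_DYNAMIC_SPLIT_IP")
    if ipaddr2 and not (use_meta and split_ip):
        fired.add("HELO_DYNAMIC_IPADDR2")
    return fired


def helo_score(relays, use_meta):
    """Total score contributed by the two HELO rules, rounded like SA does."""
    return round(sum(SCORES[r] for r in hits(relays, use_meta)), 1)


if __name__ == "__main__":
    for name, relays in (("fp", RELAYS_FP), ("dashed", RELAYS_DASHED)):
        print(name, "before:", helo_score(relays, False), "after:", helo_score(relays, True))
```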
Comment 2 Giovanni Bechis 2017-12-20 07:52:07 UTC
No fp mentioned in ~5 years, time to close the bz?
Comment 3 Bill Cole 2017-12-20 17:25:08 UTC
Fixed 5ya