SA Bugzilla – Bug 6874
HELO_DYNAMIC_IPADDR2 & HELO_DYNAMIC_SPLIT_IP hitting ham
Last modified: 2017-12-20 17:25:08 UTC
Created attachment 5116
2 hams that hit the aforementioned rules

mbox with 2 false positives attached.

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.redbus.holtain.net
X-Spam-Flag: YES
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.2 required=4.5 autolearn=no
X-Spam-Report:
	*  3.6 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
	*  3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
	* -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
	* -2.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
	*  0.4 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
	*  1.0 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
	*  0.0 T_REMOTE_IMAGE Message contains an external image
X-Spam-Relays-Untrusted: [ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net helo=159.253.211.188.srvlist.ukfast.net by=mail.redbus.holtain.net ident= envfrom= intl=0 id= auth= msa=0 ] [ ip=159.253.211.188 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]
X-Spam-Language: en
X-Spam-DKIM-i:
X-Spam-DKIM-d:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_50BB4CB1.94D30094"
The overlap for a 7.1 score seems high and unintended. Both of these rules are in 20_fake_helo_tests.cf. 159.253.211.188.srvlist.ukfast.net shouldn't hit BOTH rules, should it?

Dec 10 14:24:34.676 [8558] dbg: rules: ran header rule HELO_DYNAMIC_IPADDR2 ======> got hit: "[ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net helo=159.253.211.188.srvlist.ukfast.net by=mail.redbus.holtain.net ident= envfrom= intl=0 id= auth= "
Dec 10 14:24:34.680 [8558] dbg: rules: ran header rule HELO_DYNAMIC_SPLIT_IP ======> got hit: "[ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net helo=159.253.211.188."

So switching one of the rules to a meta testing for the other seems sane for the moment:

header   __HELO_DYNAMIC_IPADDR2  X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= /i
meta     HELO_DYNAMIC_IPADDR2    (__HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP)
describe HELO_DYNAMIC_IPADDR2    Relay HELO'd using suspicious hostname (IP addr 2)

svn commit -m 'Tweak for bug 6874'
Sending        rules/20_fake_helo_tests.cf
Transmitting file data .
Committed revision 1419685.
[root@devel rules]#
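As an added illustration (not code from this bug or from SpamAssassin), the Python below applies the HELO_DYNAMIC_IPADDR2 pattern quoted in the comment above to the relay line from the report and shows how the meta rule stops the two rules stacking. It assumes a simplified stand-in regex for HELO_DYNAMIC_SPLIT_IP (the real rule is not quoted here) and uses the 3.6/3.5 scores from the X-Spam-Report.

```python
import re

# Rule scores as shown in the X-Spam-Report of the attached ham.
SCORES = {"HELO_DYNAMIC_IPADDR2": 3.6, "HELO_DYNAMIC_SPLIT_IP": 3.5}

# HELO_DYNAMIC_IPADDR2 pattern exactly as posted in the bug comment.
IPADDR2_RE = re.compile(
    r"^[^\]]+ helo=\d{1,3}(?:[\Wx_]\d{1,3}){3}[^\d\s][^\s.]*\.\S+\.\S+[^\]]+ auth= ",
    re.I,
)

# ASSUMPTION: simplified stand-in for HELO_DYNAMIC_SPLIT_IP (four dotted octets
# prefixed to a hostname). The real pattern in 20_fake_helo_tests.cf differs.
SPLIT_IP_RE = re.compile(
    r"^[^\]]+ helo=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.[^\s.]+\.\S+[^\]]+ auth= ",
    re.I,
)


def hits_before_fix(relays_external):
    """Both header rules score independently: the behaviour behind the FP."""
    hits = set()
    if IPADDR2_RE.search(relays_external):
        hits.add("HELO_DYNAMIC_IPADDR2")
    if SPLIT_IP_RE.search(relays_external):
        hits.add("HELO_DYNAMIC_SPLIT_IP")
    return hits


def hits_after_fix(relays_external):
    """IPADDR2 is now a meta: __HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP."""
    sub_ipaddr2 = bool(IPADDR2_RE.search(relays_external))
    split_ip = bool(SPLIT_IP_RE.search(relays_external))
    hits = set()
    if split_ip:
        hits.add("HELO_DYNAMIC_SPLIT_IP")
    if sub_ipaddr2 and not split_ip:
        hits.add("HELO_DYNAMIC_IPADDR2")
    return hits


def score(hits):
    """Sum the rule scores for a set of hit rule names."""
    return round(sum(SCORES[r] for r in hits), 1)


# X-Spam-Relays-External value for the ham, copied from the report in the bug.
HAM_RELAYS = ("[ ip=159.253.211.188 rdns=159.253.211.188.srvlist.ukfast.net "
              "helo=159.253.211.188.srvlist.ukfast.net by=mail.redbus.holtain.net "
              "ident= envfrom= intl=0 id= auth= msa=0 ]")

if __name__ == "__main__":
    print(score(hits_before_fix(HAM_RELAYS)))  # 7.1: both rules stack
    print(score(hits_after_fix(HAM_RELAYS)))   # 3.5: only SPLIT_IP remains
```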
No fp mentioned in ~5 years, time to close the bz ?
Fixed 5ya