SA Bugzilla – Bug 6986
Overlapping HELO tests: CK_HELO_DYNAMIC_SPLIT_IP, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_HCC
Last modified: 2014-04-24 17:37:44 UTC
Hi,

We received some false positives due to HELO checks overlapping and applying a high score. The received header from a ham message:

Received: from 82-69-83-178.dsl.in-addr.zen.co.uk (HELO 82-69-83-178.dsl.in-addr.zen.co.uk [82.69.83.178])
    by mx.example.com (qpsmtpd/0.80) with ESMTP id 1383824659htusq28abh;
    Wed, 27 Nov 2013 11:44:19 +0000

hits 4 rules, of which 3 are accounting for a total score of ~7.9:

- CK_HELO_DYNAMIC_SPLIT_IP (score: 1.492)
- TVD_RCVD_IP (score: 0.001)
- HELO_DYNAMIC_IPADDR2 (score: 3.888)
- HELO_DYNAMIC_HCC (score: 2.514)

This looks a bit like the same issue as bug #6874.
-7.9 is ham, where is the problem?
@Benny: keep reading. ~7.9 is not -7.9
(In reply to Tom Hendrikx from comment #2)
> @Benny: keep reading. ~7.9 is not -7.9

Damn, in verbose: around 7.9 is not negative 7.9, oops :)

When I see overlapping rules I just make a meta to compensate for it, but having it resolved upstream is the way to go.
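A local compensating meta rule of the kind mentioned in the comment above, for the three overlapping rules named in this bug. This is an added example, not part of the thread or of the SpamAssassin rule set; the rule name LOCAL_HELO_DYN_OVERLAP and the chosen score are assumptions, derived from the scores quoted in the original report.

```conf
# local.cf: added illustration, not from the bug thread.
# LOCAL_HELO_DYN_OVERLAP is a hypothetical rule name.

# Fires only when all three HELO rules match the same relay hostname.
meta     LOCAL_HELO_DYN_OVERLAP (CK_HELO_DYNAMIC_SPLIT_IP && HELO_DYNAMIC_IPADDR2 && HELO_DYNAMIC_HCC)
describe LOCAL_HELO_DYN_OVERLAP HELO dynamic-IP rules overlap

# Assumed policy: keep only the largest of the three reported scores (3.888)
# and cancel the other two: 1.492 + 2.514 = 4.006.
# Scores differ per score set, so check the values active on your install.
score    LOCAL_HELO_DYN_OVERLAP -4.006
```

Run `spamassassin --lint` after editing to confirm the rule parses.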
I'd like to chime in with our false positive too.

6.6/5.0

1.5 CK_HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
0.2 CK_HELO_GENERIC           Relay used name indicative of a Dynamic Pool or Generic rPTR
2.0 HELO_DYNAMIC_IPADDR2      Relay HELO'd using suspicious hostname (IP addr 2)
0.4 RDNS_DYNAMIC              Delivered to internal network by host with dynamic-looking rDNS
2.5 HELO_DYNAMIC_HCC          Relay HELO'd using suspicious hostname (HCC)

The valid helo is formatted as so: 11-23-456-78.abcd.efg.hijk.com

We're looking at reducing these scores as well, since there seems to be quite a bit of overlapping scores being triggered here.