Bug 6986 - Overlapping HELO tests: CK_HELO_DYNAMIC_SPLIT_IP, HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_HCC
Status: NEW
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.3.2
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-28 13:46 UTC by Tom Hendrikx
Modified: 2014-04-24 17:37 UTC
Description Tom Hendrikx 2013-11-28 13:46:17 UTC
Hi,

We received some false positives due to HELO checks overlapping and applying a high score. The received header from a ham message: 

Received: from 82-69-83-178.dsl.in-addr.zen.co.uk (HELO 82-69-83-178.dsl.in-addr.zen.co.uk [82.69.83.178])
    by mx.example.com (qpsmtpd/0.80) with ESMTP id 1383824659htusq28abh; Wed, 27 Nov 2013 11:44:19 +0000

hits 4 rules, of which 3 account for a total score of ~7.9:
- CK_HELO_DYNAMIC_SPLIT_IP (score: 1.492)
- TVD_RCVD_IP (score: 0.001)
- HELO_DYNAMIC_IPADDR2 (score: 3.888)
- HELO_DYNAMIC_HCC (score: 2.514)

This looks a bit like the same issue as bug #6874.
Comment 1 Benny Pedersen 2013-11-28 14:44:20 UTC
-7.9 is ham, where is the problem?
Comment 2 Tom Hendrikx 2013-11-28 14:50:03 UTC
@Benny: keep reading. ~7.9 is not -7.9
Comment 3 Benny Pedersen 2013-11-28 15:00:34 UTC
(In reply to Tom Hendrikx from comment #2)
> @Benny: keep reading. ~7.9 is not -7.9

Damn, in verbose around 7.9 is not negative 7.9, oops :)

When I see overlapping rules I just make a meta to compensate for it, but having it resolved upstream is the way to go.
Comment 4 Kyle M 2014-04-24 17:37:44 UTC
I'd like to chime in with our false positive too.

6.6/5.0
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                            (Split IP)
 0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                            Generic rPTR
 2.0 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                            2)
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 2.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)

The valid HELO is formatted like so: 11-23-456-78.abcd.efg.hijk.com

We're looking at reducing these scores as well, since there seem to be quite a few overlapping scores being triggered here.
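As an added illustration, not part of this bug thread or of SpamAssassin itself, of the compensating meta rule that comment 3 describes, applied to the score report from comment 4: the meta name HELO_DYNAMIC_OVERLAP and its -3.0 score are assumptions chosen only to bring this ham back under the 5.0 threshold, and the parser handles the wrapped description lines of the report format.

```python
import re

# Score report as posted in comment 4 (embedded here as sample input).
REPORT = """\
6.6/5.0
 1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
                            (Split IP)
 0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
                            Generic rPTR
 2.0 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                            2)
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 2.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
"""

# A hit line starts with a decimal score followed by the rule name.
HIT_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")

def parse_report(text):
    """Return (total, threshold, {rule: score}) from a 'score/threshold' report.
    Wrapped description lines carry no leading score and are skipped."""
    lines = text.splitlines()
    total, threshold = (float(x) for x in lines[0].split("/"))
    hits = {}
    for line in lines[1:]:
        m = HIT_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return total, threshold, hits

# Compensating meta rule (assumed name and score). The equivalent local.cf lines:
#   meta  HELO_DYNAMIC_OVERLAP (CK_HELO_DYNAMIC_SPLIT_IP && HELO_DYNAMIC_IPADDR2 && HELO_DYNAMIC_HCC)
#   score HELO_DYNAMIC_OVERLAP -3.0
OVERLAP_RULES = ("CK_HELO_DYNAMIC_SPLIT_IP", "HELO_DYNAMIC_IPADDR2", "HELO_DYNAMIC_HCC")
METAS = {"HELO_DYNAMIC_OVERLAP": (lambda hits: all(r in hits for r in OVERLAP_RULES), -3.0)}

def rescore(hits, metas=METAS):
    """Apply meta rules to a dict of hits; return (new_total, hits including metas)."""
    result = dict(hits)
    for name, (predicate, score) in metas.items():
        if predicate(hits):
            result[name] = score
    return round(sum(result.values()), 3), result

if __name__ == "__main__":
    total, threshold, hits = parse_report(REPORT)
    new_total, _ = rescore(hits)
    print(f"before: {total}/{threshold}  after meta: {new_total}/{threshold}")
```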