SA Bugzilla – Bug 7770
KHOP_HELO_FCRDNS falsely triggers if HELO is uppercase.
Last modified: 2020-04-10 08:46:32 UTC
The rule is triggered if HELO is upper case:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on psfcmail.mit.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=BODY_URI_ONLY,EMPTY_MESS, KHOP_HELO_FCRDNS autolearn=disabled version=3.4.0
Received: from w92exedge4.exchange.mit.edu (W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73 .16]) by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id xA7GffnY019 407 for <xxx@psfc.mit.edu>; Thu, 7 Nov 2019 11:41:44 -0500

But if the HELO is lowercase, it doesn't trigger.

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on psfcmail.mit.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BODY_URI_ONLY,EMPTY_MESS autolearn=disabled version=3.4.0
Received: from w92exedge4.exchange.mit.edu (w92exedge4.exchange.mit.edu [18.7.73 .16]) by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id xA7GffnY019 407 for <xxx@psfc.mit.edu>; Thu, 7 Nov 2019 11:41:44 -0500
FWIW it's not specifically when it's upper case. It's looking for a mismatch between helo and rdns, and the check is case-sensitive.
I don't see the usefulness of this rule, by itself. A score of .4 is simply too small to make a difference for the handful of spams, i.e. < 5, that managed to avoid detection at my site and weren't caught by other means. I.e., about 400 spams that triggered that rule were either blocked due to RBLs or came from the .eu domain. The few other spams either had SPF_HELO_SOFTFAIL or SPF_FAIL. So if you want to combine KHOP_HELO_FCRDNS with those other rules, and then assign it a decently high score (right now, it's only .4), then it might be useful.
Changed to case-insensitive. Probably doesn't make a difference either way.

Sending        rulesrc/sandbox/khopesh/20_khop_experimental.cf
Transmitting file data .done
Committing transaction...
Committed revision 1876357.
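The case-sensitivity effect discussed in this report, as an added example that is not part of the bug thread and is not SpamAssassin's rule code. It assumes the sendmail-style layout `from NAME1 (NAME2 [IP])` seen in the quoted headers and treats NAME1 as the HELO name and NAME2 as the reverse-DNS name; the comparison is symmetric, so the labelling does not change the result. The function names and the third header are constructed for illustration.

```python
import re

# Assumed layout: "Received: from <helo> (<rdns> [<ip>]) ..." as in the report.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]()]+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

# Relay part of the two Received headers quoted in the report.
UPPER = ("Received: from w92exedge4.exchange.mit.edu "
         "(W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73 .16]) by outgoing-exchange-7.mit.edu")
LOWER = ("Received: from w92exedge4.exchange.mit.edu "
         "(w92exedge4.exchange.mit.edu [18.7.73 .16]) by outgoing-exchange-7.mit.edu")
# Constructed header with a genuine name mismatch (documentation domains).
OTHER = "Received: from mail.example.net (host.example.org [192.0.2.10]) by mx.example.com"


def parse_received(header):
    """Return (helo, rdns) from a Received header, or None if the layout differs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = RECEIVED_RE.match(unfolded)
    return (m.group("helo"), m.group("rdns")) if m else None


def normalize(name):
    """DNS names compare case-insensitively (RFC 4343); drop a trailing root dot."""
    return name.rstrip(".").lower()


def helo_mismatch(header, case_sensitive):
    """True when the two names differ under the chosen comparison."""
    parsed = parse_received(header)
    if parsed is None:
        return False  # no usable relay data: do not fire
    helo, rdns = parsed
    if case_sensitive:
        return helo != rdns
    return normalize(helo) != normalize(rdns)


if __name__ == "__main__":
    for label, hdr in (("upper", UPPER), ("lower", LOWER), ("other", OTHER)):
        print(label, helo_mismatch(hdr, True), helo_mismatch(hdr, False))
```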