Bug 7770 - KHOP_HELO_FCRDNS falsely triggers if HELO is uppercase.
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 3.4.0
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2019-11-07 18:39 UTC by Mark London
Modified: 2020-04-10 08:46 UTC

Description Mark London 2019-11-07 18:39:35 UTC
The rule is triggered if HELO is upper case:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on psfcmail.mit.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0 tests=BODY_URI_ONLY,EMPTY_MESS,
        KHOP_HELO_FCRDNS autolearn=disabled version=3.4.0
Received: from w92exedge4.exchange.mit.edu (W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73.16])
        by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id xA7GffnY019407
        for <xxx@psfc.mit.edu>; Thu, 7 Nov 2019 11:41:44 -0500

But if the HELO is lowercase, it doesn't trigger.

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on psfcmail.mit.edu
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BODY_URI_ONLY,EMPTY_MESS
        autolearn=disabled version=3.4.0
Received: from w92exedge4.exchange.mit.edu (w92exedge4.exchange.mit.edu [18.7.73.16])
        by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id xA7GffnY019407
        for <xxx@psfc.mit.edu>; Thu, 7 Nov 2019 11:41:44 -0500
Comment 1 RW 2019-11-07 19:02:01 UTC
FWIW it's not specifically when it's upper case. It's looking for a mismatch between helo and rdns, and the check is case-sensitive.
Comment 2 Mark London 2019-11-07 20:23:03 UTC
I don't see the usefulness of this rule, by itself. A score of .4 is simply too small to make a difference for the handful of spams, i.e. < 5, that managed to avoid detection at my site, that weren't caught by other means.

I.e., about 400 spams that triggered that rule were either blocked due to RBLs or came from the .eu domain.

The few other spams either had SPF_HELO_SOFTFAIL or SPF_FAIL.

So if you want to combine KHOP_HELO_FCRDNS with those other rules, and then assign it a decently high score (right now, it's only .4), then it might be useful.
Comment 3 Henrik Krohns 2020-04-10 08:46:32 UTC
Changed to case-insensitive. Probably doesn't make a difference either way.

Sending        rulesrc/sandbox/khopesh/20_khop_experimental.cf
Transmitting file data .done
Committing transaction...
Committed revision 1876357.
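
The comparison discussed in Comment 1 and changed in Comment 3, as an added example that is not part of the original thread and not the rule's own regex: a simplified Python check that extracts the HELO and reverse-DNS names from a sendmail-style Received header and compares them with and without case folding. The function names, the assumed "from HELO (RDNS [IP])" layout, and the third sample header are constructed for illustration.

```python
import re

# Received headers from the bug description, unwrapped onto one line each.
UPPER_RDNS = ("from w92exedge4.exchange.mit.edu "
              "(W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73.16]) "
              "by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP")
LOWER_RDNS = ("from w92exedge4.exchange.mit.edu "
              "(w92exedge4.exchange.mit.edu [18.7.73.16]) "
              "by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP")
# Constructed header with a genuine HELO/rDNS mismatch (documentation ranges).
REAL_MISMATCH = ("from mail.example.com "
                 "(host-203-0-113-7.example.net [203.0.113.7]) "
                 "by mx.example.org with ESMTP")

# Assumed layout for this example: "from HELO (RDNS [IP])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)


def parse_relay(received):
    """Return the helo, rdns and ip fields of one Received header value."""
    match = RECEIVED_RE.search(received)
    if match is None:
        raise ValueError("unrecognised Received header layout")
    return match.groupdict()


def normalize_host(name):
    """DNS names compare case-insensitively (RFC 4343); drop any root dot."""
    return name.rstrip(".").lower()


def helo_mismatch(received, case_sensitive):
    """True when the HELO name and the rDNS name differ."""
    relay = parse_relay(received)
    helo, rdns = relay["helo"], relay["rdns"]
    if not case_sensitive:
        helo, rdns = normalize_host(helo), normalize_host(rdns)
    return helo != rdns


if __name__ == "__main__":
    for label, hdr in (("upper", UPPER_RDNS), ("lower", LOWER_RDNS),
                       ("mismatch", REAL_MISMATCH)):
        print(label, helo_mismatch(hdr, True), helo_mismatch(hdr, False))
```
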