SA Bugzilla – Bug 7971
too many DOS_RCVD_IP_TWICE_B?
Last modified: 2022-04-14 19:28:54 UTC
I see a lot of DOS_RCVD_IP_TWICE_B messages (3.3pts), from various routers (Adobe Campaign, Emarsys, Selligent, ...). Did you change something on this recently? Isn't it a bug?
DOS_RCVD_IP_TWICE_B has not changed since 2008. See https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/dos/70_other.cf?r1=627944&r2=627945&

That rule depends on specific mail routing details and configuration of local parameters like trusted_networks and internal_networks, so it is impossible to analyze what is causing you to see a lot of hits on that without full sample emails.

I do not see a large number of hits on this rule in the systems I work with. However, I do see *some* hits that are on definite ham, resulting from local mail submission on a public address. That's not common but it is also not "wrong" and in this specific case there's a solid reason for it.

Looking at RuleQA I see that the rule is fairly reliable and hits a large amount of spam, but it also has substantial hits on ham at most reporting sites (as much as 2.5% of all ham!) and hits only ham at a few. I've limited the score to 2.0 in revision 1899866.

I am very reluctant to modify the rule to reduce its hits on ham based solely on the idiosyncratic examples that I have in hand from 1 source. If you have matching non-spam samples that you can share, please attach them to this ticket so that we can (maybe) refer to them and modify the rule to avoid problems.
Created attachment 5768: some headers