Recently, Somebody Somewhere wrote these words
> On Monday 30 May 2005 09:02 am, Declan Moriarty wrote:
> 
> >
> > If your mail identified as being from bellsouth.net, there would be
> > no issue. That's your email address. It identifies as
> > www.ccolton.com. FIX THAT! You don't have to change hostname, or
> > domain name. Just tell your mail software that your box is to
> > identify as bellsouth.net, and see if earthlink still accepts the
> > mail.
> >
> My last post was intended for the list - didn't mean to send it to you
> directly - sorry.

No prob - we are both heading out of our depth here.
> 
> Since this post I've tried every conceivable combination of hostnames
> and addresses to try to satisfy SA's FORGED_RCVD_HELO test - no luck.
> This is a new Spam Assassin setup with all defaults still in place. I'm
> too new at it to say for sure that it's set up right, but it does
> score my incoming email, and has sent some to the spam box (and let
> others slide :-).
> 
> Here's the relevant part of one I sent to myself:
> 
>  X-Originating-IP: 24.148.198.211
>  X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on clara
>  X-Spam-Level:
>  X-Spam-Status: No, score=0.1 required=5.0 tests=FORGED_RCVD_HELO
>   autolearn=unavailable version=3.0.3
> 
> I can't find a shred of documentation on how SA tests for a forged
> HELO, and only a little on what HELO is and how smtp uses it. It's an
> aggravating little problem that I'd like to solve.

Sorry, my bad.  It is FORGED_RECVD_HELO (20_head_tests.cf) but just
mebbe this is a moving target.

header FORGED_RCVD_HELO         eval:check_for_forged_received_helo()
describe FORGED_RCVD_HELO       Received: contains a forged HELO

This is an internal thingy coded into spamassassin. The only other rule
type is perl regexes. The Helo, I gather, is an initial interaction from
the sending server before they begin a mail transfer. If the initial
helo says the server is one thing, and the mail transferred says another
(i.e. the received from line) that is certainly suspicious.

> 
> Something that I've noticed though, is that I'm not the only one with
> it. SA reports a FORGED_RCVD_HELO on 9 out of 10 of my recently
> received emails (including yours) - none of them spam. It seems like
> it might be a common problem and maybe that's why SA's default score
> for it is only .1.

It's not a common problem for me. There are a few, but the most common
one is whitelisted, so it doesn't matter. The reason my email scores on
a forged_helo is that it is a reply to _your_ email carrying _your_
FORGED_RCVD_HELO :-). The line checked, AFAIK, is the very last Received
From: line before the 'From'. That one is yours. If you save the email
to its own file, open it in vim and remove that header, it will check
the one above :-D. Save as 'test1'; run

cat test1 | spamassassin --remove-markup > test
cat test | spamc -R          (presuming you use spamd)
cat test | spamassassin -R   (if you don't)
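
To make the two points above concrete (what a "forged HELO" mismatch in a
Received: line looks like, and why deleting the topmost Received: header
changes which hop gets tested), here is an added example that is not part
of this thread and not SpamAssassin's own code. It parses Sendmail/Postfix
style "from HELO (rDNS [IP])" Received: headers from a constructed message
and applies an approximation of the check: flag the hop when the HELO name
is an IP literal that differs from the connecting IP, or when its domain
does not match the reverse-DNS name the receiving MTA recorded. The real
check_for_forged_received_helo() in SpamAssassin is more elaborate; the
two-label "registered domain" rule, the header names and the sample
addresses (documentation ranges) are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample message (not from the thread). The top Received: hop
# mimics the situation discussed: the sender HELOs as www.ccolton.com, but the
# connecting host's reverse DNS is a bellsouth.net customer address. The
# second hop is consistent (HELO name equals rDNS). IPs are documentation ranges.
SAMPLE_MESSAGE = "\n".join([
    "Received: from www.ccolton.com (adsl-customer.bellsouth.net [192.0.2.10])",
    "\tby clara (Postfix) with ESMTP id CONSTRUCTED1",
    "\tfor <someone@example.org>; Mon, 30 May 2005 09:02:00 +0100",
    "Received: from mail.example.org (mail.example.org [198.51.100.5])",
    "\tby www.ccolton.com with ESMTP id CONSTRUCTED2",
    "From: someone@example.org",
    "Subject: HELO test",
    "",
    "body text",
    "",
])

# "from HELO (rDNS [IP])" or "from HELO ([IP])" as written by Sendmail/Postfix
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)


def split_headers(raw):
    """Return (unfolded header strings, body); continuation lines are joined."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers, body


def parse_received(value):
    """Extract HELO name, recorded rDNS name and connecting IP from one hop."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    return {
        "helo": m.group("helo").lower(),
        "rdns": (m.group("rdns") or "").lower().rstrip("."),
        "ip": m.group("ip"),
    }


def registered_domain(host):
    """Crude 'last two labels' domain (assumption; good enough for the demo)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def helo_looks_forged(rcvd):
    """Approximation of the forged-HELO heuristic, as described in the lead-in."""
    helo = rcvd["helo"].strip("[]")
    try:
        helo_ip = ipaddress.ip_address(helo)
    except ValueError:
        helo_ip = None
    if helo_ip is not None:
        # HELO given as an IP literal: fine only if it is the connecting IP
        return str(helo_ip) != rcvd["ip"]
    if not rcvd["rdns"]:
        return False  # receiving MTA recorded no rDNS; nothing to compare
    return registered_domain(helo) != registered_domain(rcvd["rdns"])


def check_top_received(raw):
    """Test only the topmost Received: header, the hop the thread says SA looks at."""
    headers, _ = split_headers(raw)
    for h in headers:
        if h.lower().startswith("received:"):
            rcvd = parse_received(h[len("received:"):])
            if rcvd is None:
                return None
            return dict(rcvd, forged=helo_looks_forged(rcvd))
    return None


def remove_top_received(raw):
    """Drop the first Received: header and its folded continuation lines, the
    same edit the thread suggests doing by hand in vim before re-running spamc -R."""
    head, sep, body = raw.partition("\n\n")
    out, skipping, done = [], False, False
    for line in head.split("\n"):
        if not done and not skipping and line.lower().startswith("received:"):
            skipping = True
            continue
        if skipping:
            if line[:1] in (" ", "\t"):
                continue
            skipping, done = False, True
        out.append(line)
    return "\n".join(out) + sep + body


if __name__ == "__main__":
    print("top hop:", check_top_received(SAMPLE_MESSAGE))
    print("after removing it:", check_top_received(remove_top_received(SAMPLE_MESSAGE)))
```

Run as-is and the first hop is flagged (HELO www.ccolton.com versus rDNS
under bellsouth.net), while the same message with that header removed
checks the next hop and passes; that is exactly the effect the vim edit
above has on the real SpamAssassin re-scan.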

> 
> It seems like your SA setup scored FORGED_RCVD_HELO as 3.0. That's a
> huge difference from 0.1. Is there a reason?

Yes. I have upped the spam score of these header tests, as they are
reliable for me in picking out phoney email. I have 17 hits in 87 spam
stored for this test alone. But there are a few false positives, so I
should really tweak the score down a bit.

> 
> My apologies for any dumb assumptions stemming from ignorance about
> Spam Assassin.
> 
No need to eat the humble pie _before_ you make a fool of yourself :-) 
Besides spamassassin is poorly explained and a rough ride the first
time.

I have mine set up this way: a large local.cf in /etc/mail/spamassassin,
and many of the SARE (Spam Assassin Rules Emporium) rulesets in
/usr/local/share/spamassassin/. I call it after Vipul's Razor, from
procmail, and run spamd from an rc script.

The thing is set up/run by programmers and perl specialists who
obviously get a great buzz out of it, but they have limited patience for
newbies, and writing documentation is not their favourite pastime.
-- 

        With best Regards,


        Declan Moriarty.
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page