Recently, Somebody Somewhere wrote these words
> On Monday 30 May 2005 09:02 am, Declan Moriarty wrote:
> >
> >
> > If your mail identified as being from bellsouth.net, there would be
> > no issue. That's your email address. It identifies as
> > www.ccolton.com. FIX THAT! You don't have to change hostname, or
> > domain name. Just tell your mail software that your box is to
> > identify as bellsouth.net, and see if earthlink still accepts the
> > mail.
> >
> My last post was intended for the list - didn't mean to send it to you
> directly - sorry.

No prob - we are both heading out of our depth here.

>
> Since this post I've tried every conceivable combination of hostnames
> and addresses to try to satisfy SA's FORGED_RCVD_HELO test - no luck.
> This is a new Spam Assassin setup with all defaults still in place. I'm
> too new at it to say for sure that it's set up right, but it does
> score my incoming email, and has sent some to the spam box (and let
> others slide :-).
>
> Here's the relevant part of one I sent to myself:
>
> X-Originating-IP: 24.148.198.211 X-Spam-Checker-Version: SpamAssassin
> 3.0.3 (2005-04-27) on clara X-Spam-Level: X-Spam-Status: No,
> score=0.1 required=5.0 tests=FORGED_RCVD_HELO autolearn=unavailable
> version=3.0.3
>
> I can't find a shred of documentation on how SA tests for a forged
> HELO, and only a little on what HELO is and how smtp uses it. It's an
> aggravating little problem that I'd like to solve.

Sorry, my bad. It is FORGED_RECVD_HELO (20_head_tests.cf) but just mebbe
this is a moving target

    header FORGED_RCVD_HELO eval:check_for_forged_received_helo()
    describe FORGED_RCVD_HELO Received: contains a forged HELO

This is an internal thingy coded into spamassassin. The only other rule
type is perl regexes.

The Helo, I gather, is an initial interaction from the sending server
before they begin a mail transfer. If the initial helo says the server
is one thing, and the mail transferred says another (i.e. the received
from line) that is certainly suspicious.

>
> Something that I've noticed though, is that I'm not the only one with
> it. SA reports a FORGED_RCVD_HELO on 9 out of 10 of my recently
> received emails (including yours) - none of them spam. It seems like
> it might be a common problem and maybe that's why SA's default score
> for it is only .1.

It's not a common problem for me. There are a few, but the most common
one is whitelisted, so it doesn't matter.

The reason my email scores on a forged_helo is that it is a reply to
_your_ email carrying _your_ FORGED_RCVD_HELO :-). The line checked,
AFAIK, is the very last Received From: line before the 'From'. That one
is yours. If you save the email to its own file, open it in vim and
remove that header, it will check the one above :-D. Save as 'test1'; run

    cat test1 |spamassassin --remove-markup >test
    cat test |spamc -R          (presuming you use spamd)
    cat test |spamassassin -R   (if you don't)

>
> It seems like your SA setup scored FORGED_RCVD_HELO as 3.0. That's a
> huge difference from 0.1. Is there a reason?

Yes. I have upped the spam score of these header tests, as they are
reliable for me in picking out phoney email. I have 17 hits in 87 spam
stored for this test alone. But there are a few false positives, so I
should really tweak the score down a bit.

>
> My apologies for any dumb assumptions stemming from ignorance about
> Spam Assassin.
>

No need to eat the humble pie _before_ you make a fool of yourself :-)
Besides, spamassassin is poorly explained and a rough ride the first time.

I have mine set up this way: a large local.cf in /etc/mail/spamassassin,
and many of the SARE (Spam Assassin Rules Emporium) rulesets in
/usr/local/share/spamassassin/. I call it after Vipul's Razor, from
procmail, and run spamd from an rc script.

The thing is set up/run by programmers and perl specialists who
obviously get a great buzz out of it, but they have limited patience for
newbies, and writing documentation is not their favourite pastime.

-- 
With best Regards,

Declan Moriarty.
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
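
Added example (not part of the original post, and not SpamAssassin's own check_for_forged_received_helo() code): a small Python sketch of the idea discussed above, comparing the name a sender gave in HELO with the reverse-DNS name the receiving server recorded in the same Received: header. The sample message, the hostnames host1.bellsouth.net and mx.example.net, and the "last two labels" domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread); hostnames are illustrative.
SAMPLE = """\
Received: from www.ccolton.com (host1.bellsouth.net [24.148.198.211])
\tby mx.example.net with ESMTP; Mon, 30 May 2005 09:30:00 -0500
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 30 May 2005 09:31:00 -0500
From: someone@bellsouth.net
Subject: test

body
"""

# Matches the common "from HELO (rDNS [IP])" layout written by Postfix/sendmail.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def base_domain(host):
    """Crude assumption: the last two labels stand in for the registered domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def helo_mismatches(raw_message):
    """Return (helo, rdns, ip) for each hop whose HELO and rDNS domains differ."""
    hits = []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
        if not m:
            continue  # layout we do not parse: no verdict
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
        if not rdns or rdns.lower() == "unknown":
            continue  # no reverse DNS recorded, nothing to compare against
        if helo.startswith("["):
            continue  # address-literal HELO, not a host name
        if base_domain(helo) != base_domain(rdns):
            hits.append((helo, rdns, ip))
    return hits

if __name__ == "__main__":
    for helo, rdns, ip in helo_mismatches(SAMPLE):
        print(f"HELO {helo} but connecting host resolved to {rdns} [{ip}]")
```

A mismatch on its own is weak evidence, which fits the low default score mentioned in the thread: plenty of legitimate hosts announce a name that differs from their reverse DNS.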