http://bugzilla.spamassassin.org/show_bug.cgi?id=4188

------- Additional Comments From [EMAIL PROTECTED]  2005-07-14 21:14 -------
Subject: Re:  RCVD_HELO_IP_MISMATCH should check address literals


Your assumption is correct. The rule only fires against n.n.n.n in the
HELO greeting, and doesn't fire against [n.n.n.n]. (I don't know if this is
still current, but I doubt this has changed since the report was filed.)



On 7/14/2005 1:26 AM, [EMAIL PROTECTED] wrote:
> http://bugzilla.spamassassin.org/show_bug.cgi?id=4188
> 
> 
> [EMAIL PROTECTED] changed:
> 
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>    Target Milestone|Undefined                   |3.2.0
> 
> 
> 
> 
> ------- Additional Comments From [EMAIL PROTECTED]  2005-07-13 22:26 -------
> Triage: Worth developing a test for, so we can find out whether this
> enhancement will catch spam.
> 
> Examples, if I understand the request correctly:  A received header of
>   Received: from [172.16.11.197] ([172.16.11.197]) by mail.avantwave.com
>     (8.12.10/8.12.10) with ESMTP id j5371esB029156 for
>     <[email protected]>; Fri, 3 Jun 2005 15:01:40 +0800
> is OK, since the address literal and the actual IP seen match. A received
> header of
>   Received: from [173.17.12.199] ([172.16.11.197]) by mail.avantwave.com
>     (8.12.10/8.12.10) with ESMTP id j5371esB029156 for
>     <[email protected]>; Fri, 3 Jun 2005 15:01:40 +0800
> would score this rule, since the address literal does not match the actual
> IP seen.
> 
> A rule in the SARE collection for this purpose:
> header    SARE_RECV_SUSP_3         Received =~ m'\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(\[(?!\1)\d{1,3}(?:\.\d{1,3}){3}\]\)'
> describe  SARE_RECV_SUSP_3         Dotquad hostname doesn't match HELO dotquad.
> score     SARE_RECV_SUSP_3         0.860
> #hist     SARE_RECV_SUSP_3         LW_FAKED_DOTQUAD
> #counts   SARE_RECV_SUSP_3         2334s/90h of 298277 corpus (136400s/161877h RM) 06/06/05
> #counts   SARE_RECV_SUSP_3         2630s/1h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
> #max      SARE_RECV_SUSP_3         2963s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
> #counts   SARE_RECV_SUSP_3         112s/1h of 47283 corpus (43206s/4077h MY) 06/05/05
> #counts   SARE_RECV_SUSP_3         11s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
> #counts   SARE_RECV_SUSP_3         5s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
> 
> 
> 
> 
> 
> ------- You are receiving this mail because: -------
> You reported the bug, or are watching the reporter.
> 

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
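
As an added illustration (not part of the thread, and not SpamAssassin's or SARE's own code), the Python below runs the SARE pattern quoted above beside a hypothetical check that also accepts the `[n.n.n.n]` address-literal form and compares octets numerically rather than as text. `HELO_PEER`, `classify` and the two bare-HELO sample headers are assumptions made for this example.

```python
import re

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"

# SARE_RECV_SUSP_3 pattern exactly as quoted in the thread (bare dotted quad only).
SARE = re.compile(
    r"\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(\[(?!\1)\d{1,3}(?:\.\d{1,3}){3}\]\)"
)

# Hypothetical pattern for this example: the HELO is a bare dotted quad or an
# address literal "[n.n.n.n]"; a closing bracket is required only if one opened.
HELO_PEER = re.compile(
    r"\bfrom\s+(?P<lb>\[)?(?P<helo>" + QUAD + r")(?(lb)\])"
    r"\s+\(\[(?P<peer>" + QUAD + r")\]\)"
)


def _octets(quad):
    """Parse a dotted quad into a tuple of ints, or None if any octet > 255."""
    parts = tuple(int(p) for p in quad.split("."))
    return parts if all(p <= 255 for p in parts) else None


def classify(received):
    """Return (helo_form, verdict) for a Received header value, or None when
    the HELO is not a valid IPv4 address in either form."""
    m = HELO_PEER.search(received)
    if m is None:
        return None
    helo, peer = _octets(m.group("helo")), _octets(m.group("peer"))
    if helo is None or peer is None:
        return None
    form = "literal" if m.group("lb") else "bare"
    return form, ("match" if helo == peer else "mismatch")


# First two values are shortened from the thread; the bare-HELO ones are constructed.
SAMPLES = {
    "literal_ok": "from [172.16.11.197] ([172.16.11.197]) by mail.avantwave.com",
    "literal_bad": "from [173.17.12.199] ([172.16.11.197]) by mail.avantwave.com",
    "bare_bad": "from 173.17.12.199 ([172.16.11.197]) by mail.avantwave.com",
    "bare_prefix": "from 172.16.11.19 ([172.16.11.197]) by mail.avantwave.com",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, bool(SARE.search(hdr)), classify(hdr))
```

The `bare_prefix` case shows a second gap besides the missing literal form: `(?!\1)` is a textual prefix test, so a HELO of 172.16.11.19 against a peer of 172.16.11.197 does not fire the quoted pattern even though the addresses differ.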
