https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6522
Summary: HELO_DYNAMIC_SPLIT_IP suboptimal
Product: Spamassassin
Version: 3.3.1
Platform: PC
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: Rules
AssignedTo: dev@spamassassin.apache.org
ReportedBy: ced...@gn.apc.org

HELO_DYNAMIC_SPLIT_IP peculiarly will hit "HELO 12.34.56.78.ahost.com", but not "HELO 12.3.45.67.ahost.com" (that is, with the second octet being only one decimal digit).

RCVD_NUMERIC_HELO will trigger on both, and also "HELO 12.34.56.78", which can give rise to some high scores when there is a rare FP.

The comment for the rule gives a case which does not start with a dotted quad address at all:

# 118.Red-80-35-201.pooles.rima-tde.net
header HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/

I would suggest replacing this with a rule that excludes the dotted-quad HELOs caught by RCVD_NUMERIC_HELO. I have tried this, and it hits more spam than the existing version, and no more ham.

header CK_HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/

I also submit the following related rules as getting a good S/O and covering dynamic HELOs not otherwise caught:

header CK_HELO_DYNAMIC_POOL X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i

header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^ a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /
meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !FH_HELO_EQ_D_D_D_D && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + RCVD_NUMERIC_HELO) <2))
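The matching behaviour described in the report above, as an added example that is not part of the original report or of SpamAssassin's code: it runs the existing and the proposed SPLIT_IP regexes, copied verbatim, over constructed relay entries. The relay-entry layout, the `relay_line` and `compare` helpers, and the dash-separated HELO are assumptions made for illustration.

```python
import re

# Regexes copied verbatim from the report. The constructs used (negated
# classes, negative lookahead) behave the same in Python's re as in Perl.
EXISTING = re.compile(
    r"^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]")
PROPOSED = re.compile(
    r"^[^\]]+ helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]")

# HELO strings quoted in the report, plus one constructed dash-separated name.
HELOS = [
    "12.34.56.78.ahost.com",                  # dotted quad + domain
    "12.3.45.67.ahost.com",                   # one-digit second octet
    "12.34.56.78",                            # bare dotted quad
    "118.Red-80-35-201.pooles.rima-tde.net",  # from the rule's comment
    "12-34-56-78.ahost.com",                  # constructed sample
]


def relay_line(helo):
    """Build one constructed X-Spam-Relays-Untrusted entry (assumed layout)."""
    return (f"[ ip=192.0.2.10 rdns= helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]")


def compare(helos=HELOS):
    """Return {helo: (existing_rule_hits, proposed_rule_hits)}."""
    result = {}
    for helo in helos:
        line = relay_line(helo)
        result[helo] = (bool(EXISTING.search(line)),
                        bool(PROPOSED.search(line)))
    return result


if __name__ == "__main__":
    # In EXISTING, \S+ must consume at least one character after "NN." before
    # the next \d+ can start, so the second octet needs two or more digits.
    # In PROPOSED, the lookahead rejects any HELO that opens with four
    # dot-terminated numbers, leaving those to RCVD_NUMERIC_HELO.
    print(f"{'HELO':40} existing proposed")
    for helo, (old, new) in compare().items():
        print(f"{helo:40} {old!s:8} {new!s}")
```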