On 4/17/25 7:50 PM, Michael Peddemors wrote:
On 2025-04-16 23:29, giova...@paclan.it wrote:
On 4/17/25 3:23 AM, John Hardin wrote:
On Wed, 16 Apr 2025, Giovanni Bechis wrote:

Hi,

__HELO_NOT_RDNS is defined as
header __HELO_NOT_RDNS    X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) 
helo=(?!(?i)\1)\S/

and it hits on a FPs.

Apr 16 11:02:44.414 [17868] dbg: rules: ran header rule __HELO_NOT_RDNS ======> got hit: 
"[ ip=52.100.155.200 rdns=mail-bn7nam10hn2200.outbound.protection.outlook.com 
helo=N"

It's intended to hit when the HELO isn't the sames as the rdns.

then Microsoft has some rdns issues.
I am going to lower some scores locally until Microsoft fixes their setup.
  Thanks
   Giovanni

Apr 16 11:02:41.469 [17868] dbg: metadata: X-Spam-Relays-External: [ 
ip=52.100.155.200 rdns=mail-bn7nam10hn2200.outbound.protection.outlook.com 
helo=NAM10-BN7-obe.outbound.protection.outlook.com by=srv.example.com ident=


helo=NAM10-BN...

does not match

rdns=mail-bn7...


It appears to me to be working as designed.

A failure would be a hit on a header with a *matching* HELO:

helo=mail-bn7nam10hn2200.outbound.protection.outlook.com





__HELO_NOT_RDNS is a powerful rule, but ONLY in conjunction with other 
conditions.. there is nothing wrong with a HELO being different from rDNS, 
there could be a internal naming convention for networks, while the email 
traffic exits a gateway with more public naming conventions..

You say you need to lower some scores, but this is probably not related to 
__HELO_NOT_RDNS.

GOOG_REDIR_NOTRDNS for example triggers on some FPs
 Giovanni

__HELO_NOT_RDNS is a valuable tool to help detect incorrectly configured 
servers, as well as specific snow shoe spammers, forgeries and other things.





Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to