On 4/17/25 7:50 PM, Michael Peddemors wrote:
On 2025-04-16 23:29, giova...@paclan.it wrote:On 4/17/25 3:23 AM, John Hardin wrote:On Wed, 16 Apr 2025, Giovanni Bechis wrote:Hi, __HELO_NOT_RDNS is defined as header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ and it hits on a FPs. Apr 16 11:02:44.414 [17868] dbg: rules: ran header rule __HELO_NOT_RDNS ======> got hit: "[ ip=52.100.155.200 rdns=mail-bn7nam10hn2200.outbound.protection.outlook.com helo=N"It's intended to hit when the HELO isn't the sames as the rdns.then Microsoft has some rdns issues. I am going to lower some scores locally until Microsoft fixes their setup. Thanks GiovanniApr 16 11:02:41.469 [17868] dbg: metadata: X-Spam-Relays-External: [ ip=52.100.155.200 rdns=mail-bn7nam10hn2200.outbound.protection.outlook.com helo=NAM10-BN7-obe.outbound.protection.outlook.com by=srv.example.com ident=helo=NAM10-BN... does not match rdns=mail-bn7... It appears to me to be working as designed. A failure would be a hit on a header with a *matching* HELO: helo=mail-bn7nam10hn2200.outbound.protection.outlook.com__HELO_NOT_RDNS is a powerful rule, but ONLY in conjunction with other conditions.. there is nothing wrong with a HELO being different from rDNS, there could be a internal naming convention for networks, while the email traffic exits a gateway with more public naming conventions.. You say you need to lower some scores, but this is probably not related to __HELO_NOT_RDNS.
GOOG_REDIR_NOTRDNS for example triggers on some FPs Giovanni
__HELO_NOT_RDNS is a valuable tool to help detect incorrectly configured servers, as well as specific snow shoe spammers, forgeries and other things.
OpenPGP_signature.asc
Description: OpenPGP digital signature