RE: HELO checks give too high score together
> > SA jello wrestling?
> > :)
> > --
> John Hardin

Hardin,

SA jello wrestling? now that is just sick. [sic]

...just not wanting to imagine a bunch of over caffeinated computer geeks rolling in jello...

Now, on the other hand, *jdow* and friends in jello might be much more interesting for those that are not already married. :-)

- rh
Re: HELO checks give too high score together
Karsten Bräckelmann wrote:
>
> So, please, can we *finally* drop that topic?
>
> If anyone new to the list happens to Cc you, just tell him. And
> everything should be ok.
>

+1.

Benny, if you are so violently opposed to the normal format of this list, I, in all seriousness, suggest you consider unsubscribing. This list may just not be the right community for you.

Loudly and repeatedly ranting about the list format will not convince us to change the format. Insulting members of the list isn't going to be effective either.

Please refrain from both behaviors.
RE: HELO checks give too high score together
On Wed, 2009-02-25 at 02:40 +0100, Benny Pedersen wrote:
> On Wed, February 25, 2009 02:31, Karsten Bräckelmann wrote:
> > So what do you fucking care if he does Cc me?
>
> uh :)
>
> i respect cc if its not posted on maillist also !

Well, the list is the most important part, sure, as long as it might be of general interest.

However, in some circumstances I do support and use personal Cc myself. Like replies to $forum users, who might or might not watch, if I happen to know the other guy's preference actually is to be Cc'ed, etc.

Anyway, I guess everyone by now knows about your preference to not be Cc'ed. Which is fine. And I seem to recall, everyone tries to respect that, regardless their personal habits.

So, please, can we *finally* drop that topic?

If anyone new to the list happens to Cc you, just tell him. And everything should be ok.

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: HELO checks give too high score together
> > Ummm Did you just ask Matt to unsubscribe?? He's one of the
> > developers. I think most of us would prefer that he stick around...
> > :)

On Wed, 2009-02-25 at 00:23 +0100, Benny Pedersen wrote:
> he one of the dumpest developpers to ? :)

Benny, could you please, at least occasionally, keep your opinion to yourself?

> if he really is then make a CC: spam stopper into the next
> spamassassin could be very usefull in the global world

Oh, and seriously -- cut out that stupid holy war against Cc. He did not Cc *you*, right? Actually, despite his habit, he did especially not Cc you even on a direct reply.

So what do you fucking care if he does Cc me?

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: HELO checks give too high score together
On Tue, 24 Feb 2009, RobertH wrote:

Ummm Did you just ask Matt to unsubscribe?? He's one of the developers. I think most of us would prefer that he stick around... :)

maybe Hardin will lend them each some guns and they can duke it out on the range or something ;-)

I think pugil sticks would be better for all concerned.

Shall we sell tickets?

SA jello wrestling?

:)

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public.
-- Theodore Roosevelt, 1918
---
1348 days until the Presidential Election
Re: HELO checks give too high score together
Bowie Bailey wrote:
> Benny Pedersen wrote:
>
>> On Tue, February 24, 2009 13:50, Matt Kettler wrote:
>>
>>> Matus UHLAR - fantomas wrote:
>>> I really wander why did you want to send me the mail privately. Do you really think It does not belong to this list?
>>> *shrug*.. again, it's very clear you don't want my help.
>>>
>> please unsubscribe, we dont need a maillist for being helpfull
>>
>
> Ummm Did you just ask Matt to unsubscribe?? He's one of the
> developers. I think most of us would prefer that he stick around... :)
>
>

For reference, I'm not a developer. However, I am a member of the project management committee, and I have contributed a few rules (ie: the drugs ruleset). However, I have no perl programming skills, so I can't really be called a developer.

Generally speaking most of what I do is a wide variety of "bug triage", and try to test and vote on patches for various bugs when I can.
RE: HELO checks give too high score together
>
> Ummm Did you just ask Matt to unsubscribe?? He's one of
> the developers. I think most of us would prefer that he
> stick around... :)
>
> --
> Bowie
>

maybe Hardin will lend them each some guns and they can duke it out on the range or something ;-)

- rh
Re: HELO checks give too high score together
On Wed, February 25, 2009 00:03, mouss wrote:
> what do you exactly mean?

why did you cc me here ?

sorry but i dont get it :/

--
http://localhost/ 100% uptime and 100% mirrored :)
RE: HELO checks give too high score together
On Tue, February 24, 2009 16:20, Bowie Bailey wrote:
> Ummm Did you just ask Matt to unsubscribe?? He's one of the
> developers. I think most of us would prefer that he stick around...
> :)

he one of the dumpest developpers to ? :)

if he really is then make a CC: spam stopper into the next spamassassin could be very usefull in the global world

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: HELO checks give too high score together
Benny Pedersen wrote:
> On Tue, February 24, 2009 13:50, Matt Kettler wrote:
>> Matus UHLAR - fantomas wrote:
>>> I really wander why did you want to send me the mail privately. Do
>>> you really think It does not belong to this list?
>> *shrug*.. again, it's very clear you don't want my help.
>
> please unsubscribe, we dont need a maillist for being helpfull
>

what do you exactly mean?
Re: HELO checks give too high score together
On Tue, 24 Feb 2009, Benny Pedersen wrote:

On Tue, February 24, 2009 13:50, Matt Kettler wrote:

Matus UHLAR - fantomas wrote:

I really wander why did you want to send me the mail privately. Do you really think It does not belong to this list?

*shrug*.. again, it's very clear you don't want my help.

please unsubscribe, we dont need a maillist for being helpfull

Please, folks, not on-list. This doesn't provide any value to anyone.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Ignorance is no excuse for a law.
---
1348 days until the Presidential Election
RE: HELO checks give too high score together
Benny Pedersen wrote:
> On Tue, February 24, 2009 13:50, Matt Kettler wrote:
> > Matus UHLAR - fantomas wrote:
> > > I really wander why did you want to send me the mail privately. Do
> > > you really think It does not belong to this list?
> > *shrug*.. again, it's very clear you don't want my help.
>
> please unsubscribe, we dont need a maillist for being helpfull

Ummm Did you just ask Matt to unsubscribe?? He's one of the developers. I think most of us would prefer that he stick around... :)

--
Bowie
Re: HELO checks give too high score together
On Tue, February 24, 2009 13:50, Matt Kettler wrote:
> Matus UHLAR - fantomas wrote:
>> I really wander why did you want to send me the mail privately. Do
>> you really think It does not belong to this list?
> *shrug*.. again, it's very clear you don't want my help.

please unsubscribe, we dont need a maillist for being helpfull

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: HELO checks give too high score together
> Matus UHLAR - fantomas wrote:
> > I really wander why did you want to send me the mail privately. Do
> > you really think It does not belong to this list?

On 24.02.09 07:50, Matt Kettler wrote:
> *shrug*.. again, it's very clear you don't want my help.

Sorry, not wanting direct mail and not wanting help from list members are two different things. If you insist that you'll help only by private mail, then don't call it "I don't want your help"

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
> I really wander why did you want to send me the mail privately. Do
> you really think It does not belong to this list?

*shrug*.. again, it's very clear you don't want my help.
Re: HELO checks give too high score together
On 21.02.09 13:11, Matt Kettler wrote:
> It seems clear to me that policies with false positives of up to 50% of
> their hits are acceptable to you, so the 0.4% false positive rate of the
> HELO message should be acceptable to you.

rfci is acceptable for me on my mail server, while (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO) may be a problem on my employer's mail server.

> Regardless, I'm disinclined to help someone complaining about rare false
> positive cases in SA while engaging in "aggressive" configurations for
> the rest of their systems that have false positive rates that are 2
> orders of magnitude larger.

so you wish, I commented the rest in other mail to this thread.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: HELO checks give too high score together
> > On Sat, February 21, 2009 19:11, Matt Kettler wrote:
> >> Very well, but you're also using a RBL with a known high risk of
> >> blocking nonspam email.

> Benny Pedersen wrote:
> > http://rfc-ignorant.org/tools/lookup.php?domain=verizon.net
> >
> > your "small" isp should really have power enough to solve the above
> > listning very easely, dont blame others using rfc-i for that

On 22.02.09 12:29, Matt Kettler wrote:
> Well, let's be clear here.
>
> I don't have a problem with people using RFCI, however they do need to
> realize the implications of doing so.
>
> RFCI has a *VERY* high rate of nonspam hits, because they, correctly,
> list many major ISPs. If you are sensitive to loosing mail, you should
> not use it as a SMTP layer reject, and score it very low, if at all, in
> a SA config. If you're fine with the implications, by all means use it.
> But do so knowing what it means.

I'm fully aware about consequences of using rfci blacklist at SMTP level. However since they are policy lists, not spam-blocking lists, I don't consider (most of) the positives as "false" (unless they fixed problem and forgot to tell rfci).

I started using them (on my personal server) when _many_ of my spam (and other) complaints got bounced because people do not care about RFC's, proper mail configuration and their own customers spamming.

> That said, personally, I will not provide assistance to anyone I can't
> email directly for off-list issues. Hence my post withdrawing myself
> from offering support.
>
> If Matus doesn't want email from RFCI domains, that's fine. However, to
> me this also means he does not want assistance from anyone subscribed to
> those domains. Since I am a verzion subscriber out of necessity, I'm
> simply following that. Nothing more.

I really wander why did you want to send me the mail privately. Do you really think It does not belong to this list?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
Re: HELO checks give too high score together
Benny Pedersen wrote:
> On Sat, February 21, 2009 19:11, Matt Kettler wrote:
>
>> Very well, but you're also using a RBL with a known high risk of
>> blocking nonspam email.
>>
>
> http://rfc-ignorant.org/tools/lookup.php?domain=verizon.net
>
> your "small" isp should really have power enough to solve the above
> listning very easely, dont blame others using rfc-i for that
>

Well, let's be clear here.

I don't have a problem with people using RFCI, however they do need to realize the implications of doing so.

RFCI has a *VERY* high rate of nonspam hits, because they, correctly, list many major ISPs. If you are sensitive to losing mail, you should not use it as a SMTP layer reject, and score it very low, if at all, in a SA config. If you're fine with the implications, by all means use it. But do so knowing what it means.

I was concerned about Matus, as he was complaining about a rare false positive from malformed HELOs causing loss of email. If he's concerned about such things, he should definitely NOT be using RFCI. If he's fine with losing mail that's malformed or from badly managed domains, then the HELO bit should be acceptable to him as well.

Matus is also free to do whatever he wants on his own servers. I do not particularly care if he will or will not accept email from verizon or other RFCI listed domains.

That said, personally, I will not provide assistance to anyone I can't email directly for off-list issues. Hence my post withdrawing myself from offering support.

If Matus doesn't want email from RFCI domains, that's fine. However, to me this also means he does not want assistance from anyone subscribed to those domains. Since I am a verizon subscriber out of necessity, I'm simply following that. Nothing more.

There's plenty of other members of the SA team who may choose to help on this issue, I've just withdrawn myself.

> please dont CC me, i read the maillist every day anyway
>

OK, I'll send you 50 copies as To instead of CC :-) (Kidding!!)
Re: HELO checks give too high score together
At 01:20 22-02-2009, Benny Pedersen wrote:

you dont know it either ?

The term "dynamic hostname" is used in intermediate system routing.

Regards,
-sm
Re: HELO checks give too high score together
Benny Pedersen wrote:
> On Sat, February 21, 2009 19:11, Matt Kettler wrote:
>> Very well, but you're also using a RBL with a known high risk of
>> blocking nonspam email.
>
> http://rfc-ignorant.org/tools/lookup.php?domain=verizon.net
>
> your "small" isp should really have power enough to solve the above
> listning very easely, dont blame others using rfc-i for that
>

they will do, as soon as these ones do:

yahoo.com
hotmail.com
gmail.com
aol.com
de

:)

> [snip]
Re: HELO checks give too high score together
Benny Pedersen wrote:
> On Sat, February 21, 2009 12:32, mouss wrote:
>>> rejecting because HELO does not match violates RFC. case open.
>> I said "invalid". a "bare" IP is invalid in helo, and has been since
>> 822.
>
> just use all helo rules that postfix can do pr default is better
> gives the answer on this one
>

I do reject these in postfix, but I don't reject them if they are in Received headers. rejecting based on headers should be avoided.

> if i remember postfix right:
>
> helo 127.0.0.1 is invalid
> helo [127.0.0.1] is valid
>

it's not postfix, it's SMTP. the thing is that a lot of people read "literal IP" without checking the syntax definition. The RFC authors were too optimistic!

> maybe i am wroung again :)))
>
Re: HELO checks give too high score together
Benny Pedersen wrote:
> On Sat, February 21, 2009 02:38, mouss wrote:
>> Matt Kettler wrote:
>>> Since you're bouncing any off-list emails because you reject my
>>> entire ISP, I'm going to drop out of aiding on this matter.
>> probably a rule that considers "vms173007pub.verizon.net" as a
>> dynamic name...
>
> why does a smtp server have dynamic hostname alike in the first place ?
>

you mean "generic"? well, if you have a /16 network, will you select names one by one?

some providers play games here and use a dictionary:

$ host 93.74.0.105
105.0.74.93.in-addr.arpa domain name pointer latheness-pair.volia.net.
$ host 93.74.0.106
106.0.74.93.in-addr.arpa domain name pointer practical-sheriff.volia.net.
...

I find this practice "worst". BTW, what will all these rdns checks become with IPv6?

> and why did the recipient not test spf ?
>

my bet was wrong. he was rejecting based on rfc-ignorant listing.

> http://old.openspf.org/wizard.html?mydomain=verizon.net&submit=Go!
>
>>> Fix your own domain's over-zealous behaviors first.
>
> 42
>
Re: HELO checks give too high score together
On Sun, February 22, 2009 09:15, SM wrote:
> What is a dynamic hostname?

you dont know it either ?

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: HELO checks give too high score together
On Sat, February 21, 2009 19:11, Matt Kettler wrote:
> Very well, but you're also using a RBL with a known high risk of
> blocking nonspam email.

http://rfc-ignorant.org/tools/lookup.php?domain=verizon.net

your "small" isp should really have power enough to solve the above listning very easely, dont blame others using rfc-i for that

please dont CC me, i read the maillist every day anyway

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: HELO checks give too high score together
At 23:16 21-02-2009, Benny Pedersen wrote:

why does a smtp server have dynamic hostname alike in the first place ?

What is a dynamic hostname?

Regards,
-sm
Re: HELO checks give too high score together
On Sat, February 21, 2009 12:32, mouss wrote:
>> rejecting because HELO does not match violates RFC. case open.
> I said "invalid". a "bare" IP is invalid in helo, and has been since
> 822.

just use all helo rules that postfix can do pr default is better gives the answer on this one

if i remember postfix right:

helo 127.0.0.1 is invalid
helo [127.0.0.1] is valid

maybe i am wroung again :)))

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: HELO checks give too high score together
On Sat, February 21, 2009 02:38, mouss wrote:
> Matt Kettler wrote:
>> Since you're bouncing any off-list emails because you reject my
>> entire ISP, I'm going to drop out of aiding on this matter.
> probably a rule that considers "vms173007pub.verizon.net" as a
> dynamic name...

why does a smtp server have dynamic hostname alike in the first place ?

and why did the recipient not test spf ?

http://old.openspf.org/wizard.html?mydomain=verizon.net&submit=Go!

>> Fix your own domain's over-zealous behaviors first.

42

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
> [snip]
>>
>> Are
>> - iol.cz
>> - telenet.cz
>> - hotelulipy.cz
>>
>> the same organisation?
>
>> if not, this is direct to MX junk.
>
> ...your presumption that the Received: header is the only one is false.
>

I didn't presume that. I was only looking at that one Received header, because it meant: some client in the .telenet.cz domain connected to a server in the .hotelulipy.cz domain and helo'ed with an IP in the .iol.cz domain. I would "understand" this if these domains belong to the same organisation, in which case NAT is a possible explanation.

>> BTW. which (legitimate and not outdated) mail clients helo with a bare IP?

a quick grep shows that something called "Gmexim" (is this a sort of "gmane patched exim"?) does so.

> [snip]
> Can someone please try to do
>
> meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)
>

I now realize that RCVD_NUMERIC_HELO also fires on valid "literal" IP helo, not only on "bare IP helo". the helo rules may need a review...

> and check, or should I fill

yes, please fill (I guess you meant a PR ;-p).
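
Added example, not part of any message in this thread and not SpamAssassin's rule code: the Python sketch below classifies the HELO argument of a Postfix-style Received: clause as bare IP, address literal or hostname, and evaluates two checks that only approximate the rule descriptions quoted in the thread. The check names `numeric_helo` and `helo_ip_mismatch`, the function names and the second sample header are assumptions made for illustration.

```python
"""Added example: how one malformed HELO trips two overlapping checks."""
import ipaddress
import re

# Received: fragment as quoted in the thread (queue id and recipient were elided there).
THREAD_RECEIVED = (
    "from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67]) "
    "by 8.hotelulipy.cz (Postfix) with SMTP id"
)
# Constructed variant: the same client announcing its own address as a valid literal.
LITERAL_RECEIVED = (
    "from [194.228.203.67] (67.kcity.telenet.cz [194.228.203.67]) "
    "by 8.hotelulipy.cz (Postfix) with SMTP id"
)

# Postfix-style clause: from <HELO argument> (<reverse DNS> [<client IP>])
_FROM = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?=.{1,253}$)%s(?:\.%s)*$" % (_LABEL, _LABEL))


def literal_ip(arg):
    """Return the address inside a valid SMTP address literal, else None.

    Valid forms are [a.b.c.d] and [IPv6:...]; anything else in brackets is rejected.
    """
    if not (arg.startswith("[") and arg.endswith("]")):
        return None
    inner = arg[1:-1]
    try:
        if inner[:5].lower() == "ipv6:":
            return ipaddress.IPv6Address(inner[5:])
        return ipaddress.IPv4Address(inner)
    except ValueError:
        return None


def bare_ip(arg):
    """Return the address if the HELO argument is an unbracketed IP, else None."""
    try:
        return ipaddress.ip_address(arg)
    except ValueError:
        return None


def classify_helo(arg):
    """Classify a HELO argument by syntax only."""
    if literal_ip(arg) is not None:
        return "address-literal"
    if bare_ip(arg) is not None:          # must be tested before the hostname pattern
        return "bare-ip"
    if _HOSTNAME.match(arg):
        return "hostname"
    return "invalid"


def analyse(received):
    """Extract HELO and client IP from one Received: clause and compare them."""
    m = _FROM.search(received)
    if m is None:
        raise ValueError("no 'from HELO (rdns [ip])' clause found")
    helo = m.group("helo")
    ip_text = m.group("ip")
    if ip_text[:5].lower() == "ipv6:":    # Postfix tags IPv6 client addresses
        ip_text = ip_text[5:]
    client = ipaddress.ip_address(ip_text)
    announced = literal_ip(helo)
    if announced is None:
        announced = bare_ip(helo)
    return {
        "helo": helo,
        "client_ip": str(client),
        "kind": classify_helo(helo),
        "syntax_ok": classify_helo(helo) in ("address-literal", "hostname"),
        "numeric": announced is not None,
        "ip_mismatch": announced is not None and announced != client,
    }


def hits(info):
    """Names of the hypothetical checks that fire for an analysed header."""
    fired = []
    if info["numeric"]:                   # fires for bare IPs *and* valid literals
        fired.append("numeric_helo")
    if info["ip_mismatch"]:               # can only fire when "numeric" is also true
        fired.append("helo_ip_mismatch")
    return fired


if __name__ == "__main__":
    for header in (THREAD_RECEIVED, LITERAL_RECEIVED):
        info = analyse(header)
        print(info["helo"], info["kind"], hits(info))
```

Because the mismatch check can only fire when the HELO is numeric, the two hits are not independent evidence, while the constructed literal case shows the numeric check alone firing on syntactically valid input.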
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
>>> On 21.02.09 12:18, mouss wrote:
Matus UHLAR - fantomas wrote:
> On 20.02.09 19:26, Matt Kettler wrote:
>> Since you're bouncing any off-list emails because you reject my entire
>> ISP, I'm going to drop out of aiding on this matter.
> I'm not rejecting "your ISP". I'm rejecting mail from addresses I could
> not
> complain back to.
>
>> Fix your own domain's over-zealous behaviors first.
> Fix your domain's RFC conformity first
so you're complaining about a high score for an invalid helo coupled with extremely weired 3-domains in a hop mail and at the same time rejecting mail from a large ISP because of rfci listing?

if you're fighting for rfc compliance, reject both, and the issue is closed ;-p
>
>> Matus UHLAR - fantomas wrote:
>>> rejecting because HELO does not match violates RFC. case open.
>
> On 21.02.09 12:32, mouss wrote:
>> I said "invalid". a "bare" IP is invalid in helo, and has been since 822.

correction: "since RFC 821", and not (year ;-) 822 ;-p

>
> good point, another thing to check for.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
> On 20.02.09 19:26, Matt Kettler wrote:
>
>> Since you're bouncing any off-list emails because you reject my entire
>> ISP, I'm going to drop out of aiding on this matter.
>>
>
> I'm not rejecting "your ISP". I'm rejecting mail from addresses I could not
> complain back to.
>

Very well, but you're also using a RBL with a known high risk of blocking nonspam email. This list was actually dropped from SA because the false positive rate became unacceptable, it actually matched more nonspam than it did spam! (51% of matches were nonspam and a total of 0.684% of all nonspam email matched this rule)

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4628

And you're doing this while requesting SA adjust a rule with very rare false positive. (0.4% of matches are nonspam, and a total of 0.0078% of all nonspam email hits this rule), on emails with garbage in the HELO.

It seems clear to me that policies with false positives of up to 50% of their hits are acceptable to you, so the 0.4% false positive rate of the HELO message should be acceptable to you.

>> Fix your own domain's over-zealous behaviors first.
>>
>
> Fix your domain's RFC conformity first
>

I do not control this domain, it's a national ISP with "only" a few million subscribers. My other option here is Comcast, who has by far more egregious in their behaviors.

Regardless, I'm disinclined to help someone complaining about rare false positive cases in SA while engaging in "aggressive" configurations for the rest of their systems that have false positive rates that are 2 orders of magnitude larger.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:

If there were two rules checking for exactly the same thing, both scoring 2.5 (we'd wonder if they has different score, right?), their combination would score 5.0, while meta rule matching both of them would get -2.5.

Can someone please try to do

meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)

and check, or should I fill

I don't really see the issue here. The mail failed on two counts and received a score for each. Each are separate issues and each are indicative of spam (or a grossly mis-configured MTA). IMHO they are scored appropriately. If YOU want to adjust the scoring or write a meta rule to only trigger if both rules hit then of course YOU are free to do so.

Personally I would just reject mail outright at the smtp level that's not helo'ing correctly at the smtp level and not even let it near SA to start with. If a MTA can't conform to basic RFCs about how to correctly helo then it has no place sending mail. If it's legitimate mail then I suspect the senders experience a lot of their mail not getting through. You'd think that would give them some incentive to fix things and conform to the RFCs.
Re: HELO checks give too high score together
> > On 21.02.09 12:18, mouss wrote:
> >> Matus UHLAR - fantomas wrote:
> >>> On 20.02.09 19:26, Matt Kettler wrote:
> Since you're bouncing any off-list emails because you reject my entire
> ISP, I'm going to drop out of aiding on this matter.
> >>> I'm not rejecting "your ISP". I'm rejecting mail from addresses I could
> >>> not
> >>> complain back to.
> >>>
> Fix your own domain's over-zealous behaviors first.
> >>> Fix your domain's RFC conformity first
> >> so you're complaining about a high score for an invalid helo coupled
> >> with extremely weired 3-domains in a hop mail and at the same time
> >> rejecting mail from a large ISP because of rfci listing?
> >>
> >> if you're fighting for rfc compliance, reject both, and the issue is
> >> closed ;-p

> Matus UHLAR - fantomas wrote:
> > rejecting because HELO does not match violates RFC. case open.

On 21.02.09 12:32, mouss wrote:
> I said "invalid". a "bare" IP is invalid in helo, and has been since 822.

good point, another thing to check for.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
Re: HELO checks give too high score together
> >> Matus UHLAR - fantomas wrote:
> >>> I've received e-mail that received score 4.9 just because of the same
> >>> problem - invalid HELO.
> >>>
> >>> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but
> >>> should
> >>> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> >>>
> >>> Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
> >>> by 8.hotelulipy.cz (Postfix) with SMTP id
> >>> for ;
> >>>
> >>> I think that combination above hits way too much.

> > On 20.02.09 08:56, Matt Kettler wrote:
> >> Why is a bogous HELO being generated in the first place? i.e.: why is
> >> an address literal used, but not the correct address literal?

> Matus UHLAR - fantomas wrote:
> > I guess this happenns for hosts behing NAT, that do not know the real IP
> > address under which they are accessing the internet.

On 21.02.09 02:19, mouss wrote:
> $ host 88.102.6.114
> 114.6.102.88.in-addr.arpa domain name pointer 114.6.broadband7.iol.cz.
>
> Are
> - iol.cz
> - telenet.cz
> - hotelulipy.cz
>
> the same organisation?

> if not, this is direct to MX junk.

...your presumption that the Received: header is the only one is false.

> BTW. which (legitimate and not outdated) mail clients helo with a bare IP?

However I may look at the e-mail again and more deeply, if you think.

> >> I've not seen a legitimate mail client do this, so I'm actually rather
> >> curious as to what happened. In the set0 mass-checks, this rule had a
> >> S/O of 0.996, which is *VERY* good.
> >
> > I've just seen another one...
> >
> > However the main problem is that most HELO rules fire independently
> > together

Ohh, that should be "more", not "most". Rephrasing: More rules checking the very similar thing fire independently together.

I guess that _the same_ error (invalid HELO) should not cause firing more rules with total score of nearly 5 (sum of those two: 5.0 4.919 4.899 4.904)

I have already filed similar bug and it got resolved by removing one of those rules (5682). You may also see bug 5488 concerning similar issue.

> try a meta that uses an AND and run a mass check. I'm sure I would get a
> score of 5 :)

I doubt so, unluckily I don't have corpus big enough to masschecks :(

If there were two rules checking for exactly the same thing, both scoring 2.5 (we'd wonder if they has different score, right?), their combination would score 5.0, while meta rule matching both of them would get -2.5.

Can someone please try to do

meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)

and check, or should I fill

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
> On 21.02.09 12:18, mouss wrote:
>> Matus UHLAR - fantomas wrote:
>>> On 20.02.09 19:26, Matt Kettler wrote:
Since you're bouncing any off-list emails because you reject my entire ISP, I'm going to drop out of aiding on this matter.
>>> I'm not rejecting "your ISP". I'm rejecting mail from addresses I could not
>>> complain back to.
>>>
Fix your own domain's over-zealous behaviors first.
>>> Fix your domain's RFC conformity first
>> so you're complaining about a high score for an invalid helo coupled
>> with extremely weired 3-domains in a hop mail and at the same time
>> rejecting mail from a large ISP because of rfci listing?
>>
>> if you're fighting for rfc compliance, reject both, and the issue is
>> closed ;-p
>
> rejecting because HELO does not match violates RFC. case open.

I said "invalid". a "bare" IP is invalid in helo, and has been since 822.
Re: HELO checks give too high score together
On 21.02.09 12:18, mouss wrote:
> Matus UHLAR - fantomas wrote:
> > On 20.02.09 19:26, Matt Kettler wrote:
> >> Since you're bouncing any off-list emails because you reject my entire
> >> ISP, I'm going to drop out of aiding on this matter.
> >
> > I'm not rejecting "your ISP". I'm rejecting mail from addresses I could not
> > complain back to.
> >
> >> Fix your own domain's over-zealous behaviors first.
> >
> > Fix your domain's RFC conformity first
>
> so you're complaining about a high score for an invalid helo coupled
> with extremely weired 3-domains in a hop mail and at the same time
> rejecting mail from a large ISP because of rfci listing?
>
> if you're fighting for rfc compliance, reject both, and the issue is
> closed ;-p

rejecting because HELO does not match violates RFC. case open.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
> On 20.02.09 19:26, Matt Kettler wrote:
>> Since you're bouncing any off-list emails because you reject my entire
>> ISP, I'm going to drop out of aiding on this matter.
>
> I'm not rejecting "your ISP". I'm rejecting mail from addresses I could not
> complain back to.
>
>> Fix your own domain's over-zealous behaviors first.
>
> Fix your domain's RFC conformity first

so you're complaining about a high score for an invalid helo coupled with extremely weired 3-domains in a hop mail and at the same time rejecting mail from a large ISP because of rfci listing?

if you're fighting for rfc compliance, reject both, and the issue is closed ;-p
Re: HELO checks give too high score together
On 20.02.09 19:26, Matt Kettler wrote:
> Since you're bouncing any off-list emails because you reject my entire
> ISP, I'm going to drop out of aiding on this matter.

I'm not rejecting "your ISP". I'm rejecting mail from addresses I could not complain back to.

> Fix your own domain's over-zealous behaviors first.

Fix your domain's RFC conformity first

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Re: HELO checks give too high score together
mouss wrote:
> Matt Kettler wrote:
>
>> Since you're bouncing any off-list emails because you reject my entire
>> ISP, I'm going to drop out of aiding on this matter.
>>
>>
>
> probably a rule that considers "vms173007pub.verizon.net" as a dynamic
> name...
>

No, rejecting anything listed postmaster.rfc-ignorant.org.

>
>> Fix your own domain's over-zealous behaviors first.
>>
>>
>
>
Re: HELO checks give too high score together
On Sat, 21 Feb 2009 02:19:30 +0100 mouss wrote:
> $ host 88.102.6.114
> 114.6.102.88.in-addr.arpa domain name pointer 114.6.broadband7.iol.cz.
>
> Are
> - iol.cz
> - telenet.cz
> - hotelulipy.cz
>
> the same organisation?
>
> if not, this is direct to MX junk.
>
> BTW. which (legitimate and not outdated) mail clients helo with a
> bare IP?

The OP didn't actually say it was a mail-client to server received header, or that it's spam. Since he's saying that the score is too high, and is speculating about it being due to NAT, I would assume it's a legitimate mail.
Re: HELO checks give too high score together
Matt Kettler wrote:
> Since you're bouncing any off-list emails because you reject my entire
> ISP, I'm going to drop out of aiding on this matter.

probably a rule that considers "vms173007pub.verizon.net" as a dynamic name...

> Fix your own domain's over-zealous behaviors first.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
>> Matus UHLAR - fantomas wrote:
>>> I've received e-mail that received score 4.9 just because of the same
>>> problem - invalid HELO.
>>>
>>> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
>>> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
>>>
>>> Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
>>> by 8.hotelulipy.cz (Postfix) with SMTP id
>>> for ;
>>>
>>> I think that combination above hits way too much.
>
> On 20.02.09 08:56, Matt Kettler wrote:
>> Why is a bogus HELO being generated in the first place? i.e.: why is an
>> address literal used, but not the correct address literal?
>
> I guess this happens for hosts behind NAT, that do not know the real IP
> address under which they are accessing the internet.

$ host 88.102.6.114
114.6.102.88.in-addr.arpa domain name pointer 114.6.broadband7.iol.cz.

Are
- iol.cz
- telenet.cz
- hotelulipy.cz

the same organisation?

if not, this is direct to MX junk.

BTW. which (legitimate and not outdated) mail clients helo with a bare IP?

>> I've not seen a legitimate mail client do this, so I'm actually rather
>> curious as to what happened. In the set0 mass-checks, this rule had a
>> S/O of 0.996, which is *VERY* good.
>
> I've just seen another one...
>
> However the main problem is that most HELO rules fire independently together

try a meta that uses an AND and run a mass check. I'm sure I would get a score of 5 :)
Re: HELO checks give too high score together
Since you're bouncing any off-list emails because you reject my entire ISP, I'm going to drop out of aiding on this matter.

Fix your own domain's over-zealous behaviors first.

Matus UHLAR - fantomas wrote:
>> Matus UHLAR - fantomas wrote:
>>
>>> I've received e-mail that received score 4.9 just because of the same
>>> problem - invalid HELO.
>>>
>>> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
>>> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
>>>
>>> Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
>>> by 8.hotelulipy.cz (Postfix) with SMTP id
>>> for ;
>>>
>>> I think that combination above hits way too much.
>
> On 20.02.09 08:56, Matt Kettler wrote:
>
>> Why is a bogus HELO being generated in the first place? i.e.: why is an
>> address literal used, but not the correct address literal?
>
> I guess this happens for hosts behind NAT, that do not know the real IP
> address under which they are accessing the internet.
>
>> I've not seen a legitimate mail client do this, so I'm actually rather
>> curious as to what happened. In the set0 mass-checks, this rule had a
>> S/O of 0.996, which is *VERY* good.
>
> I've just seen another one...
>
> However the main problem is that most HELO rules fire independently together
Re: HELO checks give too high score together
On Fri, 20 Feb 2009 15:11:42 +0100 Matus UHLAR - fantomas wrote:
> On 20.02.09 08:56, Matt Kettler wrote:
> > Why is a bogus HELO being generated in the first place? i.e.: why
> > is an address literal used, but not the correct address literal?
>
> I guess this happens for hosts behind NAT, that do not know the real
> IP address under which they are accessing the internet.

Note that none of the addresses are private. The test ignores private addresses and mismatched addresses from the same /24.
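The two HELO tests discussed in this thread, as an added example that is not part of any post and is not SpamAssassin's own code: a simplified Python approximation showing why both rules fire on the quoted Received header and how the private-address and same-/24 exemptions change the result. The function names, the regular expression, the reading of "same /24", and the assumption that the numeric-HELO test also skips private literals are illustrative; the scores are the ones reported in the thread.

```python
import ipaddress
import re

# Constructed from the Received header quoted in the thread (its id and
# recipient fields are already missing there).
SAMPLE = ("from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67]) "
          "by 8.hotelulipy.cz (Postfix) with SMTP")

# Scores as reported in the thread for the two rules.
SCORES = {"RCVD_NUMERIC_HELO": 2.1, "RCVD_HELO_IP_MISMATCH": 2.8}

# Postfix-style relay clause: from <helo> (<rdns> [<client ip>])
RELAY_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def to_ip(text):
    """Parse an IP address, bare or bracketed; return None if it is not one."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def helo_hits(received):
    """Names of the approximated HELO rules that fire for one Received header."""
    m = RELAY_RE.search(received)
    if m is None:
        return []
    helo, client = to_ip(m.group(1)), to_ip(m.group(3))
    if helo is None or client is None or helo.version != 4:
        return []                  # hostname HELO or unparsable relay: no hit
    if helo.is_private:
        return []                  # assumption: both tests skip private literals
    hits = ["RCVD_NUMERIC_HELO"]
    # Assumed reading of "same /24": client lies in the HELO literal's /24.
    if client not in ipaddress.ip_network(f"{helo}/24", strict=False):
        hits.append("RCVD_HELO_IP_MISMATCH")
    return hits

def helo_score(received):
    """Sum of the thread's scores for the rules that fire, to one decimal."""
    return round(sum(SCORES[name] for name in helo_hits(received)), 1)

if __name__ == "__main__":
    print(helo_hits(SAMPLE), helo_score(SAMPLE))
```

In this approximation a mismatch hit can only occur when the numeric-HELO test has already hit, so the two scores always stack on the same header.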
Re: HELO checks give too high score together
> Matus UHLAR - fantomas wrote:
> > I've received e-mail that received score 4.9 just because of the same
> > problem - invalid HELO.
> >
> > * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
> > * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> >
> > Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
> > by 8.hotelulipy.cz (Postfix) with SMTP id
> > for ;
> >
> > I think that combination above hits way too much.

On 20.02.09 08:56, Matt Kettler wrote:
> Why is a bogus HELO being generated in the first place? i.e.: why is an
> address literal used, but not the correct address literal?

I guess this happens for hosts behind NAT, that do not know the real IP address under which they are accessing the internet.

> I've not seen a legitimate mail client do this, so I'm actually rather
> curious as to what happened. In the set0 mass-checks, this rule had a
> S/O of 0.996, which is *VERY* good.

I've just seen another one...

However the main problem is that most HELO rules fire independently together

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
Re: HELO checks give too high score together
Matus UHLAR - fantomas wrote:
> Hello,
>
> I've received e-mail that received score 4.9 just because of the same
> problem - invalid HELO.
>
> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
>
> Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
> by 8.hotelulipy.cz (Postfix) with SMTP id
> for ;
>
> I think that combination above hits way too much.

Why is a bogus HELO being generated in the first place? i.e.: why is an address literal used, but not the correct address literal?

I've not seen a legitimate mail client do this, so I'm actually rather curious as to what happened. In the set0 mass-checks, this rule had a S/O of 0.996, which is *VERY* good.

OVERALL  SPAM%   HAM%    S/O    RANK  SCORE  NAME
1.197    1.8719  0.0078  0.996  0.86  2.40   RCVD_HELO_IP_MISMATCH

And that's a pretty large scale test of over 953k spam, and 540k nonspam emails. It matched a total of 43 of those nonspam messages.