I'm using SpamAssassin version 3.1.0 with default options, and have run into a serious false positive problem. When I receive mail from one of my correspondents, I get Received: lines like this one:

    Received: from adsl-71-133-227-154.dsl.pltn13.pacbell.net (71.133.227.154)
        (HELO genstor.com) (TLSv1/SSLv3 DHE-RSA-AES256-SHA 256/256)
        by scs.stanford.edu with SMTP; for [EMAIL PROTECTED];
        Wed, 07 Dec 2005 14:39:46 -0800 (PST)

That line alone is enough to flag a message as spam. It hits 3 different rules:

    2.7 HELO_DYNAMIC_DHCP    Relay HELO'd using suspicious hostname (DHCP)
    3.3 HELO_DYNAMIC_HCC     Relay HELO'd using suspicious hostname (HCC)
    3.4 HELO_DYNAMIC_IPADDR  Relay HELO'd using suspicious hostname (IP addr 1)

While I agree that maybe mail received from a DSL line like the above should get a few points, it seems unreasonable to push it so far above the default 5-point threshold--particularly when nothing else in the message hit any rules.

A friend has suggested this may be a bug in the way that SpamAssassin parses the Received header. Is this, in fact, a bug in SpamAssassin? Or is my SMTP server generating Received: headers using an incorrect format? (I don't see anything prohibiting that format in RFC 2822.)

Do people have suggestions for working around the problem (other than just re-scoring those three rules, which may be useful in other circumstances)?

Thanks,
David
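
Added example, not part of the original post and not SpamAssassin code: a small parser for the Received line quoted above that separates the name after "from", the IP and the parenthesised HELO token, then tests each name to show which field the dynamic-looking hostname occupies. The field layout is read off this one line, and the dynamic-hostname heuristic is an assumption made for illustration, not SpamAssassin's rule definitions.

```python
import re

# Received line copied from the post (address placeholder kept as the archive shows it).
RECEIVED = ("from adsl-71-133-227-154.dsl.pltn13.pacbell.net (71.133.227.154) "
            "(HELO genstor.com) (TLSv1/SSLv3 DHE-RSA-AES256-SHA 256/256) "
            "by scs.stanford.edu with SMTP; for [EMAIL PROTECTED]; "
            "Wed, 07 Dec 2005 14:39:46 -0800 (PST)")

# Layout assumed from this one line: from <name> (<ip>) (HELO <helo>) ... by <host>
LINE_RE = re.compile(
    r"^from\s+(?P<rdns>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+"
    r"\(HELO\s+(?P<helo>[^)\s]+)\).*?\bby\s+(?P<by>\S+)")

# Illustrative access-line keywords (hypothetical list, not SpamAssassin's rules).
ACCESS_WORDS = re.compile(
    r"(?:^|[.\-])(adsl|dsl|dhcp|dialup|cable|ppp|pool)(?=[.\-\d]|$)", re.I)

def parse_received(value):
    """Unfold the header value and split it into its named fields."""
    m = LINE_RE.match(" ".join(value.split()))
    if m is None:
        raise ValueError("Received line does not have the expected layout")
    return m.groupdict()

def embeds_ip(name, ip):
    """True if the hostname carries the IP's octets, in order or reversed."""
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[.\-]".join(seq) + r"(?!\d)"
        if re.search(pattern, name):
            return True
    return False

def looks_dynamic(name, ip):
    return embeds_ip(name, ip) or bool(ACCESS_WORDS.search(name))

def diagnose(value):
    """Report, per field, whether the name looks like a dynamic-pool hostname."""
    f = parse_received(value)
    return {"rdns": f["rdns"], "helo": f["helo"], "ip": f["ip"], "by": f["by"],
            "rdns_dynamic": looks_dynamic(f["rdns"], f["ip"]),
            "helo_dynamic": looks_dynamic(f["helo"], f["ip"])}

if __name__ == "__main__":
    for key, val in diagnose(RECEIVED).items():
        print(f"{key:13} {val}")
```

On this line the name after "from" matches the heuristic while the HELO token, genstor.com, does not, which is the comparison to make when checking whether HELO-specific rules are firing on the right field.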