Matus UHLAR - fantomas wrote:
> Hello,
>
> I've received e-mail that received score 4.9 just because of the same
> problem - invalid HELO.
>
> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
>
> Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
>     by 8.hotelulipy.cz (Postfix) with SMTP id <censored>
>     for <censored>; <date>
>
> I think that combination above hits way too much.

Why is a bogus HELO being generated in the first place? i.e.: why is an address literal used, but not the correct address literal?

I've not seen a legitimate mail client do this, so I'm actually rather curious as to what happened.

In the set0 mass-checks, this rule had a S/O of 0.996, which is *VERY* good.

OVERALL  SPAM%   HAM%    S/O    RANK  SCORE  NAME
  1.197  1.8719  0.0078  0.996  0.86   2.40  RCVD_HELO_IP_MISMATCH

And that's a pretty large scale test of over 953k spam, and 540k nonspam emails. It matched a total of 43 of those nonspam messages.
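The two conditions discussed in this thread, applied to the quoted Received header, as an added example that is not part of the original message and not SpamAssassin's own rule code. It assumes a Postfix-style `from HELO (rdns [ip])` layout, compares the HELO literal to the connecting IP exactly, and takes S/O as spam% / (spam% + ham%); all function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the header quoted in the thread (id, recipient and date were censored there).
SAMPLE = ("from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67]) "
          "by 8.hotelulipy.cz (Postfix) with SMTP id <censored>")

# Assumed Postfix-style layout: from <HELO> (<reverse DNS> [<connecting IP>])
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)")

def helo_as_ip(helo):
    """Return the address if HELO is a bare or bracketed IPv4 literal, else None."""
    try:
        return ipaddress.IPv4Address(helo.strip("[]"))
    except ValueError:
        return None

def check_received(header):
    """Report whether HELO is numeric and whether it differs from the peer IP."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None  # layout not recognised; make no claim about the header
    peer = m.group("ip")
    if peer.lower().startswith("ipv6:"):  # Postfix prefixes IPv6 peers this way
        peer = peer[5:]
    peer_ip = ipaddress.ip_address(peer)
    helo_ip = helo_as_ip(m.group("helo"))
    numeric = helo_ip is not None
    return {
        "helo": m.group("helo"),
        "peer_ip": str(peer_ip),
        "numeric_helo": numeric,
        # A mismatch is only meaningful when the HELO claims to be an address.
        "helo_ip_mismatch": numeric and helo_ip != peer_ip,
    }

def s_over_o(spam_pct, ham_pct):
    """Share of a rule's hits that land on spam, from the SPAM% and HAM% columns."""
    return spam_pct / (spam_pct + ham_pct)

if __name__ == "__main__":
    print(check_received(SAMPLE))
    print(round(s_over_o(1.8719, 0.0078), 3))
```

A HELO that is a hostname sets neither flag, and a literal equal to the connecting address sets only the numeric one, which is why the quoted message collected both scores at once.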