Hello,

I'm getting a lot of FPs from FH_FAKE_RCVD_LINE_B RCVD line looks faked
(B) since the default score for this rule is a whopping 4.000.

It's matching on this header:

Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010
18:02:23 -0400

This rule matches the ISP Cox Communication residential customers using
their webmail service. For now I've made a rule negating
FH_FAKE_RCVD_LINE_B RCVD for Cox, but will someone educate me as to what
it is that makes this header look faked?

For reference, here's the (probably wrapped) rule:
Received =~
/from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/i

Thanks!
-- Mike
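As an added example (not part of Mike's post or of SpamAssassin itself), the script below applies the quoted FH_FAKE_RCVD_LINE_B regex to the Cox header from the post and to two constructed Received lines, cutting the pattern into the three things it requires so you can see which requirement a header fails; the function names, the two constructed headers and the hostnames in them are assumptions.

```python
import re

# FH_FAKE_RCVD_LINE_B exactly as quoted in the post; SpamAssassin applies it
# to each Received header with the /i flag.
RULE = (
    r"from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);"
    r"\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}"
)
FH_FAKE_RCVD_LINE_B = re.compile(RULE, re.IGNORECASE)

# The same pattern split into the three requirements it imposes, in order, so a
# non-matching header can be attributed to the first requirement it fails.
REQUIREMENTS = [
    ("bare IPv4 after 'from' (no client hostname)",
     r"from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),
    ("'by' host in .com/.net/.org/.biz followed directly by ';' (no 'with'/'id' clause)",
     r"\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);"),
    ("date stamp right after the ';'",
     r"\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}"),
]


def unfold(header: str) -> str:
    """Join folded continuation lines, as the header looks when a rule sees it."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def check_received(header: str) -> dict:
    """Report whether the rule fires and which of its requirements the header meets."""
    text = unfold(header)
    met, pattern = [], ""
    for name, piece in REQUIREMENTS:
        pattern += piece  # grow the regex one requirement at a time
        if not re.search(pattern, text, re.IGNORECASE):
            break
        met.append(name)
    return {"hits": FH_FAKE_RCVD_LINE_B.search(text) is not None, "met": met}


# Sample headers: "cox_webmail" is the one quoted in the post (folded as shown);
# the other two are constructed for contrast.
SAMPLES = {
    "cox_webmail": "Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010\n 18:02:23 -0400",
    "with_clause": "Received: from 192.0.2.10 by webmail.example.net with HTTP id 4c2; Mon, 28 Jun 2010 18:02:23 -0400",
    "normal_mta": "Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net with ESMTP id abc; Mon, 28 Jun 2010 18:02:23 -0400",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, check_received(hdr))
```

The Cox line satisfies all three requirements, so the rule fires; the constructed "with_clause" line has the same bare IP but fails as soon as anything sits between the "by" host and the ";", which is what the regex treats as the normal shape of a Received line.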
