Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/05/16 01:16:13 UTC

FSL_HELO_HOME FPs

Hi,

I'm seeing a lot of FPs involving FSL_HELO_HOME due to its extremely high score:

 *  3.7 FSL_HELO_HOME No description available.

Is that score really warranted? For example:

Received: from host82.torus.pl (91.209.116.82) (HELO [192.168.20.7])
 by sedan1.home.pl (89.161.160.215) with SMTP (IdeaSmtpServer v0.80.2)
 id 74a9561edc57ecb3; Wed, 11 May 2016 09:57:10 +0200

It appears to be triggered based on the "home" in the hostname?

What was the intention of this rule? To catch mail with "home" in the
HELO string?

This seems to be quite prevalent with mail received from abroad.
Perhaps they just do things differently there or something??

Re: FSL_HELO_HOME FPs

Posted by John Hardin <jh...@impsec.org>.
On Sun, 15 May 2016, Alex wrote:

>> I'm seeing a lot of FPs involving FSL_HELO_HOME due to its extremely high score:
>>
>>  *  3.7 FSL_HELO_HOME No description available.
>
> Oops, it's been a really busy week for me and just haven't been able
> to keep up with the volume the past couple of days. Apparently there's
> been some discussion of this rule already :-)

Plus the update that just went out (1743621) doesn't score it at all, so 
it will use the default of 1.0, and it's been disabled in the sandbox so 
the next update will remove it entirely.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The real opiate of the masses isn't religion; it's the belief that
   somewhere there is a benefit that can be delivered without a
   corresponding cost.                       -- Tom of "Radio Free NJ"
-----------------------------------------------------------------------
  145 days since the first successful real return to launch site (SpaceX)

Re: FSL_HELO_HOME FPs

Posted by Alex <my...@gmail.com>.
> I'm seeing a lot of FPs involving FSL_HELO_HOME due to its extremely high score:
>
>  *  3.7 FSL_HELO_HOME No description available.

Oops, it's been a really busy week for me and just haven't been able
to keep up with the volume the past couple of days. Apparently there's
been some discussion of this rule already :-)

Re: FSL_HELO_HOME FPs

Posted by Reindl Harald <h....@thelounge.net>.

On 17.05.2016 at 03:28, Alex wrote:
> Hi,
>
> On Mon, May 16, 2016 at 9:15 AM, RW <rw...@googlemail.com> wrote:
>> On Sun, 15 May 2016 20:58:41 -0700 (PDT)
>> John Hardin wrote:
>>
>>> On Sun, 15 May 2016, Alex wrote:
>>>
>>>> Is that score really warranted? For example:
>>>>
>>>> Received: from host82.torus.pl (91.209.116.82) (HELO [192.168.20.7])
>>>> by sedan1.home.pl (89.161.160.215) with SMTP (IdeaSmtpServer
>>>> v0.80.2) id 74a9561edc57ecb3; Wed, 11 May 2016 09:57:10 +0200
>>>>
>>>> It appears to be triggered based on the "home" in the hostname?
>>>>
>>>> What was the intention of this rule? To catch mail with "home" in
>>>> the HELO string?
>>>
>>> A HELO that ends with ".home", regardless of the hostname. Your
>>> example above should not have hit that rule.
>>
>> It only requires a boundary after "home".
>
> Have we looked at some of the other FSL_ rules? Do we have any reason
> to believe they may also be scored too high or disproportionately tag
> ham?
>
> I've seen a significant number of FSL_HELO_BARE_IP_2 also hitting a
> lot of ham, and just wanted to make sure, with such a high score, it
> was also not FP prone...

http://comments.gmane.org/gmane.mail.spam.spamassassin.general/150742

http://spamassassin.1065346.n5.nabble.com/RCVD-NUMERIC-HELO-td120003.html



Re: FSL_HELO_HOME FPs

Posted by RW <rw...@googlemail.com>.
On Mon, 16 May 2016 21:28:40 -0400
Alex wrote:


> I've seen a significant number of FSL_HELO_BARE_IP_2 also hitting a
> lot of ham, and just wanted to make sure, with such a high score, it
> was also not FP prone...

Is that recently? Before February there was a bug that caused most of
what should have hit FSL_HELO_BARE_IP_1 to hit FSL_HELO_BARE_IP_2
instead. This may have caused the score of FSL_HELO_BARE_IP_2 to be
artificially high. It's also now been limited to 1.5.

Re: FSL_HELO_HOME FPs

Posted by Alex <my...@gmail.com>.
Hi,

On Mon, May 16, 2016 at 9:15 AM, RW <rw...@googlemail.com> wrote:
> On Sun, 15 May 2016 20:58:41 -0700 (PDT)
> John Hardin wrote:
>
>> On Sun, 15 May 2016, Alex wrote:
>>
>> > Is that score really warranted? For example:
>> >
>> > Received: from host82.torus.pl (91.209.116.82) (HELO [192.168.20.7])
>> > by sedan1.home.pl (89.161.160.215) with SMTP (IdeaSmtpServer
>> > v0.80.2) id 74a9561edc57ecb3; Wed, 11 May 2016 09:57:10 +0200
>> >
>> > It appears to be triggered based on the "home" in the hostname?
>> >
>> > What was the intention of this rule? To catch mail with "home" in
>> > the HELO string?
>>
>> A HELO that ends with ".home", regardless of the hostname. Your
>> example above should not have hit that rule.
>
> It only requires a boundary after "home".

Have we looked at some of the other FSL_ rules? Do we have any reason
to believe they may also be scored too high or disproportionately tag
ham?

I've seen a significant number of FSL_HELO_BARE_IP_2 also hitting a
lot of ham, and just wanted to make sure, with such a high score, it
was also not FP prone...

Re: FSL_HELO_HOME FPs

Posted by RW <rw...@googlemail.com>.
On Sun, 15 May 2016 20:58:41 -0700 (PDT)
John Hardin wrote:

> On Sun, 15 May 2016, Alex wrote:
> 
> > Is that score really warranted? For example:
> >
> > Received: from host82.torus.pl (91.209.116.82) (HELO [192.168.20.7])
> > by sedan1.home.pl (89.161.160.215) with SMTP (IdeaSmtpServer
> > v0.80.2) id 74a9561edc57ecb3; Wed, 11 May 2016 09:57:10 +0200
> >
> > It appears to be triggered based on the "home" in the hostname?
> >
> > What was the intention of this rule? To catch mail with "home" in
> > the HELO string?  
> 
> A HELO that ends with ".home", regardless of the hostname. Your
> example above should not have hit that rule.

It only requires a boundary after "home".
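
The two readings of the rule discussed above (a HELO that ends with ".home" versus a match that only needs a word boundary after "home"), as an added example that is not part of the original thread and is not SpamAssassin's rule code. Both regular expressions are assumptions written for illustration, since the rule's actual pattern is not quoted in the thread; the sample names other than those in the quoted Received header are constructed.

```python
import re

# Assumed patterns (not the real FSL_HELO_HOME regex, which the thread does not quote).
BOUNDARY_ONLY = re.compile(r"\.home\b", re.IGNORECASE)    # "a boundary after home"
END_ANCHORED = re.compile(r"\.home\.?$", re.IGNORECASE)   # "ends with .home"

# Field extractors for the Received format quoted in the thread.
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)")
BY_RE = re.compile(r"\bby\s+(\S+)")

# Received header as quoted in the thread.
RECEIVED = (
    "Received: from host82.torus.pl (91.209.116.82) (HELO [192.168.20.7])\n"
    " by sedan1.home.pl (89.161.160.215) with SMTP (IdeaSmtpServer v0.80.2)\n"
    " id 74a9561edc57ecb3; Wed, 11 May 2016 09:57:10 +0200"
)

# Constructed sample names for comparison.
SAMPLES = ["laptop.home", "PC.HOME.", "pc.homework.example", "home.example.com"]


def parse_received(header):
    """Unfold the header and return (helo, by_host), or None for a missing field."""
    unfolded = " ".join(header.split())
    helo = HELO_RE.search(unfolded)
    by = BY_RE.search(unfolded)
    return (helo.group(1) if helo else None, by.group(1) if by else None)


def classify(name):
    """Report which of the two assumed patterns matches a single name."""
    return {
        "boundary_only": bool(BOUNDARY_ONLY.search(name)),
        "end_anchored": bool(END_ANCHORED.search(name)),
    }


def boundary_only_hits(names):
    """Names the boundary pattern flags although they do not end in .home."""
    return [n for n in names
            if classify(n)["boundary_only"] and not classify(n)["end_anchored"]]


if __name__ == "__main__":
    helo, by_host = parse_received(RECEIVED)
    for name in [helo, by_host] + SAMPLES:
        print(f"{name:22} {classify(name)}")
    print("boundary-only hits:", boundary_only_hits([helo, by_host] + SAMPLES))
```

The dot that follows "home" in a name such as sedan1.home.pl is itself a word boundary, so only the end-anchored form restricts the match to a trailing ".home" label.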

Re: FSL_HELO_HOME FPs

Posted by John Hardin <jh...@impsec.org>.
On Sun, 15 May 2016, Alex wrote:

> Is that score really warranted? For example:
>
> Received: from host82.torus.pl (91.209.116.82) (HELO [192.168.20.7])
> by sedan1.home.pl (89.161.160.215) with SMTP (IdeaSmtpServer v0.80.2)
> id 74a9561edc57ecb3; Wed, 11 May 2016 09:57:10 +0200
>
> It appears to be triggered based on the "home" in the hostname?
>
> What was the intention of this rule? To catch mail with "home" in the
> HELO string?

A HELO that ends with ".home", regardless of the hostname. Your example 
above should not have hit that rule.
