Posted to users@spamassassin.apache.org by Magnus Holmgren <ho...@lysator.liu.se> on 2005/12/03 16:33:28 UTC

FORGED_RCVD_HELO - what is a forgery?

If I'm not mistaken, SpamAssassin awards FORGED_RCVD_HELO (OK, only 0,
0, 0, or 0.1 points, but we're talking principles here) whenever the HELO
name presented by an untrusted host doesn't match either the IP address
or resolved name reported by the receiving MTA, according to the text in
the headers.

What I am wondering is this: Clearly it's a violation if you make
something up and say HELO hotmail.com, for instance (incidentally,
that's exactly what Hotmail themselves do, calling for a hard-coded(!)
whitelisting by helo_forgery_whitelisted()). But if you present a FQDN
that does resolve to the IP you're connecting from, I think that should
be fully acceptable even if it doesn't match the reverse for your host
address. The reason is that you often don't control the RDNS for your IP
and by telling the other end what *you* call your MTA you provide them
with more direct contact information. Sure, spammers can provide a
legitimate-looking domain with bogus whois info as a red herring, but do
they bother?

In practice it may be right to treat all such mismatches alike instead
of doing a forward lookup on the HELO name (but isn't that done
anyway?), but am I correct in principle?

Regards,
-- 
Magnus Holmgren
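The distinction the post draws (HELO equal to the rDNS name, HELO that merely forward-resolves to the connecting IP, an IP literal, or a name with no relation to the connection) can be checked mechanically from the Received header. The following is an added example, not SpamAssassin's own code and not something from the thread; the header lines and the DNS answers are constructed for the example (documentation addresses and .example names), and the resolver is injected so the code runs offline. The "forward-confirmed" verdict is exactly the case the post argues should be acceptable.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Received header shape emitted by Sendmail/Postfix-style MTAs:
#   from <helo> (<rdns> [<ip>]) by <host> ...
# The rDNS part is optional; MTAs emit "(unknown [ip])" or "([ip])" when the
# PTR lookup failed or was not attempted.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+",
    re.IGNORECASE,
)

Resolver = Callable[[str], List[str]]


def parse_received(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract HELO name, rDNS name and IP from one Received header.

    Header folding is collapsed first. Returns None when the header does not
    carry the "(rdns [ip])" clause, e.g. trusted internal hops.
    """
    flat = " ".join(header.split())
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    rdns = m.group("rdns")
    if rdns and rdns.lower() == "unknown":
        rdns = None
    return {"helo": m.group("helo"), "rdns": rdns, "ip": m.group("ip")}


def classify_helo(helo: str, rdns: Optional[str], ip: str, resolve: Resolver) -> str:
    """Compare the HELO name against the connection data the MTA recorded.

    Verdicts, from strongest to weakest evidence of honesty:
      rdns-match        HELO equals the reverse name of the connecting IP
      forward-confirmed HELO differs from rDNS but resolves to the connecting IP
      ip-literal        HELO is the connecting address in [brackets]
      forged            HELO neither matches rDNS nor resolves to the IP
    """
    name = helo.lower().strip("[]")
    if name == ip.lower():
        return "ip-literal"
    if rdns and name == rdns.lower():
        return "rdns-match"
    try:
        addrs = resolve(name)  # forward (A/AAAA) lookup of the HELO name
    except (socket.gaierror, OSError):
        addrs = []
    if ip in addrs:
        return "forward-confirmed"
    return "forged"


def check_headers(headers: List[str], resolve: Resolver) -> List[Tuple[str, str]]:
    """Classify every parseable Received header; returns (helo, verdict) pairs."""
    out = []
    for h in headers:
        parsed = parse_received(h)
        if parsed is None:
            continue
        out.append((parsed["helo"], classify_helo(parsed["helo"], parsed["rdns"], parsed["ip"], resolve)))
    return out


def system_resolve(name: str) -> List[str]:
    """Real forward lookup for use outside the offline example."""
    return socket.gethostbyname_ex(name)[2]


# Constructed DNS answers (not real records) so the example runs offline.
CONSTRUCTED_DNS = {
    "mail.example.org": ["192.0.2.10"],
    "mta.example.com": ["192.0.2.20"],
    "webmail.example": ["198.51.100.99"],
}


def fake_resolve(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name.lower(), [])


# Constructed Received headers covering the four cases.
SAMPLE_HEADERS = [
    "from mail.example.org (mail.example.org [192.0.2.10])\n\tby mx.example.net (Postfix) with ESMTP id A1 for <u@example.net>; Sat, 3 Dec 2005 16:33:28 +0000",
    "from mta.example.com (dsl-20.isp.example [192.0.2.20])\n\tby mx.example.net (Postfix) with ESMTP id A2; Sat, 3 Dec 2005 16:34:00 +0000",
    "from webmail.example (unknown [198.51.100.5])\n\tby mx.example.net (Postfix) with ESMTP id A3; Sat, 3 Dec 2005 16:35:00 +0000",
    "from [203.0.113.7] ([203.0.113.7])\n\tby mx.example.net (Postfix) with ESMTP id A4; Sat, 3 Dec 2005 16:36:00 +0000",
]

if __name__ == "__main__":
    for helo, verdict in check_headers(SAMPLE_HEADERS, fake_resolve):
        print(f"{helo:20s} {verdict}")
```

Only "forged" corresponds to the situation the rule is named for; the second sample (mta.example.com presenting a name that forward-resolves to its IP while the ISP's PTR says something else) is the case the post argues should not count against the sender, and whether a rule treats it separately comes down to whether it performs that forward lookup at all.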

Re: FORGED_RCVD_HELO - what is a forgery?

Posted by Matt Kettler <mk...@comcast.net>.
At 10:33 AM 12/3/2005, Magnus Holmgren wrote:
>If I'm not mistaken, SpamAssassin awards FORGED_RCVD_HELO (OK, only 0,
>0, 0, or 0.1 points, but we're talking principles here) whenever the HELO
>name presented by an untrusted host doesn't match either the IP address
>or resolved name reported by the receiving MTA, according to the text in
>the headers.
>
>What I am wondering is this: Clearly it's a violation if you make
>something up and say HELO hotmail.com, for instance (incidentally,
>that's exactly what Hotmail themselves do, calling for a hard-coded(!)
>whitelisting by helo_forgery_whitelisted()). But if you present a FQDN
>that does resolve to the IP you're connecting from, I think that should
>be fully acceptable even if it doesn't match the reverse for your host
>address. The reason is that you often don't control the RDNS for your IP
>and by telling the other end what *you* call your MTA you provide them
>with more direct contact information. Sure, spammers can provide a
>legitimate-looking domain with bogus whois info as a red herring, but do
>they bother?
>
>In practice it may be right to treat all such mismatches alike instead
>of doing a forward lookup on the HELO name (but isn't that done
>anyway?), but am I correct in principle?


Yes, although there are some dolts out there that will refuse mail from you 
if HELO != RDNS of IP.

Certainly the mismatch is highly common, and I think the devs mostly keep 
this rule around for informational purposes.
Look at the statistics:

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME

  23.352  19.2045  33.0225    0.368   0.26    0.14  FORGED_RCVD_HELO

It's got a S/O of 0.368, meaning that only 36.8% of the messages matching 
this rule were in the spam corpus. The rest were nonspam.