Posted to users@spamassassin.apache.org by Mike Grau <m....@kcc.state.ks.us> on 2010/06/29 16:56:40 UTC

FPs on FH_FAKE_RCVD_LINE_B

Hello,

I'm getting a lot of FPs from FH_FAKE_RCVD_LINE_B RCVD line looks faked
(B) since the default score for this rule is a whopping 4.000.

It's matching on this header:

Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010
18:02:23 -0400

This rule matches the ISP Cox Communication residential customers using
their webmail service. For now I've made a rule negating
FH_FAKE_RCVD_LINE_B RCVD for Cox, but will someone educate me as to what
it is that makes this header look faked?

For reference, here's the (probably wrapped) rule:
Received =~
/from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/i

Thanks!
-- Mike

Re: FPs on FH_FAKE_RCVD_LINE_B

Posted by Mike Grau <m....@kcc.state.ks.us>.
> 
> I believe the issue is that there are no brackets around the IP.  The
> line should look like this:
> 
> Received: from [68.103.178.110] by webmail.east.cox.net; Mon, 28 Jun 2010 18:02:23 -0400
> 
> 

Ah, right! Thanks!

( Drat, sorry about the reply to poster rather than list. )

Re: FPs on FH_FAKE_RCVD_LINE_B

Posted by Bowie Bailey <Bo...@BUC.com>.
Mike Grau wrote:
> Hello,
>
> I'm getting a lot of FPs from FH_FAKE_RCVD_LINE_B RCVD line looks faked
> (B) since the default score for this rule is a whopping 4.000.
>
> It's matching on this header:
>
> Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010
> 18:02:23 -0400
>
> This rule matches the ISP Cox Communication residential customers using
> their webmail service. For now I've made a rule negating
> FH_FAKE_RCVD_LINE_B RCVD for Cox, but will someone educate me as to what
> it is that makes this header look faked?
>
> For reference, here's the (probably wrapped) rule:
> Received =~
> /from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*\d{2}:\d{2}:\d{2}\s*[-+]\d{4}/i
>   

I believe the issue is that there are no brackets around the IP.  The
line should look like this:

Received: from [68.103.178.110] by webmail.east.cox.net; Mon, 28 Jun 2010 18:02:23 -0400


-- 
Bowie
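To make Bowie's explanation concrete, here is an added Python example (my own code, not part of the thread and not SpamAssassin's implementation) that runs the FH_FAKE_RCVD_LINE_B regex quoted in Mike's post, joined back onto one line, over the two Received lines from the thread. The header-unfolding helper and the bracket check are assumptions of mine, written to mimic how a rule engine would see the header.

```python
import re

# FH_FAKE_RCVD_LINE_B exactly as quoted in the thread, joined back onto one line.
# Note there is no "\[" anywhere in it: an IP literal in square brackets can never match.
FH_FAKE_RCVD_LINE_B = re.compile(
    r"from\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s*by\s*"
    r"[a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz);\s*"
    r"[SMTWF].{2},\s*\d{1,2}\s*[JFMASOND].{2,5}\s*\d{4}\s*"
    r"\d{2}:\d{2}:\d{2}\s*[-+]\d{4}",
    re.IGNORECASE,
)

# The two headers from the thread: the Cox webmail line that fired the rule
# (folded across two lines, as it arrived) and the bracketed form Bowie expects.
COX_RECEIVED = ("Received: from 68.103.178.110 by webmail.east.cox.net; Mon, 28 Jun 2010\n"
                " 18:02:23 -0400")
BRACKETED_RECEIVED = ("Received: from [68.103.178.110] by webmail.east.cox.net; "
                      "Mon, 28 Jun 2010 18:02:23 -0400")


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines (newline + whitespace) into one value."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def header_value(header: str) -> str:
    """Drop the 'Received:' field name so only the value is matched (assumed behaviour)."""
    _name, _sep, value = unfold(header).partition(":")
    return value.strip()


def rule_hits(header: str) -> bool:
    """True when FH_FAKE_RCVD_LINE_B would fire on this Received header."""
    return FH_FAKE_RCVD_LINE_B.search(header_value(header)) is not None


def ip_is_bracketed(header: str) -> bool:
    """True when the 'from' clause carries an address literal in [], as a real MTA writes it."""
    pattern = r"from\s*\[\d{1,3}(?:\.\d{1,3}){3}\]"
    return re.search(pattern, header_value(header), re.IGNORECASE) is not None


if __name__ == "__main__":
    for label, hdr in (("Cox webmail", COX_RECEIVED), ("bracketed", BRACKETED_RECEIVED)):
        print(f"{label:12s} bracketed={ip_is_bracketed(hdr)!s:5s} rule_hits={rule_hits(hdr)}")
```

Swapping the unbracketed IP for the bracketed one is the only difference between the two inputs, and it alone decides whether the 4.0-point rule fires.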