Posted to users@spamassassin.apache.org by Thomas Harold <th...@nybeta.com> on 2013/08/08 05:29:49 UTC

FSL_HELO_BARE_IP_2 rule?

Not documented on the wiki:
http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2

FSL_HELO_BARE_IP_1 is documented as:
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i

Anyone know what the goal of FSL_HELO_BARE_IP_2 is?

Re: FSL_HELO_BARE_IP_2 rule?

Posted by RW <rw...@googlemail.com>.
It's not just FSL_HELO_BARE_IP_1 and FSL_HELO_BARE_IP_2 that overlap.

There's also

 RCVD_NUMERIC_HELO
 TVD_RCVD_IP
 TVD_RCVD_IP4



Re: FSL_HELO_BARE_IP_2 rule?

Posted by RW <rw...@googlemail.com>.
On Thu, 08 Aug 2013 10:32:12 +0100
Steve Freegard wrote:


> FSL_HELO_BARE_IP_1 looks at only the last external IP address,
> whereas FSL_HELO_BARE_IP_2 looks at all external received hops.

FSL_HELO_BARE_IP_2 also matches on hostnames like 1.2.3.4.example.com,
which I think is probably a mistake.



> FSL_HELO_BARE_IP_2 should probably be meta'd to only hit if 
> FSL_HELO_IP_1 doesn't hit to prevent a double hit if the last
> external is a raw IP.
> 
> I'll create an FSL_HELO_BARE_IP_3 rule as a meta 

There's no need for a meta, you can just have FSL_HELO_BARE_IP_2 skip
the first [...] section.


Re: FSL_HELO_BARE_IP_2 rule?

Posted by Thomas Harold <th...@nybeta.com>.
On 8/8/2013 5:32 AM, Steve Freegard wrote:
>
> Sure - I wrote both rules.
>
> It's to identify hosts that HELO with a 'raw' IP e.g.
>
> HELO 1.2.3.4
>
> Which is not syntactically correct as per the RFC.  IP addresses used in
> the HELO should be in an IP literal format:
>
> HELO [1.2.3.4]
>
> FSL_HELO_BARE_IP_1 looks at only the last external IP address, whereas
> FSL_HELO_BARE_IP_2 looks at all external received hops.
>
> These were supposed just to be sandbox rules, but they've been
> autopromoted by the masschecker and I hadn't noticed until now.
>
> FSL_HELO_BARE_IP_2 should probably be meta'd to only hit if
> FSL_HELO_IP_1 doesn't hit to prevent a double hit if the last external
> is a raw IP.
>
> I'll create an FSL_HELO_BARE_IP_3 rule as a meta and see what the
> results are tomorrow, and then I'll remove FSL_HELO_BARE_IP_2 provided
> the results are satisfactory.
>

We have a client who is hitting these (yes we're working with them to 
try and fix it).  I haven't seen the _1 rule hit, but it is hitting the 
following rules:

X-Spam-Status: Yes, score=6.904 tagged_above=-999 required=4.5
	tests=[BAYES_50=0.8, FSL_HELO_BARE_IP_2=2.699,
	RCVD_IN_BRBL_LASTEXT=1.449, RCVD_NUMERIC_HELO=1.164, RDNS_NONE=0.793,
	SPF_PASS=-0.001] autolearn=no

Hop #1 in their mailing output is emitting a HELO with a bare IP address 
of the style "1.2.3.4".  Hop #2 has a valid HELO, but they don't have a 
reverse DNS record.


Re: FSL_HELO_BARE_IP_2 rule?

Posted by Steve Freegard <st...@fsl.com>.
On 08/08/13 04:29, Thomas Harold wrote:
> Not documented on the wiki:
> http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
>
> FSL_HELO_BARE_IP_1 is documented as:
> X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
>
> Anyone know what the goal of FSL_HELO_BARE_IP_2 is?
>

Sure - I wrote both rules.

It's to identify hosts that HELO with a 'raw' IP e.g.

HELO 1.2.3.4

Which is not syntactically correct as per the RFC.  IP addresses used in 
the HELO should be in an IP literal format:

HELO [1.2.3.4]

FSL_HELO_BARE_IP_1 looks at only the last external IP address, whereas 
FSL_HELO_BARE_IP_2 looks at all external received hops.

These were supposed just to be sandbox rules, but they've been 
autopromoted by the masschecker and I hadn't noticed until now.

FSL_HELO_BARE_IP_2 should probably be meta'd to only hit if 
FSL_HELO_IP_1 doesn't hit to prevent a double hit if the last external 
is a raw IP.

I'll create an FSL_HELO_BARE_IP_3 rule as a meta and see what the 
results are tomorrow, and then I'll remove FSL_HELO_BARE_IP_2 provided 
the results are satisfactory.

Regards,
Steve.
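
Added example, not from this thread or from the SpamAssassin rule set: a Python sketch of the three behaviours discussed above and in RW's reply. Only the FSL_HELO_BARE_IP_1 regex is the documented one; the "_2" pattern is an assumed reconstruction of the behaviour described (all hops, also firing on 1.2.3.4.example.com), not the real rule text, and the third pattern is RW's "skip the first [...] section" suggestion. The X-Spam-Relays-External values are constructed, newest hop first, with fields abbreviated.

```python
import re

# FSL_HELO_BARE_IP_1 as documented in the thread: the bare IPv4 HELO must sit
# in the first "[ ... ]" section, i.e. the last external hop (the one that
# handed the message to us). The trailing space requires the whole HELO value
# to be the dotted quad.
FSL_HELO_BARE_IP_1 = re.compile(r"^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ ", re.I)

# Assumed reconstruction of the behaviour Steve and RW describe for
# FSL_HELO_BARE_IP_2 (NOT the rule's real text): any hop, and without the
# trailing space it also fires on HELO names such as 1.2.3.4.example.com.
ASSUMED_BARE_IP_2 = re.compile(r" helo=\d+\.\d+\.\d+\.\d+", re.I)

# RW's suggestion: no meta rule needed, just make the all-hops rule skip the
# first "[ ... ]" section so it never double-fires with _1. The leading "]"
# forces the match into hop 2 or later; the trailing space is kept.
BARE_IP_SKIP_FIRST = re.compile(r"\][^\]]* helo=\d+\.\d+\.\d+\.\d+ ", re.I)

RULES = {
    "FSL_HELO_BARE_IP_1": FSL_HELO_BARE_IP_1,
    "ASSUMED_BARE_IP_2": ASSUMED_BARE_IP_2,
    "BARE_IP_SKIP_FIRST": BARE_IP_SKIP_FIRST,
}

def hits(relays_external: str) -> set:
    """Return the names of the rules that match a pseudo-header value."""
    return {name for name, rx in RULES.items() if rx.search(relays_external)}

# Constructed X-Spam-Relays-External values (documentation-range addresses).
# Last external hop HELOs with a bare IP: _1 and the all-hops rule both fire,
# which is the double hit Steve wants to avoid.
LAST_HOP_BARE = ("[ ip=192.0.2.10 rdns= helo=192.0.2.10 by=mx.example.net ] "
                 "[ ip=198.51.100.7 rdns=mail.example.org helo=mail.example.org by=192.0.2.10 ]")
# Thomas's client: the older hop HELOs with a bare IP, the last external hop
# has a valid HELO but no reverse DNS, so _1 stays quiet.
INNER_HOP_BARE = ("[ ip=198.51.100.7 rdns= helo=out.example.org by=mx.example.net ] "
                  "[ ip=192.0.2.10 rdns= helo=192.0.2.10 by=out.example.org ]")
# The false positive RW points out: a hostname that merely starts with a quad.
DOTTED_HOSTNAME = ("[ ip=192.0.2.10 rdns=1.2.3.4.example.com "
                   "helo=1.2.3.4.example.com by=mx.example.net ]")

if __name__ == "__main__":
    for label, value in [("last hop bare", LAST_HOP_BARE),
                         ("inner hop bare", INNER_HOP_BARE),
                         ("dotted hostname", DOTTED_HOSTNAME)]:
        print(f"{label:16} -> {sorted(hits(value))}")
```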


Re: FSL_HELO_BARE_IP_2 rule?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 07.08.13 23:29, Thomas Harold wrote:
>Not documented on the wiki:
>http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
>
>FSL_HELO_BARE_IP_1 is documented as:
>X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
>
>Anyone know what the goal of FSL_HELO_BARE_IP_2 is?

Looks like a more effective alternative to FSL_HELO_BARE_IP_1.
However, the two seem to overlap, so FSL_HELO_BARE_IP_1 should
apparently be removed.

I wonder how they could give different scores. Maybe there are e-mails that
only hit one of those; I'd like to see them then...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: FSL_HELO_BARE_IP_2 rule?

Posted by Benny Pedersen <me...@junc.eu>.
Thomas Harold skrev den 2013-08-08 05:29:
> Not documented on the wiki:
> http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
>
> FSL_HELO_BARE_IP_1 is documented as:
> X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
>
> Anyone know what the goal of FSL_HELO_BARE_IP_2 is?

in postfix it's documented as invalid hostname on helo

http://major.io/2006/12/26/fixing-invalid-helos/