Posted to users@spamassassin.apache.org by Mark London <mr...@psfc.mit.edu> on 2005/10/19 01:00:42 UTC
False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR
Hi - We are receiving mail from a site that includes the headers:
Received: from mail1.xxxx.com (mail.xxxx.com [xx.xx.xx.xx])
by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418
for <xx...@psfc.mit.edu>; Tue, 18 Oct 2005 18:07:52 -0400
Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
This causes spamassassin to flag it with:
HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR
This easily causes a very high spam score. I've never seen these
tests be positive for non-spam mail. That last Received line
definitely looks suspicious, but it's real. The rest of the header
follows. Is this a deranged mail server, or is spamassassin at
fault? Thanks. - Mark
Date: Tue, 18 Oct 2005 14:36:54 -0700
Message-ID: <00...@hpcykpm3adosev>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_009F_01C5D3F1.633A6E80"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To: <6....@mail1.psfc.mit.edu>
X-Declude-Spoolname: 424328766399.EML
X-Declude-Note: Scanned by Declude 2.0.6.16 (http://www.declude.com/x-note.htm)
for spam.
X-Declude-Scan: Score [-5] at 15:37:16 on 18 Oct 2005
X-Declude-Fail: None
X-Country-Chain: UNITED STATES->destination
X-NOTE: hpcsystems.com
X-Scanned-By: MIMEDefang 2.45
Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Matt Kettler wrote:
>>>Received: from FOOBAR (adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net
>>>[xx.xx.xx.xx]) by
>>> mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
>>
>>It doesn't like it when the HELO is
>>adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net Why?
>
> Because a trusted host shouldn't be receiving mail from a dialup ADSL node. The
> big question is why is mail1.xxxx.com trusted.
http://article.gmane.org/gmane.mail.spam.spamassassin.general/73330/match=
It turned out that the actual IPs were important as 'mail1' has a 72/8
address which was previously unassigned.
Daryl
Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR
Posted by Matt Kettler <mk...@evi-inc.com>.
Mark London wrote:
> Hi - spamassassin is running on psfcsv1.psfc.mit.edu (has been for
> several years, with same configuration).
Ok, does psfcsv1.psfc.mit.edu resolve psfcsv1.psfc.mit.edu to a reserved IP?
>I don't use trusted_networks.
Ok, so you use the auto-guessed trusted_networks list.
>
> If I change the 2nd received line to:
>
>> Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net ([xx.xx.xx.xx]) by
>> mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
>
>
> The problem goes away. Note the added (). This also works:
>
>> Received: from FOOBAR (adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net
>> [xx.xx.xx.xx]) by
>> mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
>
>
> It doesn't like it when the HELO is
> adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net Why?
Because a trusted host shouldn't be receiving mail from a dialup ADSL node. The
big question is why is mail1.xxxx.com trusted.
Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR
Posted by Mark London <mr...@psfc.mit.edu>.
Hi - spamassassin is running on psfcsv1.psfc.mit.edu (has been for
several years, with same configuration). I don't use
trusted_networks.
If I change the 2nd received line to:
>Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net ([xx.xx.xx.xx]) by
>mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
The problem goes away. Note the added (). This also works:
>Received: from FOOBAR (adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net
>[xx.xx.xx.xx]) by
>mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
It doesn't like it when the HELO is
adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net Why?
Mark
At 7:29 PM -0400 10/18/05, Matt Kettler wrote:
>Mark London wrote:
>> Hi - We are receiving mail from a site that includes the headers:
>>
>> Received: from mail1.xxxx.com (mail.xxxx.com [xx.xx.xx.xx])
>> by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id
>> j9IM7qTG018418
>> for <xx...@psfc.mit.edu>; Tue, 18 Oct 2005 18:07:52 -0400
>> Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
>> mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
>>
>> This causes spamassassin to flag it with:
>>
>> HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR
>
>1) do you have a trusted_networks setting? If so, does it include
>"mail1.xxx.com"? If so, are you sure you want to?
>
>2) If you don't have a trusted_networks setting, what would the spamassassin
>system resolve the IP address of psfcsv1.psfc.mit.edu as? Is it a reserved
>address (i.e. 10.*, 192.168.*, etc.) due to split-dns?
>
>If it's a reserved address, you must manually declare a trusted_networks
>setting. You're suffering from a broken trust path caused by the
>"auto guesser"
>being confused.
>
>See:
>
>http://wiki.apache.org/spamassassin/TrustPath
Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR
Posted by Matt Kettler <mk...@evi-inc.com>.
Mark London wrote:
> Hi - We are receiving mail from a site that includes the headers:
>
> Received: from mail1.xxxx.com (mail.xxxx.com [xx.xx.xx.xx])
> by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id
> j9IM7qTG018418
> for <xx...@psfc.mit.edu>; Tue, 18 Oct 2005 18:07:52 -0400
> Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
> mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
>
> This causes spamassassin to flag it with:
>
> HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR
1) do you have a trusted_networks setting? If so, does it include
"mail1.xxx.com"? If so, are you sure you want to?
2) If you don't have a trusted_networks setting, what would the spamassassin
system resolve the IP address of psfcsv1.psfc.mit.edu as? Is it a reserved
address (i.e. 10.*, 192.168.*, etc.) due to split-dns?
If it's a reserved address, you must manually declare a trusted_networks
setting. You're suffering from a broken trust path caused by the "auto guesser"
being confused.
See:
http://wiki.apache.org/spamassassin/TrustPath
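The trust-path walk Matt describes, the 72/8 remark from Daryl's follow-up, and the three Received: shapes Mark tried, as one added example. This is not SpamAssassin's code and not code from anyone in the thread: the Received parser and the "looks dynamic" checks are simplified stand-ins for what SpamAssassin does, not its rule regexes, and every IP address is constructed (198.51.100.10 for psfcsv1, 72.0.2.1 for mail1, placed in 72/8 on purpose, and 203.0.113.55 for the ADSL client; the obfuscated addresses in the original mail are unknown).

```python
"""Trust-path walk and HELO heuristics for the Received: chain in the thread.

Added example, not SpamAssassin's own code. The Received parser and the
dynamic-HELO checks are simplified stand-ins for what SpamAssassin does, and
every IP address below is constructed for the example (mail1 is placed in 72/8
on purpose, to mirror the remark about a then-unassigned block).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    helo: str            # name the client announced in HELO/EHLO
    rdns: Optional[str]  # reverse DNS the receiving MTA recorded, if any
    ip: str              # client IP as seen by the receiving MTA
    by: str              # MTA that wrote the header


# The three header shapes that appear in the thread, most specific first.
_SHAPES = [
    # from HELO (RDNS [IP]) by BY   e.g. "from FOOBAR (adsl-... [ip]) by mail1"
    re.compile(r"^from (?P<helo>\S+) \((?P<rdns>[^\s\[\]()]+) \[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)"),
    # from HELO ([IP]) by BY        no rDNS recorded
    re.compile(r"^from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)"),
    # from HELO [IP] by BY          the bare form in the original report
    re.compile(r"^from (?P<helo>\S+) \[(?P<ip>[\d.]+)\] by (?P<by>\S+)"),
]


def parse_received(header: str) -> Hop:
    """Extract (helo, rdns, ip, by) from one Received: header value."""
    text = " ".join(header.split())  # fold continuation lines
    for shape in _SHAPES:
        m = shape.match(text)
        if m:
            g = m.groupdict()
            return Hop(g["helo"], g.get("rdns"), g["ip"], g["by"])
    raise ValueError(f"unrecognised Received header: {text!r}")


# Consumer access-technology tokens; an approximation, not SpamAssassin's list.
_ACCESS_TOKEN = re.compile(
    r"(?:^|[.-])(?:adsl|dsl|dhcp|dyn|dynamic|ppp|pool|cable|dial(?:up)?)(?:[.-]|$)", re.I)


def dynamic_helo_reasons(helo: str, ip: str) -> List[str]:
    """Why a HELO looks like a dynamic consumer host rather than a real MX.

    Approximates the idea behind the HELO_DYNAMIC_* rules: the client's own
    address octets embedded in the name (forward or reversed order), or an
    access-technology token such as "adsl" in the name.
    """
    reasons = []
    octets = ip.split(".")
    fwd = r"(?<!\d)" + r"\D+".join(map(re.escape, octets)) + r"(?!\d)"
    rev = r"(?<!\d)" + r"\D+".join(map(re.escape, reversed(octets))) + r"(?!\d)"
    if re.search(fwd, helo) or re.search(rev, helo):
        reasons.append("ip-octets-in-helo")
    if _ACCESS_TOKEN.search(helo):
        reasons.append("access-technology-token")
    return reasons


def last_untrusted_hop(hops_newest_first: List[Hop], trusted_networks: List[str]) -> Optional[Hop]:
    """Walk the chain outward from our own MTA.

    While the client IP of a hop lies inside trusted_networks, that client is
    treated as one of ours and the walk continues into the header it wrote.
    The first hop whose client IP is outside the trusted set is the relay that
    crossed the trust boundary; only that hop's HELO is a fair target for
    HELO_DYNAMIC-style scoring. Returns None when every hop is trusted.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for hop in hops_newest_first:
        if not any(ipaddress.ip_address(hop.ip) in n for n in nets):
            return hop
    return None


def evaluate(received: List[str], trusted_networks: List[str]):
    """Return (HELO of the last untrusted hop, reasons it looks dynamic)."""
    hop = last_untrusted_hop([parse_received(h) for h in received], trusted_networks)
    if hop is None:
        return None, []
    return hop.helo, dynamic_helo_reasons(hop.helo, hop.ip)


# Constructed reproduction of the reported chain (all IPs invented):
#   psfcsv1.psfc.mit.edu 198.51.100.10 (scanner), mail1.xxxx.com 72.0.2.1,
#   ADSL client 203.0.113.55.
RECEIVED = [
    "from mail1.xxxx.com (mail.xxxx.com [72.0.2.1]) by psfcsv1.psfc.mit.edu "
    "(8.13.1/8.13.1) with ESMTP id j9IM7qTG018418; Tue, 18 Oct 2005 18:07:52 -0400",
    "from adsl-203-0-113-55.dsl.pltn13.pacbell.net [203.0.113.55] by "
    "mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600",
]
# Case 1: a trust list the auto-guesser could produce while 72/8 was still
# unallocated and treated like a reserved range. mail1 counts as internal, the
# walk continues into its header, and the ADSL client's HELO gets judged.
GUESSED = ["198.51.100.0/24", "72.0.0.0/8"]
# Case 2: trusted_networks declared by hand as just the scanning host. mail1 is
# now the last untrusted hop and "mail1.xxxx.com" raises nothing.
DECLARED = ["198.51.100.10/32"]

if __name__ == "__main__":
    print("guessed :", evaluate(RECEIVED, GUESSED))
    print("declared:", evaluate(RECEIVED, DECLARED))
    # The rewrite Mark tried: HELO of FOOBAR, the ADSL name recorded as rDNS.
    print("FOOBAR  :", parse_received(
        "from FOOBAR (adsl-203-0-113-55.dsl.pltn13.pacbell.net [203.0.113.55]) "
        "by mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600").helo)
```

With the guessed list the last untrusted hop is the ADSL client and its HELO trips both checks; with an explicit trusted_networks it is mail1 and nothing fires, which is the fix the TrustPath wiki page describes. The FOOBAR variant parses with FOOBAR as the HELO, so the dynamic checks never see the pacbell name. The thread does not say why the "([xx.xx.xx.xx])" variant also made the hits disappear for Mark, and this simplified parser still takes the pacbell name as the HELO in that shape.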
Re: False positive for HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC & HELO_DYNAMIC_IPADDR
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Mark London wrote:
> Hi - We are receiving mail from a site that includes the headers:
>
> Received: from mail1.xxxx.com (mail.xxxx.com [xx.xx.xx.xx])
> by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id
> j9IM7qTG018418
> for <xx...@psfc.mit.edu>; Tue, 18 Oct 2005 18:07:52 -0400
> Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
> mail1.xxxx.com with SMTP; Tue, 18 Oct 2005 15:36:54 -0600
>
> This causes spamassassin to flag it with:
>
> HELO_DYNAMIC_DHCP HELO_DYNAMIC_HCC HELO_DYNAMIC_IPADDR
>
> This easily causes a very high spam score. I've never seen these tests
> be positive for non-spam mail. That last Received line definitely looks
> suspicious, but it's real. The rest of the header follows. Is this a
> deranged mail server, or is spamassassin at fault? Thanks. - Mark
You obfuscated all of the network addresses required to produce an
intelligent response. You also didn't say at (after) which host
(received header) the mail is being scanned.
Daryl