Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/02/23 22:02:07 UTC
[Bug 5352] New: HELO_DYNAMIC_DHCP false positive for acm.org relay
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
Summary: HELO_DYNAMIC_DHCP false positive for acm.org relay
Product: Spamassassin
Version: 3.1.7
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Rules
AssignedTo: dev@spamassassin.apache.org
ReportedBy: henson@acm.org
I have a mail forwarding account with the Association for Computing Machinery
(acm.org). I noticed after recently upgrading to the latest version of
Spamassassin from a quite outdated one that every message I receive relayed
through my acm.org forwarding account is tagged with HELO_DYNAMIC_DHCP, even
though none of the relays through which the message passed were suspicious.
I think the name of the ACM mail server is falsely triggering the regular
expression associated with this rule:
Received: from acm26-4.acm.org (acm26-4.acm.org [63.118.7.109])
    by bebe.unx.csupomona.edu (Postfix) with ESMTP id A0593C80EA
    for <X>; Thu, 22 Feb 2007 19:35:09 -0800 (PST)
Received: from psmtp.com ([64.18.2.95])
    by acm26-4.acm.org (ACM Email Forwarding Service) with SMTP id CFT87417
    for <X>; Thu, 22 Feb 2007 22:22:17 -0500
ACM is a fairly large organization with a lot of members, all of whom are
presumably getting hit with this false positive. Any chance of modifying the
regular expression not to match their server?
Thanks...
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
nj@leverton.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nj@leverton.org
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From lwilton@earthlink.net 2007-03-05 19:46 -------
Well, it looks easy enough to fix for the example you gave. Something like
helo=\S*(?:[^a]cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth=
should probably do it in this case.
Now just need someone to actually apply some similar patch...
Loren
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
burner@suppressingfire.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |burner@suppressingfire.org
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From nj@leverton.org 2007-03-09 04:17 -------
Created an attachment (id=3881)
--> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3881&action=view)
Spam for which the suggested change causes an FN
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From nj@leverton.org 2007-03-09 04:16 -------
Confirmed, the suggested change will lead to missing some spam, namely that
from hosts named "cm-12-34-56-78". Will attach sample mail in a moment.
With rules as follows, where _1 is the original, _2 is the one from this issue
and _3 is my suggested alternative:
header TEST_DYNAMIC_DHCP_1 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
header TEST_DYNAMIC_DHCP_2 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:[^a]cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
header TEST_DYNAMIC_DHCP_3 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:(?<!a)cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
I get scan results:
0.0 TEST_DYNAMIC_DHCP_1 TEST_DYNAMIC_DHCP_1
0.0 TEST_DYNAMIC_DHCP_3 TEST_DYNAMIC_DHCP_3
3.1 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
in other words the suggested change will not fire. I don't have privs to
re-open this issue, can anybody hear me ? :-)
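The rule variants discussed in this thread, run side by side as an added example (not part of the original messages and not SpamAssassin's own code). It uses Python's re module in place of Perl, the relay lines are constructed, the `[^a]?cm` variant is the workaround mentioned in the 2007-03-07 comment, and `relay_line` and `fired` are hypothetical helper names:

```python
import re

# Rule body as quoted in the thread; only the "cm" alternative differs per variant.
HEAD = r"^[^\]]+ helo=\S*(?:"
TAIL = r"|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= "

CM_ALTERNATIVES = {
    "original": r"cm",           # rule as quoted in the report
    "char_class": r"[^a]cm",     # first suggested change
    "optional": r"[^a]?cm",      # the "[^a]?" workaround mentioned in the thread
    "lookbehind": r"(?<!a)cm",   # zero-width negative lookbehind
}
RULES = {name: re.compile(HEAD + alt + TAIL, re.I)
         for name, alt in CM_ALTERNATIVES.items()}


def relay_line(helo, ip):
    """Build a constructed X-Spam-Relays-Untrusted entry (hypothetical helper)."""
    return (f"[ ip={ip} rdns={helo} helo={helo} by=mx.example.org "
            f"ident= envfrom= intl=0 id=TEST auth= ]")


def fired(helo, ip="192.0.2.78"):
    """Return the sorted names of the rule variants that match this HELO."""
    line = relay_line(helo, ip)
    return sorted(name for name, rx in RULES.items() if rx.search(line))


# Constructed inputs: the ACM relay from the report and cable-modem style names.
SAMPLES = [
    "acm26-4.acm.org",                 # legitimate relay: should not fire
    "cm-12-34-56-78.bigisp.com",       # "cm" at start of name: should fire
    "host-cm-12-34-56-78.bigisp.com",  # "cm" after a non-"a" character
    "mail.example.net",                # ordinary name: nothing should fire
]

if __name__ == "__main__":
    for helo in SAMPLES:
        print(f"{helo:32} {fired(helo)}")
```

Only the lookbehind variant both skips the ACM relay and still matches a name that begins with "cm".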
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From jm@jmason.org 2007-03-06 04:35 -------
yep, Loren's fix is right-- works here.
: jm 455...; svn commit -m "bug 5352: trivial rule fix to avoid
HELO_DYNAMIC_DHCP hits on all mail via the ACM mail server"
rules/20_fake_helo_tests.cf
Sending rules/20_fake_helo_tests.cf
Transmitting file data .
Committed revision 515103.
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From nj@leverton.org 2007-03-07 10:35 -------
Excuse me butting in on someone else's issue, but are you sure about that RE ?
It will always require one character other than 'a' before the 'cm', which may
or may not be what you mean. The original \S* can occur zero times so I guess
you're trying to match on hostnames like "cm-12-34-56-78.bigisp.com" ?
In that case I'm sure you all know zero-width negative lookbehinds off by
heart so excuse me for teaching relatives :-). The RE for "there may be no
characters before, but if there is one it mustn't be a" should be /(?<!a)cm/
Other ways round it such as [^a]? will, I think, fall foul of the \S* soaking
up characters.
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From henson@acm.org 2007-03-05 18:25 -------
I tried reporting it to support@acm.org as well, but so far have received the
same lack of response as this bug... I suppose spamassassin developers probably
don't care too much about ACM's server naming policy, and I've generally found
ACM technical support to be sadly deficient, so we're just stuck in the middle...
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From jm@jmason.org 2007-03-09 04:35 -------
Nick -- I quietly applied that yesterday ;)
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From burner@suppressingfire.org 2007-03-05 21:24 -------
Hmm.. I modified my /usr/share/spamassassin/20_fake_helo_tests.cf but acm emails
still seem to have HELO_DYNAMIC_DHCP in the X-Spam-Status header.
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From burner@suppressingfire.org 2007-03-05 18:22 -------
Yup. I have my students submit assignments to my acm.org account. I lost a
number of their assignment submissions due to this.
[Bug 5352] HELO_DYNAMIC_DHCP false positive for acm.org relay
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5352
------- Additional Comments From burner@suppressingfire.org 2007-03-05 18:29 -------
Here's the rule:
header HELO_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
describe HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
Here's the HELO from my (valid) acm-relayed email:
helo=acm26-4.acm.org