Mailing List Archive: SpamAssassin: users

FSL_HELO_BARE_IP_2 rule?

Index | Next | Previous | View Threaded

thomas-lists at nybeta

Aug 7, 2013, 8:29 PM

Post #1 of 7 (40 views)
Permalink

FSL_HELO_BARE_IP_2 rule?

Not documented on the wiki:
http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2

FSL_HELO_BARE_IP_1 is documented as:
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i

Anyone know what the goal of FSL_HELO_BARE_IP_2 is?

uhlar at fantomas

Aug 8, 2013, 1:05 AM

Post #2 of 7 (39 views)
Permalink

Re: FSL_HELO_BARE_IP_2 rule? [In reply to]

On 07.08.13 23:29, Thomas Harold wrote:
>Not documented on the wiki:
>http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
>
>FSL_HELO_BARE_IP_1 is documented as:
>X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
>
>Anyone know what the goal of FSL_HELO_BARE_IP_2 is?

looks like more effective alternative of FSL_HELO_BARE_IP_1
However they two seem to overlap, so the FSL_HELO_BARE_IP_1 should be
apparently removed.

I wonder how could they give different scores. Maybe there are e-mails that
only hit one of those, I'd like to see them then...

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

steve.freegard at fsl

Aug 8, 2013, 2:32 AM

Post #3 of 7 (37 views)
Permalink

Re: FSL_HELO_BARE_IP_2 rule? [In reply to]

On 08/08/13 04:29, Thomas Harold wrote:
> Not documented on the wiki:
> http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
>
> FSL_HELO_BARE_IP_1 is documented as:
> X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
>
> Anyone know what the goal of FSL_HELO_BARE_IP_2 is?
>

Sure - I wrote both rules.

It's to identify hosts that HELO with a 'raw' IP e.g.

HELO 1.2.3.4

Which is not syntactically correct as per the RFC. IP addresses used in
the HELO should be in a IP literal format:

HELO [1.2.3.4]

FSL_HELO_BARE_IP_1 looks at only the last external IP address, whereas
FSL_HELO_BARE_IP_2 looks at all external received hops.

These were supposed just to be sandbox rules, but they've been
autopromoted by the masschecker and I hadn't noticed until now.

FSL_HELO_BARE_IP_2 should probably be meta'd to only hit if
FSL_HELO_IP_1 doesn't hit to prevent a double hit if the last external
is a raw IP.

I'll create an FSL_HELO_BARE_IP_3 rule as a meta and see what the
results are tomorrow, and then I'll remove FSL_HELO_BARE_IP_2 provided
the results are satisfactory.

Regards,
Steve.

rwmaillists at googlemail

Aug 8, 2013, 4:39 AM

Post #4 of 7 (36 views)
Permalink

Re: FSL_HELO_BARE_IP_2 rule? [In reply to]

On Thu, 08 Aug 2013 10:32:12 +0100
Steve Freegard wrote:

> FSL_HELO_BARE_IP_1 looks at only the last external IP address,
> whereas FSL_HELO_BARE_IP_2 looks at all external received hops.

FSL_HELO_BARE_IP_2 also matches on hostnames like 1.2.3.4.example.com,
which I think is probably a mistake.

> FSL_HELO_BARE_IP_2 should probably be meta'd to only hit if
> FSL_HELO_IP_1 doesn't hit to prevent a double hit if the last
> external is a raw IP.
>
> I'll create an FSL_HELO_BARE_IP_3 rule as a meta

There's no need for a meta, you can just have FSL_HELO_BARE_IP_2 skip
the first [...] section.

rwmaillists at googlemail

Aug 8, 2013, 5:35 AM

Post #5 of 7 (36 views)
Permalink

Re: FSL_HELO_BARE_IP_2 rule? [In reply to]

It's not just FSL_HELO_BARE_IP_1 and FSL_HELO_BARE_IP_2 that overlap.

There's also

RCVD_NUMERIC_HELO
TVD_RCVD_IP
TVD_RCVD_IP4

me at junc

Aug 8, 2013, 7:41 AM

Post #6 of 7 (36 views)
Permalink

Re: FSL HELO BARE IP 2 rule? [In reply to]

Thomas Harold skrev den 2013-08-08 05:29:
> Not documented on the wiki:
> http://wiki.apache.org/spamassassin/Rules/FSL_HELO_BARE_IP_2
>
> FSL_HELO_BARE_IP_1 is documented as:
> X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
>
> Anyone know what the goal of FSL_HELO_BARE_IP_2 is?

in postfix its dokumented as invalid hostname on helo

http://major.io/2006/12/26/fixing-invalid-helos/

thomas-lists at nybeta

Aug 9, 2013, 5:46 AM

Post #7 of 7 (29 views)
Permalink

Re: FSL_HELO_BARE_IP_2 rule? [In reply to]

On 8/8/2013 5:32 AM, Steve Freegard wrote:
>
> Sure - I wrote both rules.
>
> It's to identify hosts that HELO with a 'raw' IP e.g.
>
> HELO 1.2.3.4
>
> Which is not syntactically correct as per the RFC. IP addresses used in
> the HELO should be in a IP literal format:
>
> HELO [1.2.3.4]
>
> FSL_HELO_BARE_IP_1 looks at only the last external IP address, whereas
> FSL_HELO_BARE_IP_2 looks at all external received hops.
>
> These were supposed just to be sandbox rules, but they've been
> autopromoted by the masschecker and I hadn't noticed until now.
>
> FSL_HELO_BARE_IP_2 should probably be meta'd to only hit if
> FSL_HELO_IP_1 doesn't hit to prevent a double hit if the last external
> is a raw IP.
>
> I'll create an FSL_HELO_BARE_IP_3 rule as a meta and see what the
> results are tomorrow, and then I'll remove FSL_HELO_BARE_IP_2 provided
> the results are satisfactory.
>

We have a client who is hitting these (yes we're working with them to
try and fix it). I haven't seen the _1 rule hit, but it is hitting the
following rules:

X-Spam-Status: Yes, score=6.904 tagged_above=-999 required=4.5
tests=[BAYES_50=0.8, FSL_HELO_BARE_IP_2=2.699,
RCVD_IN_BRBL_LASTEXT=1.449, RCVD_NUMERIC_HELO=1.164, RDNS_NONE=0.793,
SPF_PASS=-0.001] autolearn=no

Hop #1 in their mailing output is emitting a HELO with a bare IP address
of the style "1.2.3.4". Hop #2 has a valid HELO, but they don't have a
reverse DNS record.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads