We are running SA 3.0.1 site-wide at my company and I had some false positives due to HELO_DYNAMIC_HCC and HELO_DYNAMIC_IPADDR. They are probably useful rules, but I am surprised that their default scores are so high. Here are the headers of the message and the scores it got:
Received: from a80-127-206-219.adsl.xs4all.nl (a80-127-206-219.adsl.xs4all.nl [80.127.206.219])
    by lassen.graebel.com (Postfix) with SMTP id A95FA120CB5
    for <[EMAIL PROTECTED]>; Fri, 29 Oct 2004 05:40:10 -0600 (MDT)
Received: from gwsevil-Message_Server by a80-127-206-219.adsl.xs4all.nl
    with Novell_GroupWise; Fri, 29 Oct 2004 13:40:10 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Mailer: Novell GroupWise 5.5.5
Date: Fri, 29 Oct 2004 13:39:53 +0200
From: "Sender" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Betr.: Re: Mr. ABC
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

I changed the from and to addresses, but left the other headers alone. Here are the scores:

Content analysis details:   (-98.8 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
 0.5 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 1.0 MY_GAPPY_BODY          BODY: MY: contains G.a.p.p.y-T.e.x.t
 1.8 URG_BIZ                BODY: Contains urgent matter
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]

As a result, I lowered the scores for HELO_DYNAMIC_HCC and HELO_DYNAMIC_IPADDR. I also forced bayes to relearn the email as ham, etc.

The other problem is that the sender of the message informed me that it is not a dynamically assigned address. It is an ADSL connection from the Netherlands with a fixed IP address.

Mark
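A small added check that is not part of the post above and not SpamAssassin code: it parses the "Content analysis details" table exactly as pasted and recomputes the total, so an admin can see what the verdict would have been without the -100 whitelist hit (1.2, still well under the 6.0 threshold) and what a local.cf override such as `score HELO_DYNAMIC_HCC 0.1` would change. The report text is a constructed copy of the table in the post; the 0.1 override values are hypothetical, and the script does not reproduce the HELO_DYNAMIC_* rule regexes themselves.

```python
import re

# Constructed input: the score table from the post, in the layout that
# SpamAssassin 3.0 uses for its "Content analysis details" report block.
SA_REPORT = """\
Content analysis details:   (-98.8 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
 0.5 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 1.0 MY_GAPPY_BODY          BODY: MY: contains G.a.p.p.y-T.e.x.t
 1.8 URG_BIZ                BODY: Contains urgent matter
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
"""

# "(-98.8 points, 6.0 required)" in the header line.
HEADER_RE = re.compile(r"\((-?\d+(?:\.\d+)?) points,\s*(-?\d+(?:\.\d+)?) required\)")
# One scored rule per line: score, RULE_NAME, description.  The "----" ruler,
# the column titles and the "[score: 0.0000]" continuation line do not match.
RULE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\s+(.*\S)\s*$")


def parse_report(text):
    """Parse a report block into (reported_total, required, hits), where
    hits is a list of (rule_name, score, description) tuples."""
    reported_total = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            reported_total, required = float(m.group(1)), float(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3)))
    if reported_total is None:
        raise ValueError("no 'points, required' header found")
    return reported_total, required, hits


def total_score(hits, overrides=None, exclude=()):
    """Recompute the total.  `overrides` maps rule name -> new score (what a
    local.cf 'score RULE n' line would do); `exclude` drops rules entirely
    (e.g. to see the verdict without the whitelist)."""
    overrides = overrides or {}
    total = 0.0
    for name, score, _desc in hits:
        if name in exclude:
            continue
        total += overrides.get(name, score)
    return round(total, 1)


def is_spam(total, required):
    """SpamAssassin marks a message when the total reaches the threshold."""
    return total >= required


def top_contributors(hits, n=3):
    """Rules pushing the score up, largest first, for triaging a false positive."""
    positives = [(name, score) for name, score, _ in hits if score > 0]
    return sorted(positives, key=lambda t: -t[1])[:n]


if __name__ == "__main__":
    reported, required, hits = parse_report(SA_REPORT)
    print(f"reported {reported}, recomputed {total_score(hits)}, threshold {required}")
    no_wl = total_score(hits, exclude={"USER_IN_WHITELIST"})
    print(f"without whitelist: {no_wl} -> spam={is_spam(no_wl, required)}")
    # Hypothetical local.cf overrides: score HELO_DYNAMIC_HCC 0.1 / HELO_DYNAMIC_IPADDR 0.1
    lowered = total_score(hits, overrides={"HELO_DYNAMIC_HCC": 0.1, "HELO_DYNAMIC_IPADDR": 0.1},
                          exclude={"USER_IN_WHITELIST"})
    print(f"with lowered HELO scores and no whitelist: {lowered}")
    print("top positive contributors:", top_contributors(hits))
```

Run against this particular message, the two HELO_DYNAMIC rules add only 1.0 between them and URG_BIZ is the largest positive hit; the same parser can be pointed at any X-Spam-Report block when deciding whether a score override or a whitelist entry is the right fix.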