-----Original Message-----
From: Mark Christoph [mailto:[EMAIL PROTECTED]
Sent: 29 October 2004 18:26
To: users@spamassassin.apache.org
Subject: false positives from HELO_DYNAMIC_HCC and HELO_DYNAMIC_IPADDR rules

We are running SA 3.0.1 site wide at my company and I had some false positives due to HELO_DYNAMIC_HCC and HELO_DYNAMIC_IPADDR. They are probably useful rules, but I am surprised that their default scores are so high. Here are the headers of the message and the scores it got:

<SNIP>

Content analysis details:   (-98.8 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
 0.5 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 1.0 MY_GAPPY_BODY          BODY: MY: contains G.a.p.p.y-T.e.x.t
 1.8 URG_BIZ                BODY: Contains urgent matter
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]

As a result, I lowered the scores for HELO_DYNAMIC_HCC and HELO_DYNAMIC_IPADDR. I also forced bayes to relearn the email as ham, etc.

The other problem is that the sender of the message informed me that it is not a dynamically assigned address. It is an ADSL connection from the Netherlands with a fixed IP address.

Mark

--------------------------------

There was no need to relearn it to bayes; it already said it was ham with -2.6 points, so even with the 1 point for dynamic hello it's still ham.

Your friend could configure his mailserver better by giving it a static name using something like dyndns.org, and then it wouldn't hit that rule. The fact his is static isn't what the rule really looks for, which is a dynamic-style hostname.

Martin
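
Martin's point that the rule keys on the shape of the HELO hostname rather than on whether the address is really dynamic, as an added example that is not part of the original thread and not SpamAssassin's own rule definitions. It is a simplified Python heuristic; the function names, the keyword list, and the sample hostnames and address are all constructed assumptions.

```python
import ipaddress
import re

# Assumed keyword list: words ISPs commonly put in access-pool hostnames.
# This is an illustration, not the pattern SpamAssassin ships.
POOL_WORDS = re.compile(
    r"(?:^|[.\-_\d])(?:adsl|dsl|dhcp|dialup|dyn|dynamic|ppp|pool|cable)"
    r"(?=[.\-_\d]|$)",
    re.IGNORECASE,
)


def embeds_ip(helo, relay_ip):
    """True if the HELO name contains the relay's four octets, forward or reversed."""
    octets = list(ipaddress.IPv4Address(relay_ip).packed)
    nums = []
    for run in re.findall(r"\d+", helo):
        if len(run) == 12:  # zero-padded form such as 192000002045
            nums.extend(int(run[i:i + 3]) for i in range(0, 12, 3))
        else:
            nums.append(int(run))
    windows = (nums[i:i + 4] for i in range(len(nums) - 3))
    return any(w == octets or w == octets[::-1] for w in windows)


def looks_dynamic(helo, relay_ip):
    """Return the reasons a HELO name resembles an ISP access-pool hostname."""
    reasons = []
    if embeds_ip(helo, relay_ip):
        reasons.append("embeds_relay_ip")
    if POOL_WORDS.search(helo):
        reasons.append("pool_keyword")
    return reasons


if __name__ == "__main__":
    relay_ip = "192.0.2.45"  # constructed sample from a documentation range
    samples = [  # constructed HELO names
        "adsl-192-0-2-45.static.isp.example",  # fixed address, pool-style name
        "45.2.0.192.dsl.isp.example",          # reversed octets
        "host192000002045.isp.example",        # zero-padded octets
        "mail.example.org",                    # operator-chosen name
    ]
    for helo in samples:
        print(f"{helo:40} {looks_dynamic(helo, relay_ip) or 'no match'}")
```

The first sample is flagged even though its name says "static", while the operator-chosen name on the same address is not, which is the behaviour Martin describes.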