Re: TVD_RCVD_SINGLE hitting

Wed, 22 May 2019 09:35:39 -0700 

On Wed, 22 May 2019, Alex Woick wrote:
The description is strangely wrong. It seems the person who created the description didn't understand what the rule does. He probably wasn't the rule creator. Or the rule was changed to the opposite without updating the description. The rule itself is also somewhat strange, because (?!localhost) asserts that "localhost" isn't appearing, but this is already ensured, because with [^\s.a-z0-9-]+ lower case characters are explicity excluded from match, so this exclusion includes "localhost". 


So the rule actually matches HELO names that consists of a single upper-cased 
word. A word that may also include some non-word characters such as "$/)" and 
so on, since that isn't excluded.


It may also be written as
header TVD_RCVD_SINGLE Received =~ /^from\s+[^\s.a-z0-9-]+\s/


or if it really should only match characters, like this: (without any 
specials, but only if this was really the original intention)

header TVD_RCVD_SINGLE Received =~ /^from\s+[A-Z]+\s/


It seems the rule is some degenerated relict of a once even more complicated 
rule.



I'm surprised it's still present - the masscheck corpus spam/ham is 
zero/zero:

https://ruleqa.spamassassin.org/20190522-r1859703-n/TVD_RCVD_SINGLE/detail

It could probably be safely removed if there's any question about it.



anyone has idea what exactly is TVD_RCVD_SINGLE supposed to catch?

According to description:

describe TVD_RCVD_SINGLEĀ  Message was received from localhost

however, according to the RE:

header TVD_RCVD_SINGLE Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/

it will catch any helo hostnames consisting of uppercase characters and
undersores, or more recisely, every hostname not containing lowercase,
number, dash or dot.

Is this the expected behaviour?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Any time law enforcement becomes a revenue center, the system
  becomes corrupt.
-----------------------------------------------------------------------
 5 days until Memorial Day - honor those who sacrificed for our liberty





















					Reply via email to