On 22 May 2019, at 12:34, John Hardin wrote:
On Wed, 22 May 2019, Alex Woick wrote:
The description is strangely wrong. It seems the person who created
the description didn't understand what the rule does. He probably
wasn't the rule creator. Or the rule was changed to the opposite
without updating the description.
The rule itself is also somewhat strange, because (?!localhost)
asserts that "localhost" isn't appearing, but this is already
ensured, because with [^\s.a-z0-9-]+ lower case characters are
explicitly excluded from match, so this exclusion includes
"localhost".
So the rule actually matches HELO names that consist of a single
upper-cased word. A word that may also include some non-word
characters such as "$/)" and so on, since that isn't excluded.
Very likely an ancient spammer/spamware signature.
It may also be written as
header TVD_RCVD_SINGLE Received =~ /^from\s+[^\s.a-z0-9-]+\s/
or if it really should only match characters, like this: (without any
specials, but only if this was really the original intention)
header TVD_RCVD_SINGLE Received =~ /^from\s+[A-Z]+\s/
It seems the rule is some degenerated relict of a once even more
complicated rule.
Not so much...
It is a sandbox rule that hasn't changed since the day it was created
12.5 years ago.
I'm surprised it's still present - the masscheck corpus spam/ham is
zero/zero:
https://ruleqa.spamassassin.org/20190522-r1859703-n/TVD_RCVD_SINGLE/detail
It could probably be safely removed if there's any question about it.
I've pulled its entries in the "10_force_active.cf" and "50_scores.cf"
files, so it will drop out of the distribution if it continues to match
nothing in the submitted corpora. The score had been static for almost
10 years, so I expect it won't get re-promoted any time soon...
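
Added example, not part of the thread and not SpamAssassin code: a Python check of the two patterns quoted above against constructed HELO names, showing that a `(?!localhost)` lookahead never changes the result and where the letters-only variant differs. The `WITH_LOOKAHEAD` pattern is an assumed reconstruction from the description in the thread, the Received lines are constructed, and Python's `re` stands in for Perl, which treats these constructs the same way.

```python
import re

# Pattern as rewritten in the thread, with the lookahead dropped.
SIMPLIFIED = re.compile(r"^from\s+[^\s.a-z0-9-]+\s")
# Assumption: the same pattern with the lookahead the thread describes.
WITH_LOOKAHEAD = re.compile(r"^from\s+(?!localhost)[^\s.a-z0-9-]+\s")
# Letters-only alternative suggested in the thread.
LETTERS_ONLY = re.compile(r"^from\s+[A-Z]+\s")

# Constructed HELO names, chosen to hit each exclusion in the character class.
SAMPLES = [
    "FOO",                    # single upper-case word
    "LOCALHOST",              # upper case, so the lookahead does not apply
    "$/)",                    # specials are not excluded by the class
    "FOO_BAR",                # underscore is not excluded either
    "Foo",                    # lower-case letters stop the match
    "MAIL1",                  # digits stop the match
    "MAIL.EXAMPLE.COM",       # dots stop the match
    "localhost",              # rejected by the class before any lookahead matters
    "localhost.localdomain",
]

def received(helo):
    """Build a constructed Received header value for the given HELO name."""
    return f"from {helo} (unknown [192.0.2.10]) by mx.example.org with SMTP"

def classify(helo):
    """Return (with_lookahead, simplified, letters_only) match results."""
    line = received(helo)
    return tuple(bool(p.search(line))
                 for p in (WITH_LOOKAHEAD, SIMPLIFIED, LETTERS_ONLY))

def lookahead_is_redundant(helos):
    """True if the lookahead never changes the outcome for these names."""
    return all(classify(h)[0] == classify(h)[1] for h in helos)

def specials_only_hits(helos):
    """Names the class-based pattern matches but the letters-only one does not."""
    return [h for h in helos if classify(h)[1] and not classify(h)[2]]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:26} {classify(h)}")
    print("lookahead redundant:", lookahead_is_redundant(SAMPLES))
    print("class-only matches:", specials_only_hits(SAMPLES))
```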