Does anyone have an idea what exactly TVD_RCVD_SINGLE is supposed to catch?
According to description:
describe TVD_RCVD_SINGLE Message was received from localhost
however, according to the RE:
header TVD_RCVD_SINGLE Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
it will catch any helo hostnames consisting of uppercase characters and
underscores, or more precisely, every hostname not containing lowercase,
number, dash or dot.
Is this the expected behaviour?
On Wed, 22 May 2019, Alex Woick wrote:
The description is strangely wrong. It seems the person who created
the description didn't understand what the rule does. He probably
wasn't the rule creator. Or the rule was changed to the opposite
without updating the description.
The rule itself is also somewhat strange, because (?!localhost)
asserts that "localhost" isn't appearing, but this is already
ensured, because with [^\s.a-z0-9-]+ lower case characters are
explicitly excluded from match, so this exclusion includes
"localhost".
So the rule actually matches HELO names that consist of a single
upper-cased word. A word that may also include some non-word
characters such as "$/)" and so on, since that isn't excluded.
It may also be written as
header TVD_RCVD_SINGLE Received =~ /^from\s+[^\s.a-z0-9-]+\s/
or if it really should only match characters, like this: (without
any specials, but only if this was really the original intention)
header TVD_RCVD_SINGLE Received =~ /^from\s+[A-Z]+\s/
It seems the rule is some degenerated relict of a once even more
complicated rule.
On 22.05.19 09:34, John Hardin wrote:
I'm surprised it's still present - the masscheck corpus spam/ham is
zero/zero:
https://ruleqa.spamassassin.org/20190522-r1859703-n/TVD_RCVD_SINGLE/detail
It could probably be safely removed if there's any question about it.
well, the score is still high:
score TVD_RCVD_SINGLE 0.242 1.213 0.001 2.172
and it matches any helo string consisting of uppercase characters
(and some companies still have local computers with uppercase hostnames)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
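
An added example, not part of any post in this thread: the three patterns quoted above, run against constructed Received header values with Python's re module, which handles these particular constructs the same way Perl does. The sample headers and their labels are made up for illustration, and each is treated as a single header value.

```python
import re

# The three patterns from the thread (no /i flag, so all are case-sensitive).
ORIGINAL = re.compile(r"^from\s+(?!localhost)[^\s.a-z0-9-]+\s")
NO_LOOKAHEAD = re.compile(r"^from\s+[^\s.a-z0-9-]+\s")
LETTERS_ONLY = re.compile(r"^from\s+[A-Z]+\s")

# Constructed Received header values, not taken from real mail.
SAMPLES = {
    "localhost": "from localhost (localhost [127.0.0.1]) by mx.example.org",
    "fqdn": "from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.org",
    "upper_single": "from WORKSTATION (unknown [192.0.2.20]) by mx.example.org",
    "upper_underscore": "from ACCOUNTING_PC (unknown [192.0.2.21]) by mx.example.org",
    "upper_special": "from $/) (unknown [192.0.2.22]) by mx.example.org",
    "upper_fqdn": "from HOST.EXAMPLE.COM (unknown [192.0.2.23]) by mx.example.org",
    "mixed_case": "from Desktop (unknown [192.0.2.24]) by mx.example.org",
    "upper_digit": "from PC01 (unknown [192.0.2.25]) by mx.example.org",
    "upper_localhost": "from LOCALHOST (unknown [192.0.2.26]) by mx.example.org",
}


def hits(pattern):
    """Return the labels of the sample headers that the pattern matches."""
    return {name for name, value in SAMPLES.items() if pattern.search(value)}


def lookahead_changes_nothing():
    """True if dropping (?!localhost) gives the same result on every sample."""
    return hits(ORIGINAL) == hits(NO_LOOKAHEAD)


if __name__ == "__main__":
    for label, pattern in [("original", ORIGINAL),
                           ("no lookahead", NO_LOOKAHEAD),
                           ("letters only", LETTERS_ONLY)]:
        print(f"{label:13} {sorted(hits(pattern))}")
    print("lookahead redundant on samples:", lookahead_changes_nothing())
```

The lowercase "localhost" header never matches any of the three patterns, while an uppercase-only HELO such as a workstation name matches all of them.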