Mark London wrote:

Hi - We are receiving mail from a site that includes the headers:

Received: from mail1.xxxx.com (mail.xxxx.com [xx.xx.xx.xx])
        by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IM7qTG018418
        for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 18:07:52 -0400
Received: from adsl-xx-xx-xx-xx.dsl.pltn13.pacbell.net [xx.xx.xx.xx] by
    mail1.xxxx.com with SMTP;   Tue, 18 Oct 2005 15:36:54 -0600

This causes spamassassin to flag it with:

HELO_DYNAMIC_DHCP  HELO_DYNAMIC_HCC  HELO_DYNAMIC_IPADDR

This easily causes a very high spam score. I've never seen these tests be positive for non-spam mail. That last Received line definitely looks suspicious, but it's real. The rest of the header follows. Is this a deranged mail server, or is spamassassin at fault? Thanks. - Mark


You obfuscated all of the network addresses required to produce an intelligent response. You also didn't say at (after) which host (received header) the mail is being scanned.


I believe (although I could be wrong) that none of the below spam tests rely on what I removed, except that you need to know that xx represents a number.

20_fake_helo_tests.cf:header HELO_DYNAMIC_DHCP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+/i

20_fake_helo_tests.cf:header HELO_DYNAMIC_HCC X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i

20_fake_helo_tests.cf:header HELO_DYNAMIC_IPADDR X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+/i

spamassassin is running on psfcsv1.psfc.mit.edu -  Mark

Nope, the actual numbers and which host is doing the scanning make a huge difference in positively identifying a trust path issue.

Received: from mail1.easyasphosting.com (mail.easyasphosting.com [72.18.128.5])
        by psfcsv1.psfc.mit.edu (8.13.1/8.13.1) with ESMTP id j9IFVi4u011453
        for <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 11:31:44 -0400
Received: from adsl-69-233-55-246.dsl.pltn13.pacbell.net
        (adsl-69-233-55-246.dsl.pltn13.pacbell.net [69.233.55.246])
        by mail1.easyasphosting.com with SMTP;
   Tue, 18 Oct 2005 09:30:50 -0600
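
An added example, not part of the thread or of SpamAssassin: the three rules quoted above, run in Python over constructed X-Spam-Relays-Untrusted values built from the two Received headers just shown. Because each rule starts with `^[^\]]+`, it can only see the first untrusted relay, so the result depends on where the trust boundary falls. The `relay()` and `relays_untrusted()` helpers and the trusted-IP sets are simplified assumptions, not SpamAssassin's real trust-path logic.

```python
import re

# The three rules as quoted in the thread (20_fake_helo_tests.cf).
RULES = {
    "HELO_DYNAMIC_DHCP": r"^[^\]]+ helo=\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+",
    "HELO_DYNAMIC_HCC": r"^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\.",
    "HELO_DYNAMIC_IPADDR": r"^[^\]]+ helo=[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

# Hops from the Received headers in the thread, newest first:
# (client ip, reverse DNS, HELO name, receiving host).
HOPS = [
    ("72.18.128.5", "mail.easyasphosting.com",
     "mail1.easyasphosting.com", "psfcsv1.psfc.mit.edu"),
    ("69.233.55.246", "adsl-69-233-55-246.dsl.pltn13.pacbell.net",
     "adsl-69-233-55-246.dsl.pltn13.pacbell.net", "mail1.easyasphosting.com"),
]

def relay(ip, rdns, helo, by):
    """Constructed relay entry in the style of X-Spam-Relays-Untrusted."""
    return f"[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom= intl=0 id= auth= ]"

def relays_untrusted(hops, trusted_ips):
    """Simplified stand-in for the trust path: drop leading hops whose
    client IP is trusted, keep everything from the first untrusted hop."""
    i = 0
    while i < len(hops) and hops[i][0] in trusted_ips:
        i += 1
    return " ".join(relay(*hop) for hop in hops[i:])

def fired(pseudo_header):
    """Names of the rules whose regex matches the pseudo-header."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(pseudo_header))

if __name__ == "__main__":
    # Boundary at psfcsv1: the first untrusted relay is the hosting mail server.
    print("only psfcsv1 trusted:", fired(relays_untrusted(HOPS, set())))
    # Boundary one hop further out: the first untrusted relay is the DSL client.
    print("72.18.128.5 trusted: ", fired(relays_untrusted(HOPS, {"72.18.128.5"})))
```

With the boundary at psfcsv1 none of the rules match; they all match only when the DSL client becomes the first untrusted relay.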
