> >> Matus UHLAR - fantomas wrote:
> >>> I've received e-mail that received score 4.9 just because of the same
> >>> problem - invalid HELO.
> >>>
> >>> * 2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but
> >>> should
> >>> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> >>>
> >>> Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
> >>> by 8.hotelulipy.cz (Postfix) with SMTP id <censored>
> >>> for <censored>; <date>
> >>>
> >>> I think that combination above hits way too much.
> > On 20.02.09 08:56, Matt Kettler wrote:
> >> Why is a bogus HELO being generated in the first place? i.e.: why is
> >> an address literal used, but not the correct address literal?

> Matus UHLAR - fantomas wrote:
> > I guess this happens for hosts behind NAT, that do not know the real IP
> > address under which they are accessing the internet.

On 21.02.09 02:19, mouss wrote:
> $ host 88.102.6.114
> 114.6.102.88.in-addr.arpa domain name pointer 114.6.broadband7.iol.cz.
>
> Are
> - iol.cz
> - telenet.cz
> - hotelulipy.cz
>
> the same organisation?
> if not, this is direct to MX junk.

...your presumption that the Received: header is the only one is false.

> BTW. which (legitimate and not outdated) mail clients helo with a bare IP?

However I may look at the e-mail again and more deeply, if you think.

> >> I've not seen a legitimate mail client do this, so I'm actually rather
> >> curious as to what happened. In the set0 mass-checks, this rule had a
> >> S/O of 0.996, which is *VERY* good.
> >
> > I've just seen another one...
> >
> > However the main problem is that most HELO rules fire independently
> > together

Ohh, that should be "more", not "most". Rephrasing:
More rules checking the very similar thing fire independently together.

I guess that _the same_ error (invalid HELO) should not cause firing more
rules with total score of nearly 5 (sum of those two: 5.0 4.919 4.899 4.904)

I have already filed similar bug and it got resolved by removing one of
those rules (5682). You may also see bug 5488 concerning similar issue.

> try a meta that uses an AND and run a mass check. I'm sure I would get a
> score of 5 :)

I doubt so, unluckily I don't have corpus big enough to masschecks :(

If there were two rules checking for exactly the same thing, both scoring
2.5 (we'd wonder if they had different score, right?), their combination
would score 5.0, while meta rule matching both of them would get -2.5.
Can someone please try to do

meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)

and check, or should I fill

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
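The overlap discussed in this message, as an added illustration that is not part of the thread and is not SpamAssassin's own rule code: two simplified checks, written from the rule descriptions quoted above, are run over the Received header from the thread and two constructed headers. The helper names, the full-address comparison and the `example.*` headers are assumptions; the scores 2.8 and 2.1 are the ones in the quoted report.

```python
import ipaddress
import re

# Scores quoted in the SpamAssassin report in the thread.
SCORES = {"RCVD_NUMERIC_HELO": 2.1, "RCVD_HELO_IP_MISMATCH": 2.8}

# Matches "from <helo> (<rdns> [<ip>])" as written in the quoted Postfix header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)")

def parse_ip(text):
    """Return an ip_address object for a bare IP string, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def helo_rules(received):
    """Return the simplified HELO checks (assumed logic) that fire for one header."""
    m = RECEIVED_RE.search(received)
    if not m:
        return set()
    helo_ip, peer_ip = parse_ip(m["helo"]), parse_ip(m["ip"])
    hits = set()
    if helo_ip is not None:                      # HELO is a bare IP address
        hits.add("RCVD_NUMERIC_HELO")
        if peer_ip is not None and helo_ip != peer_ip:
            # In this model the mismatch check can only fire when the
            # numeric check already has, so the two hits are not independent.
            hits.add("RCVD_HELO_IP_MISMATCH")
    return hits

def score(hits):
    """Sum the per-rule scores for the checks that fired."""
    return round(sum(SCORES[name] for name in hits), 1)

# "thread" is the header quoted in the message; the other two are constructed.
SAMPLES = {
    "thread": "from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67]) "
              "by 8.hotelulipy.cz (Postfix) with SMTP",
    "matching": "from 192.0.2.10 (client.example.net [192.0.2.10]) "
                "by mx.example.org (Postfix) with SMTP",
    "hostname": "from mail.example.net (mail.example.net [192.0.2.25]) "
                "by mx.example.org (Postfix) with ESMTP",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        hits = helo_rules(header)
        print(f"{label:9} {score(hits):4} {sorted(hits)}")
```
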