On Thu, 2011-02-10 at 19:30 -0500, Michael Scheidell wrote:
> host mx1.res.cisco.com
> mx1.res.cisco.com has address 208.90.57.13
> $ host 208.90.57.13
> 13.57.90.208.in-addr.arpa domain name pointer mx1.res.cisco.com.
> 
> looks fine to me, why does this look to SA like a dynamic ip?

Kind of... irrelevant. In this context. Or rather, terribly confusing.

In your snippet, RDNS_DYNAMIC accounts for a score of 0.4 (score-set 1),
but you said that network tests and Bayes pushed it above the threshold.
That would be score-set 4, and this one rule scoring just shy of 1.0.

So, what are the real rules hit, the real scores? What weight did the
network rules and Bayes have? More than that 1.0? Which rule really
caused the FP here?
> sorry, sender, receiver are all confidential, but here is a debug:  
> (network and bayes tests pushed it past 5.0)

> Content analysis details:   (3.0 points, 5.0 required)

>   0.0 RELAY_COUNTRY_US       Relayed through United States
>   1.6 SUBJ_ALL_CAPS          Subject is all capitals
>   0.0 HTML_MESSAGE           BODY: HTML included in message
>   0.4 RDNS_DYNAMIC           Delivered to internal network by host with
>                              dynamic-looking rDNS
>   1.0 NO_REAL_NAME           NO_REAL_NAME

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
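
As an added example (not code from the thread or from SpamAssassin itself), a small Python parser for the "Content analysis details" block that SpamAssassin emits, run over a constructed copy of the report quoted above. It re-adds the listed scores, checks them against the stated total, handles the wrapped RDNS_DYNAMIC description, and reports how much the unlisted network and Bayes rules must have contributed to reach the 5.0 threshold, which is the question the reply raises.

```python
import re
from typing import NamedTuple

# Constructed sample in SpamAssassin's report format, mirroring the thread's snippet.
SAMPLE_REPORT = """\
Content analysis details:   (3.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 RELAY_COUNTRY_US       Relayed through United States
 1.6 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 1.0 NO_REAL_NAME           NO_REAL_NAME
"""

HEADER_RE = re.compile(r"\((-?[\d.]+) points, ([\d.]+) required\)")
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")


class Hit(NamedTuple):
    score: float
    rule: str
    desc: str


def parse_report(text):
    """Return (stated_total, required, [Hit, ...]) for one report block.
    An indented line with no leading score continues the previous description."""
    stated = required = None
    hits = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and stated is None:
            stated, required = float(m.group(1)), float(m.group(2))
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.startswith(" ") and line.strip():
            last = hits[-1]  # wrapped description, e.g. RDNS_DYNAMIC
            hits[-1] = last._replace(desc=last.desc + " " + line.strip())
    return stated, required, hits


def audit(text):
    """Recompute the total and how much unlisted rules needed to add to reach the threshold."""
    stated, required, hits = parse_report(text)
    total = round(sum(h.score for h in hits), 1)
    top = max(hits, key=lambda h: h.score)
    return {"stated_total": stated, "computed_total": total,
            "consistent": stated is not None and abs(stated - total) < 0.05,
            "required": required, "shortfall": round(max(required - total, 0.0), 1),
            "top_rule": top.rule, "rules": [h.rule for h in hits]}
```

For the quoted snippet this gives a consistent 3.0 with a 2.0 shortfall, so whatever pushed the message over 5.0 is not in the listed rules, and RDNS_DYNAMIC at 0.4 is not the one to chase.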
