On Mon, 28 Sep 2015, Amir Caspi wrote:

[snip..]
> AFAIK the "may be forged" indicates that rDNS lookup on the sending IP did not
> match the HELO information provided by the client, and wasn't specific to trusted or
> untrusted users.  Is that not the case?
>
> Using it alone definitely would be a recipe for FP, because I've seen plenty of
> ham with this. However, I was thinking maybe scoring it 0.1 or 0.2 points,
> which would then be sufficient when added to BAYES_99 + BAYES_999 to knock an
> otherwise-non-scoring spam over the threshold.  I guess it could be meta-ruled
> for additional protection.
>
> Would something like this be sufficient, or should I make the RE more stringent?
>
> # Add spamminess to "may be forged" warning in Received header
> header RCVD_MAY_BE_FORGED       Received =~ /\(may be forged\)/
> describe RCVD_MAY_BE_FORGED     Fake HELO info in Received header
> score RCVD_MAY_BE_FORGED        0.2

No, as created/used by sendmail that "may be forged" message only relates to the
sending MTA's DNS data. It means that the full-circle-DNS info for the sending
MTA's IP-addr didn't match (IP-addr -rDNS-> host.FQDN -fDNS-> IP-addr).
It has nothing to do with the HELO information.

That can be due to anything from deliberate obfuscation to a simple temporary
net/DNS glitch. Often caused by an ISP/MSP who is too lazy to maintain their DNS
infrastructure correctly.

By itself not a strong spam sign, but good for metas.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
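As an added illustration (not from either poster), the following Python models the two points made in the thread: the full-circle DNS check (IP -rDNS-> name -fDNS-> IP) that makes sendmail write "(may be forged)", and why the resulting header rule is only useful inside a meta rule. The DNS tables, the Received line, the meta rule name RCVD_FORGED_BAYES and all scores other than the 0.2 from the post are constructed for the demo.

```python
import re
from typing import Callable, Dict, List, Sequence, Set

# Constructed DNS tables standing in for live lookups (offline demo data, not real hosts).
RDNS: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.org"],    # PTR and A records agree: the circle closes
    "198.51.100.7": ["smtp.example.net"],  # PTR exists, but its A record points elsewhere
    "203.0.113.9": [],                     # no PTR record at all
}
FDNS: Dict[str, List[str]] = {
    "mail.example.org": ["192.0.2.10"],
    "smtp.example.net": ["198.51.100.1"],
}

Lookup = Callable[[str], Sequence[str]]

def full_circle_dns_ok(ip: str,
                       rdns: Lookup = lambda i: RDNS.get(i, []),
                       fdns: Lookup = lambda n: FDNS.get(n, [])) -> bool:
    """The sendmail check: IP -rDNS-> name -fDNS-> must contain the original IP.
    When no PTR name maps back, sendmail writes "(may be forged)" after the host in
    the Received header. For live use pass wrappers around socket.gethostbyaddr and
    socket.gethostbyname_ex instead of the table lookups."""
    return any(ip in fdns(name) for name in rdns(ip))

MAY_BE_FORGED = re.compile(r"\(may be forged\)")   # same pattern as the proposed rule

# Demo scores: the 0.2 is from the post; the Bayes and meta values are assumed.
SCORES = {"RCVD_MAY_BE_FORGED": 0.2, "BAYES_99": 3.5, "BAYES_999": 0.2,
          "RCVD_FORGED_BAYES": 1.2}

def rule_hits(received: str, other_hits: Set[str]) -> Set[str]:
    """Which rules fire: the header rule from the post plus a meta rule (assumed name
    RCVD_FORGED_BAYES) that only adds weight when Bayes is already near-certain, so
    the weak DNS signal on its own never pushes ham over the threshold."""
    hits = set(other_hits)
    if MAY_BE_FORGED.search(received):
        hits.add("RCVD_MAY_BE_FORGED")
    if "RCVD_MAY_BE_FORGED" in hits and hits & {"BAYES_99", "BAYES_999"}:
        hits.add("RCVD_FORGED_BAYES")
    return hits

def total_score(hits: Set[str]) -> float:
    return round(sum(SCORES.get(r, 0.0) for r in hits), 1)

if __name__ == "__main__":
    # Constructed Received header in sendmail's format, with the annotation present.
    rcvd = ("from smtp.example.net (smtp.example.net [198.51.100.7] (may be forged)) "
            "by mx.example.com (8.15.2/8.15.2) with ESMTP")
    print(full_circle_dns_ok("198.51.100.7"),
          total_score(rule_hits(rcvd, {"BAYES_99", "BAYES_999"})))
```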
