false positive?
mikea
mikea at MIKEA.ATH.CX
Tue Aug 12 16:16:19 IST 2003
On Tue, Aug 12, 2003 at 09:55:44AM -0500, Tim Tyler wrote:
> mailscanner experts,
> We are running 4.x version of mailscanner with spamassassin which we
> updated last month. We have been running it for nearly 3 weeks now and I
> got my first report of a false positive. A professor received a legitimate
> message with a score of 6.4. The relevant headers are below:
>
> >> X-MailScanner: Found to be clean
> >> X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.4, required 5,
> >> MIME_BOUND_NEXTPART 0.16, RCVD_FAKE_HELO_DOTCOM 3.43,
> >> RCVD_FAKE_HELO_DOTCOM_2 2.80)
> >> X-MailScanner-SpamScore: ssssss
>
> The bulk of the score relates to rcvd_fake_helo_dotcom. Can anyone tell
> me what that means and why it might occur on a legitimate message? I
> believe the message was sent from a service in Morocco for whatever that is
> worth.
[folded to 72 characters max]
header RCVD_FAKE_HELO_DOTCOM Received =~ /^from (?:msn|yahoo|
yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|
mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)
\.com \(/m
describe RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname
This rule triggers on data like "msn.com" or "cs.com" followed by a
left parenthesis. I suppose that this rule is designed to catch spam
with a "Received:" header falsely claiming to be from one of those
ISPs, and that none of them ever appears as a bare <foo>.com for <foo>
in the rule above, but rather as <something>.<foo>.com.
I've seen it trigger falsely a few times, but not a whole lot.
--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin since 1964
More information about the MailScanner
mailing list