false positive?

mikea mikea at MIKEA.ATH.CX
Tue Aug 12 16:16:19 IST 2003


On Tue, Aug 12, 2003 at 09:55:44AM -0500, Tim Tyler wrote:
> mailscanner experts,
>    We are running 4.x version of mailscanner with spamassassin which we
> updated last month.  We have been running it for nearly 3 weeks now and I
> got my first report of a false positive.  A professor received a legitimate
> message with a score of 6.4.  The relevant headers are below:
>
>  >> X-MailScanner: Found to be clean
>  >> X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.4, required 5,
>  >>     MIME_BOUND_NEXTPART 0.16, RCVD_FAKE_HELO_DOTCOM 3.43,
>  >>     RCVD_FAKE_HELO_DOTCOM_2 2.80)
>  >> X-MailScanner-SpamScore: ssssss
>
> The bulk of the score relates to rcvd_fake_helo_dotcom.   Can anyone tell
> me what that means and why it might occur on a legitimate message?  I
> believe the message was sent from a service in Morocco for whatever that is
> worth.

[folded to 72 characters max]

header RCVD_FAKE_HELO_DOTCOM    Received =~ /^from (?:msn|yahoo|
   yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|
   mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)
   \.com \(/m
describe RCVD_FAKE_HELO_DOTCOM  Received contains a faked HELO hostname

This rule triggers on data like "msn.com" or "cs.com" followed by a
left parenthesis. I suppose that this rule is designed to catch spam
with a "Received:" header falsely claiming to be from one of those
ISPs, and that none of them ever appears as a bare <foo>.com for <foo>
in the rule above, but rather as <something>.<foo>.com.

I've seen it trigger falsely a few times, but not a whole lot.

--
Mike Andrews
mikea at mikea.ath.cx
Tired old sysadmin since 1964
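The rule quoted above, reconstructed as an added example (this is not code from the post or from SpamAssassin's own source; the 72-column folds are undone, and the Python regex is an assumed equivalent of the Perl one) and run over constructed Received headers to show when it fires and when it does not:

```python
import re

# Reconstruction of the quoted SpamAssassin rule RCVD_FAKE_HELO_DOTCOM with the
# folds removed. The original is a Perl regex with /m; re.MULTILINE is the
# Python equivalent. SpamAssassin hands a "Received" header rule all of the
# message's Received headers joined by newlines, which is why the anchor is ^
# (start of any line) rather than start of string.
RCVD_FAKE_HELO_DOTCOM = re.compile(
    r"^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|"
    r"allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)"
    r"\.com \(",
    re.MULTILINE,
)

# Score taken from the X-MailScanner-SpamCheck header quoted in the question.
SCORE_RCVD_FAKE_HELO_DOTCOM = 3.43

# Pulls the HELO name out of a Received line: the token after "from" and
# before the parenthesised reverse-DNS / IP part. Used only to explain a hit.
HELO_NAME = re.compile(r"^from (\S+) \(", re.MULTILINE)


def join_received(received_headers):
    """Join Received headers the way SpamAssassin presents them to a rule."""
    return "\n".join(received_headers)


def rule_hits(received_headers):
    """True if RCVD_FAKE_HELO_DOTCOM fires on any of the Received headers."""
    return RCVD_FAKE_HELO_DOTCOM.search(join_received(received_headers)) is not None


def helo_names(received_headers):
    """All HELO names found in the Received headers, in order."""
    return HELO_NAME.findall(join_received(received_headers))


def explain(received_headers):
    """Return (score contributed, HELO names that made the rule fire)."""
    if not rule_hits(received_headers):
        return 0.0, []
    bad = [h for h in helo_names(received_headers)
           if RCVD_FAKE_HELO_DOTCOM.search(f"from {h} (")]
    return SCORE_RCVD_FAKE_HELO_DOTCOM, bad


# Constructed sample headers (not taken from any real message).
# 1. Ordinary relays: the HELO is a host name under the domain, so "^from msn"
#    style alternatives never match "from mail.example.edu" or a hotmail host.
LEGIT = [
    "from mail.example.edu (mail.example.edu [192.0.2.10]) by mx.example.edu",
    "from bay0-omc1-s3.bay0.hotmail.com (bay0-omc1-s3.bay0.hotmail.com "
    "[198.51.100.5]) by mail.example.edu",
]

# 2. What the rule is hunting for: a bare "yahoo.com" HELO on the second hop.
#    Without re.MULTILINE the ^ would only see the first header and this would
#    be missed.
FAKED = [
    "from mx.example.edu (mx.example.edu [192.0.2.10]) by mail.example.edu",
    "from yahoo.com (unknown [203.0.113.77]) by mx.example.edu",
]

# 3. The false-positive shape: the rule checks only the HELO string, never the
#    connecting IP, so a legitimate but oddly configured server that really
#    announces itself as a bare listed name is scored exactly like a forgery.
ODD_BUT_LEGIT = [
    "from juno.com (smtp-out.example.org [192.0.2.200]) by mx.example.edu",
]

if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT), ("faked", FAKED),
                        ("odd-but-legit", ODD_BUT_LEGIT)):
        score, names = explain(hdrs)
        print(f"{label:14s} score={score:<5} helo={names}")
```

The third sample is the case Mike describes: the rule cannot tell a spammer writing "yahoo.com" into its HELO apart from a real sender whose HELO happens to be one of the bare names, so the 3.43 lands on both. When chasing a false positive like this one, the HELO name in the first untrusted Received line is the thing to look at, and the remedy on a MailScanner site is a local score adjustment for that rule rather than a change to the regex.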


