http://bugzilla.spamassassin.org/show_bug.cgi?id=4576
------- Additional Comments From [EMAIL PROTECTED] 2005-09-09 01:15 -------
After further investigation I'm sure that we have hit a SpamAssassin bug here.
The HELO_[...] rules should only match if we have just one hop before our
SMTP server. Here is an example:
[43256] dbg: received-header: relay 195.141.101.242 trusted? yes internal? no
[43256] dbg: received-header: relay 127.0.0.1 trusted? yes internal? no
[43256] dbg: received-header: relay 213.165.64.20 trusted? yes internal? no
[43256] dbg: received-header: relay 81.173.228.159 trusted? no internal? no
Trusted IPs:
------------
195.141.101.242
127.0.0.1
213.165.64.20
Untrusted IP:
--------------
81.173.228.159
Should match the HELO rules:
----------------------------
From xxx Thu Sep 8 11:20:15 2005
Received: from 15.254.203.62.cust.bluewin.ch (15.254.203.62.cust.bluewin.ch
[81.173.228.159])
by mx2.imp.ch (8.13.4/8.13.4) with ESMTP id j889KE9j063340
for <xxx>; Thu, 8 Sep 2005 11:20:15 +0200 (CEST)
(envelope-from xxx)
We have just one hop here, 81.173.228.159 is the direct sender to our MX.
And it does correctly match:
1.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr2)
2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (SpliIP)
1.3 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
Shouldn't match the HELO rules:
-------------------------------
From xxx Thu Sep 8 11:20:15 2005
Received: from mail.dataflow.ch (falafel.dataflow.ch [195.141.101.242])
by mx2.imp.ch (8.13.4/8.13.4) with ESMTP id j889KE9j063340
for <xxx>; Thu, 8 Sep 2005 11:20:15 +0200 (CEST)
(envelope-from xxx)
Received: from falafel.dataflow.ch (localhost [127.0.0.1])
by falafel.dataflow.ch (Postfix) with ESMTP id CE7221CF1A2;
Thu, 8 Sep 2005 11:16:40 +0200 (CEST)
Received: from mail.gmx.net (mail.gmx.de [213.165.64.20])
by falafel.dataflow.ch (Postfix) with SMTP id A2F501CF19D
for <xxx>; Thu, 8 Sep 2005 11:16:33 +0200 (CEST)
Received: (qmail invoked by alias); 08 Sep 2005 09:19:52 -0000
Received: from 15.254.203.62.cust.bluewin.ch (EHLO SERVER) [81.173.228.159]
by hamburg134 with SMTP; 23 Jan 2005 11:53:28 -0000
It still matches. This is IMHO a spamassassin bug and shouldn't happen.
1.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr2
2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
The rules are defined as:
header HELO_DYNAMIC_IPADDR2 X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+[^\]]+ auth= /i
header HELO_DYNAMIC_SPLIT_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/
They don't look if there is just one hop, they just match the IP in the
untrusted list.
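The behaviour reported above, reproduced as an added example (not part of the bug comment and not SpamAssassin's own code): the two quoted patterns are run over the first untrusted relay for both mails, and the trusted hops never enter the match. The relay entries are constructed, their field layout and the helo value for the 81.173.228.159 hop in the forwarded mail are assumptions, and `relay`, `helo_hits` and `helo_hits_direct_only` are hypothetical names.

```python
import re

# The two rule patterns quoted in the comment, unchanged.
RULES = {
    "HELO_DYNAMIC_IPADDR2": re.compile(
        r"^[^\]]+ helo=\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]"
        r"[^\.]*\.\S+\.\S+[^\]]+ auth= ", re.I),
    "HELO_DYNAMIC_SPLIT_IP": re.compile(
        r"^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]"),
}

def relay(ip, rdns, helo, by):
    # Constructed relay entry; the field layout is an assumption.
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} "
            "ident= envfrom= intl=0 id= auth= ]")

DYN = "15.254.203.62.cust.bluewin.ch"

# Mail 1: the dynamic host delivers straight to mx2.imp.ch.
DIRECT_TRUSTED = []
DIRECT_UNTRUSTED = [relay("81.173.228.159", DYN, DYN, "mx2.imp.ch")]

# Mail 2: three trusted hops sit between that host and mx2.imp.ch.
FORWARDED_TRUSTED = [
    relay("195.141.101.242", "falafel.dataflow.ch", "mail.dataflow.ch", "mx2.imp.ch"),
    relay("127.0.0.1", "localhost", "falafel.dataflow.ch", "falafel.dataflow.ch"),
    relay("213.165.64.20", "mail.gmx.de", "mail.gmx.net", "falafel.dataflow.ch"),
]
FORWARDED_UNTRUSTED = [relay("81.173.228.159", DYN, DYN, "hamburg134")]

def helo_hits(untrusted):
    """Rules that fire on the untrusted list alone, as the patterns are written."""
    header = " ".join(untrusted)
    return sorted(name for name, rx in RULES.items() if rx.search(header))

def helo_hits_direct_only(trusted, untrusted):
    """Hypothetical guard: evaluate only when the untrusted relay
    handed the mail directly to our MX (no trusted hop in between)."""
    return [] if trusted else helo_hits(untrusted)

if __name__ == "__main__":
    print("direct   :", helo_hits(DIRECT_UNTRUSTED))
    print("forwarded:", helo_hits(FORWARDED_UNTRUSTED))
    print("guarded  :", helo_hits_direct_only(FORWARDED_TRUSTED, FORWARDED_UNTRUSTED))
```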