http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5817
------- Additional Comments From [EMAIL PROTECTED] 2008-02-21 14:53 -------
Boo! ;)

Chris confirmed the single FP in the total of 120k hams to be a valid, human-composed message using a real MUA. The important part (data changed) of X-Spam-Relays-Untrusted:

  [ ip=1.1.1.1 rdns=a.b.c.net helo=a.b.c.net by=example.com ... ]
  [ ip=1.1.1.1 rdns=a.b.c.net helo=!1.1.1.1! by=a.b.c.net ... id=k1G0v .... ]

I noticed two differences between that one ham and all spam in my small-ish ad-hoc testing corpus which matched the previous rule: (a) the RDNS of both untrusted hops is identical to the first hop's BY, and (b) the first hop has an ID.

Going from the meta-rule, I added another constraint of (a), which turned out to be much sharper. It did not result in any fewer hits, with the notable exception of the FP.

This sub-rule is true if the second hop's RDNS is equal to the first hop's BY:

  header __RDNS_EQ_BY X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=([^ ]*) [^\]]+][^\]]+ by=\1 /

Note that this actually checks the most recent untrusted relays. These are the first and second hop due to the existing sub-rule !__RELAYS_THREE_PLUS.

The new meta-rule then is:

  meta FORGED_RELAY_MUA_TO_MX __A && !__B && __C && !__RDNS_EQ_BY

For reference and probably discussion: I tested with a rule that checks RDNS and BY both of the first hop. Turned out to be a subset of the above, missing both 1 ham and 1 spam of the original, naive attempt (see comment 8) which still serves me as a testing corpus. *Both* these messages do not hit FORGED_RELAY_MUA_TO_MX anyway, in either of the discussed rules. The results of the meta-rule for my small-ish test corpus are identical.

Since I am unsure about this result, here's the variant testing the first hop's data only, for reference. Maybe someone else can tell better than me which one to use.

  header RDNS_EQ_BY X-S-R-U =~ / rdns=([^ ]+) [^\[]+ by=\1 [^\[]+$/
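
Added example, not part of the original comment or of SpamAssassin's rule set: the two patterns above run side by side over constructed X-Spam-Relays-Untrusted values, to show where they agree and where they diverge. It uses Python's re module in place of Perl; the hostnames, the trailing entry fields and the helper names are assumptions made for the illustration.

```python
import re

# Both patterns are copied unchanged from the comment above; Python's re
# module accepts the same syntax as the Perl rules for these expressions.
RDNS_EQ_BY = re.compile(r"^[^\]]+ rdns=([^ ]*) [^\]]+][^\]]+ by=\1 ")
FIRST_HOP_ONLY = re.compile(r" rdns=([^ ]+) [^\[]+ by=\1 [^\[]+$")


def relay(ip, rdns, helo, by, msg_id=""):
    """Build one relay entry; the fields after by= are constructed filler."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by={by} "
            f"ident= envfrom= id={msg_id} auth= ]")


def evaluate(relays):
    """Return (two-hop sub-rule matched, first-hop-only variant matched)."""
    return (bool(RDNS_EQ_BY.search(relays)),
            bool(FIRST_HOP_ONLY.search(relays)))


# Constructed samples; entries are listed most recent relay first, so the
# comment's "first hop" is the last entry in each string.
SAMPLES = {
    # Shape of the single ham FP quoted in the comment.
    "ham_shape": " ".join([
        relay("1.1.1.1", "a.b.c.net", "a.b.c.net", "example.com"),
        relay("1.1.1.1", "a.b.c.net", "!1.1.1.1!", "a.b.c.net", "CONSTRUCTED"),
    ]),
    # Neither RDNS value equals the first hop's BY.
    "unrelated": " ".join([
        relay("2.2.2.2", "dyn.isp.example", "mail.example.org", "mx.example.com"),
        relay("3.3.3.3", "pc.other.example", "!3.3.3.3!", "mail.example.org"),
    ]),
    # Second hop's RDNS equals first hop's BY, but first hop's RDNS differs.
    "two_hop_only": " ".join([
        relay("4.4.4.4", "relay.example.net", "relay.example.net", "mx.example.com"),
        relay("5.5.5.5", "client.example.org", "client", "relay.example.net"),
    ]),
    # First hop's RDNS equals its own BY, but second hop's RDNS differs.
    "first_hop_only": " ".join([
        relay("6.6.6.6", "other.example.net", "other.example.net", "mx.example.com"),
        relay("7.7.7.7", "host.example.org", "host", "host.example.org"),
    ]),
}

if __name__ == "__main__":
    for name, relays in SAMPLES.items():
        print(f"{name:15} {evaluate(relays)}")
```

The last two samples are the shapes on which the two variants disagree, so those are the ones to look for when comparing the rules on a real corpus.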
