https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6693
Bug #: 6693
Summary: FSL_NEW_HELO_USER rule improvements
Product: Spamassassin
Version: 3.3.2
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Rules
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Hi,
I'd like to offer some improvements to the FSL_NEW_HELO_USER rule:
72_active.cf:##{ FSL_NEW_HELO_USER
72_active.cf:meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 ||
__FSL_HELO_USER_2 || __FSL_HELO_USER_3)
72_active.cf:#score FSL_NEW_HELO_USER 2.0
72_active.cf:##} FSL_NEW_HELO_USER
72_active.cf:header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user
/i
72_active.cf:header __FSL_HELO_USER_2 Received =~ /from
User(?:\s+by|\s*\(|$)/i
72_active.cf:header __FSL_HELO_USER_3 Received =~ /helo(?:=|\s)User/i
72_scores.cf:score FSL_NEW_HELO_USER 0.001 0.001 0.001
0.001
which is a meta of __FSL_HELO_USER_1 to 3 as referenced above.
I had a FP hit against this rule today, hitting __FSL_HELO_USER_3:
Received: from [122.167.215.94] (helo=userPC)
It is not uncommon for the first hop to helo with a string such as helo=user
followed by a number of appended alphanumerics as in the case above. The two
most common examples are "HELO UserPC" and "helo=userpc".
To stop this rule FPing, it should be terminated with a ")". Thus I would
propose:
72_active.cf:header __FSL_HELO_USER_3 Received =~ /helo(?:=|\s)User\)/i
Specifically, the two strings we want to match are:
"helo=User)" and "HELO User)".
I have seen only a handful of spam matching "HELO user)", so the above rule
(__FSL_HELO_USER_3) could be left case insensitive, or could be further split
into two case sensitive rules, for example:
72_active.cf:header __FSL_HELO_USER_3 Received =~ /helo=User\)/
72_active.cf:header __FSL_HELO_USER_4 Received =~ /HELO\sUser\)/
Finally, I have recently started to see a few examples of "EHLO User)" so we
might want to incorporate that too:
72_active.cf:header __FSL_HELO_USER_4 Received =~ /(?:HELO|EHLO)\sUser\)/
Moving on to:
72_active.cf:header __FSL_HELO_USER_2 Received =~ /from
User(?:\s+by|\s*\(|$)/i
which typically matches Received headers such as:
Received: from User ([186.8.37.72]) by nskntotgx03p.mx.bigpond.com
but occasionally will miss headers such as:
Received: from User [41.138.171.214] by host2host.com with ESMTP
So I would suggest the rule can be expanded to match "from User" strings
terminated with either a "(" or "[" as the NSL_RCVD_FROM_USER rule currently
does:
72_active.cf:##{ NSL_RCVD_FROM_USER
72_active.cf:header NSL_RCVD_FROM_USER Received =~ /from User
[\[\(]/
72_active.cf:describe NSL_RCVD_FROM_USER Received from User
72_active.cf:##} NSL_RCVD_FROM_USER
So proposed:
72_active.cf:header __FSL_HELO_USER_2 Received =~ /from
User(?:\s+by|\s*[\[\(]|$)/i
At which point I believe this ruleset to be an exceptional indicator of spam
(zero FPs).
--
Configure bugmail:
https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
