On 2/15/2004 at 7:42 AM, "Jonas Eckerman" <[EMAIL PROTECTED]> wrote:
> On Sat, 14 Feb 2004 22:30:09 -0800, Bob Menschel wrote:
>> Question concerning RCVD_NUMERIC_HELO
>> Is there a reason the square brackets were left out of the
>> distribution rule set?
Because the correct case is hardly ever encountered, and the author of
that rule may never have seen the 'correct' case in headers.
> The most probable reason is that it's perfectly legal to use an IP address
> in HELO as long as it's enclosed in square brackets.
Reality is different. Blame it on spamware:
Of 3604 connects to dummy-smtpd logged here over the last 4 weeks:
19 used the bracketed IP number as HELO/EHLO parameter (correct use)
989 used EHLO/HELO with our IP number (pretended to be us) without brackets
182 used EHLO/HELO with a bare IP number without brackets,
40 of those used an IP number not matching that of the connecting host
> The distribution rule gives a score to incorrect numeric HELO, while your
> rule would give the score to both correct and incorrect numeric HELOs.
I can second that change, but the improvement is at most marginal.
Open a Mozilla-bug ticket on this?
You can almost guess what other test would show smashing results,
but for that, SA has to learn what the local interface IP number(s)
is(are), and I don't think there is any code to do that right now.
bye,Kai
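
Added example, not part of the original message and not SpamAssassin code: a small Python classifier that sorts HELO/EHLO arguments into the categories counted above (bracketed literal, bare IP, claims the receiver's own IP, matches or does not match the connecting host). The log tuples and the LOCAL_IPS value are constructed, and only IPv4 literals are handled.

```python
import ipaddress
from collections import Counter

# Assumption: the receiving server's own interface address(es).
LOCAL_IPS = {"192.0.2.10"}

# Constructed sample of (connecting peer IP, HELO/EHLO argument) pairs.
SAMPLE_CONNECTS = [
    ("198.51.100.7", "[198.51.100.7]"),     # bracketed literal, correct form
    ("198.51.100.8", "192.0.2.10"),         # bare, claims to be the receiver
    ("198.51.100.9", "198.51.100.9"),       # bare, matches connecting host
    ("198.51.100.10", "203.0.113.5"),       # bare, matches nobody involved
    ("198.51.100.11", "mail.example.org"),  # ordinary host name
    ("198.51.100.12", "192.0.2.10"),        # bare, claims to be the receiver
]


def classify_helo(peer_ip, helo, local_ips=LOCAL_IPS):
    """Return (form, claim) for one HELO argument.

    form:  'bracketed' | 'bare' | 'name'
    claim: 'local' (receiver's own IP), 'peer' (the connecting IP),
           'other' (some unrelated IP), or None for a non-numeric HELO.
    """
    bracketed = len(helo) > 2 and helo[0] == "[" and helo[-1] == "]"
    literal = helo[1:-1] if bracketed else helo
    try:
        addr = ipaddress.IPv4Address(literal)
    except ValueError:
        return ("name", None)
    form = "bracketed" if bracketed else "bare"
    if str(addr) in local_ips:
        claim = "local"
    elif addr == ipaddress.IPv4Address(peer_ip):
        claim = "peer"
    else:
        claim = "other"
    return (form, claim)


def tally(connects, local_ips=LOCAL_IPS):
    """Count connects per (form, claim) category."""
    return Counter(classify_helo(p, h, local_ips) for p, h in connects)


if __name__ == "__main__":
    for (form, claim), count in tally(SAMPLE_CONNECTS).most_common():
        print(f"{count:4d}  form={form:<9}  claim={claim}")
```

The ("bare", "local") bucket corresponds to the "pretended to be us" count, and it can only be computed when the checker is told the local interface addresses, which is the gap the last paragraph of the message points at.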