>...
>Date: Sat, 12 Mar 2005 18:46:52 -0500
>From: "Eric A. Hall" <[EMAIL PROTECTED]>
>User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
>X-Accept-Language: en-us, en
>MIME-Version: 1.0
>To: users@spamassassin.apache.org
>Subject: Re: SA addr tests need to be updated
>References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
>            <[EMAIL PROTECTED]>
>...
>
>After considering all the discussion, I've filed these three bugs:
>
>  4188--RCVD_HELO_IP_MISMATCH should check address literals (this was
>        argued against by Justin, but I'm convinced it's spam-sign)
>
>  4186--RCVD_NUMERIC_HELO does not test "reserved" addresses (they are
>        still 'numeric' and aren't hostnames, and should still hit)
>
>  4187--RCVD_ILLEGAL_IP does not fire in all cases (reserved, malformed,
>        and literals should all be tested, but aren't)
>
>The rest of it can stay where it is and still be useful
>
>Thanks
>
>--
>Eric A. Hall                                        http://www.ehsco.com/
>Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
>

Eric,

I know what I say certainly holds no authority, but I clearly agree with 4186 and 4187. And if you mean "literals" unqualified by brackets, I not only agree with 4188, but would argue that it and the others should be promoted to be DSN_ style rules and that the finding of unbracketed numeric HELO/EHLOs anywhere in the received chain is an *excellent* spam-sign (especially when forged one or two levels below the "relay" machine).

For 4186 and 4187, it would seem that brackets are irrelevant - you are correct that all cases should be tested. The only exception I would make, if they were DSN_* rules, would be a "-notfirsthop" qualifier for RFC1918 IP hosts and rule #4186 since they are so common for internal corporate networks running DHCP.

Paul Shupak
[EMAIL PROTECTED]
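
An added example, not part of the original thread and not SpamAssassin's own code: a Python illustration of the distinctions discussed above (bracketed address literal, unbracketed numeric HELO, reserved, RFC1918 and malformed addresses) with an RFC1918 first-hop exemption. The label names, the set of ranges treated as "reserved", the earliest-hop-first ordering and the sample chain are assumptions of this example; only IPv4 is handled.

```python
import ipaddress
import re

# IPv4 only: dotted quad, optionally inside the [ ] of an SMTP address literal.
NUMERIC = re.compile(r"^(\[)?(\d{1,3}(?:\.\d{1,3}){3})(\])?$")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_helo(helo):
    """Label one HELO/EHLO argument. Label names are this example's own."""
    m = NUMERIC.match(helo.strip())
    if not m:
        return {"hostname"}
    opened, addr, closed = m.groups()
    labels = {"numeric"}
    if opened and closed:
        labels.add("literal")        # properly bracketed address literal
    elif opened or closed:
        labels.add("malformed")      # unbalanced bracket
    else:
        labels.add("unbracketed")    # bare IP offered as if it were a name
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        labels.add("malformed")      # e.g. an octet above 255
        return labels
    if any(ip in net for net in RFC1918):
        labels.add("rfc1918")
    elif (ip.is_reserved or ip.is_loopback or ip.is_link_local
          or ip.is_unspecified or ip.is_multicast):
        labels.add("reserved")       # assumed meaning of "reserved" here
    return labels

def numeric_helo_hits(helos):
    """helos: HELO strings, earliest hop first (assumed ordering).
    Every numeric HELO hits, bracketed or not; an RFC1918 HELO on the
    first hop is skipped, mirroring the "-notfirsthop" idea."""
    hits = []
    for hop, helo in enumerate(helos):
        labels = classify_helo(helo)
        if "numeric" not in labels or (hop == 0 and "rfc1918" in labels):
            continue
        hits.append((hop, helo, sorted(labels)))
    return hits

# Constructed sample chain, not taken from any real message.
SAMPLE_CHAIN = ["192.168.1.20", "mail.example.org", "10.0.0.5",
                "[203.0.113.9]", "999.1.1.1"]
```
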