I noticed the HELO_DYNAMIC_* thread and the conclusion that IMP adding a Received header may be a source of problems. I pieced together the same conclusion just this morning based on several false positives that went through our campus' IMP-based webmail. In addition to the several variations of HELO_DYNAMIC_*, I also saw one which hit an SPF rule (since it didn't get relayed through the "official" relay).
My first question, for anyone who knows the relevant RFCs better than I, is IMP's behavior of adding a Received header following specs?
Second, has anyone determined the best way to handle this? The two options that immediately come to mind would be to turn off the HELO_DYNAMIC_* rules (but I suspect this would cause more false negatives), or create a score-lowering rule that fires when a webmail/IMP header is detected (also problematic since a webmail header isn't necessarily related to the spamminess of the email, only to the likely existence of false triggers on other rules).
Alternately, is this something that SpamAssassin should be taking into account in its analysis? That is, when SA sees a "with HTTP" descriptor in a Received header, it should just ignore that header altogether (or ignore it in relation to certain rules).
I just stumbled upon this thread now. I must have missed it, or ignored it thinking Shane wasn't using 3.0.2 which doesn't have this problem if you set your trusted networks manually (3.0.2 will extend trust to IMP hops if trusted_networks is set manually). Since Shane never mentioned that he was letting SA infer the trust path, the fact that a bug was still present wasn't obvious.
In any case, I've modified the inference code to extend trust to (the supported) authenticated relays, such as IMP's webmail Received header.
It'll also work with any webmail software that adds 'with HTTP' tokens, Sendmail style authentication tokens, or RFC 3848 compatible authentication tokens.
So... the next major release of SA will fix Shane's problem. Until then, setting trusted_networks manually will also fix his problem if he is using SpamAssassin version 3.0.2.
Daryl
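
As an added illustration of the behaviour discussed in this thread (not SpamAssassin's code and not part of either message), the sketch below walks Received headers from the most recent hop and treats a hop as trusted when its IP is in the trusted networks or when the header carries one of the three authentication markers named above. The function names, the sample headers and addresses, and the choice to stop extending trust after an authenticated hop are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample: trusted network and Received headers, most recent first.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE = [
    "from webmail.example.edu (webmail.example.edu [192.0.2.10]) "
    "by mx.example.edu with ESMTP id 1A2B3C; Sat, 1 Jan 2005 10:00:01 +0000",
    "from 203.0.113.45 ([203.0.113.45]) "
    "by webmail.example.edu (IMP) with HTTP; Sat, 1 Jan 2005 10:00:00 +0000",
]

# 'with HTTP' (webmail) plus the authenticated protocol types of RFC 3848.
AUTH_WITH = {"HTTP", "ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z]+)", re.I)
SENDMAIL_RE = re.compile(r"\(authenticated\b", re.I)  # e.g. "(authenticated bits=0)"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def auth_token(header):
    """Return the authentication marker found in a Received header, or None."""
    for proto in WITH_RE.findall(header):
        if proto.upper() in AUTH_WITH:
            return proto.upper()
    return "sendmail-auth" if SENDMAIL_RE.search(header) else None


def relay_ip(header):
    """Return the first bracketed IPv4 address (the 'from' relay), or None."""
    m = IP_RE.search(header)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:  # e.g. an out-of-range octet in a forged header
        return None


def classify(headers, trusted_networks, extend_auth=True):
    """Label each hop 'network', 'auth:<token>' or 'untrusted'."""
    result, chain_ok = [], True
    for header in headers:
        ip, token = relay_ip(header), auth_token(header)
        if chain_ok and ip and any(ip in net for net in trusted_networks):
            label = "network"
        elif chain_ok and extend_auth and token:
            label = "auth:" + token
            chain_ok = False  # this sketch's choice: no trust past the client
        else:
            label, chain_ok = "untrusted", False
        result.append((str(ip) if ip else None, label))
    return result
```

With `extend_auth=False` the webmail user's address is labelled untrusted, which is the situation in which rules aimed at untrusted relays, such as HELO_DYNAMIC_*, get applied to it.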
