Henrik K wrote:
> On Fri, May 22, 2009 at 06:14:53AM +0200, Benny Pedersen wrote:
>> header HELO_WIERD_FORMAT ALL =~ /\?\d+\.\d+\.\d+\.\d+\?/

matching ALL headers? oh well, it's not my mail...

>> describe HELO_WIERD_FORMAT Helo with ? around nummeric ip
>> score HELO_WIERD_FORMAT 1.5
>
> It's something that mx.google.com likes to do. Better luck next time. :)
>
> OVERALL%    SPAM%     HAM%     S/O    RANK   SCORE  NAME
>    93444    10060    83384   0.108    0.00    0.00  (all messages)
>      175        2      173   0.087    0.00    1.00  HELO_WIERD_FORMAT
>

and not only google. the qmail setup used by free.fr replaces brackets around helo with '?'. so if mail was sent with HELO [1.2.3.4], I see

Received: from ?1.2.3.4? ([ip]) ...

now, you can still score this (literal IP helo is not frequent in legit mail sent by a "public" MTA):

(manually wrapped)

header HELO_LITIP X-Spam-Relays-Untrusted =~
    /^[^\]]+ helo=\[\d{1,3}(\.\d{1,3}){3}\]\s/
header HELO_LITIP_Q X-Spam-Relays-Untrusted =~
    /^[^\]]+ helo=\?\d{1,3}(\.\d{1,3}){3}\?\s/
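
As an added example (not part of the original message and not SpamAssassin code), the Python sketch below runs the three patterns from this thread, copied verbatim, over constructed inputs to show which relay entry each rule actually inspects. The `relay()` helper, the host names, the documentation-range addresses and the simplified bracketed metadata layout are assumptions made for illustration.

```python
import re

# Patterns copied verbatim from the rules in the message above.
RULES_ALL = {"HELO_WIERD_FORMAT": re.compile(r"\?\d+\.\d+\.\d+\.\d+\?")}
RULES_RELAYS = {
    "HELO_LITIP": re.compile(r"^[^\]]+ helo=\[\d{1,3}(\.\d{1,3}){3}\]\s"),
    "HELO_LITIP_Q": re.compile(r"^[^\]]+ helo=\?\d{1,3}(\.\d{1,3}){3}\?\s"),
}


def relay(ip, helo):
    """One constructed relay entry; the bracketed key=value layout is an
    assumption modelled on what the two relay rules expect to see."""
    return f"[ ip={ip} rdns= helo={helo} by=mx.example.net ident= envfrom= ]"


def hits(all_headers, relays_untrusted):
    """Return the sorted names of the rules that fire for one message."""
    fired = [n for n, rx in RULES_ALL.items() if rx.search(all_headers)]
    fired += [n for n, rx in RULES_RELAYS.items() if rx.search(relays_untrusted)]
    return sorted(fired)


# Constructed samples: (raw Received headers, relay metadata string).
SAMPLES = {
    "bracketed literal, first relay": (
        "Received: from [192.0.2.10] ([192.0.2.10]) by mx.example.net\n",
        relay("192.0.2.10", "[192.0.2.10]"),
    ),
    "?-quoted literal, first relay": (
        "Received: from ?192.0.2.10? ([192.0.2.10]) by mx.example.net\n",
        relay("192.0.2.10", "?192.0.2.10?"),
    ),
    "?-quoted literal, second relay only": (
        "Received: from mail.example.org ([203.0.113.5]) by mx.example.net\n"
        "Received: from ?198.51.100.7? ([198.51.100.7]) by mail.example.org\n",
        relay("203.0.113.5", "mail.example.org")
        + " " + relay("198.51.100.7", "?198.51.100.7?"),
    ),
    "hostname HELO": (
        "Received: from mail.example.org ([203.0.113.5]) by mx.example.net\n",
        relay("203.0.113.5", "mail.example.org"),
    ),
}

if __name__ == "__main__":
    for name, (headers, relays) in SAMPLES.items():
        print(f"{name:38} {hits(headers, relays)}")
```

On these constructed inputs the unanchored `ALL` pattern fires wherever a `?ip?` token appears in any header, while the `^[^\]]+` prefix keeps the two relay rules from matching past the first relay entry.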