I noticed some bad false positives on email sent from certain web servers that haven't (yet) been properly configured. For example, a trusted header line starting:

    Received: from 94.229.160.4.srvlist.ukfast.net (94.229.160.4.srvlist.ukfast.net [94.229.160.4])

looks to SpamAssassin like the dynamic IP address of a botnet, when it's actually a perfectly valid mailout or form submission. It hits HELO_DYNAMIC_IPADDR2, HELO_DYNAMIC_SPLIT_IP, RCVD_NUMERIC_HELO and TVD_RCVD_IP. On the Bayes+network scores for SpamAssassin 3.3, this totals 8.948, and on 3.2.5 it's 11.886.

IP addresses have been changed to protect the innocent, but the netblock affected is 94.229.160.0/20, excluding some servers where the hostname has been set to something descriptive.

I've emailed UKFast, but don't know when or if they will fix the problem, so here are some workaround rules for anyone who might be affected:

    header   __HELO_DYNAMIC_UKFAST X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+\.srvlist\.ukfast\.net /
    meta     COMPENSATE_BAD_HELO (HELO_DYNAMIC_IPADDR2 && HELO_DYNAMIC_SPLIT_IP && __HELO_DYNAMIC_UKFAST)
    describe COMPENSATE_BAD_HELO HELO_DYNAMIC_* hit hard on poorly-chosen static rDNS/hostname
    score    COMPENSATE_BAD_HELO -5.0

and also RDNS_DYNAMIC triggers on the reverse DNS, which in these cases is identical with the hostname, so I've rewritten one subrule:

    header   __RDNS_STATIC X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*(?:static|fixip|srvlist\.ukfast\.net)/i

-- 
All best wishes,
Cedric Knight
GreenNet
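
As a check on the two header subrules above, the following added example (not part of the original post) runs their patterns over constructed X-Spam-Relays-Untrusted values. The relay field layout, the `relay` and `subrules` helpers and every sample host other than the one quoted in the post are assumptions made for illustration. It shows that the `^[^\]]+` prefix limits both rules to the first untrusted relay.

```python
import re

# Patterns copied from the two header rules in the post; this Perl syntax
# behaves the same way in Python's re module.
HELO_DYNAMIC_UKFAST = re.compile(
    r"^[^\]]+ helo=\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+\.srvlist\.ukfast\.net ")
RDNS_STATIC = re.compile(
    r"^[^\]]+ rdns=\S*(?:static|fixip|srvlist\.ukfast\.net)", re.I)


def relay(ip, rdns, helo):
    """Build one constructed relay entry (assumed pseudo-header layout)."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=CONSTRUCTED auth= msa=0 ]")


def subrules(relays_untrusted):
    """Report which of the two subrules fire on a pseudo-header value."""
    return {
        "__HELO_DYNAMIC_UKFAST": bool(HELO_DYNAMIC_UKFAST.search(relays_untrusted)),
        "__RDNS_STATIC": bool(RDNS_STATIC.search(relays_untrusted)),
    }


UKFAST = "94.229.160.4.srvlist.ukfast.net"        # host quoted in the post
OTHER = "host-198-51-100-7.dyn.example.net"       # constructed dynamic-style name

SAMPLES = {
    # The UKFast server is the relay that handed the mail to us.
    "ukfast_first": relay("94.229.160.4", UKFAST, UKFAST),
    # Unrelated dynamic-looking host: the workaround must not apply.
    "other_dynamic": relay("198.51.100.7", OTHER, OTHER),
    # UKFast host appears only as an earlier hop, after the first "]":
    # [^\]]+ cannot cross the bracket, so neither subrule fires.
    "ukfast_second": relay("203.0.113.9", "mail.example.com", "mail.example.com")
                     + " " + relay("94.229.160.4", UKFAST, UKFAST),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, subrules(value))
```

Because COMPENSATE_BAD_HELO also requires the stock HELO_DYNAMIC_IPADDR2 and HELO_DYNAMIC_SPLIT_IP rules to hit, the -5.0 score applies only when all three conditions are true for the same message.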