On Mon, 20 Oct 2014, Quinn Comendant wrote:
> I'm getting FORGED_YAHOO_RCVD false positives for messages with yahoo received
> headers that do not match the search pattern defined in
> check_for_forged_yahoo_received_headers(). I'm using SpamAssassin 3.3.2 with
> latest rules as per `sa-update` rule channels `sought.rules.yerp.org` and
> `updates.spamassassin.org`.
>
> The spamassassin rule that is firing:
>
> * 1.6 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
>
> The received-by header in question:
>
> Received: from unknown (HELO nm46-vm10.bullet.mail.bf1.yahoo.com) (216.109.114.203)
>
> Full mail headers available at https://cloudup.com/cbmG8tJF71k
>
> And finally here's the `check_for_forged_yahoo_received_headers` function that
> parses this, which doesn't contain the correct regex for this hostname:
>
> [snip..]
>     return 1;
> }
You have two different rules that have fired there (FORGED_YAHOO_RCVD &
RDNS_NONE) because your MTA was not able to resolve that IP address to
its registered domain name.
The SA code correctly parsed the info that your MTA gave it, it's just
that info was incorrect either due to local DNS issues or a network issue.
Then because you (or somebody configuring your SA) have lowered the spam
threshold from 5.0 to 3.0, it caused an FP on this message.
I don't think that it is valid to declare a bug in SA because of an issue
local to your system (problematic MTA/DNS & local config choices).
I see that you also have a hit on URIBL_BLOCKED which tends to indicate
that you have local DNS issues that should be addressed.
Suggestions:
1) work on improving your DNS system
2) put the spam threshold back to default to reduce FPs triggered by DNS
issues.
3) create a meta rule that takes the DKIM_VALID detection to nullify the
effect of that FORGED_YAHOO_RCVD (in case you cannot get your DNS to work
correctly).
If you lowered that spam threshold because of too many FNs, I think that
getting the DNS fixed so RBL tests work will take care of that too.
There have been plenty of posts to this list about URIBL_BLOCKED and how
to fix it.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
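A local.cf fragment showing what suggestions 2 and 3 above look like in SpamAssassin configuration (added here as an illustration, not part of the thread). DKIM_VALID_AU is SpamAssassin's stock rule for a valid DKIM signature whose signing domain matches the From: domain, which is the check that actually rebuts a "forged" verdict; the rule name YAHOO_RCVD_DKIM_OK is my own choice.

```conf
# --- suggestion 2: go back to the stock threshold so DNS hiccups alone
#     (FORGED_YAHOO_RCVD + RDNS_NONE) cannot push a legitimate mail over it
required_score 5.0

# --- suggestion 3: when the Yahoo Received: check fires but the message
#     carries a valid, From:-aligned DKIM signature, give the points back.
#     FORGED_YAHOO_RCVD is a 1.6 point hit in the report quoted above, so the
#     compensating score is -1.6; adjust if your local score for it differs.
meta     YAHOO_RCVD_DKIM_OK  (FORGED_YAHOO_RCVD && DKIM_VALID_AU)
describe YAHOO_RCVD_DKIM_OK  Yahoo Received header mismatch offset by aligned DKIM
score    YAHOO_RCVD_DKIM_OK  -1.6

# DKIM_VALID_AU needs the DKIM plugin loaded (v312.pre) and working DNS to
# fetch the selector key, so this compensation also depends on fixing DNS.
```

After editing, run `spamassassin --lint` to confirm the fragment parses before reloading spamd.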