spamassassin-users mailing list archives

From Dan Fulbright <dan+spamassassin-users-l...@dan.tulsa.ok.us>
Subject Re: Multiple rules for dynamic-looking IP addresses
Date Tue, 04 Sep 2007 21:26:11 GMT
On 2007-08-29 23:16, Dan Fulbright wrote:
> I'm having problems with high scores from messages sent from IP
> addresses that appear to be dynamic, but in fact are static. Here's an
> example:
> 
>         *  4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
>         *  4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
>         *  1.6 TVD_RCVD_IP TVD_RCVD_IP
>         *  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> 
> Here are the Received lines, with specific information cleaned:
> 
> Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com with SMTP;
>    Sat, 25 Aug 2007 04:11:59 -0500
> Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft SMTPSVC(6.0.3790.1830);
>          Sat, 25 Aug 2007 14:48:07 +0530
> 
> I realize that 1.2.3.4 should have a better reverse DNS, but it seems
> that it causes the SA score to be artificially high. I know I could
> disable some of these tests, but I feel like that would artificially
> lower scores.
> 
> How can I adjust the scores or write/fix rules so that static IP
> addresses are recognized as such?
> 
> I am an admin for example2.com.

Thank you for the replies; however, I think I'll restate my own
question. Why are there so many rules that seem to check for the same
thing? I'm seeing this more and more often. xo.net seems to be a
common domain that uses hostnames like this to send mail. I feel like
the right thing to do would be to tell the sender to get a better
reverse DNS, but that just isn't feasible.

Received: from 1.2.3.4.ptr.us.xo.net [1.2.3.4] by mail4.example2.com with SMTP;
   Tue, 4 Sep 2007 12:10:07 -0500

Is anyone familiar with xo.net? If so, do you know why I am seeing so
many messages from hostnames that look like this? Are these dynamic or
static IP addresses?

Thanks.

--df
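One way to address the original question (adjusting scores so that IPs under a known static naming scheme are not penalised by all four dynamic-looking-hostname rules at once) is a local.cf fragment like the following. This is an added example, not from the thread or the SpamAssassin distribution: the rule names `__RCVD_STATIC_RDNS` and `RCVD_STATIC_RDNS_OFFSET` are hypothetical, the two rDNS suffixes are the ones quoted in this thread, and the -3.0 offset is an illustrative value to be tuned against your own mail.

```spamassassin
# Added example for local.cf (hypothetical rule names; patterns taken from
# this thread). X-Spam-Relays-External is SpamAssassin's pseudo-header that
# lists the untrusted relays, most recent first, as
#   [ ip=1.2.3.4 rdns=host helo=host by=... ]
# so anchoring on "^" tests only the relay that handed the mail to us.

# Sub-rule (leading "__" = zero score, never reported on its own):
# the first external relay's rDNS ends in a suffix that the operator has
# confirmed is a *static* address naming scheme.
header   __RCVD_STATIC_RDNS  X-Spam-Relays-External =~ /^\[ ip=\d+\.\d+\.\d+\.\d+ rdns=\S+\.(?:static\.vsnl\.net\.in|ptr\.us\.xo\.net) /i

# Offset rule: only fires when the static pattern matched AND at least one
# of the dynamic-hostname rules from the report also fired, so it does not
# lower the score of mail that those rules never touched.
meta     RCVD_STATIC_RDNS_OFFSET  __RCVD_STATIC_RDNS && (HELO_DYNAMIC_SPLIT_IP || HELO_DYNAMIC_IPADDR2 || RCVD_NUMERIC_HELO || TVD_RCVD_IP)
describe RCVD_STATIC_RDNS_OFFSET  Relay rDNS follows a known static-address naming scheme
score    RCVD_STATIC_RDNS_OFFSET  -3.0

# Keep the offset smaller than the sum of the rules it compensates for:
# an entry in this list only says the naming scheme is static, not that the
# host is trustworthy, so other content and network tests still decide.
```

Run `spamassassin --lint` after editing to confirm the rules parse, and add further suffixes to the alternation only once you have confirmed with the provider that they denote static assignments.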
