Re: Multiple rules for dynamic-looking IP addresses

> I'm having problems with high scores from messages sent from IP
> addresses that appear to be dynamic, but in fact are static. Here's an
> example:
>
> * 4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
> * 4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
> * 1.6 TVD_RCVD_IP TVD_RCVD_IP
> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
>
> Here are the Received lines, with specific information cleaned:
>
> Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com with SMTP;
> Sat, 25 Aug 2007 04:11:59 -0500
> Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft SMTPSVC(6.0.3790.1830);
> Sat, 25 Aug 2007 14:48:07 +0530
>
> I realize that 1.2.3.4 should have a better reverse DNS, but it seems
> that it causes the SA score to be artificially high. I know I could
> disable some of these tests, but I feel like that would artificially
> lower scores.
>
> How can I adjust the scores or write/fix rules so that static IP
> addresses are recognized as such?
>
> I am an admin for example2.com.
You could probably do something crudely along the lines of
# sub-rule (leading __ means it carries no score of its own); "\s" in the
# original regex would have been the whitespace escape, so it is dropped here
header __STATIC_NAME Received =~ /\d\.static\./
# fires only when the "static" reverse-DNS name and a dynamic-hostname rule both hit
meta SCORE_FUTZER (__STATIC_NAME && (HELO_DYNAMIC_SPLIT_IP || HELO_DYNAMIC_IPADDR2))
score SCORE_FUTZER -8
There is probably a better solution, and you could also probably use
lasttrusted or firstuntrusted to advantage, depending on whether you have
the static* lines in your trust domain.
Loren
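Added illustration, not from the thread: a small Python model of how a meta rule like the one above offsets the dynamic-hostname scores, and why restricting the static check to the first untrusted relay (the lasttrusted/firstuntrusted hint) matters. The dynamic-check regex, the trusted networks and the second message are constructed stand-ins, not SpamAssassin's real rules or data.

```python
import re
from ipaddress import ip_address, ip_network

# Scores from the report above; SCORE_FUTZER is the -8 offset from the reply.
SCORES = {"HELO_DYNAMIC_SPLIT_IP": 4.2, "HELO_DYNAMIC_IPADDR2": 4.4, "SCORE_FUTZER": -8.0}

# Constructed stand-in for the HELO_DYNAMIC_* checks (name starts with a dotted IP); not SA's real regex.
DYNAMIC_RE = re.compile(r"^\d{1,3}(?:[.-]\d{1,3}){3}[.-]")
# The __STATIC_NAME pattern, with the "\s" escape in the original removed.
STATIC_RE = re.compile(r"\d\.static\.")
# "from NAME [IP] by ..." / "from NAME ([IP]) by ..." as in the quoted headers.
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed trusted_networks for example2.com; adjust to your own site.
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]

def first_untrusted_relay(received):
    """Walk Received headers top-down (newest first); the first 'from' IP
    outside our trusted networks is the relay SA calls the first untrusted."""
    for hdr in received:
        m = RECEIVED_RE.match(hdr.strip())
        if m and not any(ip_address(m.group(2)) in net for net in TRUSTED):
            return m.group(1), m.group(2)
    return None

def score(received, static_scope="firstuntrusted"):
    """Return (net score, sorted rule hits) for the three rules modelled here."""
    hits = set()
    relay = first_untrusted_relay(received)
    if relay and DYNAMIC_RE.match(relay[0]):
        hits.update(["HELO_DYNAMIC_SPLIT_IP", "HELO_DYNAMIC_IPADDR2"])
    if static_scope == "all":          # plain 'header Received' matches every Received line
        static = any(STATIC_RE.search(h) for h in received)
    else:                              # only the relay we actually spoke to
        static = bool(relay and STATIC_RE.search(relay[0]))
    if static and hits:                # the meta rule: __STATIC_NAME && (dynamic rules)
        hits.add("SCORE_FUTZER")
    return round(sum(SCORES[r] for r in hits), 1), sorted(hits)

# The two Received lines quoted in the question (date lines omitted).
REPORTED = [
    "from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com with SMTP;",
    "from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft SMTPSVC;",
]
# Constructed message: a dynamic-looking sender that put "static" in a header it forged.
FORGED = [
    "from 5.6.7.8.dyn.example.net [5.6.7.8] by mail5.example2.com with SMTP;",
    "from 9.9.9.9.static.example.org [9.9.9.9] by bogus.example.net with SMTP;",
]
```

An unrestricted `header Received` match lets any Received line the sender wrote trigger the offset (FORGED scores 0.6 with "all"), while matching only the relay you spoke to keeps the dynamic-hostname penalty (8.6).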
Received on Thu Aug 30 00:32:28 2007
This archive was generated by hypermail 2.1.8 : Fri Oct 26 2007 - 03:18:26 EDT