[Bug 3216] New: Received header rules, multiple IP
http://bugzilla.spamassassin.org/show_bug.cgi?id=3216

Summary: Received header rules, multiple IP
Product: Spamassassin
Version: 2.63
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Rules
AssignedTo: spamassassin-dev@incubator.apache.org
ReportedBy: Bob@Menschel.net


Rule offered to me from someone not on SA lists,

> The rule below was sent to me by Regis Wilson. He offered me the rule,
> validating whether it's generally useful, and asking me to post it if it
> works.
>
> It works! Results of my mass-check here:
>
> Section 3 -- Frequencies Log
> (First numeric frequencies, followed by percentage frequencies)
>
> OVERALL SPAM HAM S/O SCORE NAME
> 119325 98981 20344 0.830 0.00 0.00 (all messages)
> 9199 9198 1 0.999 0.00 3.00 SUSP_IP_RECEIVED
>
> OVERALL% SPAM% HAM% S/O RANK SCORE NAME
> 119325 98981 20344 0.830 0.00 0.00 (all messages)
> 100.000 82.9508 17.0492 0.830 0.00 0.00 (all messages as %)
> 7.709 9.2927 0.0049 0.999 0.00 3.00 SUSP_IP_RECEIVED
>
> Matched 9.3% of all spam in my corpus, and matched only 1 ham.
>
> So I responded back to him, asking
> RM> I'd like to not only post it, but submit it to the SpamAssassin Devs
> RM> for consideration in their next release. Do you give your permission
> RM> for them to include and distribute the rule with no conditions?
>
> His response to me, Thu, 25 Mar 2004 07:43:24 -0800 (PST), message id
> <200403251543.i2PFhOsc067145@wmgnp.tempdomainname.com>, was:
> > Yes, absolutely.

Rule as follows:

header SUSP_IP_RECEIVED Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
describe SUSP_IP_RECEIVED Received line is suspicious (from IP by IP)
score SUSP_IP_RECEIVED 3.0



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
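
To see which Received lines the pattern above hits and which it skips, here is an added example (not part of the original report or of SpamAssassin) that applies the same regular expression in Python to a constructed message. The sample headers, addresses and the per-header matching are assumptions of this example, not a description of how SpamAssassin evaluates header rules.

```python
import re
from email import message_from_string

# Pattern copied from the rule in the report; Perl's /i becomes re.IGNORECASE.
SUSP_IP_RECEIVED = re.compile(
    r"from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])"
    r"\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])",
    re.IGNORECASE,
)

# Constructed sample message (RFC 5737 documentation addresses, example domains).
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000
Received: from 203.0.113.5
\tby 198.51.100.7 with SMTP; Mon, 01 Jan 2024 10:00:04 +0000
Received: from [192.0.2.10] by 198.51.100.7; Mon, 01 Jan 2024 10:00:03 +0000
Received: from 192.0.2.10 by mx.example.net; Mon, 01 Jan 2024 10:00:02 +0000
Received: from 192.0.2.255 by 198.51.100.7; Mon, 01 Jan 2024 10:00:01 +0000
Subject: constructed sample

body
"""


def rule_hits(raw_message):
    """Return the Received header values that the pattern matches."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        # Unfold continuation lines so each header is a single line of text.
        unfolded = " ".join(value.split())
        if SUSP_IP_RECEIVED.search(unfolded):
            hits.append(unfolded)
    return hits


if __name__ == "__main__":
    # Only the bare "from IP by IP" header is reported. The hostname form,
    # the bracketed IP, the hostname after "by", and the octet 255 (the
    # pattern stops at 254) are all skipped.
    for hit in rule_hits(SAMPLE):
        print("SUSP_IP_RECEIVED:", hit)
```
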