Rule question: HFILTER_HOSTNAME_UNKNOWN


Sophie Lo

Jun 18, 2018, 5:29:38 AM6/18/18
to rspamd@googlegroups com
Hi,

I have been seeing most email coming through hit this rule HFILTER_HOSTNAME_UNKNOWN (2.50) for a while.
Email comes from yahoo.com to smaller domains.

What does this rule target?

Note: I am still running v 1.7.5.

Best, Sophie
Sent from a mobile. Excuse my brevity.

Sophie Loe

Jun 18, 2018, 6:24:29 AM6/18/18
to rspamd@googlegroups com

Based on the example email below, which field would contain the hostname that failed the PTR/FCrDNS verification? All hosts in the email resolve bar this line:
Received: from so-prod-service ([52.177.199.129])
by smtp.gmail.com with ESMTPSA id h67-v6sm4802066qkc.77.2018.06.18.01.15.58


Found the rule in scores.d/hfilter_group.conf
"HFILTER_HOSTNAME_UNKNOWN" {
weight = 2.50;
description = "Unknown client hostname (PTR or FCrDNS verification failed)";
}



Example mail that triggered this rule:

Return-Path: <in...@hiddensender.be>
Delivered-To: anony...@example.co.uk
Received: from mx10.example.co.uk
by mx10 (Dovecot) with LMTP id w5WkK0RqJ1tbIAAAQEGcbA
for <anony...@example.co.uk>; Mon, 18 Jun 2018 08:16:04 +0000
Received: from mail-qk0-f173.google.com (unknown [209.85.220.173])
by mx10.example.co.uk (Postfix) with ESMTPS id CBB403C
for <anony...@example.co.uk>; Mon, 18 Jun 2018 08:16:01 +0000 (UTC)
Received: by mail-qk0-f173.google.com with SMTP id a195-v6so8895440qkg.3
for <anony...@example.co.uk>; Mon, 18 Jun 2018 01:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=hiddensender-be.20150623.gappssmtp.com; s=20150623;
h=message-id:date:mime-version:from:to:reply-to:subject
:content-transfer-encoding;
bh=sEB63XmNJarP9Z3rWPamtUAc9SPoZl7BQglwXwvDQvk=;
b=ihmfqzEu4+5B1qcfCbzIBMCOfklbTWByFl/slWcWWzEFSU6kSLHGRSgVK3dCf6TOMh
ujBmJKR/4a33QRc03s/qjGH1WP+bDF2y5XBu3fz3swPgDJq4qCiu+VJeMveR8E3mEm+R
OqoQy0ep1qziPXgIIkx9TNuyIqIstkeoaHOsuyyPO1vehIbKl//8HiWreRKaEH++VZeQ
IiRf2okC7D1L3fjYPKb8iTtE64v6Xem74/nqAWiecSOOHX37HPPYpw/TlVcMr9WODKyv
2bqJrUI2kAehdOpyN3lAy2SKqztVcC0fWx0Z04jigmC7ypBBZJbUwRISUC++VTGLaVIz
QlCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:message-id:date:mime-version:from:to:reply-to
:subject:content-transfer-encoding;
bh=sEB63XmNJarP9Z3rWPamtUAc9SPoZl7BQglwXwvDQvk=;
b=G+1xlkVLrUJJcgLiHLd0GRKtGwaXLl6Um8AekEBdPtMSG+MiNrp8GJCQb93AYaRoSP
aUHA8pJitxunM7buOq+f9R5tvKA6k/oOF9UR7FzeG8KefPzXdB3yD2LxdUsXDMFYN6vL
Clu13lUGyPXpFuicmSygNzIRzyAyHY3zbgvSsB/IEtMzJwfhOWQ9Hi4YIH2TiXqXAtjF
p/q8RLQZpi79fJcHB4PswJ2Xxgn2LaXr2EO1uKoF2vaLal4oqMeGCPySAD2fwhUZauSx
AneP1ihfsOeFGJaOLSmws+akTetXrNF9/qSHFgNj+lKjahJYt/pyGWMvtsp0zKWqgBOp
kV5w==
X-Gm-Message-State: APt69E2qRuV6Kh2gAQKi9z9AySsQX1pqTH1WAEd3UX4u44QdvpUYK5Lu
AeQLkVwXS22KUkWmgpdkNXPo9wgY0Sc=
X-Google-Smtp-Source: ADUXVKKA9zqvMLIw1goMKAPNQjJOkRwUM+1tFxviOR5GYsAPuZr/7pxY/z1w3C1m7cVON0Vlph33nQ==
X-Received: by 2002:a37:7e04:: with SMTP id z4-v6mr9038731qkc.66.1529309759834;
Mon, 18 Jun 2018 01:15:59 -0700 (PDT)
Received: from so-prod-service ([52.177.199.129])
by smtp.gmail.com with ESMTPSA id h67-v6sm4802066qkc.77.2018.06.18.01.15.58
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 18 Jun 2018 01:15:58 -0700 (PDT)
Message-ID: <5b276a3e.1c69f...@mx.google.com>
Date: Mon, 18 Jun 2018 01:15:58 -0700 (PDT)
X-Google-Original-Date: 18 Jun 2018 01:15:58 -0700
MIME-Version: 1.0
From: "ScheduleOnce Mailer" <in...@hiddensender.be>
To: anony...@example.co.uk
Reply-To: in...@2hiddensender.com
Subject: ***SPAM*** Your upcoming appointment is starting in approximately 24 hours
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
X-Spamd-Bar: ++++++
X-Spam-Level: ******
X-Rspamd-Server: mx10
Authentication-Results: mx10.example.co.uk;
dkim=pass header.d=hiddensender-be.20150623.gappssmtp.com;
spf=softfail smtp.mailfrom=in...@hiddensender.be
X-Rspamd-Queue-Id: CBB403C
X-Spamd-Result: default: False [6.83 / 14.00];
ARC_NA(0.00)[];
RCVD_IN_DNSWL_NONE(0.00)[173.220.85.209.list.dnswl.org : 127.0.5.0];
REPLYTO_DOM_NEQ_FROM_DOM(0.00)[];
BAYES_HAM(-2.76)[98.98%];
DKIM_TRACE(0.00)[hiddensender-be.20150623.gappssmtp.com:+];
FROM_HAS_DN(0.00)[];
DMARC_NA(0.00)[hiddensender.be];
RWL_MAILSPIKE_GOOD(0.00)[173.220.85.209.rep.mailspike.net : 127.0.0.18];
FROM_EQ_ENVFROM(0.00)[];
PREVIOUSLY_DELIVERED(0.00)[anony...@example.co.uk];
TO_MATCH_ENVRCPT_ALL(0.00)[];
RCVD_COUNT_THREE(0.00)[3];
MIME_BASE64_TEXT(0.10)[];
HAS_REPLYTO(0.00)[in...@2hiddensender.com];
R_SPF_SOFTFAIL(0.00)[~all];
R_DKIM_ALLOW(-0.20)[hiddensender-be.20150623.gappssmtp.com];
HTML_SHORT_LINK_IMG_1(2.00)[];
MIME_HTML_ONLY(0.20)[];
RCVD_TLS_LAST(0.00)[];
RCPT_COUNT_ONE(0.00)[1];
R_SUSPICIOUS_URL(5.00)[maps.google.com];
ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
TO_DN_NONE(0.00)[];
MX_GOOD(-0.01)[ASPMX.L.GOOGLE.COM];
HFILTER_HOSTNAME_UNKNOWN(2.50)[];
RCVD_VIA_SMTP_AUTH(0.00)[]
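The following is an added example by the editor, not code from rspamd or from the poster. The hfilter module scores the hostname of the client that connected to your own MTA, which for this message is the hop Postfix on mx10 recorded: "from mail-qk0-f173.google.com (unknown [209.85.220.173])". Postfix writes "unknown" in place of the client name when the reverse lookup of the connecting address fails or the returned name does not resolve back to that address, and that is what rspamd sees. The inner hop "from so-prod-service ([52.177.199.129])" was written by smtp.gmail.com about its own authenticated client and is not the hostname this rule evaluates. The script below pulls the client hostname and IP out of each Received header that names one and repeats the PTR-then-forward (FCrDNS) check for it, so you can compare what your MTA recorded against what your resolver returns now. The sample headers are constructed from the message in the thread; the DNS answers in the stub tables are assumptions for offline use (including a made-up 198.51.100.7 whose PTR does not resolve back), and the system_ptr/system_fwd helpers are the live alternative.

```python
"""FCrDNS audit of Received headers: which hop's client name is 'unknown'.

Editor's example, not rspamd or poster code.  Sample headers are built from
the message in the thread; DNS stub answers are constructed assumptions.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
FwdLookup = Callable[[str], List[str]]       # name -> A/AAAA addresses

# Client part of a Received header as Postfix and Gmail write it:
#   "from HELO (REVERSE-NAME [IP])"   or   "from HELO ([IP])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)",
    re.MULTILINE,
)


@dataclass
class Hop:
    ip: str
    helo: str
    mta_rdns: Optional[str]   # name the recording MTA wrote; "unknown" = it failed
    ptr: Optional[str]        # PTR we resolved ourselves; None if no PTR
    forward_ok: bool          # PTR name resolves back to ip (FCrDNS)

    @property
    def verdict(self) -> str:
        if self.ptr is None:
            return "no PTR"
        return "FCrDNS ok" if self.forward_ok else "FCrDNS fail (PTR does not resolve back)"


def fcrdns_check(ip: str, ptr_lookup: PtrLookup, fwd_lookup: FwdLookup) -> Tuple[Optional[str], bool]:
    """PTR(ip) -> name, then require ip in A/AAAA(name): the 'PTR or FCrDNS
    verification' the rule description refers to."""
    name = ptr_lookup(ip)
    if name is None:
        return None, False
    return name, ip in fwd_lookup(name)


def parse_received(headers: str) -> List[dict]:
    """helo / rdns / ip for every Received header that names a client IP, in
    header order (top = last hop, i.e. the one your own MTA recorded)."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(headers)]


def audit_received(headers: str, ptr_lookup: PtrLookup, fwd_lookup: FwdLookup) -> List[Hop]:
    hops = []
    for h in parse_received(headers):
        ptr, ok = fcrdns_check(h["ip"], ptr_lookup, fwd_lookup)
        hops.append(Hop(h["ip"], h["helo"], h["rdns"], ptr, ok))
    return hops


# Live resolver: pass these instead of the stubs to query real DNS.
def system_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # herror / gaierror are OSError subclasses
        return None


def system_fwd(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


# Constructed sample: the two client-naming hops from the thread's message.
SAMPLE_HEADERS = """\
Received: from mail-qk0-f173.google.com (unknown [209.85.220.173])
 by mx10.example.co.uk (Postfix) with ESMTPS id CBB403C
Received: by mail-qk0-f173.google.com with SMTP id a195-v6so8895440qkg.3
Received: from so-prod-service ([52.177.199.129])
 by smtp.gmail.com with ESMTPSA id h67-v6sm4802066qkc.77.2018.06.18.01.15.58
"""

# Constructed DNS answers (assumptions, not real lookups): a relay with
# matching PTR/forward, an IP with no PTR, and an IP whose PTR names a host
# that does not resolve back to it.
STUB_PTR: Dict[str, Optional[str]] = {
    "209.85.220.173": "mail-qk0-f173.google.com",
    "52.177.199.129": None,
    "198.51.100.7": "mail.example.net",
}
STUB_FWD: Dict[str, List[str]] = {
    "mail-qk0-f173.google.com": ["209.85.220.173"],
    "mail.example.net": ["203.0.113.9"],
}


def stub_ptr(ip: str) -> Optional[str]:
    return STUB_PTR.get(ip)


def stub_fwd(name: str) -> List[str]:
    return STUB_FWD.get(name, [])


if __name__ == "__main__":
    for hop in audit_received(SAMPLE_HEADERS, stub_ptr, stub_fwd):
        print(f"{hop.ip:16} helo={hop.helo:26} mta_saw={hop.mta_rdns!s:8} "
              f"ptr={hop.ptr} -> {hop.verdict}")
```

With the stub tables, the Google hop comes back "FCrDNS ok" even though mx10 recorded "unknown" for it; when that happens on a live run with system_ptr/system_fwd, the mismatch points at the resolver the MTA and rspamd use rather than at the sender, which is the first thing to check when the rule fires on most inbound mail.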