RBL Rules Misfiring


    Hello all.

    I searched my archive of the list, and couldn't find a similar issue. This
    is probably something I've misconfigured, but here goes. Running SA 3.14
    via the Mail::SpamAssassin Perl plugin from amavisd-new. Have been running
    into a problem where some dynamic RBL lists are firing just because the IP
    is in the headers, not necessarily because it's the IP talking to my MTA.
    They are indeed IPs in the list but shouldn't be firing because they're
    really using their ISP's mail servers as you can see later in the headers.
    I'm *really* hoping this isn't intended operation and it's just something
    I've blundered somehow. Below is a piece of one of the message
    notifications I receive. I've been watching this on a couple small domains
    I own before putting it on our main one, and it's a good thing!

    Thanks in advance for the help.
    - D.J.

    Content analysis details: (10.9 points, 5.0 required)

    pts rule name description
    1.4 MSGID_FRM_MTA_ID Message-Id for external message added locally
    -0.0 SPF_PASS SPF: sender matches SPF record
    0.0 HTML_MESSAGE BDY: HTML included in message
    0.0 BAYES_50 BDY: Bayesian spam probability is 40 to 60%
    [score: 0.4964]
    2.2 RCVD_IN_SRBS_SCKS RBL: SRBS: sender is open SCKS proxy server
    [24.140.8.46 listed in dnsbl.sorbs.net]
    2.0 RCVD_IN_SRBS_DUL RBL: SRBS: sent directly from dynamic IP address
    [24.140.8.46 listed in dnsbl.sorbs.net]
    2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
    [<>]
    0.7 RCVD_IN_NJABL_PRXY RBL: NJABL: sender is an open proxy
    [24.140.8.46 listed in combined.njabl.org]
    1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    [24.140.8.46 listed in combined.njabl.org]
    1.8 MISSING_SUBJECT Missing Subject: header
    -1.8 AWL AWL: From: address is in the auto white-list

    Return-Path: <protected>
    Received: from smtp-1.sssnet.com (nat-147.sssnet.com [24.140.1.147])
    by test.sssnet.com (Postfix) with ESMTP id 663292B803E
    for <protected>; Wed, 23 Aug 2006 14:58:41 -0400 (EDT)
    Received: (qmail 11376 invoked by uid 507); 23 Aug 2006 18:58:42 -0000
    Received: from 24.140.8.46 by smtp-1.sssnet.com (envelope-from <protected>,
    uid 501) with qmail-scanner-1.25st
    (clamdscan: 0.88.2/1715. spamassassin: 3.0.3. perlscan: 1.25st.
    Clear:RC:1(24.140.8.46):SA:0(1.2/14.0):.
    Processed in 0.727458 secs); 23 Aug 2006 18:58:42 -0000
    X-Spam-Status: No, hits=1.2 required=14.0
    X-Spam-Level: +
    Received: from cable-8-46.sssnet.com (HEL SERVER) ([24.140.8.46])
    (envelope-sender <protected>)
    by 0 (qmail-ldap-1.03) with SMTP
    for <protected>; 23 Aug 2006 18:58:41 -0000
    From: "Sue Repp" <protected>
    To: "'Mary Richardson'" <protected>
    Subject:
    Date: Wed, 23 Aug 2006 14:58:53 -0400
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary=""
    X-Mailer: Microsoft , Build 11.0.5510
    Thread-Index: AcbGUpRAZ33ceQQ==
    X-MLE: Produced By Microsoft MLE V6.00.2900.2962
    X-Qmail-Scanner-Message-ID: <115635952192211365 (AT) smtp-1 (DOT) sssnet.com>
    Message-Id: <20060823185841.663292B803E (AT) test (DOT) sssnet.com>
  • No.1

    As a quick guess, you probably need to fix your Trust Path:


  • No.2

    8/23/06, Stuart Johnston <stuart (AT) ebby (DOT) com> wrote:

    > As a quick guess, you probably need to fix your Trust Path:

    No, I've got that set properly, as I didn't trust the autodiscovery. So
    I've already entered the class C for my MX's and SMTP's there for both
    trusted_networks and internal_networks.
  • No.3

    K, after Googling around for a bit, I may have stumbled on something
    specifically this trust path thing. I had my trusted_networks and
    internal_networks set as my SMTP's and MX's class C network. Because of
    that, is that causing SA to look at the relay beyond the trusted network as
    the agent to compare the RBL to? Come to think of it, this didn't appear
    (or at least wasn't reported to me) before I set those values. At any rate,
    I've completely removed the internal_networks value, and changed the trusted
    values variable to 127.0.0.1. Eventually this will be behind a NAT machine,
    so I have to set *something*. If anyone thinks I'm on the right path, let
    me know. I'm also going to continue monitoring for this problem, so if it
    goes away now, I'll let the list know for posterity's sake. Thanks!
    - D.J.
  • No.4

    The problem has indeed ceased since changing the setting. At first it
    didn't quite make sense to me as to why it was working the way it was, but I
    guess it makes perfect sense if you sit and think about it. A lesson for
    those who don't know, you never want your MX server to be a "trusted server"
    or you may have rules firing that shouldn't ;-)
  • No.5

    D.J. wrote:
    > The problem has indeed ceased since changing the setting. At first it
    > didn't quite make sense to me as to why it was working the way it was,
    > but I guess it makes perfect sense if you sit and think about it. A
    > lesson for those who don't know, you never want your MX server to be a
    > "trusted server" or you may have rules firing that shouldn't ;-)

    That's incorrect. You always want your MX to be trusted. SA will then
    check the IP that connects to your MX against most RBLs. Regardless,
    there are a few RBLs that SA will check all IPs against. Debug info
    makes it clear what exactly is being checked.

    Daryl
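Neither poster spells out why the class C range made the DUL rules fire, so here is an added Python model (not SpamAssassin's code, and not written by anyone in the thread) of how the trust path chooses the IP that a last-external rule tests, run over the Received headers from D.J.'s message. It assumes the class C D.J. trusted was 24.140.1.0/24, which also takes in the ISP smarthost smtp-1.sssnet.com, and replaces the DNSBL lookup with a constructed set.

```python
import ipaddress
import re

# Received headers from the thread, outermost (the poster's MX) first.
# The qmail "invoked by uid" hop names no connecting IP and is skipped.
RECEIVED = [
    "from smtp-1.sssnet.com (nat-147.sssnet.com [24.140.1.147]) "
    "by test.sssnet.com (Postfix) with ESMTP id 663292B803E",
    "(qmail 11376 invoked by uid 507); 23 Aug 2006 18:58:42 -0000",
    "from 24.140.8.46 by smtp-1.sssnet.com (envelope-from <protected>, "
    "uid 501) with qmail-scanner-1.25st",
    "from cable-8-46.sssnet.com (HEL SERVER) ([24.140.8.46]) "
    "(envelope-sender <protected>) by 0 (qmail-ldap-1.03) with SMTP",
]
# Constructed stand-in for the DNSBL answer: the thread shows 24.140.8.46
# listed in dnsbl.sorbs.net and combined.njabl.org. No DNS is queried here.
DUL_LISTED = {"24.140.8.46"}
# Assumption: the "class C" D.J. put in trusted_networks was 24.140.1.0/24,
# which also covers the ISP smarthost smtp-1.sssnet.com (24.140.1.147).
CLASS_C_TRUST = ["24.140.1.0/24"]
LOOPBACK_ONLY = ["127.0.0.1"]
IP_RE = re.compile(r"^from\s.*?(\d{1,3}(?:\.\d{1,3}){3})")

def relay_ips(received):
    """Connecting IP of each relay that recorded one, outermost first."""
    return [m.group(1) for m in map(IP_RE.search, received) if m]

def split_trust(ips, trusted_networks):
    """Simplified model of the trust path: relays are trusted while their IP
    lies in trusted_networks; the first IP outside it is the 'last external'
    relay and everything after it is untrusted."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for i, ip in enumerate(ips):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ips[:i], ips[i:]
    return ips, []

def dul_hit(received, trusted_networks):
    """Last-external rule (the DUL-style ones): only the IP that handed the
    mail to the last trusted relay is looked up."""
    _, untrusted = split_trust(relay_ips(received), trusted_networks)
    last_external = untrusted[0] if untrusted else None
    return last_external, last_external in DUL_LISTED

def untrusted_hits(received, trusted_networks):
    """Rule that tests every untrusted relay: fires for a listed IP anywhere
    in the untrusted part of the chain, whatever the trust path."""
    _, untrusted = split_trust(relay_ips(received), trusted_networks)
    return sorted(set(untrusted) & DUL_LISTED)
```

With the class C trusted, the dynamic IP 24.140.8.46 becomes the last external relay and the DUL rules fire; with only loopback trusted, the ISP smarthost is the last external and they stay quiet, while an all-relay rule still sees the listed IP further down the chain.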
