I'm still seeing issues where an IP address falls within a blacklisted
range (i.e. /24) but the specific IP address is whitelisted.
I'm including the message headers and the log file lines (with actual
email addresses redacted). It clearly shows that the IP is whitelisted,
but then gets blacklisted. First, the log lines with the whitelist and
blacklist in bold:
May-20-20 11:29:40 [Worker_2] Connected: session:7F74E1ACC1E8
192.185.50.250:17379 > 165.254.4.49:25 > 165.254.4.142:25
May-20-20 11:29:40 [Worker_2] 192.185.50.250 info: got STARTTLS request
from 192.185.50.250
May-20-20 11:29:41 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 info: found message size
announcement: 731.80 kByte
May-20-20 11:29:41 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 message proxied without processing -
message size (749368) is above 10 (npSize).
May-20-20 11:29:41 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
[NoProcessing] 192.185.50.250 to:
recipi...@domain.com message proxied without processing content base
check (npSize)
May-20-20 11:29:41 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com
DKIM-Signature found
*May-20-20 11:29:41 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com
Received-RWL: whitelisted from
(list.dnswl.org.wl.mcf.com->127.0.4.3,trust=3-[high]
(category=Organisations);) - high trust is 3-[high] -
client-ip=192.185.50.250*
May-20-20 11:29:41 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out] [DKIM]
192.185.50.250 to: recipi...@domain.com [monitoring]
DKIM signature failed - invalid (public key: not available) - sender
policy is: neutral - author policy is: neutral
May-20-20 11:29:42 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com [monitoring]
SPF: neutral ip=192.185.50.250 mailfrom=sen...@domain.com
helo=gateway23.websitewelcome.com
*May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com
Message-Score: added 50 for DNSBL: failed, 192.185.50.250 listed in
bl.mcf.com, total score for this message is now 50**
**May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com [scoring]
DNSBL: failed, 192.185.50.250 listed in (bl.mcf.com<-127.0.0.8)**
**May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
[PenaltyBox] 192.185.50.250 to: recipi...@domain.com
[monitoring] totalscore for 192.185.50.250 is 50, last bad penalty was
'DNSBLfailed'*
May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
[MessageLimit] 192.185.50.250 to:
recipi...@domain.com [spam found] (MessageScore 50, limit 50) [WO 65424]
-> /usr/share/assp/discarded/WO_65424--1258687.eml;
May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com [SMTP Error]
554 5.7.1 Mail appears to be unsolicited and will be checked before
being delivered --contact postmas...@formsfulfillment.com if you need help
May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com info:
PB-IP-Score for '192.185.50.0' is 50, added 50 in this session
May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com finished
message - received DATA size: 731.97 kByte - sent DATA size: 0 Byte
May-20-20 11:29:43 m1-88581-13275 [Worker_2] [TLS-in] [TLS-out]
192.185.50.250 to: recipi...@domain.com
disconnected: session:7F74E1ACC1E8 192.185.50.250 - processing time 3
seconds
Here are the message headers:
Return-Path:
Delivered-To: s...@besttechsvc.com
Received: from ASSP.xmsi.net (ns1.mcf.com [165.254.4.23])
by linuxmail.xmsi.net (Postfix) with ESMTP id 65E5D248129C
for ; Wed, 20 May 2020 11:29:43 -0400 (EDT)
X-Assp-Version: 2.6.3(20002) on ASSP.xmsi.net
X-Assp-ID: ASSP.xmsi.net m1-88581-13275
X-Assp-Session: 7F74E1ACC1E8 (mail 1)
X-Assp-Intended-For-IP: 165.254.4.49
X-Assp-Client-TLS: yes
X-Assp-Server-TLS: yes
X-Assp-NoProcessing: YES - (noProcessing - message size (749368) is above
10 (npSize))
X-Assp-Received-RWL: whitelisted from
(list.dnswl.org.wl.mcf.com->127.0.4.3,trust=3-[high]
(category=Organisations);) - high trust is 3-[high] -
client-ip=192.185.50.250
X-Original-Authentication-Results: assp.xmsi.net; dkim=invalid
X-Assp-Message-Score: 50 (DNSBL: failed, 192.185.50.250 listed in
bl.mcf.com)
X-Assp-IP-Score: 50 (DNSBL: failed, 192.185.50.250 listed in
bl.mcf.com)
X-Assp-DNSBL: failed, 192.185.50.250 listed in (bl.mcf.com<-127.0.0.8)
X-Assp-Tag: MessageLimit
X-Assp-Spam: YES
X-Spam-Status:yes
X-Assp-Spam-Reason: MessageScore 50, limit 50
X-Assp-Message-Totalscore: 50
X-Assp-Spam-Level: ***
X-Assp-Intended-For: recipi...@domain.com
X-Assp-Copy-Spam: Yes
Received: from gateway23.websitewelcome.com ([192.185.50.250]
helo=gateway23.websitewelcome.com) by ASSP.xmsi.net with SMTPS(TLSv1_2