This non-spam went over the threshold because 68.198.15.112 is listed
on three different lists, but in fact appears to be one of the legit Yahoo
mail servers (the friend who sent this to me did so from a Yahoo mail account).
That IP is NOT a Yahoo mailserver.. it's a cablemodem block:
Optimum Online (Cablevision Systems) NETBLK-OOL-5BLK (NET-68-192-0-0-1)
68.192.0.0 - 68.199.255.255
Optimum Online (Cablevision Systems) OOL-67OSNGNY4-0821 (NET-68-198-0-0-1)
68.198.0.0 - 68.198.15.255
Host name: ool-44c60f70.dyn.optonline.net
IP address: 68.198.15.112
That IP is correctly listed in dialup lists.
The Yahoo mailserver is 216.136.131.235, which is correctly not listed.
Do all three blacklists need updating?
No, you just need to look at the mail headers closer, and you need to fix your SA trust path.
SA is apparently getting confused (is your mailserver NATed?) and has concluded that 216.136.131.235 is your external MX, when it's not.
Since SA thinks 216.136.131.235 is your MX, it thinks that a cable-modem directly delivered mail to your network.. when really it was delivered to Yahoo.
You can force SA to not guess what the end of your network is by using a trusted_networks command. Force SA to trust your mailserver IPs, and only your mailserver IPs, and the problem should clear up.
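
The trust-path effect described in the reply above, as an added example that is not part of the original thread and not SpamAssassin's own code: a simplified model of how the trust boundary decides which relay gets checked against dialup lists. The 10.0.0.x addresses, the function names and the `/20` stand-in for a DNSBL lookup are assumptions; the two public IPs are the ones from the thread.

```python
from ipaddress import ip_address, ip_network

# Relay IPs taken from the Received headers, newest first. The two public
# addresses are from the thread; the 10.0.0.x host is constructed.
RELAYS = [
    "10.0.0.5",         # your NATed mailserver handing off internally
    "216.136.131.235",  # Yahoo mailserver that connected to your mailserver
    "68.198.15.112",    # sender's cable modem that submitted to Yahoo
]

# Stand-in for a dialup DNSBL lookup: the Optimum Online block
# 68.198.0.0 - 68.198.15.255 quoted in the thread.
DIALUP_BLOCKS = [ip_network("68.198.0.0/20")]


def last_external(relays, trusted_networks):
    """Return the first relay (newest first) outside the trusted networks."""
    nets = [ip_network(n) for n in trusted_networks]
    for ip in relays:
        if not any(ip_address(ip) in net for net in nets):
            return ip
    return None


def dialup_hit(relays, trusted_networks):
    """True when the relay that delivered into the trusted network is dialup-listed."""
    ip = last_external(relays, trusted_networks)
    return ip is not None and any(ip_address(ip) in b for b in DIALUP_BLOCKS)


# Boundary wrongly inferred: the Yahoo server is treated as your MX.
GUESSED = ["10.0.0.0/8", "216.136.131.235"]
# Boundary set explicitly: your mailserver IPs and only those.
EXPLICIT = ["10.0.0.5"]

if __name__ == "__main__":
    for name, trusted in (("guessed", GUESSED), ("explicit", EXPLICIT)):
        print(name, last_external(RELAYS, trusted), dialup_hit(RELAYS, trusted))
```

In `local.cf` the explicit case corresponds to a line such as `trusted_networks 10.0.0.5`, with your real mailserver address in place of the constructed one.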
