On Thu, May 06, 2004 at 01:51:06PM -0500, Keith Whyte wrote:
> Would appreciate some clarification of the firsthop look up rules for 
> BlackLists..
> This one is a valid mail from a hotmail account, 
> and it nearly got hammered: (i've xxxxxxxx'd out all private info..)
> Shouldn't 200.78.33.237 be treated as the first hop (originating host)
> and therefore not trigger in all those blacklists?
> 
> thnx,
> keith.

No doubt there's a post in the archive that describes it all perfectly,
but I was unable to find it.  The question crops up often.  I was having
trouble with it myself just the other day.

The resolution AFAIK revolves around:

*  setting trusted_networks correctly, and

*  Having some sort of DNS that resolves your mailhub or
   incoming relay host with an "A" record.  The address the
   "A" record points to needs to be in trusted_networks.

In our case we have in local.cf:

    trusted_networks 192.168. 127.

and incoming mail has:

    Received: ... by mail.ssc.com (Postfix) with ESMTP id 70B2AFF80

added by our mail hub, a bastion host hiding from the Internet
behind a NAT router.  Outside there's an "A" record for mail.ssc.com 
but it points to the outside address of the router, which port-forwards 
to the mail hub.  Inside, the hub is at 192.168.1.3.

Inside the NAT we run internal split DNS which considers itself
definitive for our domain but resolves all the stuff on our LAN
you can't see at all from the outside.

For quite a long time I was having problems with RCVD_IN_DSBL cropping
up for anything that originated from a dynamic address, regardless of
whether it was correctly relayed via a good ISP address or not.

As I've seen it explained, the "Received" header that's tested 
is the last one added prior to arrival at a trusted network.  Thus
not penalizing users who send via smtp from a dynamic address so
long as they relay via their ISP.

The final piece that made it all work for us was adding an "A" record 
for mail.ssc.com to the internal split of the DNS.  Previously we 
had had a CNAME record pointing to another name for the host, by which
it is known for most purposes.

Once the A record for mail.ssc.com became available internally, we
stopped getting those annoying FPs.

> 
> 
> PROBLEM MESSAGE FOLLOWS:
> 
> Return-Path: <[EMAIL PROTECTED]>
> Received: from hotmail.com (bay2-f170.bay2.hotmail.com [65.54.247.170])
>       by xxxxxxxxxxxxxxxxxxx (8.12.11/8.12.11) with ESMTP id i46IWnSi008992
>       for <xxxxxxxxxxxxxxxxxxxxx>; Thu, 6 May 2004 19:32:49 +0100
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>        Thu, 6 May 2004 11:32:43 -0700
> Received: from 200.78.33.237 by by2fd.bay2.hotmail.msn.com with HTTP;
>       Thu, 06 May 2004 18:32:42 GMT
> X-Originating-IP: [200.78.33.237]
> X-Originating-Email: [EMAIL PROTECTED]
> X-Sender: [EMAIL PROTECTED]
> From: "xxxxxxxxxxx" <[EMAIL PROTECTED]>
> To: xxxxxxxxxxxxxxxxxxxxxx
> Subject: ** SPAM? (6.522) xxxxxxxxxxxxxxxxx **
> Date: Thu, 06 May 2004 18:32:42 +0000
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_1083868372-7696-6"
> Message-ID: <[EMAIL PROTECTED]>
> X-OriginalArrivalTime: 06 May 2004 18:32:43.0210 (UTC) 
> FILETIME=[84F7E2A0:01C43398]
> X-Spam-Score: 6.522 (******) 
> HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,RCVD_IN_SORBS_SOCKS
> X-Spam-Level: ******
> X-Scanned-By: MIMEDefang 2.42
> 
> This is a multi-part message in MIME format...
> 
> ------------=_1083868372-7696-6
> Content-Type: text/html
> Content-Disposition: inline
> 
> <html>
> [ ...
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
> ...]
> </html>
> 
> ------------=_1083868372-7696-6
> Content-Type: text/plain; name="SpamAssassinReport.txt"
> Content-Disposition: inline; filename="SpamAssassinReport.txt"
> Content-Transfer-Encoding: 7bit
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> 
> Spam detection software, running on the system "xxxxxxxxxxxxxxx", has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or block
> similar future email.  If you have any questions, see
> the administrator of that system for details.
> 
> Content analysis details:   (6.5 points, 9.0 required)
> 
> pts rule name              description
> ---- ---------------------- --------------------------------------------------
> 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
> 0.0 HTML_MESSAGE           BODY: HTML included in message
> 0.7 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
> 1.1 RCVD_IN_SORBS_HTTP     RBL: SORBS: sender is open HTTP proxy server
>                            [200.78.33.237 listed in dnsbl.sorbs.net]
> 1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
>                            [200.78.33.237 listed in dnsbl.sorbs.net]
> 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
>                            [200.78.33.237 listed in dnsbl.sorbs.net]
> 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
>                            [200.78.33.237 listed in dnsbl.njabl.org]
> 1.1 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
>                            [<http://dsbl.org/listing?ip=200.78.33.237>]
> 1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>                            [200.78.33.237 listed in dnsbl.njabl.org]
> 1.1 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
>                            [200.78.33.237 listed in dnsbl.sorbs.net]
> 
> 
> 
> ------------=_1083868372-7696-6--
> 

-- 
Dan Wilder
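
As an added illustration of the trust-path walk described in the reply above (this is example code written for this page, not SpamAssassin's own implementation and not code from either poster): the script below parses the Received chain of the quoted message, newest hop first, and decides which connecting address is the "last external" relay that should be handed to the blacklists. It is a simplified model: a hop is treated as trusted only if the host that added it resolves, through a constructed stand-in for the internal split DNS, to an address inside trusted_networks. The receiving host's redacted name is replaced by the placeholder mail.example.invalid, and the two DNS tables (one with the "A" record, one empty to model the CNAME-only situation) are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the Received chain of the message quoted in the thread,
# newest hop first. The poster's redacted receiving host is replaced by the
# placeholder name mail.example.invalid.
RECEIVED_HEADERS = [
    "from hotmail.com (bay2-f170.bay2.hotmail.com [65.54.247.170]) "
    "by mail.example.invalid (8.12.11/8.12.11) with ESMTP id i46IWnSi008992",
    "from mail pickup service by hotmail.com with Microsoft SMTPSVC",
    "from 200.78.33.237 by by2fd.bay2.hotmail.msn.com with HTTP",
]

# trusted_networks as in the thread's local.cf (192.168. and 127.), in CIDR form.
TRUSTED_NETWORKS = ["192.168.0.0/16", "127.0.0.0/8"]

# Constructed stand-ins for the internal split DNS. The first table has the
# "A" record that was added; the empty one models the earlier CNAME-only
# setup, where the receiving host's name does not resolve to an address.
INTERNAL_DNS_WITH_A = {"mail.example.invalid": "192.168.1.3"}
INTERNAL_DNS_CNAME_ONLY = {}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(received):
    """Split one Received header into the connecting IP and the host that added it."""
    m = re.match(r"from\s+(.*?)\s+by\s+([^\s;,]+)", received)
    if not m:
        return None
    ip_m = IPV4_RE.search(m.group(1))
    return {"from_ip": ip_m.group(1) if ip_m else None, "by_host": m.group(2)}


def in_trusted(ip, trusted=TRUSTED_NETWORKS):
    """True if ip falls inside one of the trusted_networks ranges."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted)


def relays_to_test(headers, dns, trusted=TRUSTED_NETWORKS):
    """Return (last_external_ip, ips_to_test) for a newest-first Received chain.

    Simplified model of the trust-path walk: a hop counts as trusted only if
    the host that added it resolves to an address inside trusted_networks.
    The first connecting IP that is not trusted is the last external relay,
    and it is the only address that should go to the blacklists. If the
    receiving host cannot be shown trusted at all, the boundary is unknown
    and every IP in the chain ends up being tested.
    """
    hops = [h for h in (parse_hop(r) for r in headers) if h]
    for hop in hops:
        by_ip = dns.get(hop["by_host"])
        if not in_trusted(by_ip, trusted):
            # Trust boundary cannot be established: fall back to testing everything.
            return None, [h["from_ip"] for h in hops if h["from_ip"]]
        if not in_trusted(hop["from_ip"], trusted):
            return hop["from_ip"], [hop["from_ip"]]
    # Whole chain is internal; nothing external to test.
    return None, []


if __name__ == "__main__":
    for label, dns in [("A record present", INTERNAL_DNS_WITH_A),
                       ("CNAME only", INTERNAL_DNS_CNAME_ONLY)]:
        last, tested = relays_to_test(RECEIVED_HEADERS, dns)
        print(f"{label}: last external relay = {last}, IPs tested = {tested}")
```

With the "A" record present, the only address tested is hotmail's relay 65.54.247.170, and the web-mail client's address 200.78.33.237 is never consulted; with the name unresolvable, the walk cannot establish where the trusted path ends, and 200.78.33.237 is tested as well, which is the pattern of hits shown in the quoted report.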
