Would appreciate some clarification of the firsthop lookup rules for BlackLists.
This one is a valid mail from a hotmail account, and it nearly got hammered: (I've xxxxxxxx'd out all private info.)
Shouldn't 200.78.33.237 be treated as the first hop (originating host)
and therefore not trigger in all those blacklists?
Firsthop *ONLY* applies to dialup/dynamic IP lists. None of the lists that fired are dialup lists.
The IP in question is listed in the SORBS-based DYNABLOCK dynamic list, but that SA rule never matched (and correctly so) because it was firsthop skipped.
HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,RCVD_IN_DSBL,RCVD_IN_NJABL,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,RCVD_IN_SORBS_SOCKS
In this case, it looks like the RBLs are claiming 200.78.33.237 was running an open proxy. SORBS last scanned it August of 2003, but nobody has ever requested rescan or challenged the listing.
The SORBS ones can be cleared up pretty easily: if the user goes to www.dnsbl.sorbs.net and looks up their IP, they can request a re-scan.
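
The firsthop behaviour described in the reply above, as a simplified model added here (not SpamAssassin's own code and not part of the original posts): dialup/dynamic lists skip the originating host, every other list checks all hops. The zone names, the 192.0.2.10 relay, the header lines and the listing table are constructed; no DNS queries are made.

```python
import re

# Constructed sample headers, newest first as they appear in a message.
# 200.78.33.237 is the address from the thread; 192.0.2.10 is a placeholder relay.
SAMPLE_RECEIVED = [
    "from relay.example.net ([192.0.2.10]) by mx.example.org; Thu, 1 Jan 2004 10:00:05 +0000",
    "from user-pc ([200.78.33.237]) by relay.example.net; Thu, 1 Jan 2004 10:00:01 +0000",
]

# Constructed stand-in for DNSBL answers: zone -> listed addresses.
# Zone names are hypothetical.
LISTED = {
    "dynamic.bl.example": {"200.78.33.237"},
    "proxy.bl.example": {"200.78.33.237"},
}

# Only dialup/dynamic lists skip the first hop (assumption of this model,
# following the reply: "Firsthop ONLY applies to dialup/dynamic IP lists").
SKIP_FIRST_HOP = {"dynamic.bl.example"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Return relay IPs oldest-first, so index 0 is the originating host."""
    ips = []
    for header in received_headers:
        match = IP_RE.search(header)
        if match:
            ips.append(match.group(1))
    return list(reversed(ips))


def zones_hit(received_headers):
    """Return the sorted list of zones that fire for this message."""
    hops = relay_ips(received_headers)
    hits = set()
    for zone, listed in LISTED.items():
        # Dynamic lists ignore the first hop; proxy/relay lists look at every hop.
        candidates = hops[1:] if zone in SKIP_FIRST_HOP else hops
        if any(ip in listed for ip in candidates):
            hits.add(zone)
    return sorted(hits)


if __name__ == "__main__":
    print("hops (oldest first):", relay_ips(SAMPLE_RECEIVED))
    print("zones that fire:", zones_hit(SAMPLE_RECEIVED))
```

With the sample headers only the proxy list fires, which matches the thread: the dynamic listing is skipped for the originating host, while the open-proxy listings still match it.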
