At 01:26 PM 11/24/2004, Greg Earle wrote:

mipl:1:46 [/tmp] # spamassassin -D < SunTrust_spam |& egrep -i received\|records\|Relays
debug: received-header: parsed as [ ip=137.78.38.32 rdns=mipl.jpl.nasa.gov helo=mipl.jpl.nasa.gov by=miplnew.JPL.NASA.GOV ident= envfrom= intl=0 id=000269AE.41A2E06E.0000203E ]
debug: received-header: parsed as [ ip=137.78.160.64 rdns=eis-msg-mx01.jpl.nasa.gov helo=eis-msg-mx01.jpl.nasa.gov by=mipl.jpl.nasa.gov ident= envfrom= intl=0 id=XAA21874 ]
debug: looking up A records for 'miplnew.JPL.NASA.GOV'
debug: A records for 'miplnew.JPL.NASA.GOV': 137.78.38.109
debug: received-header: 'from' 137.78.38.32 is near to first 'by'
debug: received-header: relay 137.78.38.32 trusted? yes internal? no
debug: received-header: 'from' 137.78.160.64 is near to first 'by'
debug: received-header: relay 137.78.160.64 trusted? yes internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=137.78.38.32 rdns=mipl.jpl.nasa.gov helo=mipl.jpl.nasa.gov by=miplnew.JPL.NASA.GOV ident= envfrom= intl=0 id=000269AE.41A2E06E.0000203E ] [ ip=137.78.160.64 rdns=eis-msg-mx01.jpl.nasa.gov helo=eis-msg-mx01.jpl.nasa.gov by=mipl.jpl.nasa.gov ident= envfrom= intl=0 id=XAA21874 ]
debug: metadata: X-Spam-Relays-Untrusted:
debug: SPF: message was delivered entirely via trusted relays, not required
debug: SPF: message was delivered entirely via trusted relays, not required
Received: from localhost by miplnewold.jpl.nasa.gov
Received: from mipl.jpl.nasa.gov (mipl.jpl.nasa.gov [::ffff:137.78.38.32])
Received: from eis-msg-mx01.jpl.nasa.gov (eis-msg-mx01.jpl.nasa.gov [137.78.160.64])
Received: from cpe-69-75-17-251.hawaii.rr.com by eis-msg-mx01.jpl.nasa.gov; Mon, 22 Nov 2004 22:07:57 -0800

This makes me suspicious of this ALL_TRUSTED rule - in other words, here's a blatant SPAM that was sent from a RoadRunner customer in

Can you put up the full Received: headers?
It seems SA can't correctly parse the one from eis-msg-mx01, thus the trust-path code isn't aware of the RR system.

Sure:

Received: from eis-msg-mx01.jpl.nasa.gov (eis-msg-mx01.jpl.nasa.gov [137.78.160.64])
        by mipl.jpl.nasa.gov (8.9.3p2.cm/8.9.3) with ESMTP id XAA21874
        for <[EMAIL PROTECTED]>; Mon, 22 Nov 2004 23:02:04 -0800 (PST)
Received: from cpe-69-75-17-251.hawaii.rr.com by eis-msg-mx01.jpl.nasa.gov; Mon, 22 Nov 2004 22:07:57 -0800
I think "eis-msg-mx01.jpl.nasa.gov" runs a commercial Sendmail product - possibly TurboSendmail. Its "Received:" headers are rather terse :)
- Greg
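
The effect discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin's code: a simplified trust-path walk over the three Received headers quoted above, showing how a header with no bracketed relay IP drops out of the relay list so that every remaining hop looks trusted. The `TRUSTED_NETS` value, the regex and the `strict` option are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed trust boundary for illustration; the thread does not show the real setting.
TRUSTED_NETS = [ipaddress.ip_network("137.78.0.0/16")]

# Received headers as quoted in the thread, newest first (folded lines joined).
RECEIVED = [
    "from mipl.jpl.nasa.gov (mipl.jpl.nasa.gov [::ffff:137.78.38.32])",
    "from eis-msg-mx01.jpl.nasa.gov (eis-msg-mx01.jpl.nasa.gov [137.78.160.64]) "
    "by mipl.jpl.nasa.gov (8.9.3p2.cm/8.9.3) with ESMTP id XAA21874",
    "from cpe-69-75-17-251.hawaii.rr.com by eis-msg-mx01.jpl.nasa.gov; "
    "Mon, 22 Nov 2004 22:07:57 -0800",
]

# Matches "[1.2.3.4]" and the IPv4-mapped form "[::ffff:1.2.3.4]".
BRACKETED_IP = re.compile(r"\[(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(header):
    """Return the connecting relay's IP, or None if the header has no bracketed IP."""
    m = BRACKETED_IP.search(header)
    return ipaddress.ip_address(m.group(1)) if m else None


def walk_trust_path(headers, strict):
    """Split relays into trusted/untrusted and collect headers that did not parse.

    strict=False drops unparsed headers (the outcome seen in the debug output);
    strict=True counts each unparsed header as an untrusted hop.
    """
    trusted, untrusted, unparsed = [], [], []
    for h in headers:
        ip = relay_ip(h)
        if ip is None:
            unparsed.append(h)
            if strict:
                untrusted.append(h.split()[1])  # keep the claimed 'from' name
        elif any(ip in net for net in TRUSTED_NETS):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    all_trusted = bool(trusted) and not untrusted
    return all_trusted, trusted, untrusted, unparsed


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient", walk_trust_path(RECEIVED, strict))
```

With `strict=False` the terse RoadRunner hop is silently skipped and the message counts as all-trusted; with `strict=True` the same hop is kept as an untrusted relay, so a rule like ALL_TRUSTED would not apply.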