Just had a compromised account on one of my customer's mail servers (96.4.156.21) try to blast out phishing email. This 96.4 IP is our customer space so it's in my trusted_networks since it will not forge the Received header.
The 88.233 IP is from Turkey (88.233.47.16.dynamic.ttnet.com.tr) and should have triggered a number of rules based on the RelayCountry plugin. This email should not have hit ALL_TRUSTED and should have done RelayCountry and ASN lookups on 88.233.47.16. Received: from mail.lced.net (mail.lced.net [96.4.156.2]) by smtp5i.ena.net (Postfix) with ESMTP id DF9421480F90 for <brookeandj...@eastlink.ca>; Thu, 4 Jul 2019 12:56:42 -0500 (CDT) Received: from 192.168.1.2 (unknown [88.233.47.16]) by mail.lced.net (Postfix) with ESMTPA id 8F22630961D6D for <brookeandj...@eastlink.ca>; Thu, 4 Jul 2019 12:56:40 -0500 (CDT) -- David Jones