Hi again, I have more information on those untrusted hosts.

>> ALL_TRUSTED is a bit odd. If you look back through the debug, it
>> has identified untrusted relays:
>>
>> [11689] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=194.230.33.137
>> rdns=mx.xm-rz.net helo=mail.xm-rz.net by=myhost.mydomain.com ident=
>> envfrom= intl=0 id=B94C2118004 auth= msa=0 ] [ ip=62.2.104.4 rdns=
>
> Now, for some reason, when I run this spam through SA, I see this:

X-Spam-Report:
 * -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/ ,
 *      medium trust
 *      [194.230.33.137 listed in list.dnswl.org]
 *  0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
 *  3.6 LOCAL_RECVD_TP Recvd from botnet
 *  3.6 LOCAL_RECVD_XM Recvd from botnet
 *  2.0 LOCAL_BODY_4046600451 BODY: This message contained the string
 *      "1.845.709.8044"
 *  2.0 LOCAL_BODY_1577053434 BODY: This message contained the string
 *      "845.709.8044"
X-Spam-Status: Yes, score=7.2 required=5.0 tests=LOCAL_BODY_1577053434,
 LOCAL_BODY_4046600451,LOCAL_RECVD_TP,LOCAL_RECVD_XM,RCVD_IN_DNSWL_MED,
 STOX_REPLY_TYPE shortcircuit=no autolearn=disabled version=3.2.5

What the hell is RECVD_IN_DNSWL_MED and why is it trusted in dnswl.org?

Thanks,
Alex