On Fri, 20 Nov 2009, Benny Pedersen wrote:
> On fre 20 nov 2009 21:07:00 CET, Mark Hedges wrote
>
> > Hi. I've set up my own rbldnsd server. It's responding to
> > queries correctly, for example, I am trying to block the
> > server that this message comes from, 64.22.103.163.
>
> spamassassin 2>&1 -D metadata -t msg | less
>
> the ip above is not in the mail

Hi Benny, thanks for the suggestion. Actually, the IP is in
the mail, for example check the headers of this,
64.22.103.163 is mail.scriptdolphin.com, the server that I'm
sending from.

Trying your suggestion, I found something rather odd. The
test is not triggered (or does not run) when received by
sendmail and scanned via ~/procmailrc. But the test DOES
run, and scores correctly, when I run through the command
line as you suggested. Details follow. Actually it doesn't
matter if I remove the X-* headers, the original message
produces the same results.

Thanks for your help.

--mark--

hed...@d100:/tmp$ cat testmsg_as_scanned
>From hed...@scriptdolphin.com Fri Nov 20 14:49:01 2009
Return-Path: <hed...@scriptdolphin.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on d100.companyv.net
X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=BAYES_50 autolearn=no
        version=3.2.5
X-Spam-RBL-Report: <dns:scriptdolphin.com?type=MX> [10 mail.scriptdolphin.com.]
        <dns:scriptdolphin.com> [64.22.103.163]
Received: from li16-163.members.linode.com (li16-163.members.linode.com [64.22.103.163])
        by d100.companyv.net (8.13.8/8.13.8) with ESMTP id nAKMmwMB011232
        (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
        for <hed...@digicine.net>; Fri, 20 Nov 2009 14:49:01 -0800
Received: from localhost ([127.0.0.1])
        by li16-163.members.linode.com with esmtp (Exim 4.69)
        (envelope-from <hed...@scriptdolphin.com>)
        id 1NBcGz-0002I5-LW
        for hed...@digicine.net; Fri, 20 Nov 2009 14:48:13 -0800
Date: Fri, 20 Nov 2009 14:48:13 -0800 (PST)
From: Mark Hedges <hed...@scriptdolphin.com>
To: hed...@digicine.net
Subject: testing 1 2 3 testing
Message-ID: <alpine.deb.1.10.0911201446480.8...@li16-163.members.linode.com>
User-Agent: Alpine 1.10 (DEB 962 2008-03-14)
X-Ray: Vision
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: hed...@digicine.net
X-SA-Exim-Mail-From: hed...@scriptdolphin.com
X-SA-Exim-Scanned: No (on li16-163.members.linode.com); SAEximRunCond expanded to false
X-Scanned-By: MIMEDefang 2.67 on 207.151.82.60

test 1 2 3 test

hed...@d100:/tmp$ cat testmsg_as_scanned | grep -v '^X-' > testmsg_minus_xheaders
hed...@d100:/tmp$ spamassassin --no-create-prefs --siteconfigpath=/etc/mail/spamassassin/digicine/ -D metadata -t testmsg_minus_xheaders 2>&1
[11390] dbg: metadata: X-Spam-Relays-Trusted:
[11390] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=64.22.103.163 rdns=li16-163.members.linode.com helo=li16-163.members.linode.com by=d100.companyv.net ident= envfrom= intl=0 id=nAKMmwMB011232 auth= msa=0 ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=li16-163.members.linode.com ident= envfrom=hed...@scriptdolphin.com intl=0 id=1NBcGz-0002I5-LW auth= msa=0 ]
[11390] dbg: metadata: X-Spam-Relays-Internal:
[11390] dbg: metadata: X-Spam-Relays-External: [ ip=64.22.103.163 rdns=li16-163.members.linode.com helo=li16-163.members.linode.com by=d100.companyv.net ident= envfrom= intl=0 id=nAKMmwMB011232 auth= msa=0 ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=li16-163.members.linode.com ident= envfrom=hed...@scriptdolphin.com intl=0 id=1NBcGz-0002I5-LW auth= msa=0 ]
[11390] dbg: metadata: X-Relay-Countries: US **
>From hed...@scriptdolphin.com Fri Nov 20 14:49:01 2009
Return-Path: <hed...@scriptdolphin.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on d100.companyv.net
X-Spam-Level: SSSSS
X-Spam-Status: Yes, score=5.5 required=5.0 tests=BAYES_50,RCVD_IN_COV_SPAMMERS
        autolearn=no version=3.2.5
X-Spam-RBL-Report: <dns:163.103.22.64.spammers.rbl.dmz> [127.0.0.2]
X-Spam-Report:
        * 5.0 RCVD_IN_COV_SPAMMERS RBL: Spammer blocked by CompanyV RBL
        * [64.22.103.163 listed in spammers.rbl.dmz]
        * 0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        * [score: 0.4847]
        version=3.2.5
        <dns:scriptdolphin.com> [64.22.103.163]
Received: from li16-163.members.linode.com (li16-163.members.linode.com [64.22.103.163])
        by d100.companyv.net (8.13.8/8.13.8) with ESMTP id nAKMmwMB011232
        (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
        for <hed...@digicine.net>; Fri, 20 Nov 2009 14:49:01 -0800
Received: from localhost ([127.0.0.1])
        by li16-163.members.linode.com with esmtp (Exim 4.69)
        (envelope-from <hed...@scriptdolphin.com>)
        id 1NBcGz-0002I5-LW
        for hed...@digicine.net; Fri, 20 Nov 2009 14:48:13 -0800
Date: Fri, 20 Nov 2009 14:48:13 -0800 (PST)
From: Mark Hedges <hed...@scriptdolphin.com>
To: hed...@digicine.net
Subject: *****SPAM***** testing 1 2 3 testing
Message-ID: <alpine.deb.1.10.0911201446480.8...@li16-163.members.linode.com>
User-Agent: Alpine 1.10 (DEB 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Prev-Subject: testing 1 2 3 testing

test 1 2 3 test

Spam detection software, running on the system "d100.companyv.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
'postmas...@companyv.com' for details.

Content preview: test 1 2 3 test [...]

Content analysis details: (5.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 RCVD_IN_COV_SPAMMERS   RBL: Spammer blocked by CompanyV RBL
                            [64.22.103.163 listed in spammers.rbl.dmz]
 0.5 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4847]