On Fri, 20 Nov 2009, Benny Pedersen wrote:

> On fre 20 nov 2009 21:07:00 CET, Mark Hedges wrote
>
> > Hi.  I've set up my own rbldnsd server.  It's responding to
> > queries correctly, for example, I am trying to block the
> > server that this message comes from, 64.22.103.163.
>
> spamassassin 2>&1 -D metadata -t msg | less
>
> the ip above is not in the mail

Hi Benny, thanks for the suggestion.  Actually, the IP is in
the mail; for example, check the headers of this:
64.22.103.163 is mail.scriptdolphin.com, the server that I'm
sending from.

Trying your suggestion, I found something rather odd.  The
test is not triggered (or does not run) when received by
sendmail and scanned via ~/procmailrc.  But the test DOES
run, and scores correctly, when I run through the command
line as you suggested.  Details follow.  Actually, it doesn't
matter if I remove the X-* headers; the original message
produces the same results.  Thanks for your help.  --mark--

hed...@d100:/tmp$ cat testmsg_as_scanned
>From hed...@scriptdolphin.com  Fri Nov 20 14:49:01 2009
Return-Path: <hed...@scriptdolphin.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on d100.companyv.net
X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=BAYES_50 autolearn=no
    version=3.2.5
X-Spam-RBL-Report: <dns:scriptdolphin.com?type=MX> [10 mail.scriptdolphin.com.]
    <dns:scriptdolphin.com> [64.22.103.163]
Received: from li16-163.members.linode.com (li16-163.members.linode.com [64.22.103.163])
    by d100.companyv.net (8.13.8/8.13.8) with ESMTP id nAKMmwMB011232
    (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
    for <hed...@digicine.net>; Fri, 20 Nov 2009 14:49:01 -0800
Received: from localhost ([127.0.0.1])
    by li16-163.members.linode.com with esmtp (Exim 4.69)
    (envelope-from <hed...@scriptdolphin.com>)
    id 1NBcGz-0002I5-LW
    for hed...@digicine.net; Fri, 20 Nov 2009 14:48:13 -0800
Date: Fri, 20 Nov 2009 14:48:13 -0800 (PST)
From: Mark Hedges <hed...@scriptdolphin.com>
To: hed...@digicine.net
Subject: testing 1 2 3 testing
Message-ID: <alpine.deb.1.10.0911201446480.8...@li16-163.members.linode.com>
User-Agent: Alpine 1.10 (DEB 962 2008-03-14)
X-Ray: Vision
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: hed...@digicine.net
X-SA-Exim-Mail-From: hed...@scriptdolphin.com
X-SA-Exim-Scanned: No (on li16-163.members.linode.com); SAEximRunCond expanded to false
X-Scanned-By: MIMEDefang 2.67 on 207.151.82.60


test 1 2 3 test


hed...@d100:/tmp$ cat testmsg_as_scanned | grep -v '^X-' > testmsg_minus_xheaders
hed...@d100:/tmp$ spamassassin --no-create-prefs --siteconfigpath=/etc/mail/spamassassin/digicine/ -D metadata -t testmsg_minus_xheaders 2>&1
[11390] dbg: metadata: X-Spam-Relays-Trusted:
[11390] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=64.22.103.163 rdns=li16-163.members.linode.com helo=li16-163.members.linode.com by=d100.companyv.net ident= envfrom= intl=0 id=nAKMmwMB011232 auth= msa=0 ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=li16-163.members.linode.com ident= envfrom=hed...@scriptdolphin.com intl=0 id=1NBcGz-0002I5-LW auth= msa=0 ]
[11390] dbg: metadata: X-Spam-Relays-Internal:
[11390] dbg: metadata: X-Spam-Relays-External: [ ip=64.22.103.163 rdns=li16-163.members.linode.com helo=li16-163.members.linode.com by=d100.companyv.net ident= envfrom= intl=0 id=nAKMmwMB011232 auth= msa=0 ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=li16-163.members.linode.com ident= envfrom=hed...@scriptdolphin.com intl=0 id=1NBcGz-0002I5-LW auth= msa=0 ]
[11390] dbg: metadata: X-Relay-Countries: US **
>From hed...@scriptdolphin.com  Fri Nov 20 14:49:01 2009
Return-Path: <hed...@scriptdolphin.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on d100.companyv.net
X-Spam-Level: SSSSS
X-Spam-Status: Yes, score=5.5 required=5.0 tests=BAYES_50,RCVD_IN_COV_SPAMMERS
    autolearn=no version=3.2.5
X-Spam-RBL-Report: <dns:163.103.22.64.spammers.rbl.dmz> [127.0.0.2]
X-Spam-Report:
    *  5.0 RCVD_IN_COV_SPAMMERS RBL: Spammer blocked by CompanyV RBL
    *      [64.22.103.163 listed in spammers.rbl.dmz]
    *  0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    *      [score: 0.4847]
    version=3.2.5
    <dns:scriptdolphin.com> [64.22.103.163]
Received: from li16-163.members.linode.com (li16-163.members.linode.com [64.22.103.163])
    by d100.companyv.net (8.13.8/8.13.8) with ESMTP id nAKMmwMB011232
    (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
    for <hed...@digicine.net>; Fri, 20 Nov 2009 14:49:01 -0800
Received: from localhost ([127.0.0.1])
    by li16-163.members.linode.com with esmtp (Exim 4.69)
    (envelope-from <hed...@scriptdolphin.com>)
    id 1NBcGz-0002I5-LW
    for hed...@digicine.net; Fri, 20 Nov 2009 14:48:13 -0800
Date: Fri, 20 Nov 2009 14:48:13 -0800 (PST)
From: Mark Hedges <hed...@scriptdolphin.com>
To: hed...@digicine.net
Subject: *****SPAM***** testing 1 2 3 testing
Message-ID: <alpine.deb.1.10.0911201446480.8...@li16-163.members.linode.com>
User-Agent: Alpine 1.10 (DEB 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Prev-Subject: testing 1 2 3 testing


test 1 2 3 test


Spam detection software, running on the system "d100.companyv.net", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
'postmas...@companyv.com' for details.

Content preview:  test 1 2 3 test [...]

Content analysis details:   (5.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 RCVD_IN_COV_SPAMMERS   RBL: Spammer blocked by CompanyV RBL
                            [64.22.103.163 listed in spammers.rbl.dmz]
 0.5 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4847]
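
Added example, not part of the original message: a Python sketch that parses the X-Spam-Relays-Untrusted debug line shown above and derives the reversed-octet DNSBL query name (the form seen in the X-Spam-RBL-Report header) for each public relay. The function names are hypothetical, the sample line is re-joined from the output above, and skipping private and loopback relays is a simplifying assumption.

```python
import ipaddress
import re

HEADER = "X-Spam-Relays-Untrusted:"

# Constructed sample: the debug line from the session above, re-joined onto one line.
SAMPLE = (
    "[11390] dbg: metadata: X-Spam-Relays-Untrusted: "
    "[ ip=64.22.103.163 rdns=li16-163.members.linode.com "
    "helo=li16-163.members.linode.com by=d100.companyv.net ident= envfrom= "
    "intl=0 id=nAKMmwMB011232 auth= msa=0 ] "
    "[ ip=127.0.0.1 rdns=localhost helo=localhost "
    "by=li16-163.members.linode.com ident= envfrom=hed...@scriptdolphin.com "
    "intl=0 id=1NBcGz-0002I5-LW auth= msa=0 ]"
)


def parse_relays(line):
    """Return one dict of key=value fields per '[ ... ]' relay block."""
    _, found, rest = line.partition(HEADER)
    if not found:
        return []
    return [dict(re.findall(r"(\w+)=(\S*)", block))
            for block in re.findall(r"\[ (.*?) \]", rest)]


def dnsbl_name(ip_text, zone):
    """Build the DNSBL query name: reversed octets (or nibbles) + zone."""
    ip = ipaddress.ip_address(ip_text)
    reversed_part = ip.reverse_pointer.rsplit(".", 2)[0]  # drop in-addr.arpa / ip6.arpa
    return f"{reversed_part}.{zone}"


def dnsbl_queries(line, zone):
    """List (ip, query name) for every relay that is worth looking up."""
    out = []
    for relay in parse_relays(line):
        try:
            ip = ipaddress.ip_address(relay.get("ip", ""))
        except ValueError:
            continue  # missing or malformed ip= field
        if ip.is_private or ip.is_loopback:
            continue  # assumption: local hops are never sent to the list
        out.append((str(ip), dnsbl_name(str(ip), zone)))
    return out


if __name__ == "__main__":
    for ip, qname in dnsbl_queries(SAMPLE, "spammers.rbl.dmz"):
        print(ip, "->", qname)
```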

