Posted to users@spamassassin.apache.org by Matthew Schumacher <ma...@aptalaska.net> on 2005/08/24 22:53:07 UTC

RBL checking checks originating IP which could be listed in sorbs dynamic lists.

List,

I am noticing that SA checks all untrusted relays it finds in the header
against the rbls.  This is troubling because some rbls list dynamic
addresses and claim that this doesn't cause problems as long as the
dynamic user relays the message through their ISP, however SA checks both
the ISP's mail system and user's IP address against the rbls.  This
causes the dynamic address rbls to come up often even if the messages
were not sent directly from the dynamic address.

Here is an example:

This header shows me (64.4.232.99) relaying my mail through the ISP
(216.152.176.5), but then SpamAssassin checking the user, not just the
ISP, against the RBLS:

Received: from chang-prv.mtaonline.net (mail.mtaonline.net
[216.152.176.5]) by larry.aptalaska.net with ESMTP id j7OKYOmT010820 for
<ma...@aptalaska.net>; Wed, 24 Aug 2005 12:34:24 -0800
Received: from aptalaska.net (rdbck-static-150.palmer.mtaonline.net
[64.4.232.99]) by chang-prv.mtaonline.net with SMTP id j7OKWhSr008250
for matt.s@aptalaska.net; Wed, 24 Aug 2005 12:33:04 -0800 (AKDT)


dbg: received-header: parsed as [ ip=216.152.176.5
rdns=mail.mtaonline.net helo=chang-prv.mtaonline.net
by=larry.aptalaska.net ident= envfrom= intl=0 id=j7OKYOmT010820 auth= ]
dbg: received-header: relay 216.152.176.5 trusted? no internal? no

dbg: received-header: parsed as [ ip=64.4.232.99
rdns=rdbck-static-150.palmer.mtaonline.net helo=aptalaska.net
by=chang-prv.mtaonline.net ident= envfrom= intl=0 id=j7OKWhSr008250 auth= ]
dbg: received-header: relay 64.4.232.99 trusted? no internal? no

dbg: dns: launching DNS A query for 5.176.152.216.dnsbl.sorbs.net. in
background
dbg: dns: launching DNS A query for 33.232.4.64.dnsbl.sorbs.net. in
background

So what is a solution to this?  Stop using dynamic rbls or is there a
way to make SpamAssassin only check the address one hop out from the
first trusted server?

Re: RBL checking checks originating IP which could be listed in sorbs dynamic lists.

Posted by Matthew Schumacher <ma...@aptalaska.net>.
Matt Kettler wrote:
> 
> Are you sure you have a problem?
> 
> SA won't honor any SORBS_DUL results unless they specifically match the first
> untrusted host SA sees as it works backwards through the received path.
> 
> However, all the other SORBS tests are valid for any IP in the received: path,
> so SA will query sorbs for all IPs.
> 
> Unless you're getting a RCVD_IN_SORBS_DUL match for relayed mail, you don't have a
> problem.
> 
> However, there is one issue that might affect you. If SA never finds any trusted
> servers, it will check all IPs against the DUL. Fix your trusted_networks in
> this case. You *MUST* trust someone, if only your own mailserver. Many things in
> SA will break if you don't.
> 

I guess I don't have a problem then; I assumed that SA treated all rbls
the same, which would cause problems in this case.  I'll keep an eye on
it....

Thanks for the reply...

schu

Re: RBL checking checks originating IP which could be listed in sorbs dynamic lists.

Posted by Matt Kettler <mk...@evi-inc.com>.
Matthew Schumacher wrote:
> List,
> 
> I am noticing that SA checks all untrusted relays it finds in the header
> against the rbls.  This is troubling because some rbls list dynamic
> addresses and claim that this doesn't cause problems as long as the
> dynamic user relays the message through their ISP, however SA checks both
> the ISP's mail system and user's IP address against the rbls.  This
> causes the dynamic address rbls to come up often even if the messages
> were not sent directly from the dynamic address.
> 
> Here is an example:
> 
> This header shows me (64.4.232.99) relaying my mail through the ISP
> (216.152.176.5), but then SpamAssassin checking the user, not just the
> ISP, against the RBLS:
> 
> Received: from chang-prv.mtaonline.net (mail.mtaonline.net
> [216.152.176.5]) by larry.aptalaska.net with ESMTP id j7OKYOmT010820 for
> <ma...@aptalaska.net>; Wed, 24 Aug 2005 12:34:24 -0800
> Received: from aptalaska.net (rdbck-static-150.palmer.mtaonline.net
> [64.4.232.99]) by chang-prv.mtaonline.net with SMTP id j7OKWhSr008250
> for matt.s@aptalaska.net; Wed, 24 Aug 2005 12:33:04 -0800 (AKDT)
> 
> 
> dbg: received-header: parsed as [ ip=216.152.176.5
> rdns=mail.mtaonline.net helo=chang-prv.mtaonline.net
> by=larry.aptalaska.net ident= envfrom= intl=0 id=j7OKYOmT010820 auth= ]
> dbg: received-header: relay 216.152.176.5 trusted? no internal? no
> 
> dbg: received-header: parsed as [ ip=64.4.232.99
> rdns=rdbck-static-150.palmer.mtaonline.net helo=aptalaska.net
> by=chang-prv.mtaonline.net ident= envfrom= intl=0 id=j7OKWhSr008250 auth= ]
> dbg: received-header: relay 64.4.232.99 trusted? no internal? no
> 
> dbg: dns: launching DNS A query for 5.176.152.216.dnsbl.sorbs.net. in
> background
> dbg: dns: launching DNS A query for 33.232.4.64.dnsbl.sorbs.net. in
> background
> 
> So what is a solution to this?  Stop using dynamic rbls or is there a
> way to make SpamAssassin only check the address one hop out from the
> first trusted server?


Are you sure you have a problem?

SA won't honor any SORBS_DUL results unless they specifically match the first
untrusted host SA sees as it works backwards through the received path.

However, all the other SORBS tests are valid for any IP in the received: path,
so SA will query sorbs for all IPs.

Unless you're getting a RCVD_IN_SORBS_DUL match for relayed mail, you don't have a
problem.

However, there is one issue that might affect you. If SA never finds any trusted
servers, it will check all IPs against the DUL. Fix your trusted_networks in
this case. You *MUST* trust someone, if only your own mailserver. Many things in
SA will break if you don't.
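
The rule described in the reply above, as an added example that is not part of the thread and not SpamAssassin's own code: a simplified Python model of which relay IPs get queried and which are eligible for a DUL hit, with and without a trusted relay. The first header (192.0.2.10, mailstore.example) is a constructed internal hop; the function names are hypothetical.

```python
import ipaddress
import re

# The relay IP is the bracketed address in each Received header.
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Newest header first. The first entry is constructed (internal hop using a
# documentation address); the other two are the relays from the original post.
HEADERS = [
    "from larry.aptalaska.net (larry.aptalaska.net [192.0.2.10]) "
    "by mailstore.example with ESMTP",
    "from chang-prv.mtaonline.net (mail.mtaonline.net [216.152.176.5]) "
    "by larry.aptalaska.net with ESMTP",
    "from aptalaska.net (rdbck-static-150.palmer.mtaonline.net [64.4.232.99]) "
    "by chang-prv.mtaonline.net with SMTP",
]


def relay_ips(headers):
    """Return the relay IPs in header order (newest first)."""
    return [m.group(1) for h in headers if (m := RELAY_IP.search(h))]


def dnsbl_name(ip, zone="dnsbl.sorbs.net"):
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + "." + zone + "."


def plan_lookups(headers, trusted_networks):
    """Model: every untrusted relay is queried, but a DUL result counts only
    for the first untrusted relay, unless no trusted relay was found."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ips = relay_ips(headers)
    # Trust is contiguous from the newest header; stop at the first outsider.
    boundary = 0
    while boundary < len(ips) and any(
        ipaddress.ip_address(ips[boundary]) in n for n in nets
    ):
        boundary += 1
    untrusted = ips[boundary:]
    # With no trusted relay at all, every IP ends up DUL-eligible.
    dul = untrusted[:1] if boundary > 0 else untrusted
    return {"query": [dnsbl_name(ip) for ip in untrusted], "dul_eligible": dul}
```
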