Posted to users@spamassassin.apache.org by Toni Mueller <su...@oeko.net> on 2012/01/23 17:50:42 UTC

ham marked as spam: bogus IP in report

Hi,

recently, my spamassassin started to score system messages as spam,
mentioning IP numbers not in the email:



Return-Path: <xx...@w1.oeko.net>
Delivered-To: xxxxx@oeko.net
Received: from localhost (localhost [127.0.0.1])
        by w3.oeko.net (Postfix) with ESMTP id AB1E725CEA
        for <su...@oeko.net>; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
X-Spam-Flag: YES
X-Spam-Score: 8.101
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.101 tagged_above=-1 required=5
        tests=[CHECK_SPAMHAUS_ZEN=2, DKIM_ADSP_NXDOMAIN=0.8,
        NO_DNS_FOR_FROM=0.379, RCVD_IN_PBL=3.558, RCVD_IN_SORBS_DUL=0.001,
        RDNS_DYNAMIC=0.363, TO_NO_BRKTS_DYNIP=1] autolearn=unavailable
X-Spam-Report:
 *  0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
 *  2.0 CHECK_SPAMHAUS_ZEN RBL: SPAMHAUS_ZEN: IP is listed in Spamhaus' ZEN
 *      list
 *      [91.0.104.164 listed in zen.spamhaus.org]
 *  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 *  0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in DNS
 *  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *      [91.0.104.164 listed in dnsbl.sorbs.net]
 *  0.4 RDNS_DYNAMIC Delivered to internal network by host with
 *      dynamic-looking rDNS
 *  1.0 TO_NO_BRKTS_DYNIP TO_NO_BRKTS_DYNIP
Received: from w3.oeko.net ([127.0.0.1])
        by localhost (w3.oeko.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id zbFw-kX9Fx8M for <su...@oeko.net>;
        Sun, 22 Jan 2012 04:17:01 +0100 (CET)
Received: from w1.oeko.net (w1.oeko.net [46.29.42.1])
        by w3.oeko.net (Postfix) with ESMTP
        for <su...@oeko.net>; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
Received: by w1.oeko.net (Postfix)
        id 6697817DC8; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
Delivered-To: xxxx@w1.oeko.net
Received: by w1.oeko.net (Postfix, from userid 118)
        id 637D417DC7; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
From: root@w1.oeko.net (Cron Daemon)
To: hostmaster@w1.oeko.net
Subject: Cron <ns...@w1> test -x /usr/sbin/nsdc && /usr/sbin/nsdc patch (failed)
Content-Type: text/plain; charset=UTF-8
X-Cron-Env: <MAILTO=hostmaster>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/nsd>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=nsd>
Message-Id: <20...@w1.oeko.net>
Date: Sun, 22 Jan 2012 04:17:01 +0100 (CET)



The report prominently mentions the IP number 91.0.104.164, which has
absolutely nothing to do with us, and likewise, the server w1.oeko.net
_does_ actually have an A record. This is SpamAssassin 3.3.1 on
Debian/Squeeze, run from amavisd-new.


Am I looking at a bug in SA? And/Or, how do I debug this, please?



Kind regards,
--Toni++


Re: ham marked as spam: bogus IP in report

Posted by Mark Martinec <Ma...@ijs.si>.
Toni,

> recently, my spamassassin started to score system messages as spam,
> mentioning IP numbers not in the email:
> [...]
>  *  2.0 CHECK_SPAMHAUS_ZEN RBL: SPAMHAUS_ZEN: IP is listed in Spamhaus'
>  *      ZEN list
>  *      [91.0.104.164 listed in zen.spamhaus.org]
>  *  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
>  *      [91.0.104.164 listed in dnsbl.sorbs.net]
> 
> The report prominently mentions the IP number 91.0.104.164, which has
> absolutely nothing to do with us, and likewise, the server w1.oeko.net
> does actually have an A record. This is SpamAssassin 3.3.1 on
> Debian/Squeeze, run from amavisd-new.
>
> Am I looking at a bug in SA? And/Or, how do I debug this, please?

Which version of amavisd? If older than 2.7.0, perhaps results caching
was the culprit - assuming the mail body was exactly the same as of some
previous unrelated message, but with a different mail header section.
Try disabling it:  $enable_global_cache = 0;
Starting with 2.7.0 the results caching is no longer in use.

> I do see this IP number several times, but it tried to send a completely
> different email to someone else on my server.

It does sound similar to Bug 6617 in a way that it might reflect
events from some past message. But I agree it is not the same bug.

Kevin wrote:
| I'm guessing something in Amavis synthesizing a received header and 
| putting the wrong IP is more my guess.  SA isn't going to make up an IP 
| address to go check.

The only synthesized header fields by amavisd are Return-Path,
X-Envelope-To, and some X-Amavis-* (none of which contain an IP address).
The Received header fields as seen by SpamAssassin are only those
generated by MTA - the Received header field generated by amavisd
is only inserted as a last step during mail forwarding, after all checks
have already been done.

Did you check the message itself? Could it be the IP address in question
comes from some URL in a mail body?

> I was rather thinking along some memory corruption associated with
> threads (SA runs as a module in amavisd-new), but that would be well
> beyond my debugging skills, unfortunately.

No threads are in use. Crosstalk can potentially come from messages
previously checked by the same child process, or from borked DNS packets.

> tests=[... DKIM_ADSP_NXDOMAIN... NO_DNS_FOR_FROM
> The server w1.oeko.net does actually have an A record.

Unless this is indeed a result of caching, these two SA tests, along
with the made-up 91.0.104.164, might point a finger at a DNS issue.
Are you using a local recursive DNS server or some foreign service?
Any NAT or a small-office firewall involved?

  Mark

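Mark asks whether the IP in the report actually occurs anywhere in the message. The following is an added example written for this thread (not SpamAssassin's or amavisd's code): it parses a message, collects every IPv4 literal from the Received headers and the text body, collects the IPs that the X-Spam-Report cites, and reports any cited IP that the message itself does not contain. The sample input is a constructed copy of the header section Toni posted, with an invented one-line body; a non-empty "unexplained" set is exactly the crosstalk symptom discussed above.

```python
"""Cross-check the IPs cited in a SpamAssassin report against the message itself.

Added example for this thread, not SpamAssassin or amavisd code.
"""
import re
from email import message_from_string

# Constructed sample: header section copied from the message quoted in the
# thread; the body line is invented for this example.
SAMPLE = """\
Return-Path: <xx...@w1.oeko.net>
Delivered-To: xxxxx@oeko.net
Received: from localhost (localhost [127.0.0.1])
        by w3.oeko.net (Postfix) with ESMTP id AB1E725CEA
        for <su...@oeko.net>; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
X-Spam-Flag: YES
X-Spam-Score: 8.101
X-Spam-Status: Yes, score=8.101 tagged_above=-1 required=5
        tests=[CHECK_SPAMHAUS_ZEN=2, DKIM_ADSP_NXDOMAIN=0.8,
        NO_DNS_FOR_FROM=0.379, RCVD_IN_PBL=3.558, RCVD_IN_SORBS_DUL=0.001,
        RDNS_DYNAMIC=0.363, TO_NO_BRKTS_DYNIP=1] autolearn=unavailable
X-Spam-Report:
 *  2.0 CHECK_SPAMHAUS_ZEN RBL: SPAMHAUS_ZEN: IP is listed in Spamhaus' ZEN
 *      list
 *      [91.0.104.164 listed in zen.spamhaus.org]
 *  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 *  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *      [91.0.104.164 listed in dnsbl.sorbs.net]
Received: from w3.oeko.net ([127.0.0.1])
        by localhost (w3.oeko.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id zbFw-kX9Fx8M for <su...@oeko.net>;
        Sun, 22 Jan 2012 04:17:01 +0100 (CET)
Received: from w1.oeko.net (w1.oeko.net [46.29.42.1])
        by w3.oeko.net (Postfix) with ESMTP
        for <su...@oeko.net>; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
Received: by w1.oeko.net (Postfix, from userid 118)
        id 637D417DC7; Sun, 22 Jan 2012 04:17:01 +0100 (CET)
From: root@w1.oeko.net (Cron Daemon)
To: hostmaster@w1.oeko.net
Subject: Cron <ns...@w1> test -x /usr/sbin/nsdc && /usr/sbin/nsdc patch (failed)
Content-Type: text/plain; charset=UTF-8

nsdc: patch failed (constructed body line, not from the original message)
"""

IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')


def parse_tests(status):
    """Turn the tests=[RULE=score, ...] list of X-Spam-Status into a dict."""
    hits = {}
    m = re.search(r'tests=\[(.*?)\]', status or '', re.S)
    if m:
        for item in m.group(1).split(','):
            name, _, score = item.strip().partition('=')
            if name:
                hits[name] = float(score) if score else 0.0
    return hits


def message_ips(msg):
    """IPv4 literals actually present in the message: Received headers and text body."""
    found = set()
    for rcvd in msg.get_all('Received', []):
        found.update(IPV4.findall(rcvd))
    for part in msg.walk():
        if part.get_content_type() == 'text/plain':
            payload = part.get_payload(decode=True) or b''
            found.update(IPV4.findall(payload.decode('utf-8', 'replace')))
    return found


def audit(raw):
    """Compare the IPs cited by X-Spam-Report with the IPs the message contains."""
    msg = message_from_string(raw)
    cited = set(IPV4.findall(msg.get('X-Spam-Report', '')))
    present = message_ips(msg)
    return {
        'tests': parse_tests(msg.get('X-Spam-Status', '')),
        'report_ips': cited,
        'message_ips': present,
        # Anything here was scored against an address the message never mentions.
        'unexplained': cited - present,
    }


if __name__ == '__main__':
    result = audit(SAMPLE)
    print('rule hits     :', result['tests'])
    print('IPs in message:', sorted(result['message_ips']))
    print('IPs in report :', sorted(result['report_ips']))
    print('unexplained   :', sorted(result['unexplained']))
```

Run it against the post-amavisd copy of a mis-scored message; for the sample above it lists 91.0.104.164 as unexplained, while 46.29.42.1 and 127.0.0.1 are accounted for by the Received chain. If the same check on the file fed through `spamassassin -t -D` (Kevin's suggestion) comes back empty, the stray address entered somewhere between amavisd and the rule engine, not from the message.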
Re: ham marked as spam: bogus IP in report

Posted by Benny Pedersen <me...@junc.org>.
On Mon, 23 Jan 2012 17:50:42 +0100, Toni Mueller wrote:
> recently, my spamassassin started to score system messages as spam,
> mentioning IP numbers not in the email:

Is your own IP listed in internal_networks and/or trusted_networks?
Your own IP must be listed there, but this won't be stable if your own IP
changes ;/


Re: ham marked as spam: bogus IP in report

Posted by Toni Mueller <su...@oeko.net>.
Hi,

On Mon, Jan 23, 2012 at 12:29:29PM -0500, Kevin A. McGrail wrote:
> My thoughts were definitely the threads in amavis getting mixed up.
> I would definitely look at that path because I'm sure if you do
> spamassassin -t -D on the mbox format email post-amavis, you'll find
> it doesn't repeat the wonkiness.

thanks for the idea. Right - this way, the email gets 0.0 points (=
correct, imho). So I should now go off hunting Amavisd...

Thanks a bunch for your help!


Kind regards,
--Toni++


Re: ham marked as spam: bogus IP in report

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 1/23/2012 12:25 PM, Toni Mueller wrote:
> Hi,
>
> On Mon, Jan 23, 2012 at 12:19:52PM -0500, darxus@chaosreigns.com wrote:
>> On 01/23, Toni Mueller wrote:
>>> I do see this IP number several times, but it tried to send a completely
>>> different email to someone else on my server.
>> I was just about to ask if it might be showing up in other emails, afraid
>> it might be related to:
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6617
>> "FreeMail rule description shows emails from previous messages".
> hmmm... the address turns out to be a dynamic IP from Telekom (Germany),
> and the email in question was also a sysadmin notice of a user who has a
> small Linux gateway running (but no local mail on it). Thus I can
> certainly rule out freemail.
>
> I was rather thinking along some memory corruption associated with
> threads (SA runs as a module in amavisd-new), but that would be well
> beyond my debugging skills, unfortunately.
My thoughts were definitely the threads in amavis getting mixed up.  I 
would definitely look at that path because I'm sure if you do 
spamassassin -t -D on the mbox format email post-amavis, you'll find it 
doesn't repeat the wonkiness.

Re: ham marked as spam: bogus IP in report

Posted by Toni Mueller <su...@oeko.net>.
Hi,

On Mon, Jan 23, 2012 at 12:19:52PM -0500, darxus@chaosreigns.com wrote:
> On 01/23, Toni Mueller wrote:
> > I do see this IP number several times, but it tried to send a completely
> > different email to someone else on my server.
> 
> I was just about to ask if it might be showing up in other emails, afraid
> it might be related to:
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6617
> "FreeMail rule description shows emails from previous messages".

hmmm... the address turns out to be a dynamic IP from Telekom (Germany),
and the email in question was also a sysadmin notice of a user who has a
small Linux gateway running (but no local mail on it). Thus I can
certainly rule out freemail.

I was rather thinking along some memory corruption associated with
threads (SA runs as a module in amavisd-new), but that would be well
beyond my debugging skills, unfortunately.


Kind regards,
--Toni++

Re: ham marked as spam: bogus IP in report

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 1/23/2012 12:19 PM, darxus@chaosreigns.com wrote:
> On 01/23, Toni Mueller wrote:
>> On Mon, Jan 23, 2012 at 11:59:43AM -0500, Kevin A. McGrail wrote:
>>>> Am I looking at a bug in SA? And/Or, how do I debug this, please?
>>> Baffling.  Checking your maillogs, you don't see that IP anywhere?
>> I do see this IP number several times, but it tried to send a completely
>> different email to someone else on my server.
> I was just about to ask if it might be showing up in other emails, afraid
> it might be related to:
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6617
> "FreeMail rule description shows emails from previous messages".
>
> Ick.
I don't agree.  That bug shows email addresses that trigger freemail rules.

Triggering the IP rules doesn't sound related.

I'm guessing something in Amavis synthesizing a received header and 
putting the wrong IP is more my guess.  SA isn't going to make up an IP 
address to go check.

Regards,
KAM

Re: ham marked as spam: bogus IP in report

Posted by da...@chaosreigns.com.
On 01/23, Toni Mueller wrote:
> On Mon, Jan 23, 2012 at 11:59:43AM -0500, Kevin A. McGrail wrote:
> > > Am I looking at a bug in SA? And/Or, how do I debug this, please?
> > Baffling.  Checking your maillogs, you don't see that IP anywhere?
> 
> I do see this IP number several times, but it tried to send a completely
> different email to someone else on my server.

I was just about to ask if it might be showing up in other emails, afraid
it might be related to:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6617
"FreeMail rule description shows emails from previous messages".

Ick.

-- 
"Begin at the beginning and go on till you come to the end; then stop."
- Lewis Carroll, Alice in Wonderland
http://www.ChaosReigns.com

Re: ham marked as spam: bogus IP in report

Posted by Toni Mueller <su...@oeko.net>.
On Mon, Jan 23, 2012 at 11:59:43AM -0500, Kevin A. McGrail wrote:
> > Am I looking at a bug in SA? And/Or, how do I debug this, please?
> Baffling.  Checking your maillogs, you don't see that IP anywhere?

I do see this IP number several times, but it tried to send a completely
different email to someone else on my server.


Kind regards,
--Toni++

Re: ham marked as spam: bogus IP in report

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
> Am I looking at a bug in SA? And/Or, how do I debug this, please?
> Kind regards, --Toni++

Baffling.  Checking your maillogs, you don't see that IP anywhere?