Posted to users@spamassassin.apache.org by Brian Martinez <sa...@thematrix.cl.msu.edu> on 2008/08/13 21:21:51 UTC

RCVD_ILLEGAL_IP question(s)

Howdy folks,

I'm experiencing a problem with some people (myself included) who are not 
properly receiving their Consumers Energy bills.  Rather, the bills are 
being marked as spam and sent into their SPAM folders.  One of the two 
things being marked by the Spam-Report is RCVD_ILLEGAL_IP.

I found the function that does the checking for this information in the 
Mail-SpamAssassin (or perl-spamassassin-3.2.1-1) package.  We have this 
installed out of RPMs for OpenSuSE 10.2 (both x86 and amd64).

Here is the function:

sub check_for_illegal_ip {
   my ($self, $pms) = @_;

   foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
     # (note this might miss some hits if the Received.pm skips any invalid IPs)
     foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
       return 1 if ($check =~ /^
         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
         $/x);
     }
   }
   return 0;
}

I'm having a hard time understanding the regex myself.  Our network admin 
is actually the person who brought the issue to my attention; I didn't 
even realize I wasn't receiving my own bills, and I imagine other folks are 
not either.  Here are the headers from the message with some info REDACTED 
to avoid robots crawling for email addresses.  Our network admin says the 
IP is certainly a legal one, and it pings for us as well as for other 
people.  Anyway, here's another paste:

----[begin paste]----
Return-path: <RE...@cmsenergy.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on 
mx03.mail.msu.edu
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=5.0 tests=INVALID_TZ_EST,
 	RCVD_ILLEGAL_IP shortcircuit=no autolearn=disabled version=3.2.1
X-Spam-Report:
 	*  2.1 INVALID_TZ_EST Invalid date in header (wrong EST timezone)
 	*  3.2 RCVD_ILLEGAL_IP Received: contains illegal IP address
Envelope-to: REDACTED@msu.edu
Delivery-date: Fri, 01 Aug 2008 06:15:17 -0400
Received: from mail.consumersenergy.com ([67.59.61.131] 
helo=dmzhpu01.cpco.com)
 	by mx03.mail.msu.edu with esmtp (Exim 4.63 #1)
 	id 1KOrfJ-00026T-Cg
 	for marti259@msu.edu; Fri, 01 Aug 2008 06:15:17 -0400
Received: from cmsenergy.com (ecpadm@prmhpu63.ce.corp.com [1.226.208.65])
 	by dmzhpu01.cpco.com (8.11.1/8.11.1) with ESMTP id m71AFGJ28409
 	for <RE...@msu.edu>; Fri, 1 Aug 2008 06:15:17 -0400 (EDT)
Date: Fri, 1 Aug 2008 05:14:38 -0400 (EST)
From: "eServices" <RE...@cmsenergy.com>
Subject: Consumers Energy bill ready to view
To: marti259@msu.edu
Reply-To: "eServices" <RE...@cmsenergy.com>
Message-ID: <AD...@cmsenergy.com>
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: Consumers Energy bill ready to view
X-Virus: None found by Clam AV

----[end paste]----

I'm guessing the IP address in question is: 1.226.208.65

While it certainly is not within a range I see all that often, I am 
assured by our hostmaster that it is legit.  Another one I've seen is 
1.226.208.61.

Any ideas on why this is being picked up incorrectly?  Or are we way off 
base, and it is indeed *wrong?*  I am admittedly kind of new to dealing 
with the inner workings of SpamAssassin.  I took the job as a mail admin 
a couple of years ago, and SA has simply *worked* as set up by the previous 
admin.  I'll be glad to dig around, but I'm still kind of learning it.

Thanks for any ideas.

Regards,
./brm
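To make the regex in the post above easier to follow, here is an added example (not SpamAssassin's own code) that ports the RCVD_ILLEGAL_IP pattern to Python and runs it over the two Received: headers from the quoted bill.  The Received: parsing is a deliberately minimal stand-in for Received.pm, and the sample headers are constructed from the paste with folding whitespace collapsed.

```python
import re

# Port of the check_for_illegal_ip regex from SpamAssassin 3.2.1.
# Perl's /x flag corresponds to re.VERBOSE.  Read left to right, the
# first octet is rejected when it is 0, 1, 2, 5 or 7 (IANA-reserved
# at the time), 127 except for the 127.0.0.x loopback block (the
# negative lookahead), 223 to 299, or any number with too many digits
# to be an octet at all.  The last three octets only have to be digits.
ILLEGAL_IP = re.compile(r"""^
    (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)
    \.\d+\.\d+\.\d+
$""", re.VERBOSE)

# Stand-in for Received.pm: pull the bracketed IP out of a Received: header.
RECEIVED_IP = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def relay_ips(received_headers):
    """Bracketed IP of each Received: header, newest hop first (header order)."""
    ips = []
    for hdr in received_headers:
        m = RECEIVED_IP.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def illegal_relays(received_headers):
    """The relay IPs that the RCVD_ILLEGAL_IP pattern would flag."""
    return [ip for ip in relay_ips(received_headers) if ILLEGAL_IP.match(ip)]


def check_for_illegal_ip(received_headers):
    """Mirror of the Perl function: 1 if any relay IP matches, else 0."""
    return 1 if illegal_relays(received_headers) else 0


# Constructed sample: the two Received: headers from the posted bill.
SAMPLE_RECEIVED = [
    "from mail.consumersenergy.com ([67.59.61.131] helo=dmzhpu01.cpco.com)"
    " by mx03.mail.msu.edu with esmtp (Exim 4.63 #1)",
    "from cmsenergy.com (ecpadm@prmhpu63.ce.corp.com [1.226.208.65])"
    " by dmzhpu01.cpco.com (8.11.1/8.11.1) with ESMTP id m71AFGJ28409",
]

if __name__ == "__main__":
    # The external MSU-facing relay passes; the internal 1.x hop is flagged.
    print(illegal_relays(SAMPLE_RECEIVED))  # ['1.226.208.65']
```

The extra checks in the test show the lookahead at work: 127.0.0.1 passes while 127.1.2.3 is flagged, and private ranges such as 10.0.0.1 are not touched by this rule.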

Re: RCVD_ILLEGAL_IP question(s)

Posted by Brian Martinez <sa...@thematrix.cl.msu.edu>.
Folks,

Thanks for your responses thus far.  It seems that my head is floating in 
the clouds today and I appear to be dreaming half of this situation.  A 
couple of months ago, as I said, our network admin pointed out this 
problem to me.  I can no longer find the email he sent me where he stated 
this and that and the other, nor can I even find my response back to him. 
I remember doing a bunch of "homework" on the issue when I became aware of 
it, and it has been a while since I looked upon it again.

Everything I described previously was from memory.  I swear to you all I was 
able to ping one of those IP addresses, and I even remember looking at 
ARIN.  Well, it appears that I am dead wrong!  Heh!  I really have no idea 
how I've misinformed myself so badly.  Anyway, I am contacting Consumers 
Energy about the matter now, their postmaster too.

I appreciate all the input, but I guess we can consider this matter 
closed.

Move along, nothing to see here...  ;)
./brm


RE: RCVD_ILLEGAL_IP question(s)

Posted by Giampaolo Tomassoni <g....@libero.it>.
Addresses in 1.0.0.0/8 are reserved by IANA (note: not reserved for
intranet use, just reserved) and shouldn't be used by anybody (either on
the Internet or in an intranet), not even a "power" company.

Probably the best approach here is to whitelist the sender.  Of course, I
would suggest that CMS Energy fix the addresses of their non-conforming
intranet/DMZ servers...

Giampaolo


# whois 1.226.208.65

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   1.0.0.0 - 1.255.255.255
CIDR:       1.0.0.0/8
NetName:    RESERVED-9
NetHandle:  NET-1-0-0-0-1
Parent:
NetType:    IANA Reserved
Comment:
RegDate:
Updated:    2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2008-08-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
