Posted to users@spamassassin.apache.org by Marcin Mirosław <ma...@mejor.pl> on 2015/05/05 10:51:22 UTC

Ignoring Received: header added by real MTA

Hi!
I'm ashamed to ask because this problem keeps coming back like a boomerang, but I still
can't find a solution. I'm reading e.g.:
http://spamassassin.1065346.n5.nabble.com/How-to-ignore-multiple-Received-headers-td52450.html

I set trusted_networks but I can't see how it can help (and it doesn't
work as I wish). I'm using Exim and I'm connecting to spamd to check
mail status. The headers of the problematic email are:

Delivery-date: Tue, 05 May 2015 08:22:49 +0200
Received: from v034244.home.net.pl ([89.161.182.208])
        by poczta.cibet.pl with smtp (Exim 4.84)
        (envelope-from <xx...@yyyyyyy.pl>)
        id 1YpWFk-0001BY-EC
        for spamtrap@cibet.pl; Tue, 05 May 2015 08:22:49 +0200
Received: from public-gprs514716.centertel.pl (31.61.129.221) (HELO Toszzzz)
 by yyyyyyy.home.pl (89.161.182.208) with SMTP (IdeaSmtpServer v0.80)
 id ea61105d60d70d9d; Tue, 5 May 2015 08:22:44 +0200

and SA report for this:
X-Spam-Report: X-Spam-ASN:                      AS12824 89.161.128.0/17
 X-Szczegoly:(mohikanin.in.cibet.pl)(6.9 points)
  pts rule name              description
 ---- ---------------------- ---------------------------------------------
  0.8 RCVD_IN_SORBS_WEB      RBL: SORBS: nadawca posiada nadużywany
serwer WWW
                             [31.61.129.221 listed in dnsbl.sorbs.net]
 -1.9 BAYES_00               BODY: Bayesowskie prawdopodobieństwo
spamu wynosi 0 do 1%
                             [score: 0.0011]
  2.1 HTML_IMAGE_ONLY_12     BODY: HTML: grafika i 1000-1200 bajtów
słów
  0.0 HTML_MESSAGE           BODY: Wiadomość zawiera kod HTML
  3.3 RCVD_IN_SBL_CSS        RBL: Received via a relay in Spamhaus SBL-CSS
                             [31.61.129.221 listed in zen.spamhaus.org]
  0.0 HTML_SHORT_LINK_IMG_2  HTML is very short with a linked image
  1.0 KAM_HTMLNOISE          Spam containing useless HTML padding
  0.0 LR_RCVD_NOT_IN_IPREPDNS Sender not listed at
                             http://www.chaosreigns.com/iprep/
  0.6 LR_SHORT               Has URI and short body
  1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                             anti-forgery methods
  0.0 T_REMOTE_IMAGE         Message contains an external image


My goal is to configure SA not to check the IP of the client (in this example
31.61.129.221).
I'm reading https://wiki.apache.org/spamassassin/TrustPath ,
_RELAYSUNTRUSTED_ gives: X-RelaysUntrusted [ ip=89.161.182.208
rdns=v034244.home.net.pl helo=v034244.home.net.pl by=poczta.cibet.pl
ident= envfrom=xxxx@yyyyy.pl intl=0 id=1YpWFk-0001BY-EC auth= msa=0 ] [
ip=31.61.129.221 rdns=public-gprs514716.centertel.pl
helo=public-gprs514716.centertel.pl by=hosttelekom.home.pl ident=
envfrom= intl=0 id=ea61105d60d70d9d auth= msa=0 ]

but I still can't find what configuration would give me the needed behavior.
Thanks for any advice.
Marcin


Re: Ignoring Received: header added by real MTA

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 2015-05-05 at 22:07, Benny Pedersen wrote:
> Marcin Mirosław wrote on 2015-05-05 21:21:
> 
>>>> My goal is to configure SA not to check the IP of the client (in this example
>>>> 31.61.129.221).
>>>
>>> Can you elaborate about what's going on here? What do the two hand-overs
>>> represent? What do you mean by "real MTA"?
>>
>> Thanks for both answers. I'll try to describe it using ascii art:
>> ------------------------------            --------------------------
>> |random user sending email   |sends email |89.161.182.208 from this |
>> |(in my case: 31.61.129.221) |----------->|MTA I'm getting email    |
>> ------------------------------            --------------------------
>>
>>     --------------------------
>> --->|my MTA -poczta.cibet.pl |
>>     --------------------------
>>
>>
>> So it's not important for me if address 31.61.129.221 is on any RBL
>> because I'm not getting email directly from this IP. It's important for
>> me if server 89.161.182.208 (which directly connects to my MTA) is in
>> any RBL. I'd like SA to check only the IP which directly connects to my
>> server against RBLs.
> 
> please show the problem in spamassassin
> 
> is 31.61.129.221 an smtp auth user? In this case you should NOT add
> this ip to trusted_networks, since the client ip would be your server ip
> in spamassassin

In 99% of cases, yes. The header with IP 31.61.129.221 was added by an external MTA, so I
can't trust it 100%.

> spamassassin -D -t sample-msg-file 2>&1 | less
> 
> in less press s to save the test results, then post the headers of those results so we
> can help solve it. What mta are you using, and how is spamassassin
> used in the mta?

In my first email I sent the report from SA. Now 31.61.129.221 isn't
listed by Spamhaus SBL-CSS, so I suspect that pasting another report from
SA would make more problems.
I'm thinking about how to describe my problem in a different way...







Re: Ignoring Received: header added by real MTA

Posted by Benny Pedersen <me...@junc.eu>.
Marcin Mirosław wrote on 2015-05-05 21:21:

>>> My goal is to configure SA not to check the IP of the client (in this example
>>> 31.61.129.221).
>> 
>> Can you elaborate about what's going on here? What do the two 
>> hand-overs
>> represent? What do you mean by "real MTA"?
> 
> Thanks for both answers. I'll try to describe it using ascii art:
> ------------------------------            --------------------------
> |random user sending email   |sends email |89.161.182.208 from this |
> |(in my case: 31.61.129.221) |----------->|MTA I'm getting email    |
> ------------------------------            --------------------------
> 
>     --------------------------
> --->|my MTA -poczta.cibet.pl |
>     --------------------------
> 
> 
> So it's not important for me if address 31.61.129.221 is on any RBL
> because I'm not getting email directly from this IP. It's important for
> me if server 89.161.182.208 (which directly connects to my MTA) is in
> any RBL. I'd like SA to check only the IP which directly connects to my
> server against RBLs.

please show the problem in spamassassin

is 31.61.129.221 an smtp auth user? In this case you should NOT add 
this ip to trusted_networks, since the client ip would be your server ip 
in spamassassin

spamassassin -D -t sample-msg-file 2>&1 | less

in less press s to save the test results, then post the headers of those results so we 
can help solve it. What mta are you using, and how is spamassassin 
used in the mta?

> Marcin


Re: Ignoring Received: header added by real MTA

Posted by Reindl Harald <h....@thelounge.net>.

On 05.05.2015 at 21:38, Marcin Mirosław wrote:
> On 2015-05-05 at 21:28, Reindl Harald wrote:
>>
>> On 05.05.2015 at 21:21, Marcin Mirosław wrote:
>>> Thanks for both answers. I'll try to describe it using ascii art:
>>> ------------------------------            --------------------------
>>> |random user sending email   |sends email |89.161.182.208 from this |
>>> |(in my case: 31.61.129.221) |----------->|MTA I'm getting email    |
>>> ------------------------------            --------------------------
>>>
>>>       --------------------------
>>> --->|my MTA -poczta.cibet.pl |
>>>       --------------------------
>>>
>>> So it's not important for me if address 31.61.129.221 is on any RBL
>>> because I'm not getting email directly from this IP. It's important for
>>> me if server 89.161.182.208 (which directly connects to my MTA) is in
>>> any RBL
>>
>> and whose MTA is 89.161.182.208?
>
> It's not my MTA. It is an MTA used by someone in the world.
>
>> if it's a known machine relaying mail for you it *is* important if
>> 31.61.129.221 is on a RBL - hence put 89.161.182.208 in trusted_networks

then fix your internal_networks and trusted_networks settings

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

> I'm thinking about removing all Received headers from email except added
> by my MTA, storing it, sending email to spamd and restoring headers. But
> it looks like using a sledgehammer to crack a nut:)

there is no reason to do so, a correctly configured SA would not do 
deep-header inspection over all received headers - this all sounds like 
a config problem and until now AFAIK it's not clear how you glued SA 
into your mailserver


Re: Ignoring Received: header added by real MTA

Posted by Benny Pedersen <me...@junc.eu>.
Marcin Mirosław wrote on 2015-05-05 21:56:

> RCVD_IN_SBL_CSS. It looks that "lastexternal" is what I'm looking for.
> Is it possible to add '-lastexternal' to all RBL?

would be counterproductive

in local.cf:
internal_networks <all-mta-ips>
trusted_networks <all-mta-ips>

# whitelist rbl ips that hit too much on rbl when they're listed in dnswl
trusted_networks <ip-that-is-hitting-on-rbl-skip-local-check>


please note that trusted_networks is also skipped for whitelist hits :=)



Re: Ignoring Received: header added by real MTA

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 06.05.2015 at 14:46, Kevin A. McGrail wrote:
> On 5/5/2015 3:56 PM, Marcin Mirosław wrote:
>> On 2015-05-05 at 21:47, Kevin A. McGrail wrote:
>>> On 5/5/2015 3:38 PM, Marcin Mirosław wrote:
>>>> I'm thinking about removing all Received headers from email except
>>>> added
>>>> by my MTA, storing it, sending email to spamd and restoring headers.
>>>> But
>>>> it looks like using a sledgehammer to crack a nut:)
>>> What RBL are you concerned about specifically because some RBLs do deep
>>> header parsing which you can change with lastexternal?
>> RCVD_IN_SBL_CSS. It looks that "lastexternal" is what I'm looking for.
>> Is it possible to add '-lastexternal' to all RBL?
> Different RBLs are designed differently so it's not a one size fits all
> question & answer.
> 
> CSS is designed for ISPs...  http://www.spamhaus.org/css/
> 
> As such, a deep header parsing might be appropriate.


Hi!
Thank you all for the explanations; "deep header inspection" is the reason
for this behavior. The good news is that my configuration of SA is correct :)
Marcin

Re: Ignoring Received: header added by real MTA

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/5/2015 3:56 PM, Marcin Mirosław wrote:
> On 2015-05-05 at 21:47, Kevin A. McGrail wrote:
>> On 5/5/2015 3:38 PM, Marcin Mirosław wrote:
>>> I'm thinking about removing all Received headers from email except added
>>> by my MTA, storing it, sending email to spamd and restoring headers. But
>>> it looks like using a sledgehammer to crack a nut:)
>> What RBL are you concerned about specifically because some RBLs do deep
>> header parsing which you can change with lastexternal?
> RCVD_IN_SBL_CSS. It looks that "lastexternal" is what I'm looking for.
> Is it possible to add '-lastexternal' to all RBL?
Different RBLs are designed differently so it's not a one size fits all 
question & answer.

CSS is designed for ISPs...  http://www.spamhaus.org/css/

As such, a deep header parsing might be appropriate.

Regards,
KAM

Re: Ignoring Received: header added by real MTA

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 2015-05-05 at 21:47, Kevin A. McGrail wrote:
> On 5/5/2015 3:38 PM, Marcin Mirosław wrote:
>> I'm thinking about removing all Received headers from email except added
>> by my MTA, storing it, sending email to spamd and restoring headers. But
>> it looks like using a sledgehammer to crack a nut:)
> What RBL are you concerned about specifically because some RBLs do deep
> header parsing which you can change with lastexternal?

RCVD_IN_SBL_CSS. It looks that "lastexternal" is what I'm looking for.
Is it possible to add '-lastexternal' to all RBL?




Re: Ignoring Received: header added by real MTA

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/5/2015 3:38 PM, Marcin Mirosław wrote:
> I'm thinking about removing all Received headers from email except added
> by my MTA, storing it, sending email to spamd and restoring headers. But
> it looks like using a sledgehammer to crack a nut:)
What RBL are you concerned about specifically because some RBLs do deep 
header parsing which you can change with lastexternal?

Re: Ignoring Received: header added by real MTA

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 2015-05-05 at 21:28, Reindl Harald wrote:
> 
> 
> On 05.05.2015 at 21:21, Marcin Mirosław wrote:
>> Thanks for both answers. I'll try to describe it using ascii art:
>> ------------------------------            --------------------------
>> |random user sending email   |sends email |89.161.182.208 from this |
>> |(in my case: 31.61.129.221) |----------->|MTA I'm getting email    |
>> ------------------------------            --------------------------
>>
>>      --------------------------
>> --->|my MTA -poczta.cibet.pl |
>>      --------------------------
>>
>>
>> So it's not important for me if address 31.61.129.221 is on any RBL
>> because I'm not getting email directly from this IP. It's important for
>> me if server 89.161.182.208 (which directly connects to my MTA) is in
>> any RBL
> 
> and whose MTA is 89.161.182.208?

It's not my MTA. It is an MTA used by someone in the world.

> if it's a known machine relaying mail for you it *is* important if
> 31.61.129.221 is on a RBL - hence put 89.161.182.208 in trusted_networks

I'm thinking about removing all Received headers from email except added
by my MTA, storing it, sending email to spamd and restoring headers. But
it looks like using a sledgehammer to crack a nut:)



Marcin



Re: Ignoring Received: header added by real MTA

Posted by Reindl Harald <h....@thelounge.net>.

On 05.05.2015 at 21:21, Marcin Mirosław wrote:
> Thanks for both answers. I'll try to describe it using ascii art:
> ------------------------------            --------------------------
> |random user sending email   |sends email |89.161.182.208 from this |
> |(in my case: 31.61.129.221) |----------->|MTA I'm getting email    |
> ------------------------------            --------------------------
>
>      --------------------------
> --->|my MTA -poczta.cibet.pl |
>      --------------------------
>
>
> So it's not important for me if address 31.61.129.221 is on any RBL
> because I'm not getting email directly from this IP. It's important for
> me if server 89.161.182.208 (which directly connects to my MTA) is in
> any RBL

and whose MTA is 89.161.182.208?

if it's a known machine relaying mail for you it *is* important if 
31.61.129.221 is on a RBL - hence put 89.161.182.208 in trusted_networks


Re: Ignoring Received: header added by real MTA

Posted by RW <rw...@googlemail.com>.
On Tue, 05 May 2015 21:21:58 +0200
Marcin Mirosław wrote:

> 
> So it's not important for me if address 31.61.129.221 is on any RBL
> because I'm not getting email directly from this IP. It's important
> for me if server 89.161.182.208 (which directly connects to my MTA)
> is in any RBL. I'd like SA to check only the IP which directly connects to
> my server against RBLs.

Mostly that's what happens because most lists contain compromised hosts
on dynamic addresses. A deep hit could be a dynamic address transferred
to another machine, but a hit on the last external is either
compromised or a dynamic address delivering direct to MX - which is
also suspicious. 

RCVD_IN_SORBS_WEB contains servers that could be abused, and
RCVD_IN_SBL_CSS contains addresses controlled by spammers and used for
snowshoe spam. In neither case should these be dynamic addresses, so
the risk of doing deep scans is much smaller.

If it's causing you a problem you could redefine them in your local
rules to be "last-external" - take a look at how RCVD_IN_XBL is
defined.
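The trust-path walk that RW and Reindl describe, as an added example that is not part of the thread and not SpamAssassin's own code: it extracts the connecting IP from each Received: header quoted in the thread, splits the relays at the first hop outside trusted_networks, and compares a "deep" check (every untrusted relay) with a "lastexternal" check (only the first untrusted relay). The DNSBL answer, the rule name and the receiving MTA's address (198.51.100.10) are constructed placeholders, not live lookups.

```python
import ipaddress
import re

# Constructed sample: the two Received: headers quoted in the thread, nearest
# hop first (the top one was added by the recipient's own MTA, poczta.cibet.pl).
RECEIVED = [
    "from v034244.home.net.pl ([89.161.182.208]) by poczta.cibet.pl with smtp (Exim 4.84)",
    "from public-gprs514716.centertel.pl (31.61.129.221) (HELO Toszzzz) "
    "by yyyyyyy.home.pl (89.161.182.208) with SMTP (IdeaSmtpServer v0.80)",
]

# Constructed stand-in for a DNSBL answer: the report in the thread showed
# 31.61.129.221 listed in zen.spamhaus.org at the time.
LISTED = {"31.61.129.221": "SBL-CSS"}

# Placeholder for the recipient's own MTA address (RFC 5737 documentation range).
OWN_MTA = "198.51.100.10/32"

# Connecting-client IP of a Received: header: "from host ([ip])" or "from host (ip)".
FROM_IP = re.compile(r"\bfrom\s+\S+\s+\(?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)?")


def relay_ips(headers):
    """Return the client IP of each Received: header, nearest hop first."""
    return [m.group(1) for m in (FROM_IP.search(h) for h in headers) if m]


def split_trust_path(ips, trusted_networks):
    """Walk relays outward from our MTA. Hops stay trusted only while every
    hop so far lies inside trusted_networks; the first hop outside it and all
    hops beyond are untrusted, because their headers could have been forged."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in ips:
        inside = any(ipaddress.ip_address(ip) in n for n in nets)
        if inside and not untrusted:
            trusted.append(ip)
        else:
            untrusted.append(ip)
    return trusted, untrusted


def rbl_hits(headers, trusted_networks, listed, lastexternal):
    """RBL hits for the message. lastexternal=True queries only the first
    untrusted relay (the host that handed the mail to a trusted one);
    lastexternal=False is the 'deep' check over every untrusted relay."""
    _, untrusted = split_trust_path(relay_ips(headers), trusted_networks)
    candidates = untrusted[:1] if lastexternal else untrusted
    return [(ip, listed[ip]) for ip in candidates if ip in listed]


if __name__ == "__main__":
    # With only our MTA trusted, deep hits on 31.61.129.221 but lastexternal does
    # not; adding 89.161.182.208 to trusted_networks makes 31.61.129.221 the
    # last external hop, so even the lastexternal check then hits it.
    for trusted in ([OWN_MTA], [OWN_MTA, "89.161.182.208/32"]):
        for mode in (False, True):
            print(trusted, "lastexternal" if mode else "deep",
                  rbl_hits(RECEIVED, trusted, LISTED, mode))
```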

Re: Ignoring Received: header added by real MTA

Posted by Marcin Mirosław <ma...@mejor.pl>.
On 2015-05-05 at 20:29, RW wrote:
> On Tue, 05 May 2015 10:51:22 +0200
> Marcin Mirosław wrote:
> 
>> Hi!
>> I'm ashamed to ask because this problem keeps coming back like a boomerang, but I still
>> can't find a solution. I'm reading e.g.:
>> http://spamassassin.1065346.n5.nabble.com/How-to-ignore-multiple-Received-headers-td52450.html
>>
>> I set trusted_networks but I can't see how it can help (and it
>> doesn't work as I wish). I'm using Exim and I'm connecting to spamd
>> to check mail status. The headers of the problematic email are:
>>
>> Delivery-date: Tue, 05 May 2015 08:22:49 +0200
>> Received: from v034244.home.net.pl ([89.161.182.208])
>>         by poczta.cibet.pl with smtp (Exim 4.84)
>>         (envelope-from <xx...@yyyyyyy.pl>)
>>         id 1YpWFk-0001BY-EC
>>         for spamtrap@cibet.pl; Tue, 05 May 2015 08:22:49 +0200
>> Received: from public-gprs514716.centertel.pl (31.61.129.221) (HELO
>> Toszzzz) by yyyyyyy.home.pl (89.161.182.208) with SMTP
>> (IdeaSmtpServer v0.80) id ea61105d60d70d9d; Tue, 5 May 2015 08:22:44
>> +0200
>>
>> ...
>> My goal is to configure SA not to check the IP of the client (in this example
>> 31.61.129.221).
> 
> Can you elaborate about what's going on here? What do the two hand-overs
> represent? What do you mean by "real MTA"?

Thanks for both answers. I'll try to describe it using ascii art:
------------------------------            --------------------------
|random user sending email   |sends email |89.161.182.208 from this |
|(in my case: 31.61.129.221) |----------->|MTA I'm getting email    |
------------------------------            --------------------------

    --------------------------
--->|my MTA -poczta.cibet.pl |
    --------------------------


So it's not important for me if address 31.61.129.221 is on any RBL
because I'm not getting email directly from this IP. It's important for
me if server 89.161.182.208 (which directly connects to my MTA) is in
any RBL. I'd like SA to check only the IP which directly connects to my
server against RBLs.
Marcin





Re: Ignoring Received: header added by real MTA

Posted by RW <rw...@googlemail.com>.
On Tue, 05 May 2015 10:51:22 +0200
Marcin Mirosław wrote:

> Hi!
> I'm ashamed to ask because this problem keeps coming back like a boomerang, but I still
> can't find a solution. I'm reading e.g.:
> http://spamassassin.1065346.n5.nabble.com/How-to-ignore-multiple-Received-headers-td52450.html
> 
> I set trusted_networks but I can't see how it can help (and it
> doesn't work as I wish). I'm using Exim and I'm connecting to spamd
> to check mail status. The headers of the problematic email are:
> 
> Delivery-date: Tue, 05 May 2015 08:22:49 +0200
> Received: from v034244.home.net.pl ([89.161.182.208])
>         by poczta.cibet.pl with smtp (Exim 4.84)
>         (envelope-from <xx...@yyyyyyy.pl>)
>         id 1YpWFk-0001BY-EC
>         for spamtrap@cibet.pl; Tue, 05 May 2015 08:22:49 +0200
> Received: from public-gprs514716.centertel.pl (31.61.129.221) (HELO
> Toszzzz) by yyyyyyy.home.pl (89.161.182.208) with SMTP
> (IdeaSmtpServer v0.80) id ea61105d60d70d9d; Tue, 5 May 2015 08:22:44
> +0200
> 
> ...
> My goal is to configure SA not to check the IP of the client (in this example
> 31.61.129.221).

Can you elaborate about what's going on here? What do the two hand-overs
represent? What do you mean by "real MTA"?

Re: Ignoring Received: header added by real MTA

Posted by Benny Pedersen <me...@junc.eu>.
Marcin Mirosław wrote on 2015-05-05 10:51:

> My goal is to configure SA not to check the IP of the client (in this example
> 31.61.129.221).

local.cf:
trusted_networks 31.61.129.221/32

reload spamd or other glue for spamassassin