Posted to users@spamassassin.apache.org by John Stimson via users <us...@spamassassin.apache.org> on 2022/12/26 20:44:14 UTC

DNSWL_HI testing wrong Received header?

Hello,

I have lately seen an increase in the number of spam messages passing 
spamassassin.  Checking the X-Spam-Status header, I see that the common 
reason they are all passing is that they hit the DNSWL_HI test to get a 
-5 adjustment to their spam score. However, when I check the IP address 
of the server that my domain received the message directly from, that IP 
address is not in the DNSWL high trust database.  There are forged 
Received headers lower down, for Gmail or Hotmail servers, and I suspect 
that those are the IPs being checked in the DNSWL_HI test. Otherwise I 
don't know why DNSWL_HI is being triggered.

My second question is where to report an SMTP server that passes SPF, 
but is passing spam with forged Received headers.

Here's an example header:

Return-Path: <>
X-Original-To: john@idsfa.net
Delivered-To: john@idsfa.net
Received: from localhost (localhost [127.0.0.1])
	by idsfa.net (Postfix) with ESMTP id 29F168C0136
	for <jo...@idsfa.net>; Sun, 22 May 2022 20:12:17 -0700 (PDT)
X-Spam-Flag: NO
X-Spam-Score: 4.319
X-Spam-Level: ****
X-Spam-Status: No, score=4.319 tagged_above=-5 required=6.31
	tests=[ACT_NOW_CAPS=0.1, BAYES_99=3.5, BAYES_999=0.2,
	DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_FONT_SIZE_LARGE=0.001,
	HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
	PYZOR_CHECK=1.392, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_HI=-5,
	RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, RDNS_NONE=0.793,
	SPF_HELO_PASS=-0.001, T_DATE_IN_FUTURE_96_Q=0.01,
	T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: harlie.idsfa.net (amavisd-new);
	dkim=fail (2048-bit key) reason="fail (message has been altered)"
	header.d=hotmail.com
Received: from idsfa.net ([127.0.0.1])
	by localhost (harlie.idsfa.net [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id GXmcEm9KlHEF for <jo...@idsfa.net>;
	Sun, 22 May 2022 20:12:16 -0700 (PDT)
Received-SPF: Pass (helo) identity=helo; client-ip=85.204.116.245; helo=aznavrchol.cz; envelope-from=<>; receiver=<UNKNOWN>
Authentication-Results: idsfa.net;
	dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=hotmail.com header.i=@hotmail.com header.b="JRELNzNe";
	dkim-atps=neutral
Received: from aznavrchol.cz (unknown [85.204.116.245])
	by idsfa.net (Postfix) with ESMTP id 2EF948C00FC
	for <jo...@idsfa.net>; Sun, 22 May 2022 20:12:15 -0700 (PDT)
Received: from 10.196.243.97
  by atlas113.aol.mail.bf1.yahoo.com with HTTPS; Mon, 16 May 2033 09:37:50 +0000
X-Originating-Ip: [40.92.91.45]
Received-SPF: pass (domain of hotmail.com designates 40.92.91.45 as permitted sender)
Authentication-Results: atlas113.aol.mail.bf1.yahoo.com;
  dkim=pass header.i=@hotmail.com header.s=selector1;
  spf=pass smtp.mailfrom=hotmail.com;
  dmarc=pass(p=NONE) header.from=hotmail.com;
X-Apparently-To: john@idsfa.net; Mon, 16 May 2033 09:37:50 +0000

Re: DNSWL_HI testing wrong Received header?

Posted by Benny Pedersen <me...@junc.eu>.
John Stimson via users wrote on 2022-12-26 21:44:

> Here's an example header:

X-Originating-Ip: [40.92.91.45]

this header is expanded in spamassassin and sure currently gives 
https://dnswl.org/s/?s=1357

i consider trust here not good to use forged header info to whitelist 
ips, when this ip is not in received header

X-Originating-Ip should not be used for whitelists, only for blacklist 
rbl, even on only blacklist it's unsafe to use, rules maintainers can 
remove it, now that spamassassin 4.0.0 is out :)

read "perldoc Mail::SpamAssassin::Conf" to see how this header is 
included, and remove it

Re: DNSWL_HI testing wrong Received header?

Posted by Benny Pedersen <me...@junc.eu>.
John Stimson via users wrote on 2022-12-26 21:44:

> My second question is where to report an SMTP server that passes SPF,
> but is passing spam with forged Received headers.
> 
> Here's an example header:

Received: from aznavrchol.cz (unknown [85.204.116.245])
	by idsfa.net (Postfix) with ESMTP id 2EF948C00FC
	for <jo...@idsfa.net>; Sun, 22 May 2022 20:12:15 -0700 (PDT)

this is not listed in dnswl.org

https://multirbl.valli.org/lookup/85.204.116.245.html

have you set up trusted_networks, internal_networks, msa_networks correctly 
in spamassassin ?

if you can confirm it uses other headers for dnswl.org then remove these 
headers before spamassassin sees them, that's the forged header imho X-* and 
friends there :=)
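The two points raised in the replies above, the X-Originating-Ip value being fed into the whitelist lookup and the role of trusted_networks in choosing the last external relay, as an added illustration that is my own code, not SpamAssassin's and not from either poster. It assumes trusted_networks covers only 127.0.0.0/8 and walks a constructed copy of the headers quoted in the thread (amavis hop omitted) to show which address a DNSWL lookup should test and which one the forged headers offer instead.

```python
import ipaddress
import re

# Constructed sample: the Received chain and X-Originating-Ip from the message
# quoted in the thread (receiver's copy, most recent hop first, amavis hop omitted).
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
	by idsfa.net (Postfix) with ESMTP id 29F168C0136
	for <john@idsfa.net>; Sun, 22 May 2022 20:12:17 -0700 (PDT)
Received: from aznavrchol.cz (unknown [85.204.116.245])
	by idsfa.net (Postfix) with ESMTP id 2EF948C00FC
	for <john@idsfa.net>; Sun, 22 May 2022 20:12:15 -0700 (PDT)
Received: from 10.196.243.97
  by atlas113.aol.mail.bf1.yahoo.com with HTTPS; Mon, 16 May 2033 09:37:50 +0000
X-Originating-Ip: [40.92.91.45]
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # IPv4 only, enough for this sample

def unfold(raw):
    """Join RFC 5322 continuation lines onto the header they belong to."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line:
            out.append(line)
    return out

def received_ips(lines):
    """Sending-host IP from each Received: header, most recent hop first."""
    hits = [IPV4.search(h.split(" by ", 1)[0])
            for h in lines if h.lower().startswith("received: from ")]
    return [m.group(0) for m in hits if m]

def last_external_relay(ips, trusted):
    """First hop outside trusted_networks: the host that handed us the mail.
    Every Received line below it was written by that host, so it proves nothing."""
    for ip in ips:
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            return ip
    return None

def dnswl_inputs(raw, trusted_networks=("127.0.0.0/8",)):
    """Contrast the relay a DNSWL lookup should test with the X-Originating-Ip
    value that, per the thread, is also fed into the lookup."""
    lines = unfold(raw)
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    relay = last_external_relay(received_ips(lines), trusted)
    orig = next((m.group(0) for h in lines if h.lower().startswith("x-originating-ip:")
                 for m in [IPV4.search(h)] if m), None)
    return {"relay": relay, "x_originating_ip": orig, "mismatch": orig != relay}
```

Passing a trusted_networks list that wrongly covers the external relay makes the forged yahoo hop look like the last external relay, which is the misconfiguration the second reply asks about.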