Posted to users@spamassassin.apache.org by "Brian J. Murrell" <br...@interlinx.bc.ca> on 2008/12/02 18:46:25 UTC

why is SA testing my server in DNSBLs?

Hi All,

I was doing a bit of "spamassassin -D" testing with SA 3.2.4 and noticed
that it's running my own mail server name through various DNSBL tests.  

Here are the headers of the particular message I am testing:

>>From SamplePacks@snakerootz.net Tue Dec  2 05:24:59 2008
Return-Path: <cy...@linux.interlinx.bc.ca>
X-Sieve: CMU Sieve 2.2
X-Original-To: 4123f877c4e26f753a6eac2bf0dc8a42@interlinx.bc.ca
Delivered-To: 4123f877c4e26f753a6eac2bf0dc8a42@interlinx.bc.ca
Received: from johnstonsz.net (unknown [64.86.206.149]) by
 linux.interlinx.bc.ca (Postfix) with ESMTP id E0F4A86FF for
 <41...@interlinx.bc.ca>; Tue,  2 Dec 2008
 05:24:55 -0500 (EST)
Received: by johnstonsz.net (Postfix) with SMTP id 1C89413122ED for
 <41...@interlinx.bc.ca>; Tue,  2 Dec 2008
 05:25:54 -0500 (EST)
Subject: Shop On us - 1000 Wal-Mart GiftCard!
From: SamplePacks<Sa...@snakerootz.net>
Reply-to: <Sa...@snakerootz.net>
To: 4123f877c4e26f753a6eac2bf0dc8a42@interlinx.bc.ca
X-Priority: 5
X-Mailer: AlphaPlus 
Content-Type: text/html; charset=us-ascii;
Content-Disposition: inline
Message-Id: <20...@johnstonsz.net>
Date: Tue,  2 Dec 2008 05:25:54 -0500 (EST)
X-Evolution-Source: imap://brian@mail/
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0

Here's the relevant bits of the SA debug:

[29986] dbg: received-header: parsed as [ ip=64.86.206.149 rdns= helo=johnstonsz.net by=linux.interlinx.bc.ca ident= envfrom= intl=0 id=E0F4A86FF auth= msa=0 ]
[29986] dbg: received-header: relay 64.86.206.149 trusted? no internal? no msa? no
[29986] dbg: metadata: X-Spam-Relays-Trusted: 
[29986] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=64.86.206.149 rdns= helo=johnstonsz.net by=linux.interlinx.bc.ca ident= envfrom= intl=0 id=E0F4A86FF auth= msa=0 ]
[29986] dbg: metadata: X-Spam-Relays-Internal: 
[29986] dbg: metadata: X-Spam-Relays-External: [ ip=64.86.206.149 rdns= helo=johnstonsz.net by=linux.interlinx.bc.ca ident= envfrom= intl=0 id=E0F4A86FF auth= msa=0 ]

So it seems that the "by linux.interlinx.bc.ca" specification of what
should be the first "trusted" Received: header is being used later in
DNSBL tests:

[29986] dbg: dns: launching DNS A query for linux.interlinx.bc.ca.rhsbl.ahbl.org. in background
[29986] dbg: async: starting: DNSBL-A, dns:A:linux.interlinx.bc.ca.rhsbl.ahbl.org. (timeout 15.0s, min 3.0s)
[29986] dbg: dns: checking A and MX for host linux.interlinx.bc.ca
[29986] dbg: dns: launching DNS A query for linux.interlinx.bc.ca in background
[29986] dbg: async: starting: NO_DNS_FOR_FROM, DNSBL-A, dns:A:linux.interlinx.bc.ca (timeout 15.0s, min 3.0s)
[29986] dbg: dns: launching DNS MX query for linux.interlinx.bc.ca in background
[29986] dbg: async: starting: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:linux.interlinx.bc.ca (timeout 15.0s, min 3.0s)
...
[29986] dbg: dns: launching DNS A query for linux.interlinx.bc.ca.bl.open-whois.org. in background
[29986] dbg: async: starting: DNSBL-A, dns:A:linux.interlinx.bc.ca.bl.open-whois.org. (timeout 15.0s, min 3.0s)
...
[29986] dbg: dns: launching DNS A query for linux.interlinx.bc.ca.fulldom.rfc-ignorant.org. in background
[29986] dbg: async: starting: DNSBL-A, dns:A:linux.interlinx.bc.ca.fulldom.rfc-ignorant.org. (timeout 15.0s, min 3.0s)

I do (believe) I understand trusted_networks and internal_networks and
have them configured for my local installation, but given that Received:
header (which should be a trusted), how is SA to know that it's on the
internal or trusted networks list when it doesn't have the IP address of
the relay in it.  Maybe that is the crux of the problem.

My MTA is Postfix 2.5.1 FWIW.

Any ideas?

b.

RE: why is SA testing my server in DNSBLs?

Posted by "Brian J. Murrell" <br...@interlinx.bc.ca>.
On Tue, 2008-12-02 at 17:17 -0500, Rosenbaum, Larry M. wrote:
> 
> The checks it's doing below are all RHBL checks, so it's probably testing the Return-Path:.

Indeed, this was the case.  What's even better is that it is only for the
case where I test out of my mailbox as that Return-Path: is only added
(in replacement) by local delivery.  Actual production testing of
incoming mail would have used the Return-Path: added by my receiving
MTA.

Thanx for the info!

b.




RE: why is SA testing my server in DNSBLs?

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
> From: Brian J. Murrell [mailto:brian@interlinx.bc.ca]
>
> Hi All,
>
> I was doing a bit of "spamassassin -D" testing with SA 3.2.4 and
> noticed
> that it's running my own mail server name through various DNSBL tests.
>
> Here are the headers of the particular message I am testing:
>
> >From SamplePacks@snakerootz.net Tue Dec  2 05:24:59 2008
> Return-Path: <cy...@linux.interlinx.bc.ca>

The checks it's doing below are all RHBL checks, so it's probably testing the Return-Path:.

> ...
> [29986] dbg: dns: launching DNS A query for
> linux.interlinx.bc.ca.rhsbl.ahbl.org. in background
> [29986] dbg: async: starting: DNSBL-A,
> dns:A:linux.interlinx.bc.ca.rhsbl.ahbl.org. (timeout 15.0s, min 3.0s)
> [29986] dbg: dns: checking A and MX for host linux.interlinx.bc.ca
> [29986] dbg: dns: launching DNS A query for linux.interlinx.bc.ca in
> background
> [29986] dbg: async: starting: NO_DNS_FOR_FROM, DNSBL-A,
> dns:A:linux.interlinx.bc.ca (timeout 15.0s, min 3.0s)
> [29986] dbg: dns: launching DNS MX query for linux.interlinx.bc.ca in
> background
> [29986] dbg: async: starting: NO_DNS_FOR_FROM, DNSBL-MX,
> dns:MX:linux.interlinx.bc.ca (timeout 15.0s, min 3.0s)
> ...
> [29986] dbg: dns: launching DNS A query for
> linux.interlinx.bc.ca.bl.open-whois.org. in background
> [29986] dbg: async: starting: DNSBL-A,
> dns:A:linux.interlinx.bc.ca.bl.open-whois.org. (timeout 15.0s, min
> 3.0s)
> ...
> [29986] dbg: dns: launching DNS A query for
> linux.interlinx.bc.ca.fulldom.rfc-ignorant.org. in background
> [29986] dbg: async: starting: DNSBL-A,
> dns:A:linux.interlinx.bc.ca.fulldom.rfc-ignorant.org. (timeout 15.0s,
> min 3.0s)
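
Added example (not part of the thread, and not SpamAssassin's own code): a small Python script that sorts the "launching DNS ... query" lines of "spamassassin -D" output into IP-based DNSBL lookups (reversed octets of a relay address) and name-based RHSBL lookups, and reports which sender header carries the domain being looked up. The header set checked, the sample headers and the zone names are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

QUERY_RE = re.compile(r"dns: launching DNS \w+ query for (\S+) in background")
SENDER_HEADERS = ("Return-Path", "From", "Reply-To")  # assumed set of interest

# Constructed sample input (example domains and zones, not taken from the thread).
SAMPLE_HEADERS = "Return-Path: <bounce@mx.example.org>\nFrom: Offers <offers@sender.example.com>\n\n"
SAMPLE_DEBUG = """\
[100] dbg: dns: launching DNS A query for 10.2.0.192.ipbl.example.net. in background
[100] dbg: dns: launching DNS A query for mx.example.org.rhsbl.example.net. in background
[100] dbg: dns: launching DNS MX query for mx.example.org in background
[100] dbg: dns: launching DNS A query for sender.example.com.rhsbl.example.net. in background
""".splitlines()

def sender_domains(raw_headers):
    """Map each sender-header domain to the header names that carry it."""
    found = {}
    msg = message_from_string(raw_headers)
    for name in SENDER_HEADERS:
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                found.setdefault(addr.rsplit("@", 1)[1].lower(), []).append(name)
    return found

def reversed_ip(qname):
    """Return the dotted IP if qname starts with four reversed octets, else None."""
    head = qname.split(".")[:4]
    if len(head) == 4 and all(p.isdigit() and int(p) < 256 for p in head):
        return ".".join(reversed(head))
    return None

def classify(debug_lines, raw_headers):
    """Return (query name, kind, evidence) for each DNS query SA launched."""
    domains = sender_domains(raw_headers)
    results = []
    for qname in QUERY_RE.findall("\n".join(debug_lines)):
        qname = qname.rstrip(".").lower()
        kind, why = "other", ""
        if reversed_ip(qname):
            kind, why = "ip-dnsbl", reversed_ip(qname)
        for dom, hdrs in domains.items():
            if qname == dom or qname.startswith(dom + "."):
                kind = "sender-dns" if qname == dom else "rhsbl"
                why = "/".join(hdrs)
        results.append((qname, kind, why))
    return results
```

A query classified as "rhsbl" with evidence "Return-Path" that names your own host is the situation in this thread: the message was re-tested from a mailbox after local delivery had rewritten that header.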