Posted to users@spamassassin.apache.org by Schorny <a9...@nepwk.com> on 2011/11/02 15:23:46 UTC

How to ignore multiple Received: headers

Hello Guys.

I have the following problem:
A user sends an email to my SpamAssassin system and it gets flagged as spam.
The email contains multiple Received: headers

(IPs and hostnames have been changed by me)

Received: from myhost.com ([127.0.0.1])
	by localhost (spamfilter.local [127.0.0.1]) (...)
	with ESMTP id 59NKvpZmxmUc for <us...@myhost.com>;
	Tue,  1 Nov 2011 22:30:34 +0100 (CET)
Received: from mailserver.provider.com (mailserver.provider.com [1.2.3.4])
	by myhost.com (Postfix) with ESMTP id E36B31A4B633
	for <us...@myhost.com>; Tue,  1 Nov 2011 22:30:33 +0100 (CET)
Received: from user.local (10-20-30-40.adsl.highway.telekom.at
[10.20.30.40])
	by mailserver.provider.com (Postfix) with ESMTPA id B156729504E6
	for <us...@myhost.com>; Tue,  1 Nov 2011 22:30:31 +0100 (CET)

The problem is that the user's dynamic IP (10.20.30.40) is blacklisted by
various spam lists. It's a dynamic IP, so it can be used by anyone... Now my
SpamAssassin thinks that this email was sent from a blacklisted IP, which
isn't really true. The mail server that sent the mail was
mailserver.provider.com (which of course is not blacklisted).

How do I tell SpamAssassin to ignore the last Received: header? Or are there
other solutions to this problem? It also happens quite often with emails
from cell phones (which always get the strangest dynamic IPs...).

Thanks!
-- 
View this message in context: http://old.nabble.com/How-to-ignore-multiple-Received%3A-headers-tp32766061p32766061.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: How to ignore multiple Received: headers

Posted by Christian Grunfeld <ch...@gmail.com>.
> The IP Addresses 1.2.3.4 and 10.20.30.40 are changed by me to protect the
> innocent ;)
> The real IP Addresses are of course not internal.
> 1.2.3.4 and 10.20.30.40 are really 80.*.*.*

Yeah, I thought 1.2.3.4 was the only one changed. Private numbers can
appear in mail clients when they are in NATed networks; that is what I
said about 10.x.x.x.

> I don't know why 10.20.30.40 (the user's IP) even appears in the mail header,
> because no mail server runs at 10.20.30.40 - just the user's
> Thunderbird installation. But because it is a dynamic IP, there used to be a
> spam-sending mail server on that IP.

Thunderbird also talks SMTP when sending mail, and it is correct that the
client IP appears.

> Currently I think the mail server at 1.2.3.4 (the user's email provider)
> isn't correctly configured, because 10.20.30.40 shouldn't appear in the
> mail header.

answered.

Re: How to ignore multiple Received: headers

Posted by da...@chaosreigns.com.
On 11/02, Schorny wrote:
> The IP Addresses 1.2.3.4 and 10.20.30.40 are changed by me to protect the
> innocent ;)
> The real IP Addresses are of course not internal.
> 1.2.3.4 and 10.20.30.40 are really 80.*.*.*

What rule is it hitting?

-- 
"Force, my friends, is violence; the supreme authority
from which all other authority is derived."
- Michael Ironside, Starship Troopers
http://www.ChaosReigns.com

Re: How to ignore multiple Received: headers

Posted by Schorny <a9...@nepwk.com>.
Hi Guys.

The IP Addresses 1.2.3.4 and 10.20.30.40 are changed by me to protect the
innocent ;)
The real IP Addresses are of course not internal.
1.2.3.4 and 10.20.30.40 are really 80.*.*.*

I don't know why 10.20.30.40 (the user's IP) even appears in the mail header,
because no mail server runs at 10.20.30.40 - just the user's
Thunderbird installation. But because it is a dynamic IP, there used to be a
spam-sending mail server on that IP.

Currently I think the mail server at 1.2.3.4 (the user's email provider)
isn't correctly configured, because 10.20.30.40 shouldn't appear in the
mail header.

There are no open relays in that path - 1.2.3.4 (the user's email provider)
is running a (more or less) correctly configured mail server and the user
needs to authenticate with that server to send emails. And on 1.2.3.4 (the
user's IP) no mail servers are running.

Thanks.
-- 
View this message in context: http://old.nabble.com/How-to-ignore-multiple-Received%3A-headers-tp32766061p32766898.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: How to ignore multiple Received: headers

Posted by Christian Grunfeld <ch...@gmail.com>.
Ahh, I did not see that he touched the IPs :p

2011/11/2 RW <rw...@googlemail.com>:
> On Wed, 2 Nov 2011 12:11:27 -0300
> Christian Grunfeld wrote:
>
>> 10.x.x.x /8 is private by RFC 1918 and should not be used to check the
>> legitimacy of a sender
>
> I don't think you can infer much from the addresses 1.2.3.4 and
> 10.20.30.40.
>

Re: How to ignore multiple Received: headers

Posted by RW <rw...@googlemail.com>.
On Wed, 2 Nov 2011 12:11:27 -0300
Christian Grunfeld wrote:

> 10.x.x.x /8 is private by RFC 1918 and should not be used to check the
> legitimacy of a sender

I don't think you can infer much from the addresses 1.2.3.4 and
10.20.30.40.

Re: How to ignore multiple Received: headers

Posted by Christian Grunfeld <ch...@gmail.com>.
10.x.x.x /8 is private by RFC 1918 and should not be used to check the
legitimacy of a sender

2011/11/2 Schorny <a9...@nepwk.com>:
>
> Hello Guys.
>
> I have the following problem:
> A user sends an email to my SpamAssassin system and it gets flagged as spam.
> The email contains multiple Received: headers
>
> (IPs and hostnames have been changed by me)
>
> Received: from myhost.com ([127.0.0.1])
>        by localhost (spamfilter.local [127.0.0.1]) (...)
>        with ESMTP id 59NKvpZmxmUc for <us...@myhost.com>;
>        Tue,  1 Nov 2011 22:30:34 +0100 (CET)
> Received: from mailserver.provider.com (mailserver.provider.com [1.2.3.4])
>        by myhost.com (Postfix) with ESMTP id E36B31A4B633
>        for <us...@myhost.com>; Tue,  1 Nov 2011 22:30:33 +0100 (CET)
> Received: from user.local (10-20-30-40.adsl.highway.telekom.at
> [10.20.30.40])
>        by mailserver.provider.com (Postfix) with ESMTPA id B156729504E6
>        for <us...@myhost.com>; Tue,  1 Nov 2011 22:30:31 +0100 (CET)
>
> The problem is that the user's dynamic IP (10.20.30.40) is blacklisted by
> various spam lists. It's a dynamic IP, so it can be used by anyone... Now my
> SpamAssassin thinks that this email was sent from a blacklisted IP, which
> isn't really true. The mail server that sent the mail was
> mailserver.provider.com (which of course is not blacklisted).
>
> How do I tell SpamAssassin to ignore the last Received: header? Or are there
> other solutions to this problem? It also happens quite often with emails
> from cell phones (which always get the strangest dynamic IPs...).
>
> Thanks!
> --
> View this message in context: http://old.nabble.com/How-to-ignore-multiple-Received%3A-headers-tp32766061p32766061.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>

Re: How to ignore multiple Received: headers

Posted by RW <rw...@googlemail.com>.
On Thu, 3 Nov 2011 06:59:14 -0700 (PDT)
Schorny wrote:

> 
> 
> Kelson Vibber-2 wrote:
> > 
> > A matter of perspective: You don't need to tell SA to ignore the
> > last header, you need to tell it NOT to ignore the second one.
> > Generally speaking, SA checks blacklists against the first hop
> > outside your internal network.  It sounds like your local SA has
> > decided that mailserver.provider.com is trusted, so instead of
> > starting there, it's starting at the next one out. (And yes, that
> > last Received: header should be there.)
> > 
> > I agree with Matus UHLAR's advice: check the trust path settings.
> > 
> 
> Hi.
> 
> Thank you. This sounds very good, but there are no trusted_networks
> configured. We only trust 127.0.0.1 and that is implicit. Therefore
> there is no trusted_networks line in our local.cf or any other .cf
> file. There are also no internal_networks lines.

I doubt it's anything to do with *_networks.

> @Darxus:
> The following rules are hitting:
> RCVD_IN_CBL, RCVD_IN_SBL_XBL, RCVD_IN_SORBS
> Which are IIRC all Spamlists we are checking.

By the look of it these are all custom rules, which you have
messed up. E.g. SBL & XBL shouldn't be combined, because you are
mixing a deep and a non-deep list, and you are probably doing the same
thing with SORBS.

I would suggest you remove these custom rules and use those provided.

Re: How to ignore multiple Received: headers

Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/3/2011 9:59 AM, Schorny wrote:
>
> Kelson Vibber-2 wrote:
>> A matter of perspective: You don't need to tell SA to ignore the last
>> header, you need to tell it NOT to ignore the second one.  Generally
>> speaking, SA checks blacklists against the first hop outside your internal
>> network.  It sounds like your local SA has decided that
>> mailserver.provider.com is trusted, so instead of starting there, it's
>> starting at the next one out. (And yes, that last Received: header should
>> be there.)
>>
>> I agree with Matus UHLAR's advice: check the trust path settings.
>>
> Hi.
>
> Thank you. This sounds very good, but there are no trusted_networks
> configured. We only trust 127.0.0.1 and that is implicit. Therefore there is
> no trusted_networks line in our local.cf or any other .cf file.
> There are also no internal_networks lines.

If you do not specify trusted_networks, then SA will take a guess.  In
general, SA will treat the first non-internal IP address as your
mailserver and consider it trusted.  For best results, you should always
specify trusted_networks in your config.

> Can you give me any other pointers where I can look or steps I can take to get
> more information about what goes wrong?
>
> We use SpamAssassin as part of an amavisd-new installation.
>
>
> @Darxus:
> The following rules are hitting:
> RCVD_IN_CBL, RCVD_IN_SBL_XBL, RCVD_IN_SORBS
> Which are IIRC all Spamlists we are checking.
>
> When I check manually, the user's IP is indeed listed there. The user's
> mail provider's mail server is of course not listed there.

Dynamic IP addresses are commonly listed in blacklists.  The issue is
that SA shouldn't be checking that IP address against the blacklists in
the first place.  Fix your trusted_networks and the problem should go away.

-- 
Bowie
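To make Bowie's and RW's points concrete, here is a small Python model of the trust-path walk (added to this archived thread; it is not SpamAssassin's own code). It parses the Received: chain from the original post (reconstructed here as a constructed sample with a placeholder recipient), splits it into trusted and untrusted hops once with trusted_networks unset and once with it set explicitly, and prints which relay a last-external rule and a deep rule would look up. The "unset" branch is a simplified stand-in for the guess Bowie describes (first non-internal hop assumed to be your own server), not the project's real heuristic; the DNSBL zone name is a placeholder and no DNS queries are sent.

```python
"""Walk a Received: chain the way a SpamAssassin trust path does, to see which
relay IP a DNSBL rule ends up looking up.

Example code added to this thread; it is not SpamAssassin's implementation.
The "trusted_networks unset" branch is a simplified model of the guess that
Bowie Bailey describes (first non-internal hop assumed to be your own server),
not the project's actual heuristic, and no DNS queries are made.
"""
import ipaddress
import re

# Constructed sample modelled on the headers quoted in the thread, newest hop
# first as they appear in the message; the recipient is a placeholder address.
SAMPLE_RECEIVED = [
    """from myhost.com ([127.0.0.1])
        by localhost (spamfilter.local [127.0.0.1])
        with ESMTP id 59NKvpZmxmUc for <recipient@myhost.com>;
        Tue,  1 Nov 2011 22:30:34 +0100 (CET)""",
    """from mailserver.provider.com (mailserver.provider.com [1.2.3.4])
        by myhost.com (Postfix) with ESMTP id E36B31A4B633
        for <recipient@myhost.com>; Tue,  1 Nov 2011 22:30:33 +0100 (CET)""",
    """from user.local (10-20-30-40.adsl.highway.telekom.at
        [10.20.30.40])
        by mailserver.provider.com (Postfix) with ESMTPA id B156729504E6
        for <recipient@myhost.com>; Tue,  1 Nov 2011 22:30:31 +0100 (CET)""",
]

# The connecting host's IP is the bracketed address in the "from ... (...)" clause.
IP_IN_FROM = re.compile(r"^from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def relay_ips(received_headers):
    """Return the connecting IP recorded by each hop, newest hop first."""
    ips = []
    for hdr in received_headers:
        unfolded = " ".join(hdr.split())  # undo RFC 5322 header folding
        m = IP_IN_FROM.match(unfolded)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def split_trust_path(ips, trusted_networks=None):
    """Split the hops into (trusted, untrusted), newest first.

    trusted_networks: list of CIDR strings, as in local.cf. Trust is a prefix
    of the chain: once one hop is untrusted, every older hop is too.
    None models the unset case (simplified): leading loopback/private hops are
    trusted, then the first public relay is assumed to be yours and trusted too.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks] if trusted_networks else []
    trusted, untrusted = [], []
    seen_public = False
    for ip in ips:
        if untrusted:
            hop_trusted = False
        elif trusted_networks is not None:
            hop_trusted = any(ip in net for net in nets)
        elif seen_public:
            hop_trusted = False
        elif ip.is_loopback or ip.is_private:
            hop_trusted = True
        else:
            hop_trusted = True  # guessed to be the site's own mail server
            seen_public = True
        (trusted if hop_trusted else untrusted).append(ip)
    return trusted, untrusted


def lastexternal_ip(ips, trusted_networks=None):
    """The first untrusted hop: the relay a last-external style rule checks."""
    _, untrusted = split_trust_path(ips, trusted_networks)
    return untrusted[0] if untrusted else None


def dnsbl_query_name(ip, zone):
    """Standard DNSBL lookup form: reversed octets under the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def dnsbl_lookups(ips, zone, trusted_networks=None, deep=False):
    """Names a rule would resolve. Deep rules check every untrusted relay;
    non-deep (last-external) rules check only the first untrusted hop, which
    is why RW warns against mixing the two kinds of list in one rule."""
    _, untrusted = split_trust_path(ips, trusted_networks)
    targets = untrusted if deep else untrusted[:1]
    return [dnsbl_query_name(ip, zone) for ip in targets]


if __name__ == "__main__":
    ips = relay_ips(SAMPLE_RECEIVED)
    zone = "dnsbl.example"  # placeholder zone, not a real blacklist
    for label, nets in (("trusted_networks unset", None),
                        ("trusted_networks 127.0.0.0/8", ["127.0.0.0/8"])):
        trusted, untrusted = split_trust_path(ips, nets)
        print(f"{label}:")
        print("  trusted  :", [str(i) for i in trusted])
        print("  untrusted:", [str(i) for i in untrusted])
        print("  last-external lookup:", dnsbl_lookups(ips, zone, nets))
        print("  deep lookups        :", dnsbl_lookups(ips, zone, nets, deep=True))
```

With trusted_networks unset the model trusts 127.0.0.1 and then 1.2.3.4, so the only hop left to check is the user's dynamic 10.20.30.40, which is exactly the symptom in the thread. With trusted_networks set to the local host only, the first untrusted hop is the provider's 1.2.3.4, so a last-external rule never queries the dynamic address; a deep rule still queries both, which is why mixing deep and non-deep lists in one rule keeps flagging the message.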


Re: How to ignore multiple Received: headers

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 03.11.11 06:59, Schorny wrote:
>@Darxus:
>The following rules are hitting:
>RCVD_IN_CBL, RCVD_IN_SBL_XBL, RCVD_IN_SORBS
>Which are IIRC all Spamlists we are checking.

The RCVD_IN_CBL and RCVD_IN_SBL_XBL rules seem to be out of date.
Which version of SpamAssassin and rules do you use?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors

RE: How to ignore multiple Received: headers

Posted by Schorny <a9...@nepwk.com>.

Kelson Vibber-2 wrote:
> 
> A matter of perspective: You don't need to tell SA to ignore the last
> header, you need to tell it NOT to ignore the second one.  Generally
> speaking, SA checks blacklists against the first hop outside your internal
> network.  It sounds like your local SA has decided that
> mailserver.provider.com is trusted, so instead of starting there, it's
> starting at the next one out. (And yes, that last Received: header should
> be there.)
> 
> I agree with Matus UHLAR's advice: check the trust path settings.
> 

Hi.

Thank you. This sounds very good, but there are no trusted_networks
configured. We only trust 127.0.0.1 and that is implicit. Therefore there is
no trusted_networks line in our local.cf or any other .cf file.
There are also no internal_networks lines.

Can you give me any other pointers where I can look or steps I can take to get
more information about what goes wrong?

We use SpamAssassin as part of an amavisd-new installation.


@Darxus:
The following rules are hitting:
RCVD_IN_CBL, RCVD_IN_SBL_XBL, RCVD_IN_SORBS
Which are IIRC all Spamlists we are checking.

When I check manually, the user's IP is indeed listed there. The user's
mail provider's mail server is of course not listed there.

Thank you!


-- 
View this message in context: http://old.nabble.com/How-to-ignore-multiple-Received%3A-headers-tp32766061p32772959.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


RE: How to ignore multiple Received: headers

Posted by Kelson Vibber <KV...@tollfreeforwarding.com>.
> -----Original Message-----
> >How do I tell SpamAssassin to ignore the last Received: header? Or are
> >there other solutions to this problem? It also happens quite often with
> >emails from cell phones (which always get the strangest dynamic IPs...).

A matter of perspective: You don't need to tell SA to ignore the last header, you need to tell it NOT to ignore the second one.  Generally speaking, SA checks blacklists against the first hop outside your internal network.  It sounds like your local SA has decided that mailserver.provider.com is trusted, so instead of starting there, it's starting at the next one out. (And yes, that last Received: header should be there.)

I agree with Matus UHLAR's advice: check the trust path settings.

> you apparently need to properly configure trusted_networks and
> internal_networks, see:
> http://wiki.apache.org/spamassassin/TrustPath

Re: How to ignore multiple Received: headers

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 02.11.11 07:23, Schorny wrote:
>Received: from myhost.com ([127.0.0.1])
>	by localhost (spamfilter.local [127.0.0.1]) (...)
>	with ESMTP id 59NKvpZmxmUc for <us...@myhost.com>;
>	Tue,  1 Nov 2011 22:30:34 +0100 (CET)
>Received: from mailserver.provider.com (mailserver.provider.com [1.2.3.4])
>	by myhost.com (Postfix) with ESMTP id E36B31A4B633
>	for <us...@myhost.com>; Tue,  1 Nov 2011 22:30:33 +0100 (CET)
>Received: from user.local (10-20-30-40.adsl.highway.telekom.at
>[10.20.30.40])
>	by mailserver.provider.com (Postfix) with ESMTPA id B156729504E6
>	for <us...@myhost.com>; Tue,  1 Nov 2011 22:30:31 +0100 (CET)
>
>The problem is that the user's dynamic IP (10.20.30.40) is blacklisted by
>various spam lists. It's a dynamic IP, so it can be used by anyone... Now my
>SpamAssassin thinks that this email was sent from a blacklisted IP, which
>isn't really true. The mail server that sent the mail was
>mailserver.provider.com (which of course is not blacklisted).
>
>How do I tell SpamAssassin to ignore the last Received: header? Or are there
>other solutions to this problem? It also happens quite often with emails
>from cell phones (which always get the strangest dynamic IPs...).

you apparently need to properly configure trusted_networks and 
internal_networks, see:
http://wiki.apache.org/spamassassin/TrustPath


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.

Re: How to ignore multiple Received: headers

Posted by Benny Pedersen <me...@junc.org>.
On Wed, 2 Nov 2011 07:23:46 -0700 (PDT), Schorny wrote:

> How do I tell SpamAssassin to ignore the last Received: header? Or are
> there other solutions to this problem? It also happens quite often with
> emails from cell phones (which always get the strangest dynamic IPs...).

trusted_networks 10.0.0.0/8

Feel free to add all RFC 1918 ranges as trusted; if you have spammers in
RFC 1918 then it's a local problem.

Cell phones should use SMTP auth; shame on the ones that can't. It's not a
problem on my Nokia E51 :-)

Re: How to ignore multiple Received: headers

Posted by Martin Gregorie <ma...@gregorie.org>.
On Wed, 2011-11-02 at 07:23 -0700, Schorny wrote:
> The problem is that the user's dynamic IP (10.20.30.40) is blacklisted by
> various spam lists. It's a dynamic IP, so it can be used by anyone...
>
You mean it's an open relay? If so then IMO its blacklisting is entirely
deserved. Tell your correspondents to use a more secure ISP.


Martin