Posted to users@spamassassin.apache.org by Andrew Hearn <an...@aaisp.net.uk> on 2007/12/14 13:26:40 UTC

Not sure why DOS_OE_TO_MX fired

Hello,

I'm not sure why DOS_OE_TO_MX fired on this message, as the headers say
it was delivered to b.painless.aaisp.net.uk which relayed it on to
z.hopeless.aaisp.net.uk.

b.painless isn't the MX for the domain...

Any ideas? -Thanks!


Return-path: <fi...@fionamurphy.net>
Envelope-to: andrew@aaisp.net.uk
Delivery-date: Fri, 14 Dec 2007 11:45:39 +0000
Received: from [2001:8b0:0:81::51bb:5134] (helo=b.painless.aaisp.net.uk)
	by z.hopeless.aaisp.net.uk with esmtp (Exim 4.63)
	(envelope-from <fi...@fionamurphy.net>)
	id 1J38z2-0004B8-FV
	for andrew@aaisp.net.uk; Fri, 14 Dec 2007 11:45:39 +0000
Received: from [217.169.3.9] (helo=DFTJ542J)
	by b.painless.aaisp.net.uk with smtp (Exim 4.62)
	(envelope-from <fi...@fionamurphy.net>)
	id 1J38z2-00036f-7g
	for andrew@aaisp.net.uk; Fri, 14 Dec 2007 11:45:36 +0000
Message-ID: <00...@DFTJ542J>
From: "Fiona Murphy" <fi...@fionamurphy.net>
To: <an...@aaisp.net.uk>
Subject: website emergency!
Date: Fri, 14 Dec 2007 11:45:33 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_00AF_01C83E46.D5CB6A50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Virus-Scanned: Clear (Version: ClamAV 0.91.2/5116/Fri Dec 14 07:14:39 2007, by smtp.aaisp.net.uk)
X-AA-SMTP-Time-Scanned:YES
X-Spam-Score: 4.0 ++++
X-AASpam-Report: Spam detection software, running on the system "b.spamless.aaisp.net.uk", has
	processed this message.
	This message scored (4.0 points and 4.6 are required to mark as spam)
	pts  rule name              description
	---- ---------------------- --------------------------------------------------
	1.2 HTML_MESSAGE           BODY: HTML included in message
	0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
	[score: 0.5071]
	0.0 NO_VIRUS_FOUND         There were no viruses found in this message by ClamAV
	2.8 DOS_OE_TO_MX           Delivered direct to MX with OE headers

Re: Not sure why DOS_OE_TO_MX fired

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Andrew Hearn wrote:
> Hello,
> 
> I'm not sure why DOS_OE_TO_MX fired on this message, as the headers say
> it was delivered to b.painless.aaisp.net.uk which relayed it on to
> z.hopeless.aaisp.net.uk.
> 
> b.painless isn't the MX for the domain...

SA support for IPv6 is currently non-existent, so the topmost Received
header is ignored.

> Any ideas? -Thanks!

Only use IPv4 for your MX(es).  Not only did it cause a problem in this 
case, but all of your incoming spam is scoring lower than it should 
since SA is not able to do DNSBL tests on the connecting relays.

Daryl


> Return-path: <fi...@fionamurphy.net>
> Envelope-to: andrew@aaisp.net.uk
> Delivery-date: Fri, 14 Dec 2007 11:45:39 +0000
> Received: from [2001:8b0:0:81::51bb:5134] (helo=b.painless.aaisp.net.uk)
> 	by z.hopeless.aaisp.net.uk with esmtp (Exim 4.63)
> 	(envelope-from <fi...@fionamurphy.net>)
> 	id 1J38z2-0004B8-FV
> 	for andrew@aaisp.net.uk; Fri, 14 Dec 2007 11:45:39 +0000
> Received: from [217.169.3.9] (helo=DFTJ542J)
> 	by b.painless.aaisp.net.uk with smtp (Exim 4.62)
> 	(envelope-from <fi...@fionamurphy.net>)
> 	id 1J38z2-00036f-7g
> 	for andrew@aaisp.net.uk; Fri, 14 Dec 2007 11:45:36 +0000
> Message-ID: <00...@DFTJ542J>
> From: "Fiona Murphy" <fi...@fionamurphy.net>
> To: <an...@aaisp.net.uk>
> Subject: website emergency!
> Date: Fri, 14 Dec 2007 11:45:33 -0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----=_NextPart_000_00AF_01C83E46.D5CB6A50"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> X-Virus-Scanned: Clear (Version: ClamAV 0.91.2/5116/Fri Dec 14 07:14:39
> 2007, by smtp.aaisp.net.uk)
> X-AA-SMTP-Time-Scanned:YES
> X-Spam-Score: 4.0 ++++
> X-AASpam-Report: Spam detection software, running on the system
> "b.spamless.aaisp.net.uk", has
> 	processed this message.
> 	This message scored (4.0 points and 4.6 are required to mark as spam)
> 	pts  rule name              description
> 	---- ----------------------
> --------------------------------------------------
> 	1.2 HTML_MESSAGE           BODY: HTML included in message
> 	0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
> 	[score: 0.5071]
> 	0.0 NO_VIRUS_FOUND         There were no viruses found in this message
> by ClamAV
> 	2.8 DOS_OE_TO_MX           Delivered direct to MX with OE headers
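
The effect described in the reply above, as an added example that is not part of any post in this thread and is not SpamAssassin's own code: a Received-chain parser that cannot read IPv6 addresses loses the b.painless to z.hopeless hop, so only the client's hop remains. The function names and the one-relay-plus-OE check are hypothetical stand-ins, and the sample is constructed from the headers quoted above.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: Received and X-Mailer headers taken from the post above.
SAMPLE = (
    "Received: from [2001:8b0:0:81::51bb:5134] (helo=b.painless.aaisp.net.uk)\n"
    "\tby z.hopeless.aaisp.net.uk with esmtp (Exim 4.63)\n"
    "\tid 1J38z2-0004B8-FV; Fri, 14 Dec 2007 11:45:39 +0000\n"
    "Received: from [217.169.3.9] (helo=DFTJ542J)\n"
    "\tby b.painless.aaisp.net.uk with smtp (Exim 4.62)\n"
    "\tid 1J38z2-00036f-7g; Fri, 14 Dec 2007 11:45:36 +0000\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.3138\n"
    "\n"
    "body\n"
)

# Connecting IP in brackets, then the receiving host after "by".
RECEIVED_RE = re.compile(r"from \[([0-9A-Fa-f:.]+)\].*?\bby\s+(\S+)", re.S)


def visible_relays(raw, ipv6_aware):
    """Return [(connecting_ip, receiving_host)], newest hop first.

    With ipv6_aware=False, hops whose connecting address is IPv6 are
    dropped, modelling a parser with no IPv6 support.
    """
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a valid address literal: skip the hop
        if ip.version == 6 and not ipv6_aware:
            continue  # this hop is invisible to the IPv4-only parser
        hops.append((str(ip), m.group(2)))
    return hops


def looks_direct_to_mx(raw, ipv6_aware):
    """Hypothetical stand-in for the rule: one visible relay and an OE X-Mailer."""
    mailer = message_from_string(raw).get("X-Mailer", "")
    return len(visible_relays(raw, ipv6_aware)) == 1 and "Outlook Express" in mailer


if __name__ == "__main__":
    for aware in (False, True):
        print(aware, visible_relays(SAMPLE, aware), looks_direct_to_mx(SAMPLE, aware))
```
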



RE: Not sure why DOS_OE_TO_MX fired

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original Message-----
> From: Andrew Hearn [mailto:andrew.hearn@aaisp.net.uk]
> Sent: Friday, December 14, 2007 1:27 PM
> To: users@spamassassin.apache.org
> Subject: Not sure why DOS_OE_TO_MX fired
> 
> Hello,
> 
> I'm not sure why DOS_OE_TO_MX fired on this message, as the headers say
> it was delivered to b.painless.aaisp.net.uk which relayed it on to
> z.hopeless.aaisp.net.uk.
> 
> b.painless isn't the MX for the domain...
> 
> Any ideas? -Thanks!

I bet 2001:8b0:0:81::51bb:5134 or 217.169.3.9 is in your internal_networks,
right?

If this is the case, the header rule __DOS_SINGLE_EXT_RELAY fires on this
message, since it only looks at external relays.

My suggestion is to put both 2001:8b0:0:81::51bb:5134 AND 217.169.3.9 into
your internal network, or you may put 2001:8b0:0:81::51bb:5134 in the
trusted network and 217.169.3.9 in your internal. However, you should have
either none or both of the servers in your external network. This means you
are not going to check your outgoing messages against some URIBL services,
but anyway it is quite silly to check them if you are the provider: that way,
you may risk blocking all of your outgoing traffic yourself...

Giampaolo

> 
> 
> Return-path: <fi...@fionamurphy.net>
> Envelope-to: andrew@aaisp.net.uk
> Delivery-date: Fri, 14 Dec 2007 11:45:39 +0000
> Received: from [2001:8b0:0:81::51bb:5134]
> (helo=b.painless.aaisp.net.uk)
> 	by z.hopeless.aaisp.net.uk with esmtp (Exim 4.63)
> 	(envelope-from <fi...@fionamurphy.net>)
> 	id 1J38z2-0004B8-FV
> 	for andrew@aaisp.net.uk; Fri, 14 Dec 2007 11:45:39 +0000
> Received: from [217.169.3.9] (helo=DFTJ542J)
> 	by b.painless.aaisp.net.uk with smtp (Exim 4.62)
> 	(envelope-from <fi...@fionamurphy.net>)
> 	id 1J38z2-00036f-7g
> 	for andrew@aaisp.net.uk; Fri, 14 Dec 2007 11:45:36 +0000
> Message-ID: <00...@DFTJ542J>
> From: "Fiona Murphy" <fi...@fionamurphy.net>
> To: <an...@aaisp.net.uk>
> Subject: website emergency!
> Date: Fri, 14 Dec 2007 11:45:33 -0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="----=_NextPart_000_00AF_01C83E46.D5CB6A50"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> X-Virus-Scanned: Clear (Version: ClamAV 0.91.2/5116/Fri Dec 14 07:14:39
> 2007, by smtp.aaisp.net.uk)
> X-AA-SMTP-Time-Scanned:YES
> X-Spam-Score: 4.0 ++++
> X-AASpam-Report: Spam detection software, running on the system
> "b.spamless.aaisp.net.uk", has
> 	processed this message.
> 	This message scored (4.0 points and 4.6 are required to mark as
> spam)
> 	pts  rule name              description
> 	---- ----------------------
> --------------------------------------------------
> 	1.2 HTML_MESSAGE           BODY: HTML included in message
> 	0.0 BAYES_50               BODY: Bayesian spam probability is 40
> to 60%
> 	[score: 0.5071]
> 	0.0 NO_VIRUS_FOUND         There were no viruses found in this
> message
> by ClamAV
> 	2.8 DOS_OE_TO_MX           Delivered direct to MX with OE headers