Posted to users@spamassassin.apache.org by Ryan Thompson <sp...@sasknow.com> on 2004/07/09 18:05:53 UTC
More DYNABLOCK / trusted_networks
OK... So this topic is an oldie, but a goodie. :-)
I couldn't find this scenario in the Wiki or Google.

System: SA2.63, spamass-milter, sendmail, FreeBSD 4.9

We had a FP reported this morning mostly as the result of a
RCVD_IN_DYNABLOCK misfire. Here are the Received: headers as produced by
spamassassin -d:

>From removedtoprotecttheinnocent@hotmail.com Fri Jul 9 09:38:15 2004
Return-Path: <re...@hotmail.com>
Received: from hotmail.com (bay22-dav15.bay22.hotmail.com [64.4.16.195])
    by earl.sasknow.net (8.12.9p2/8.12.9)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Thu, 8 Jul 2004 21:45:40 -0700
Received: from 64.110.200.117 by bay22-dav15.bay22.hotmail.com with DAV;
    Fri, 09 Jul 2004 04:45:40 +0000
X-Originating-IP: [64.110.200.117]

64.110.200.117 does indeed belong to a dialup block of a local ISP.
However, they did correctly relay through Hotmail. Running this
through spamassassin -D -t, I saw (among other things), the following:

debug: looking up PTR record for '64.110.200.117'
debug: PTR for '64.110.200.117': 'hsdbrg64-110-200-117.sasknet.sk.ca'
debug: received-header: parsed as [ ip=64.110.200.117 rdns=hsdbrg64-110-200-117.sasknet.sk.ca helo= by=bay22-dav15.bay22.hotmail.com ident= ]
debug: received-header: relay 64.110.200.117 trusted? no
debug: all '*From' addrs: removedtoprotecttheinnocent@hotmail.com
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0.799
debug: bayes corpus size: nspam = 18020, nham = 12410
debug: uri tests: Done uriRE
[... snip several debug: tokenize: lines ...]
debug: tokenize: header tokens for *r = " 64.110.200 by bay22-dav15.bay22.hotmail.com DAV; "
debug: tokenize: header tokens for *r = " 64.110.200 by bay22-dav15.bay22.hotmail.com DAV; mail pickup service by hotmail.com Microsoft SMTPSVC; "
debug: time cannot be parsed: from hotmail.com (bay22-dav15.bay22.hotmail.com [64.4.16.195]) by earl.sasknow.net (8.12.9p2/8.12.9)

The last line, there, caused me to think that the top Received: header
was being ignored. earl.sasknow.net is our spam filter server, and it's
in trusted_networks, too. We're using spamass-milter, and that's not the
real Received: header that ends up in the final message. (The real one
eventually contains the date, ESMTP ID, and some envelope information).

Then, I manually appended a date to the top Received: header. The "time
cannot be parsed" disappeared from the debug output, and the DYNABLOCK
test (correctly) did not hit.

Does anyone know offhand at what point that temporary Received: header
is being added? I guess it needs some modification.

- Ryan
--
Ryan Thompson <ry...@sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
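
Added example, not part of the original post and not SpamAssassin or spamass-milter code: a Python check that lists every Received: header of a message as the filter receives it and flags the ones with no parseable "; date" trailer, the condition behind the "time cannot be parsed" debug line above. The function names audit_received and undated_hops are hypothetical, and the sample message is constructed from the headers quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: headers quoted in the post, as the filter saw them.
SAMPLE = """\
Received: from hotmail.com (bay22-dav15.bay22.hotmail.com [64.4.16.195])
\tby earl.sasknow.net (8.12.9p2/8.12.9)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\tThu, 8 Jul 2004 21:45:40 -0700
Received: from 64.110.200.117 by bay22-dav15.bay22.hotmail.com with DAV;
\tFri, 09 Jul 2004 04:45:40 +0000
X-Originating-IP: [64.110.200.117]

(body omitted)
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def audit_received(raw):
    """Return one dict per Received: header, most recent hop first."""
    report = []
    for hop, value in enumerate(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        info, sep, stamp = flat.rpartition(";")   # trace fields ";" date-time
        if not sep:                               # no ";" at all: no date trailer
            info, stamp = flat, ""
        try:
            when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        except (TypeError, ValueError):           # trailer present but not a date
            when = None
        ip = IPV4.search(info)
        report.append({"hop": hop, "ip": ip.group(0) if ip else None,
                       "has_date": when is not None, "header": flat})
    return report

def undated_hops(raw):
    """Hop numbers whose Received: header has no parseable date."""
    return [r["hop"] for r in audit_received(raw) if not r["has_date"]]

if __name__ == "__main__":
    for r in audit_received(SAMPLE):
        flag = "ok     " if r["has_date"] else "NO DATE"
        print(f"hop {r['hop']}  {flag}  ip={r['ip']}  {r['header'][:60]}")
```

Run against a message captured at the point where the milter hands it to the filter, an undated hop 0 identifies the synthesized top header before any scoring is involved.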