I recently installed Postfix 2 RBL checks. I have been watching my mail log looking for a reject. I know the tests are working since spamcop was down for a while and I got a warning message in my log.
I think I understand what is happening, but would appreciate a confirmation. Postfix checks the connection IP whereas SA checks the originating IP (or does SA check all Received IPs)? Hence, a forwarded spam will mask itself from the Postfix RBL check if the connection IP is not listed?

A message arrives and is processed by Postfix. The message was sent via a redhat mailing list:

Jul 17 11:29:06 www postfix/smtpd[25334]: connect from hormel.redhat.com[66.187.233.30]
Jul 17 11:29:06 www postfix/smtpd[25334]: 97159E033D: client=hormel.redhat.com[66.187.233.30]
Jul 17 11:29:07 www postfix/cleanup[25336]: 97159E033D: message-id=<[EMAIL PROTECTED]>
Jul 17 11:29:07 www postfix/nqmgr[2286]: 97159E033D: from=<[EMAIL PROTECTED]>, size=3863, nrcpt=1 (queue active)
Jul 17 11:29:07 www postfix/smtpd[25334]: disconnect from hormel.redhat.com[66.187.233.30]
Jul 17 11:29:09 www postfix/local[25338]: 97159E033D: to=<[EMAIL PROTECTED]>, orig_to=<[EMAIL PROTECTED]>, relay=local, delay=3, status=sent ("|IFS=' '&&exec /usr/bin/procmail -f-||exit 75 ")

Postfix checks the connection IP for RBL and finds it is OK and sends it on its way. SA starts up and checks the entire message and finds an RBL error in the origination IP:

Jul 17 11:29:07 www spamd[25348]: processing message <[EMAIL PROTECTED]> for REMOVED:505.
Jul 17 11:29:08 www spamd[25348]: identified spam (5.0/5.0) for REMOVED:505 in 1.8 seconds, 3956 bytes.
The headers for the message are:

>From [EMAIL PROTECTED] Thu Jul 17 11:29:07 2003
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from hormel.redhat.com (hormel.redhat.com [66.187.233.30])
    by www.mm-vanecek.cc (Postfix) with ESMTP id 97159E033D
    for <[EMAIL PROTECTED]>; Thu, 17 Jul 2003 11:29:06 -0500 (CDT)
Received: from listman.rdu-colo.redhat.com (listman.rdu-colo.redhat.com [10.255.18.100])
    by hormel.redhat.com (Postfix) with SMTP
    id B1F37788D5; Thu, 17 Jul 2003 12:28:43 -0400 (EDT)
Received: from int-mx1.corp.redhat.com (nat-pix.rdu.redhat.com [10.255.18.200])
    by listman.rdu-colo.redhat.com (8.11.6/8.11.6) with ESMTP id h6HGDgl24115
    for <[EMAIL PROTECTED]>; Thu, 17 Jul 2003 12:13:42 -0400
Received: (from [EMAIL PROTECTED])
    by int-mx1.corp.redhat.com (8.11.6/8.11.6) id h6HGDwZ09020
    for [EMAIL PROTECTED]; Thu, 17 Jul 2003 12:13:58 -0400
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
    by int-mx1.corp.redhat.com (8.11.6/8.11.6) with SMTP id h6HGDwI09016
    for <[EMAIL PROTECTED]>; Thu, 17 Jul 2003 12:13:58 -0400
Received: from imo-r04.mx.aol.com (imo-r04.mx.aol.com [152.163.225.100])
    by mx1.redhat.com (8.11.6/8.11.6) with SMTP id h6HGDvH05211
    for <[EMAIL PROTECTED]>; Thu, 17 Jul 2003 12:13:57 -0400
Received: from [EMAIL PROTECTED]
    by imo-r04.mx.aol.com (mail_out_v36_r1.1.) id e.1a2.17c0b9b7 (15898)
    for <[EMAIL PROTECTED]>; Thu, 17 Jul 2003 12:13:45 -0400 (EDT)
Received: from cs.com (mow-d17.webmail.aol.com [205.188.139.133])
    by air-id09.mx.aol.com (v95.1) with ESMTP
    id MAILINID91-3e1a3f16cb39190; Thu, 17 Jul 2003 12:13:45 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Atlas Mailer 2.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-loop: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-BeenThere: [EMAIL PROTECTED]
X-Mailman-Version: 2.0.13
Precedence: list
Reply-To: [EMAIL PROTECTED]
List-Help: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/shrike-list>,
    <mailto:[EMAIL PROTECTED]>
List-Id: <shrike-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/shrike-list>,
    <mailto:[EMAIL PROTECTED]>
List-Archive: <https://www.redhat.com/archives/shrike-list/>
Date: Thu, 17 Jul 2003 12:13:45 -0400
X-Spam-Status: Yes, hits=5.0 required=5.0
    tests=EMAIL_ATTRIBUTION,FROM_ENDS_IN_NUMS,NO_REAL_NAME,
    RCVD_IN_BL_SPAMCOP_NET,X_LOOP
    version=2.55-ccrules1
X-Spam-Level: xxxxx
X-Spam-Checker-Version: SpamAssassin 2.55-ccrules1 (1.174.2.19-2003-05-19-exp)
X-Spam-Report: ---- Start SpamAssassin results
    5.00 hits, 5 required;
    *  0.0 -- Has a X-Loop header
    *  0.8 -- From: does not include a real name
    *  0.7 -- From: ends in numbers
    * -0.5 -- BODY: Contains what looks like an email attribution
    *  4.0 -- RBL: Received via a relay in bl.spamcop.net
    [RBL check: found 133.139.188.205.bl.spamcop.net.]
    ---- End of SpamAssassin results
X-Spam-Flag: YES
Subject: *****SPAM***** Re: Orinoco Gold card

Even more reason to have SA running!!
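The difference the post describes between an SMTP-time check of the connecting client and a scan of the Received chain, as an added example (not part of the original message, and not Postfix's or SpamAssassin's own code). The header list is abridged from the message above, the function names are hypothetical, and no DNS lookups are made: the code only builds the names each kind of check would query.

```python
import ipaddress
import re

# Sample input: the "from ... by ..." part of the Received headers in the
# message above, newest hop first (abridged for this example).
RECEIVED = [
    "from hormel.redhat.com (hormel.redhat.com [66.187.233.30]) by www.mm-vanecek.cc (Postfix)",
    "from listman.rdu-colo.redhat.com (listman.rdu-colo.redhat.com [10.255.18.100]) by hormel.redhat.com",
    "from int-mx1.corp.redhat.com (nat-pix.rdu.redhat.com [10.255.18.200]) by listman.rdu-colo.redhat.com",
    "from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com",
    "from imo-r04.mx.aol.com (imo-r04.mx.aol.com [152.163.225.100]) by mx1.redhat.com",
    "from cs.com (mow-d17.webmail.aol.com [205.188.139.133]) by air-id09.mx.aol.com",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build a DNSBL query name: IPv4 octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def relay_ips(received_headers):
    """Public IPv4 addresses named in Received headers, newest hop first."""
    found = []
    for header in received_headers:
        for text in BRACKETED_IP.findall(header):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # matched the regex but is not a valid address
            if addr.is_private:
                continue  # internal hops (10.x, 172.16.x) are skipped
            if text not in found:
                found.append(text)
    return found

def connection_query(client_ip):
    """The one name a check of the connecting SMTP client looks up."""
    return dnsbl_name(client_ip)

def header_queries(received_headers):
    """Names a header-scanning filter could look up (simplified model)."""
    return [dnsbl_name(ip) for ip in relay_ips(received_headers)]

if __name__ == "__main__":
    print("SMTP-time:", connection_query("66.187.233.30"))
    for name in header_queries(RECEIVED):
        print("header   :", name)
```

The last name produced from the headers is the `133.139.188.205.bl.spamcop.net` entry reported in X-Spam-Report, which the connection-time lookup for 66.187.233.30 never queries.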