FWIW, it's hard to tell what's going on without *all* the Received headers. It should be fine, assuming the received hdrs are normal (apart from the HTTP vs SMTP difference). Here's what 2.60cvs doc says about using check_rbl:
=item Selecting all IPs except for the originating one
This is accomplished by naming the set 'foo-notfirsthop'. Useful for querying
against DNS lists which list dialup IP addresses; the first hop may be a
dialup, but as long as there is at least one more hop, via their outgoing
SMTP server, that's legitimate, and so should not gain points. If there
is only one hop, that will be queried anyway, as it should be relaying
via its outgoing SMTP server instead of sending directly to your MX.
Interesting.
I just stumbled on at least one case where this logic is somewhat flawed.
Free webmail user of a local domain sends a message to another local user. There is only one hop, so the rules are triggered and the message marked as spam due to the dialup reference. The top received line was added by my mailer AFTER SA scans the message and resubmits it through a local queue. (hostnames and user accts changed to protect the innocent)
Return-Path: <[EMAIL PROTECTED]>
Received: by mail.myserver.com (CommuniGate Pro PIPE 4.0.6)
    with PIPE id 14286469; Fri, 18 Jul 2003 18:24:25 -0700
Received: from [208.170.95.132] (account <[EMAIL PROTECTED]>)
    by mail.myserver.com (CommuniGate Pro WebUser 4.0.6)
    with HTTP id 14286467 for <[EMAIL PROTECTED]>; Fri, 18 Jul 2003 18:24:17 -0700
From: "some user" <[EMAIL PROTECTED]>
Subject: **SPAM Score: 09.71** Re: *pounce*
To: "other user" <[EMAIL PROTECTED]>
X-Mailer: CommuniGate Pro Web Mailer v.4.0.6
Date: Fri, 18 Jul 2003 18:24:17 -0700
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60-cvs (1.195-2003-06-30-exp) on
    mail.myserver.com
X-Spam-Report: * 1.3 BANG_MONEY BODY: Talks about money with an exclamation!
    * 3.7 MSGID_FROM_MTA_SHORT Message-Id was added by a relay
    * 4.3 RCVD_IN_OSIRU_DIALUP RBL: OSIRU: sender is dial-up IP address
    * [208.170.95.132 listed in relays.osirusoft.com]
    * 1.0 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
    * [208.170.95.132 listed in dnsbl.sorbs.net]
    * 2.0 RCVD_IN_OSIRU RBL: OSIRU: Sent via relay in relays.osirusoft.com
    * [208.170.95.132 listed in relays.osirusoft.com]
    * -2.6 AWL AWL: Auto-whitelist adjustment
X-Spam-Status: Yes, hits=9.7 required=7.5 tests=AWL,BANG_MONEY,MSGID_FROM_MTA_SHORT,
    RCVD_IN_OSIRU,RCVD_IN_OSIRU_DIALUP,RCVD_IN_SORBS autolearn=no
    version=2.60-cvs
X-Spam-Level: xxxxxxxxx
X-TFF-CGPSA-Filter: Scanned
X-TFF-CGPSA-Version: 1.1b4 (mail.myserver.com)
I suppose I could detect this scenario in the rule that calls SA in the first place, but I actually DO want to run SA on messages sent from local webmail users to other local webmail users ([EMAIL PROTECTED] Nigerians...). The conditions for the SA rule are getting pretty darn long... multifaceted and multiconditional...
For now I have set RCVD_IN_OSIRU_DIALUP to 0 to minimize the consequences of this situation.
Thoughts?
-Dale
Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
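The single-hop case described in this message, as an added example that is not part of the original post and is not SpamAssassin's own code: a simplified Python model of the documented 'notfirsthop' selection, run over constructed Received headers. The guard `notfirsthop_skip_webmail` and its `local_host` parameter are hypothetical; they skip the dialup lookup only when the lone hop was stamped "with HTTP" by your own server.

```python
import re

# Constructed sample, newest header first, modelled on the message above
# (addresses are placeholders; the PIPE header is the post-scan resubmission).
WEBMAIL = [
    "by mail.myserver.com (CommuniGate Pro PIPE 4.0.6) with PIPE id 14286469",
    "from [208.170.95.132] (account <sender@example.com>) by mail.myserver.com"
    " (CommuniGate Pro WebUser 4.0.6) with HTTP id 14286467",
]
# Constructed sample: dialup client relaying through its ISP's SMTP server.
VIA_ISP = [
    "from smtp.isp.example ([198.51.100.7]) by mail.myserver.com with ESMTP",
    "from dialup.isp.example ([192.0.2.10]) by smtp.isp.example with ESMTP",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\w+)")

def parse_hops(received):
    """Return [(ip, by_host, protocol)], newest first, for headers naming a sender IP."""
    hops = []
    for hdr in received:
        hdr = " ".join(hdr.split())          # unfold continuation lines
        ip = IP_RE.search(hdr)
        if not hdr.lower().startswith("from") or not ip:
            continue                         # e.g. the local PIPE hop has no sender IP
        by, proto = BY_RE.search(hdr), WITH_RE.search(hdr)
        hops.append((ip.group(1), by.group(1).lower() if by else "",
                     proto.group(1).upper() if proto else ""))
    return hops

def notfirsthop(hops):
    """Documented behaviour: skip the originating (oldest) hop unless it is the only one."""
    ips = [ip for ip, _, _ in hops]
    return ips if len(ips) <= 1 else ips[:-1]

def notfirsthop_skip_webmail(hops, local_host):
    """Hypothetical guard: a lone hop that our own server logged 'with HTTP' is a
    webmail submission, not a dialup host delivering straight to the MX."""
    if len(hops) == 1 and hops[0][1] == local_host and hops[0][2] == "HTTP":
        return []
    return notfirsthop(hops)

if __name__ == "__main__":
    for name, hdrs in (("webmail", WEBMAIL), ("via ISP", VIA_ISP)):
        hops = parse_hops(hdrs)
        print(name, notfirsthop(hops), notfirsthop_skip_webmail(hops, "mail.myserver.com"))
```

Because the guard requires exactly one hop written by the local server, a forged "with HTTP" Received line inside a message delivered over SMTP does not trigger it: the real SMTP hop sits above it and is still queried.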