At 07:43 PM 11/23/2004, Greg Earle wrote:
Neither mailserver is NAT'ed. What could I have misconfigured?
Not sure.. dump a message through spamassassin -D and see how it's handling your Received: headers
Lines like these are relevant (this set illustrates the bug):
debug: received-header: parsed as [ ip=61.249.100.210 rdns=pp.kolumbus.fi helo=pp.kolumbus.fi by=xanadu.evi-inc.com ident= envfrom= intl=0 id=i66Ern95106902 ]
debug: looking up A records for 'xanadu.evi-inc.com'
debug: A records for 'xanadu.evi-inc.com': 192.168.50.2
debug: looking up A records for 'xanadu.evi-inc.com'
debug: A records for 'xanadu.evi-inc.com': 192.168.50.2
debug: received-header: 'by' xanadu.evi-inc.com has reserved IP 192.168.50.2
debug: received-header: 'by' xanadu.evi-inc.com has no public IPs
debug: received-header: relay 61.249.100.210 trusted? yes internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=61.249.100.210 rdns=pp.kolumbus.fi helo=pp.kolumbus.fi by=xanadu.evi-inc.com ident= envfrom= intl=0 id=i66Ern95106902 ]
debug: metadata: X-Spam-Relays-Untrusted:
OK, here's what I get:
mipl:1:46 [/tmp] # spamassassin -D < SunTrust_spam |& egrep -i received\|records\|Relays
debug: received-header: parsed as [ ip=137.78.38.32 rdns=mipl.jpl.nasa.gov helo=mipl.jpl.nasa.gov by=miplnew.JPL.NASA.GOV ident= envfrom= intl=0 id=000269AE.41A2E06E.0000203E ]
debug: received-header: parsed as [ ip=137.78.160.64 rdns=eis-msg-mx01.jpl.nasa.gov helo=eis-msg-mx01.jpl.nasa.gov by=mipl.jpl.nasa.gov ident= envfrom= intl=0 id=XAA21874 ]
debug: looking up A records for 'miplnew.JPL.NASA.GOV'
debug: A records for 'miplnew.JPL.NASA.GOV': 137.78.38.109
debug: received-header: 'from' 137.78.38.32 is near to first 'by'
debug: received-header: relay 137.78.38.32 trusted? yes internal? no
debug: received-header: 'from' 137.78.160.64 is near to first 'by'
debug: received-header: relay 137.78.160.64 trusted? yes internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=137.78.38.32 rdns=mipl.jpl.nasa.gov helo=mipl.jpl.nasa.gov by=miplnew.JPL.NASA.GOV ident= envfrom= intl=0 id=000269AE.41A2E06E.0000203E ] [ ip=137.78.160.64 rdns=eis-msg-mx01.jpl.nasa.gov helo=eis-msg-mx01.jpl.nasa.gov by=mipl.jpl.nasa.gov ident= envfrom= intl=0 id=XAA21874 ]
debug: metadata: X-Spam-Relays-Untrusted:
debug: SPF: message was delivered entirely via trusted relays, not required
debug: SPF: message was delivered entirely via trusted relays, not required
Received: from localhost by miplnewold.jpl.nasa.gov
Received: from mipl.jpl.nasa.gov (mipl.jpl.nasa.gov [::ffff:137.78.38.32])
Received: from eis-msg-mx01.jpl.nasa.gov (eis-msg-mx01.jpl.nasa.gov [137.78.160.64])
Received: from cpe-69-75-17-251.hawaii.rr.com by eis-msg-mx01.jpl.nasa.gov; Mon, 22 Nov 2004 22:07:57 -0800
This makes me suspicious of this ALL_TRUSTED rule - in other words, here's a blatant SPAM that was sent from a RoadRunner customer in Hawai'i (perhaps as a relay, but also perhaps the originator) and went through two discernible "relays" - JPL's main mail relay and my local group mail server. So it got tagged with a positive score for ALL_TRUSTED ... when to me that fact is of no interest to whether it was SPAM or not.
Of course, the whole thing is somewhat moot - after learning it as SPAM and adding SARE_SPOOF, this SPAM went up in score from 4.9 yesterday to 57.7 today because of SARE_FORGED_SUNTRUST, lol :)
(I still have no clue how the From: address ended up in the AWL, but I just manually removed it.)
Thanks to kelson and Matt for their help.
- Greg
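A simplified model of the Received-header walk behind the debug lines above, added here as an example and not SpamAssassin's own code. It assumes 137.78.0.0/16 as the trusted network and feeds in the four headers Greg pasted; note that the debug output shows only two parsed relays, and the last header (the Hawaii RoadRunner hop) carries no bracketed IP, so the parser yields nothing for it. The IP 69.75.17.251 in the "fixed" variant is constructed from that hostname for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the Received: headers from the message, most recent first.
RECEIVED = [
    "from localhost by miplnewold.jpl.nasa.gov",
    "from mipl.jpl.nasa.gov (mipl.jpl.nasa.gov [::ffff:137.78.38.32])",
    "from eis-msg-mx01.jpl.nasa.gov (eis-msg-mx01.jpl.nasa.gov [137.78.160.64])",
    "from cpe-69-75-17-251.hawaii.rr.com by eis-msg-mx01.jpl.nasa.gov; Mon, 22 Nov 2004 22:07:57 -0800",
]

# Assumed trusted_networks for the site (an assumption, not from the thread).
TRUSTED = [ip_network("137.78.0.0/16")]

# Only the common "from HELO (RDNS [IP])" shape; an IPv4-mapped IPv6 prefix is tolerated.
HDR_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?:::ffff:)?(?P<ip>[0-9.]+)\]\)"
)

def parse_received(hdr):
    """Return a relay dict, or None when the header has no bracketed IP to trust or distrust."""
    m = HDR_RE.match(hdr)
    if not m:
        return None
    return {"ip": m["ip"], "rdns": m["rdns"] or "", "helo": m["helo"]}

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED)

def walk_relays(headers):
    """Walk top-down: relays are trusted until the first untrusted hop; everything after is untrusted."""
    trusted, untrusted = [], []
    for hdr in headers:
        relay = parse_received(hdr)
        if relay is None:
            continue  # invisible to the trust path, exactly like an unparsable header
        if not untrusted and is_trusted(relay["ip"]):
            trusted.append(relay)
        else:
            untrusted.append(relay)
    return trusted, untrusted

def all_trusted(headers):
    """Model of ALL_TRUSTED: some relays were parsed and none of them is untrusted."""
    trusted, untrusted = walk_relays(headers)
    return bool(trusted) and not untrusted

# With the originating hop's IP present, the untrusted list is non-empty and the rule does not fire.
FIXED = RECEIVED[:3] + [
    "from cpe-69-75-17-251.hawaii.rr.com (cpe-69-75-17-251.hawaii.rr.com [69.75.17.251]) by eis-msg-mx01.jpl.nasa.gov"
]
```

The practical check for an operator is to confirm that every MTA on the inbound path writes the peer IP into its Received header, and to set trusted_networks explicitly rather than relying on auto-detection.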