Addresses in 1.0.0.0/8 are reserved by IANA (note: not reserved for intranet use, just reserved) and shouldn't be used by anybody (either on the Internet or on an intranet), not even a "power" company.
Probably the best approach here is to whitelist the sender. Of course, I would suggest CMS Energy to fix the addresses of their non-conforming intranet/DMZ servers...

Giampaolo

# whois 1.226.208.65

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   1.0.0.0 - 1.255.255.255
CIDR:       1.0.0.0/8
NetName:    RESERVED-9
NetHandle:  NET-1-0-0-0-1
Parent:
NetType:    IANA Reserved
Comment:
RegDate:
Updated:    2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  [EMAIL PROTECTED]

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2008-08-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

> -----Original Message-----
> From: Brian Martinez [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2008 9:22 PM
> To: users@spamassassin.apache.org
> Subject: RCVD_ILLEGAL_IP question(s)
>
> Howdy folks,
>
> I'm experiencing a problem with some people (myself included) who are not
> properly receiving their Consumer's Energy bills. Rather, the bills are
> being marked as spam and sent into their SPAM folders. One of the two
> things being marked by the Spam-Report is RCVD_ILLEGAL_IP
>
> I found the function that does the checking for this information in the
> Mail-Spamassassin (or perl-spamassassin-3.2.1-1) package. We have this
> installed out of RPMs for OpenSuSE 10.2 (both x86 and amd64)
>
> Here is the function:
>
> sub check_for_illegal_ip {
>   my ($self, $pms) = @_;
>
>   foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
>     # (note this might miss some hits if the Received.pm skips any invalid IPs)
>     foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
>       return 1 if ($check =~ /^
>         (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
>         $/x);
>     }
>   }
>   return 0;
> }
>
> I'm having a hard time understanding the regex myself. Our network admin
> is actually the person who brought the issue to my attention, I didn't
> even realize I wasn't receiving my own bills and I imagine other folks are
> not either. Here are the headers from the message with some info REDACTED
> to avoid robots crawling for email addresses. Our network admin says the
> IP is certainly a legal one, and it pings for us as well as for other
> people. Anyway, here's another paste:
>
> ----[begin paste]----
> Return-path: <[EMAIL PROTECTED]>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on mx03.mail.msu.edu
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.3 required=5.0 tests=INVALID_TZ_EST,
>   RCVD_ILLEGAL_IP shortcircuit=no autolearn=disabled version=3.2.1
> X-Spam-Report:
>   * 2.1 INVALID_TZ_EST Invalid date in header (wrong EST timezone)
>   * 3.2 RCVD_ILLEGAL_IP Received: contains illegal IP address
> Envelope-to: [EMAIL PROTECTED]
> Delivery-date: Fri, 01 Aug 2008 06:15:17 -0400
> Received: from mail.consumersenergy.com ([67.59.61.131] helo=dmzhpu01.cpco.com)
>   by mx03.mail.msu.edu with esmtp (Exim 4.63 #1)
>   id 1KOrfJ-00026T-Cg
>   for [EMAIL PROTECTED]; Fri, 01 Aug 2008 06:15:17 -0400
> Received: from cmsenergy.com ([EMAIL PROTECTED] [1.226.208.65])
>   by dmzhpu01.cpco.com (8.11.1/8.11.1) with ESMTP id m71AFGJ28409
>   for <[EMAIL PROTECTED]>; Fri, 1 Aug 2008 06:15:17 -0400 (EDT)
> Date: Fri, 1 Aug 2008 05:14:38 -0400 (EST)
> From: "eServices" <[EMAIL PROTECTED]>
> Subject: Consumers Energy bill ready to view
> To: [EMAIL PROTECTED]
> Reply-To: "eServices" <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Importance: Normal
> X-Priority: 3 (Normal)
> X-Mailer: SAP Web Application Server 7.00
> Content-Type: text/plain;
>   charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> Content-Description: Consumers Energy bill ready to view
> X-Virus: None found by Clam AV
>
> ----[end paste]----
>
> I'm guessing the IP address in question is: 1.226.208.65
>
> While it certainly is not within a range I see all that often, I am
> assured by our hostmaster that it is legit. Another one I've seen is
> 1.226.208.61
>
> Any ideas on why this is being picked up incorrectly? Or are we way off
> base, and it is indeed *wrong?* I am admittedly kind of new to dealing
> with the inner-workings of SpamAssassin. I took the job as a mail admin
> a couple of years ago, and SA has simply *worked* as setup by the previous
> admin. I'll be glad to dig around, but I'm still kind of learning it.
>
> Thanks for any ideas.
>
> Regards,
> ./brm
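The regex from the quoted check_for_illegal_ip, split into its first-octet alternatives and run over the relay addresses in the pasted headers. This is an added example, not part of the thread or of SpamAssassin's code; the branch descriptions, the helper name `illegal_ip_reason`, the abridged header strings and the extra test addresses are assumptions made for illustration.

```perl
use strict;
use warnings;

# First-octet alternatives of the regex in check_for_illegal_ip, split apart.
# The descriptions are annotations added for this example.
my @branches = (
    [ qr/[01257]/,         'first octet is exactly 0, 1, 2, 5 or 7' ],
    [ qr/(?!127.0.0.)127/, '127.x.x.x other than 127.0.0.x' ],
    [ qr/22[3-9]/,         'first octet 223-229' ],
    [ qr/2[3-9]\d/,        'first octet 230-299' ],
    [ qr/[12]\d{3,}/,      'first octet has four or more digits' ],
    [ qr/[3-9]\d\d+/,      'first octet 300 or above' ],
);

# Hypothetical helper: return the description of the first alternative that
# flags $ip, or undef when none of them matches.
sub illegal_ip_reason {
    my ($ip) = @_;
    for my $branch (@branches) {
        my ($first_octet, $why) = @$branch;
        return $why if $ip =~ /^$first_octet\.\d+\.\d+\.\d+$/;
    }
    return undef;
}

# Received headers from the pasted message, abridged to the relay part.
my @received = (
    'from mail.consumersenergy.com ([67.59.61.131] helo=dmzhpu01.cpco.com) by mx03.mail.msu.edu',
    'from cmsenergy.com ([1.226.208.65]) by dmzhpu01.cpco.com',
);
# Constructed addresses that exercise the remaining alternatives.
my @constructed = qw(127.0.0.1 127.1.2.3 10.0.0.1 224.0.0.5 300.1.1.1);

# Simplified extraction of the bracketed relay IP; SpamAssassin's own
# Received.pm parser is far more thorough.
my @ips;
for my $hdr (@received) {
    push @ips, $1 if $hdr =~ /\[(\d+\.\d+\.\d+\.\d+)\]/;
}

for my $ip (@ips, @constructed) {
    my $why = illegal_ip_reason($ip);
    printf "%-15s %s\n", $ip,
        (defined($why) ? "RCVD_ILLEGAL_IP: $why" : 'not flagged');
}
```

The `[01257]` alternative must be followed directly by a dot, so it matches only one-digit first octets: 1.226.208.65 is flagged, while an address such as 10.0.0.1 is not.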