Thx for the quick reply. No, I hardly changed the Ubuntu config at all and just to make sure I scanned all my spamassassin config files and there was no trusted_network setup.
Now I tested the same message on the console with spamassassin -D message.txt
It gave me the same hit (RCVD_IN_NJABL_PROXY) but I'll post some of the debug messages that I figured might help:

[30897] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually
[30897] dbg: received-header: parsed as [ ip=217.72.192.242 rdns=fmmailgate04.web.de helo=fmmailgate04.web.de by=xxx ident= envfrom=...@web.de intl=0 id=1MP2VJ-0002cW-7J auth= msa=0 ]
[30897] dbg: received-header: do not trust any hosts from here on
[30897] dbg: received-header: relay 217.72.192.242 trusted? no internal? no msa? no
[30897] dbg: received-header: parsed as [ ip=213.39.158.25 rdns= helo= by=freemailng0206.web.de ident= envfrom= intl=0 id= auth=HTTP msa=0 ]
[30897] dbg: received-header: relay 213.39.158.25 trusted? no internal? no msa? no
[30897] dbg: metadata: X-Spam-Relays-Trusted:
[30897] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=217.72.192.242 rdns=fmmailgate04.web.de helo=fmmailgate04.web.de by=myMailServer ident= envfrom=...@web.de intl=0 id=1MP2VJ-0002cW-7J auth= msa=0 ] [ ip=213.39.158.25 rdns= helo= by=freemailng0206.web.de ident= envfrom= intl=0 id= auth=HTTP msa=0 ]
[30897] dbg: metadata: X-Spam-Relays-Internal:
[30897] dbg: metadata: X-Spam-Relays-External: [ ip=217.72.192.242 rdns=fmmailgate04.web.de helo=fmmailgate04.web.de by=myMailServer ident= envfrom=...@web.de intl=0 id=1MP2VJ-0002cW-7J auth= msa=0 ] [ ip=213.39.158.25 rdns= helo= by=freemailng0206.web.de ident= envfrom= intl=0 id= auth=HTTP msa=0 ]
[30897] dbg: dns: IPs found: full-external: 217.72.192.242, 213.39.158.25 untrusted: 217.72.192.242, 213.39.158.25 originating:
[30897] dbg: dns: only inspecting the following IPs: 213.39.158.25, 217.72.192.242
[30897] dbg: dns: launching DNS A query for 25.158.39.213.combined.njabl.org. in background
[30897] dbg: async: starting: DNSBL-A, dns:A:25.158.39.213.combined.njabl.org. (timeout 15.0s, min 3.0s)
[30897] dbg: dns: launching DNS A query for 242.192.72.217.combined.njabl.org. in background
[30897] dbg: async: starting: DNSBL-A, dns:A:242.192.72.217.combined.njabl.org. (timeout 15.0s, min 3.0s)
[30897] dbg: dns: hit <dns:25.158.39.213.combined.njabl.org> 127.0.0.9
[30897] dbg: dns: hit <dns:web.de> 217.72.195.42
[30897] dbg: dns: hit <dns:web.de?type=MX> 110 mx-ha02.web.de.
[30897] dbg: dns: hit <dns:web.de?type=MX> 100 mx-ha01.web.de.
[30897] dbg: dns: hit <dns:25.158.39.213.dnsbl.sorbs.net> 127.0.0.10
[30897] dbg: dns: hit <dns:242.192.72.217.list.dnswl.org> 127.0.5.0
[30897] dbg: dns: hit <dns:25.158.39.213.zen.spamhaus.org> 127.0.0.11
[30897] dbg: dns: hit <dns:web.de.fulldom.rfc-ignorant.org> 127.0.0.7
[30897] dbg: async: completed in 0.015 s: DNSBL-A, dns:A:25.158.39.213.combined.njabl.org.
[30897] dbg: rules: ran header rule __LAST_UNTRUSTED_RELAY_NO_AUTH ======> got hit: "[ ip=217.72.192.242 rdns=fmmailgate04.web.de helo=fmmailgate04.web.de by=myMailServer ident=
[30897] dbg: rules: ran header rule __DOS_RELAYED_EXT ======> got hit: "Received: from fmmailgate04.web.de ([217.72.192.242]) by myMailServer with esmtp (Exim 4.69) (envelope-from <x...@web.de>) id 1MP2VJ-0002cW-7J for myEmailAddress; Fri, 10 Jul 2009 00:54:17 +0200
[30897] dbg: rules: Received: from web.de by fmmailgate04.web.de (Postfix) with SMTP id 784E0617C621 for <myEmailAddress>; Fri, 10 Jul 2009 00:54:08 +0200 (CEST)

So it seems that SpamAssassin considers both IP addresses as untrusted and then looks them both up rather than just the first one...

Jari Fredriksson wrote:
>
>>
>> I am using Spamassassin 3.2.4-1ubuntu1.1. Spamassassin is used by my Exim
>> server with spamd.
>>
>> The problem I have is that sometimes I get RBL hits even though the sender
>> is using a valid smarthost.
>> Example:
>> Received: from fmmailgate04.web.de ([217.72.192.242])
>>     by myMailServer with esmtp (Exim 4.69)
>>     (envelope-from <x...@web.de>)
>>     id 1MP2VJ-0002cW-7J
>>     for myEmailAddress; Fri, 10 Jul 2009 00:54:17 +0200
>> Received: from web.de
>>     by fmmailgate04.web.de (Postfix) with SMTP id 784E0617C621
>>     for <myEmailAddress>; Fri, 10 Jul 2009 00:54:08 +0200 (CEST)
>> Received: from [213.39.158.25] by freemailng0206.web.de with HTTP;
>>     Fri, 10 Jul 2009 00:54:06 +0200
>> Date: Fri, 10 Jul 2009 00:54:06 +0200
>> Message-Id: <1160922...@web.de>
>> MIME-Version: 1.0
>> From: x...@web.de
>> To: myExmailAdress
>> Subject: blabla
>> Precedence: fm-user
>> Organization: http://freemail.web.de/
>> X-Provags-Id:
>>     V01U2FsdGVkX18lP5sKSYPx3TgWHEN1Z7L2NW5G+X9Sks0ysU4QuxLtgDrif
>>     soaQGoAe2gbxmEtxcXfIJQCtJ44ojT8Zmcm0H6ShN663CUEajdFvPtO4mHtn
>>     w==
>> Content-Type: text/plain; charset=iso-8859-15
>> Content-Transfer-Encoding: quoted-printable
>> X-Spam-Score: -0.4 (/)
>> X-Spam-Report: Spam report:
>>     If you have any questions, see postmas...@dwsa.de for details.
>>     Content analysis details: (-0.4 points)
>>      pts rule name              description
>>     ---- ---------------------- --------------------------------------------------
>>     -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>>                                 [score: 0.0000]
>>      1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
>>      1.6 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>                                 [213.39.158.25 listed in combined.njabl.org]
>>     -0.8 AWL                    AWL: From: address is in the auto white-list
>>
>> As you see the sender is using web.de (a large German freemail service) as a
>> smarthost. The web.de server (217.72.192.242) which delivered the email to
>> my exim is not listed in any rbl list but the address the sender used to
>> deliver the email to the web.de smarthost (213.39.158.25) is.
>>
>> As far as I understand SpamAssassin is supposed to just check the ip that
>> directly delivered the email to my server but not the IP the email is
>> originally from (as that wouldn't make any sense as almost everyone is using
>> dyn ips...).
>>
>> I would really appreciate some hints what is going wrong here and how to fix
>> that.
>>
>> Thanks!
>>
>> Danusch
>> --
>> View this message in context:
>> http://www.nabble.com/rbl-dnsbl-seems-to-use-wrong-ip-sometimes-tp24443359p24443359.html
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>>
>
> And web.de is NOT in your trusted_networks?
>
>

--
View this message in context: http://www.nabble.com/rbl-dnsbl-seems-to-use-wrong-ip-sometimes-tp24443359p24443678.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
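
Added example, not part of the original posts and not SpamAssassin's own code: Python that parses the X-Spam-Relays-Untrusted value from the debug output above and derives the DNSBL query names, once for every untrusted relay (the two lookups seen in the log) and once for only the relay that connected to the local server. The function names and the scope names all_untrusted and last_external are this example's own.

```python
import ipaddress
import re

# Constructed sample: the X-Spam-Relays-Untrusted value copied from the debug
# output in the post (elided and anonymised fields kept exactly as posted).
RELAYS_UNTRUSTED = (
    "[ ip=217.72.192.242 rdns=fmmailgate04.web.de helo=fmmailgate04.web.de "
    "by=myMailServer ident= envfrom=...@web.de intl=0 id=1MP2VJ-0002cW-7J "
    "auth= msa=0 ] "
    "[ ip=213.39.158.25 rdns= helo= by=freemailng0206.web.de ident= "
    "envfrom= intl=0 id= auth=HTTP msa=0 ]"
)


def parse_relays(metadata):
    """Split '[ k=v k=v ... ] [ ... ]' into one dict per relay, newest hop first."""
    relays = []
    for block in re.findall(r"\[\s*(.*?)\s*\]", metadata):
        fields = {}
        for token in block.split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def dnsbl_name(ip, zone):
    """Build a DNSBL query name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookups(relays, zone, scope):
    """Return (ip, auth, query name) per relay selected by this example's scope.

    'all_untrusted' selects every relay in the list; 'last_external' selects
    only the first entry, i.e. the host that handed the mail to our server.
    """
    chosen = relays if scope == "all_untrusted" else relays[:1]
    return [(r["ip"], r.get("auth", ""), dnsbl_name(r["ip"], zone)) for r in chosen]


if __name__ == "__main__":
    parsed = parse_relays(RELAYS_UNTRUSTED)
    for scope in ("all_untrusted", "last_external"):
        print(scope)
        for ip, auth, name in lookups(parsed, "combined.njabl.org", scope):
            print(f"  {ip:<16} auth={auth or '-':<5} {name}")
```

The auth=HTTP field on the second relay marks the webmail submission hop, which is the address that produced the NJABL hit in the report.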