On Sat, 2009-07-11 at 12:52 -0700, an anonymous Nabble user wrote:
> The problem I have is that sometimes I get RBL hits even though the sender
> is using a valid smarthost.

Some DNSBLs are *meant* to do deep parsing. PBL style ones are not, and only check the last external, submitting hop. Exactly due to what you mentioned, dial-up end-user IPs are ok, as long as they submit to their SMTPs, not directly to the MX.

Open Proxies and stuff are an entirely different story, and worth scoring on sight, wherever they appear.

> X-Spam-Score: -0.4 (/)
> X-Spam-Report: Spam report:
> -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> [score: 0.0000]
> 1.4 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76
> chars
> 1.6 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
> [213.39.158.25 listed in combined.njabl.org]
> -0.8 AWL AWL: From: address is in the auto white-list

Not a FP, even scored below 0. There's nothing wrong with this.

> As you see the sender is using web.de (a large German freemail service) as a
> smarthost. The web.de server (217.72.192.242) which delivered the email to
> my exim is not listed in any RBL list but the address the sender used to
> deliver the email to the web.de smarthost (213.39.158.25) is.

Apparently it's an open proxy, ready and willing to relay ANY spam to ANYone. That *is* worth scoring. Fix the open proxy.

> As far as I understand SpamAssassin is supposed to just check the IP that
> directly delivered the email to my server but not the IP the email is
> originally from (as that wouldn't make any sense as almost everyone is using
> dyn IPs...).

Nope. You're understanding wrong, some tests are deliberately meant to do deep-parsing.

> I would really appreciate some hints what is going wrong here and how to fix
> that.

Score -0.4. What do you feel like "fixing"?

guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
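
Added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of the distinction made in the reply, between a list checked only against the last external hop and one checked against every hop in the Received chain. Only the two IP addresses and the combined.njabl.org zone come from the thread; the host names, the receiving MX and `INTERNAL_NETS` are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample: only the two IP addresses come from the thread above;
# host names and the receiving MX are made up for illustration.
RAW = """\
Received: from smarthost.example ([217.72.192.242])
\tby mx.example.org with esmtp; Sat, 11 Jul 2009 21:40:02 +0200
Received: from client.example ([213.39.158.25])
\tby smarthost.example with esmtpa; Sat, 11 Jul 2009 21:40:00 +0200
From: sender@example.com
Subject: test

body
"""

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed own relays
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw):
    """Connecting IPs taken from the Received headers, newest hop first."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def dnsbl_targets(raw, deep):
    """IPs a list is queried for: every external hop, or only the last one."""
    hops = [ip for ip in relay_ips(raw)
            if not any(ip in net for net in INTERNAL_NETS)]
    # hops[0] is the relay that handed the message to our own MX.
    return hops if deep else hops[:1]


def dnsbl_query_name(ip, zone):
    """Reversed-octet DNS name that would be looked up in the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone
```

With `deep=False` only the smarthost address is a candidate for lookup, which is the PBL-style behaviour; with `deep=True` the submitting client 213.39.158.25 is included as well, which is how a proxy list can hit on a message relayed through a clean smarthost.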