On 08/14/2013 03:49 PM, Nigel Smith wrote:
Hi,

SpamAssassin version 3.3.2
   running on Perl version 5.14.2
3.2.0-49-generic #75-Ubuntu SMP Tue Jun 18 17:39:32 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

(ubuntu 12.04LTS)


I'm having some major problems at the moment with people who send mail via 
their corporate email platforms hosted on Microsoft's Bigfish (a.k.a. 
FrontBridge, or whatever they're choosing to call it today!).

The problem seems to be a conflict between something in one of the headers 
Microsoft add:

X-Forefront-Antispam-Report-Untrusted: 
SFV:NSPM;SFS:(24454002)(377454003)(51704005)(199002)(189002)(16406001)(54356001)(69226001)(74876001)(79102001)(4396001)(81542001)(49866001)(47736001)(47446002)(31966008)(74662001)(74502001)(81342001)(76482001)(80976001)(56776001)(54316002)(53806001)(74706001)(77096001)(56816003)(66066001)(80022001)(65816001)(77982001)(59766001)(74366001)(51856001)(46102001)(36756003)(63696002)(50986001)(47976001)(19580395003)(19580405001)(83072001)(76796001)(83322001)(33656001)(76786001)(81686001)(81816001);DIR:OUT;SFP:;SCL:1;SRVR:BLUPR03MB003;H:BLUPR03MB001.namprd03.prod.outlook.com;CLIP:10.10.114.156;RD:InfoNoRecords;A:1;MX:1;LANG:en;
x-originating-ip: [10.10.114.156]
X-MS-Exchange-CrossPremises-originalclientipaddress: 10.10.114.156

And one of my SA rules :
# Locally hosted Spamhaus
score   __RCVD_IN_ZEN   0

header ITS_RCVD_IN_ZEN            eval:check_rbl('zen', 'zen.dnsbl.')
describe ITS_RCVD_IN_ZEN          Received via a relay in Spamhaus Zen
tflags ITS_RCVD_IN_ZEN            net
reuse  ITS_RCVD_IN_ZEN
score   ITS_RCVD_IN_ZEN         30.0


This triggers :
  *   30 ITS_RCVD_IN_ZEN RBL: Received via a relay in Spamhaus Zen
  *      [10.10.114.156 listed in zen.dnsbl]


The only place that IP can be found (i.e. cat spam-97InS+5ooirt | grep 
"10.10.114.156") is in the three headers above.  The rcvd lines do not match.

Your rule is sort of dangerous as it may list PBL stuff on non last-external, etc.

Your safest bet is to set up your recursor to forward all your Spamhaus queries to your local rbldnsd instance and stick to the stock SA Spamhaus rules.

ITS_RCVD_IN_ZEN should be __ITS_RCVD_IN_ZEN and not be scored.... etc
(see 20_dnsbl_tests.cf for rule logic)
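
The layout the reply points to, sketched against the local zone from the original post (an added example, not part of the thread and not copied from either poster's configuration). The set name `itszen`, the `ITS_RCVD_IN_SBL`/`XBL`/`PBL` rule names and every score are assumptions chosen for illustration; the structure follows the stock Spamhaus rules in 20_dnsbl_tests.cf.

```conf
# Added example. 'zen.dnsbl.' is the local rbldnsd zone from the post.
# Set name 'itszen', the ITS_* sub-rule names and all scores are assumptions.
# A separate set name keeps these hits apart from the stock 'zen' set.

# Parent lookup: the leading double underscore makes this an unscored
# sub-rule. It queries the zone for the untrusted relays and records the
# answers under the set name, nothing more.
header   __ITS_RCVD_IN_ZEN   eval:check_rbl('itszen', 'zen.dnsbl.')
describe __ITS_RCVD_IN_ZEN   Received via a relay in Spamhaus Zen
tflags   __ITS_RCVD_IN_ZEN   net
reuse    __ITS_RCVD_IN_ZEN

# SBL answers (127.0.0.2) are meaningful for any untrusted relay,
# so this sub-rule reads the results of the parent lookup.
header   ITS_RCVD_IN_SBL     eval:check_rbl_sub('itszen', '127.0.0.2')
describe ITS_RCVD_IN_SBL     Received via a relay in Spamhaus SBL
tflags   ITS_RCVD_IN_SBL     net
reuse    ITS_RCVD_IN_SBL
score    ITS_RCVD_IN_SBL     3.0

# XBL answers (127.0.0.4 to 127.0.0.8) are only checked against the
# last external relay, i.e. the host that handed the mail to your MX.
header   ITS_RCVD_IN_XBL     eval:check_rbl('itszen-lastexternal', 'zen.dnsbl.', '127.0.0.[45678]')
describe ITS_RCVD_IN_XBL     Received via a relay in Spamhaus XBL
tflags   ITS_RCVD_IN_XBL     net
reuse    ITS_RCVD_IN_XBL
score    ITS_RCVD_IN_XBL     3.0

# PBL answers (127.0.0.10, 127.0.0.11) describe address space that should
# not deliver directly to an MX. A PBL-listed address deeper in the header
# chain (a user's dynamic IP behind a legitimate relay) is normal, which is
# why this test is also restricted to the last external relay.
header   ITS_RCVD_IN_PBL     eval:check_rbl('itszen-lastexternal', 'zen.dnsbl.', '127.0.0.1[01]')
describe ITS_RCVD_IN_PBL     Received via a relay in Spamhaus PBL
tflags   ITS_RCVD_IN_PBL     net
reuse    ITS_RCVD_IN_PBL
score    ITS_RCVD_IN_PBL     3.0
```

Running `spamassassin --lint` after editing the rules file checks the syntax before the change goes live.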

