On 02/16/2015 04:01 PM, rsmits-l wrote:
On 02/09/2015 01:53 PM, Kevin A. McGrail wrote:
On 2/9/2015 7:43 AM, rsmits-l wrote:
I have been reading some threads on the Internet about problems with
the field "X-Originating-IP" and the Spamhaus PBL list. We are also
having this problem. I have installed a workaround for this but it is not
working bulletproof.

I am wondering if there is a permanent solution for this? I am
running: SpamAssassin version 3.3.1
running on Perl version 5.10.1
amavisd-new : amavisd-new-2.8.0 (20120630)

The workaround I have made:

header OFFICE365_01 Received =~ /\.outbound\.protection\.outlook\.com/i
header OFFICE365_02 x-originating-ip =~ /^\[/

But I am also seeing some real spam coming from Microsoft so this is
not bulletproof.

Has anyone got information?

My guess is that if you check the email from the command line, it does
not fire against the RBL but something in the glue is either A)
synthesizing a header using the X-Originating-IP or the same IP; or B)
there is a logic case in SA that is hitting in the glue but not
otherwise.

Someone else was mentioning this a few days ago using spamass-milter, I
believe.

Can you test the email from the command line? Can you provide a sample
on pastebin?

Regards,
KAM

A late reply, but this week I started investigating why this happens. I
have edited a sample. If someone can take a look at why the PBL is firing
here, it would be great.

http://pastebin.com/xxFAPTay

SpamAssassin output at my end is:

pts  rule name              description
---- ---------------------- --------------------------------------------------
 10  RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [151.66.59.47 listed in zen.spamhaus.org]
-0.1 OFFICE365_01           OFFICE365_01
 0.0 FSL_HELO_NON_FQDN_1    FSL_HELO_NON_FQDN_1
-0.1 OFFICE365_02           OFFICE365_02
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                            [151.66.59.47 listed in bb.barracudacentral.org]
 -10 OFFICE365_M            OFFICE365_M
 0.6 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 1.5 TVD_SPACE_RATIO        TVD_SPACE_RATIO
 4.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

Greetings, Richard Smits.

Also some information. We use an ipv6 --> ipv4 converter (ipv6-mx.tudelft.nl [130.161.6.14]).

This is not part of our trusted network because we do not have an ipv6 spamchecker in place. Our amavisd config reads:

@mynetworks = qw ( 127.0.0.0/8 !130.161.6.14/32 130.161.0.0/16 131.180.0.0/16 192.87.166.0/24 10.200.12.0/24 10.200.20.0/24 );

Greetings.
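
An added example, not part of the original thread and not amavisd-new's own code: a check of which relay addresses the posted @mynetworks list treats as local, and how that changes if the "!" exclusion is placed after the covering /16. It assumes first-match evaluation in which a leading "!" means "explicitly not local"; the function names and the address 130.161.1.1 are constructed for illustration.

```python
import ipaddress

# The @mynetworks entries exactly as posted in the message above.
MYNETWORKS = [
    "127.0.0.0/8", "!130.161.6.14/32", "130.161.0.0/16", "131.180.0.0/16",
    "192.87.166.0/24", "10.200.12.0/24", "10.200.20.0/24",
]


def in_mynetworks(ip, acl=MYNETWORKS):
    """Return True if ip is treated as local.

    Assumption: the first entry that contains the address decides the
    result, a leading '!' means "explicitly not local", and an address
    matching no entry is not local.
    """
    addr = ipaddress.ip_address(ip)
    for entry in acl:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr.version == net.version and addr in net:
            return not negated
    return False


def misordered(acl=MYNETWORKS):
    """Constructed variant of the list with every '!' entry moved to the end."""
    plain = [e for e in acl if not e.startswith("!")]
    excluded = [e for e in acl if e.startswith("!")]
    return plain + excluded


if __name__ == "__main__":
    samples = [
        "130.161.6.14",  # the ipv6 --> ipv4 converter named in the message
        "130.161.1.1",   # constructed address elsewhere in 130.161.0.0/16
        "151.66.59.47",  # the address the RBL rules reported
    ]
    print("address         as posted  '!' moved last")
    for ip in samples:
        print(f"{ip:<15} {in_mynetworks(ip)!s:<10} "
              f"{in_mynetworks(ip, misordered())}")
```

With the list as posted the converter is excluded from the local networks; with the exclusion moved behind 130.161.0.0/16 the broader entry matches first and the converter counts as local again.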
