Bill,

Thanks for the helpful reply. I performed a reverse lookup on several of the IPs, but didn't take the next step of looking up the name in the PTR.

Ken

On 17 Sep 2015, at 15:35, Ken Johnson wrote:

> Spamassassin is run by Exim.
>
> Spamassassin version:
> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07)
> X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:57:07 +0000)
> from dpkg: spamassassin 3.4.0-2~bpo70+1
>
> Platform: Debian 7.8
>
> A recent surge in unfiltered spam made me re-examine log files. Every
> message I found that generated a log entry like this:
>
> :2015-09-09 07:35:40 1ZZeb1-00053O-Hy SA: Action: scanned but message isn't
> spam: score=3.7 required=4.0 (scanned in 13/13 secs | Message-Id:
> NDY1OGI4NmNhYjc3YTU3YmM3MzExYjBhMTY0MzY2ZWM_@URLTHATMUSTNOTBENAMED). From
> <info@URLTHATMUSTNOTBENAMED> (host=NULL [45.58.126.146]) for x...@y.com
>
> which included the string "(host=NULL " was a message I could safely
> filter out. Or at least, could safely add two or three to the score.
>
> What condition or attribute of received mail corresponds to a log
> entry of "host=NULL"?

Bill Cole wrote:

That precise wording seems to be an artifact of the Exim-SA plumbing (I've never seen SA itself generate "host=NULL" anywhere I use it) but based on the context and DNS fact, it would appear to be an indication that there is no valid hostname discernible for that IP address. In this specific case, the IP has a PTR record but the name in that PTR record has no A record confirming the name-IP relationship (or any records at all.)
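An added example, not part of the original thread: a forward-confirmed reverse DNS check that separates the two cases behind "no valid hostname" (no PTR at all, or a PTR whose name does not resolve back to the IP) for the senders logged as host=NULL. The regex is modelled on the log line quoted above; the sample log lines, names and addresses are constructed, and the resolver functions are injectable so the sample runs offline.

```python
import re
import socket

# The "(host=NAME [IP])" part of a log line shaped like the one quoted above.
HOST_RE = re.compile(r"\(host=(\S+) \[([0-9A-Fa-f.:]+)\]\)")

def system_ptr(ip):
    """Names in the PTR record(s) for ip, or [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_forward(name):
    """Addresses the name resolves to (A/AAAA), or [] when there are none."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """'no-ptr', 'ptr-unconfirmed' (PTR name does not map back) or 'confirmed'."""
    names = ptr(ip)
    if not names:
        return "no-ptr"
    confirmed = any(ip in forward(name) for name in names)
    return "confirmed" if confirmed else "ptr-unconfirmed"

def null_host_ips(log_lines):
    """IPs from log lines in which the host field is the literal NULL."""
    hits = (HOST_RE.search(line) for line in log_lines)
    return [m.group(2) for m in hits if m and m.group(1) == "NULL"]

# Constructed sample data: documentation address ranges and made-up names.
SAMPLE_PTR = {"192.0.2.20": ["ghost.example.net"], "192.0.2.10": ["mail.example.net"]}
SAMPLE_A = {"mail.example.net": ["192.0.2.10"]}
SAMPLE_LOG = [
    "2015-09-09 07:35:40 id1 SA: Action: scanned but message isn't spam: score=3.7 "
    "required=4.0 From <a@example.net> (host=NULL [192.0.2.20]) for x@example.org",
    "2015-09-09 07:36:02 id2 SA: Action: scanned but message isn't spam: score=0.1 "
    "required=4.0 From <b@example.net> (host=mail.example.net [192.0.2.10]) for x@example.org",
    "2015-09-09 07:37:15 id3 SA: Action: scanned but message isn't spam: score=2.9 "
    "required=4.0 From <c@example.net> (host=NULL [198.51.100.7]) for x@example.org",
]

def sample_report():
    # Classify each host=NULL sender in SAMPLE_LOG against the sample DNS data.
    return {ip: fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_A.get(n, []))
            for ip in null_host_ips(SAMPLE_LOG)}
```

Calling `fcrdns(ip)` with no other arguments uses the system resolver instead of the sample tables.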