Hi, I run an MTA (Hmailserver) that passes its mail through Spamassassin 3.4.1 on receiving emails. Currently the mail is 'collected' via POP from an external mail host, then put through SA, then the MTA subjects the email to its own internal anti-spam checks (such as SURBL and DNSBL lookups), and then it is dealt with accordingly based on the scores.
All normal stuff.

*ENVIRONMENT*

The EXTERNAL HOST mail server is on a subnet 195.26.90.xxx, and as such I have marked this as an 'internal relay' in my MTA. This is so that when it does its internal antispam checks, it then ignores the received headers that fit this range and does its DNSBL checks on addresses that are not in this range. All good so far.

*THE PROBLEM IN DETAIL*

I have some confusion. See these headers to this email:

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mailserver
X-Spam-Level:
X-Spam-Status: No, score=-4.2 required=3.0 tests=BAYES_00,HTML_MESSAGE,
    KHOP_RCVD_UNTRUST,RCVD_IN_DNSWL_LOW,RCVD_IN_HOSTKARMA_W,RCVD_IN_HOSTKARMA_WL,
    RCVD_IN_MSPIKE_H2 autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:
    * -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
    *      [195.26.90.72 listed in wl.mailspike.co]
    * -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
    *      trust
    *      [195.26.90.72 listed in list.dnswl.org]
    * -0.1 RCVD_IN_HOSTKARMA_W RBL: HostKarma: relay in white list (first pass)
    *      [195.26.90.72 listed in hostkarma.junkemailfilter.co]
    * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    *      [score: 0.0000]
    *  0.0 HTML_MESSAGE BODY: HTML included in message
    * -2.0 RCVD_IN_HOSTKARMA_WL RBL: HostKarma: unique whitelisted
    *  0.5 KHOP_RCVD_UNTRUST DNS-whitelisted sender is not verified
    *
X-hMailServer-ExternalAccount: POPdaily
Return-Path: <char...@chaxxxxxridlan.co>
Received: from mailin3.myhost.co (mailin3.myhost.co [195.26.90.113])
    (authenticated user=sylves...@mydomain.co bits=0)
    by ms7.myhost.co (Cyrus v2.4.16-Kolab-2.4.16-1.el6) with LMTPSA
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256/256 verify=YES);
    Tue, 07 Jun 2016 13:31:04 +0100
X-Sieve: CMU Sieve 2.4
Received: from mailsub2.myhost.co ([195.26.90.72])
    by mailin3.myhost.co with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.85)
    (envelope-from <char...@chaxxxxxridlan.co>)
    id 1bAG9w-0001Sw-2s
    for sylves...@mydomain.co; Tue, 07 Jun 2016 13:31:04 +0100
Received: from [2.25.50.35] (helo=[192.168.1.249])
    by mailsub2.myhost.co with esmtpsa (TLSv1:AES128-SHA:128)
    (Exim 4.85)
    (envelope-from <char...@chaxxxxxridlan.co>)
    id 1bAG9r-0002wq-Oo; Tue, 07 Jun 2016 13:31:03 +0100
From: Xxxxxxxxx <char...@chaxxxxxridlan.co>
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: multipart/alternative; boundary=Apple-Mail-32--483328467
Subject: [SPAM] re white matt vinyl
Date: Tue, 7 Jun 2016 13:30:59 +0100
References: <57554b88.1040...@mydomain.co>* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
Date: Tue, 7 Jun 2016 13:30:59 +0100
References: <57554b88.1040...@mydomain.net>
To: Liz Jones <liz.jo...@numbers-ltd.net>
Message-Id: <b4193a46-b100-4a01-97ca-b85ef2ee7...@chaxxxxxxdlan.net>
X-Mailer: Apple Mail (2.1085)
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by Spamhaus. - (Score: 5)
X-hMailServer-Reason-Score: 5

Now you should note that the last 3 headers show that my MTA's internal spam checks show that the email is deemed suspect ("Rejected by Spamhaus") as [2.25.50.35] appears in Spamhaus blacklist. (Check and you will see it's in the PBL list). (My MTA doesn't say anything about the addresses 195.26.90.72 or 195.26.90.113 because, as I said, it has been advised this range is trusted and bypasses them).

HOWEVER, and here are my questions please:

1, You can see that Spamassassin considered and evaluated the IP address 195.26.90.72 (as reported in its report). Now this is the SECOND received header in the list. And yet it doesn't evaluate the most recent (first on list) [195.26.90.113] which is also from the same range (only the final numbers differ). Why is this? Why one and not the other? (I note that in all cases this final/most recent relay is never checked by SA actually. Not a problem, very glad of it, but don't know why).

2, I also note that it didn't say anything about [2.25.50.35]. (It should also have found it in the Spamhaus BL just like the MTA did).

FYI: There is nothing in my SA config that would affect these decisions. This is the entirety of my conf file:

report_safe 0
add_header all Report _REPORT_
* score DRUGS_ERECTILE 10
dns_available yes
rewrite_header Subject [_HITS_]
trusted_networks 192.168.0.
required_score 3.0
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit USER_IN_WHITELIST on
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit ALL_TRUSTED on
endif # Mail::SpamAssassin::Plugin::Shortcircuit

*SUMMARY*

Any help to explain why only the 2nd address was evaluated and not the first, and why the 3rd one was not correctly found in Spamhaus would be appreciated.

Thanks

(I hope I haven't managed to post this twice. I'm still trying to understand how this mailing list operates).
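
The internal-relay handling described under *ENVIRONMENT* above, as an added example that is not part of the original post and is not hMailServer's or SpamAssassin's code: it walks the three Received headers from the message, drops relays inside the trusted range, and builds the DNSBL query name for what remains. Assumptions: "195.26.90.xxx" is treated as a /24, the function names are hypothetical, and zen.spamhaus.org stands in for whichever Spamhaus zone the MTA queries.

```python
import ipaddress
import re

# Assumption: the post gives the range only as "195.26.90.xxx"; a /24 is assumed.
INTERNAL_RELAYS = ipaddress.ip_network("195.26.90.0/24")

# The three Received headers from the post, unfolded and trimmed to the
# "from ... by ..." part that identifies each hop (newest first).
RECEIVED = [
    "from mailin3.myhost.co (mailin3.myhost.co [195.26.90.113]) by ms7.myhost.co with LMTPSA",
    "from mailsub2.myhost.co ([195.26.90.72]) by mailin3.myhost.co with esmtps",
    "from [2.25.50.35] (helo=[192.168.1.249]) by mailsub2.myhost.co with esmtpsa",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received):
    """Return the connecting IP of one hop, or None if it cannot be parsed."""
    from_part = received.split(" by ", 1)[0]
    # The HELO literal is supplied by the client and is not the peer address.
    from_part = re.sub(r"helo=\[[^\]]*\]", "", from_part)
    match = BRACKETED_IP.search(from_part)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def dnsbl_candidates(headers, internal=INTERNAL_RELAYS):
    """Relay IPs left for DNSBL lookup once internal relays are skipped."""
    candidates = []
    for header in headers:
        ip = connecting_ip(header)
        if ip is not None and ip not in internal:
            candidates.append(ip)
    return candidates


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


if __name__ == "__main__":
    for ip in dnsbl_candidates(RECEIVED):
        print(ip, "->", dnsbl_query_name(ip))
```
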