Hi,

On Thursday, 08.12.2016, 16:25 +0000, RW wrote:
> On Thu, 08 Dec 2016 16:54:26 +0100
> Marcus Schopen wrote:
>
> > Hi,
> >
> > some of my users forward external mails to my host. In some cases
> > those forwarding hosts don't filter spam. How do I parse back through
> > forwarding headers to find the true source IP and run dnsrbl checks on
> > that IP? I don't want to reject those mails in case of spam, so that
> > the forwarding host will become a backscatter, but just mark them.
> > I tried to set the forwarding host IPs to trusted_networks, which
> > helps with wrong dnswl.org checks, but RBL checks are disabled then.
> > Any ideas how to handle that?
>
> You need to put them in internal networks for spamassassin to do
> last-external checks.

Thanks to all for helping!

The forwarded mails go this way:

Scammer -> 62.146.106.13[2-3] -> 62.146.106.2[1-6] -> MY_IP

My current setup looks like this now:

-----------
trusted_networks MY_IP
# udag.de forwarding: forwarding servers connecting MY_IP
trusted_networks 62.146.106.21
trusted_networks 62.146.106.22
trusted_networks 62.146.106.23
trusted_networks 62.146.106.24
trusted_networks 62.146.106.25
trusted_networks 62.146.106.26
# udag.de forwarding: original receiving servers
trusted_networks 62.146.106.132
trusted_networks 62.146.106.133
-----------

I didn't set any internal_networks, because "If trusted_networks is set and
internal_networks is not, the value of trusted_networks will be used for this
parameter."[1], so in my understanding my internal_networks are equal to
trusted_networks.

After adding the above rules to my SA config I checked some incoming mails and
filtering seems to be correct. The forwarding servers 62.146.106.2[1-6] are not
listed e.g. on SPAMCOP, INPS.de etc., so it must be the scammer's IP, and the
DNSWL check doesn't come up with a RCVD_IN_DNSWL_LOW hit, which one gets if the
62.146.106.2[1-6] hosts are checked directly:

--------
Dec 9 18:55:09 server mimedefang.pl[19467]: uB9Ht5SU012194: MDLOG,uB9Ht5SU012194,spam,22.67 BAYES_50 DIGEST_MULTIPLE DKIM_SIGNED FROM_EXCESS_BASE64 HTML_IMAGE_ONLY_24 HTML_MESSAGE MIME_HTML_ONLY PYZOR_CHECK RAZOR2_CF_RANGE_51_100 RAZOR2_CF_RANGE_E8_51_100 RAZOR2_CHECK RCVD_IN_BL_SPAMCOP_NET RCVD_IN_BRBL_LASTEXT RCVD_IN_DNSBL_INPS_DE RCVD_IN_SBL RCVD_IN_SBL_CSS RP_MATCHES_RCVD T_DKIM_INVALID URIBL_ABUSE_SURBL URIBL_BLACK URIBL_DBL_SPAM URIBL_SBL URIBL_SBL_A,62.146.106.23,<srs0 +jcbd=xy=r-resources.com=noreply-n-ztzccx-mspy.k...@udag.de>,<mar...@mydomain.de>,Subject ...
--------

I checked another user, who is forwarding mails from ISP Strato to my host, and
there is a strange Received header set on the forwarder side. In this case
mails go this way:

Scammer -> 81.169.145.98 -> 81.169.146.14[4-9] -> MY_IP

But the receiving IP smtp.rzone.de[81.169.145.98] never comes up in the
Received header. The header looks like this:

-----
Received: from srv544.mailer-service.de ([62.138.228.44])
    by smtp.rzone.de (RZmta 39.10 OK)
    with ESMTP id A02f69sB9H4Aw9o
    for <mar...@mydomain.de>;
    Fri, 9 Dec 2016 18:04:10 +0100 (CET)
-----

How can SA parse back to the original receiving host IP
smtp.rzone.de[81.169.145.98], if they just come up with "smtp.rzone.de (RZmta
39.10 OK)"? Would that nevertheless work, or is it in this case only possible
to put the outgoing servers 81.169.146.14[4-9] into my trusted_networks, and
does that make sense at all then?

Ciao
Marcus

[1] https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

-- 
,---- [ Marcus Schopen ]
| (0>
| //\
| V_/_ D-33602 Bielefeld
`----
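The trust-path walk the thread is about, as an added illustration (not code from the list posts or from SpamAssassin itself): it steps through the Received headers newest-first, treats every hop whose connecting IP is in trusted_networks as part of the trust path, and reports the first untrusted hop as the last external relay. It assumes internal_networks equals trusted_networks, as in the config above; the hostnames, the Strato forwarder range and the sender address follow the post, while MY_IP (192.0.2.10), queue ids and timestamps are constructed placeholders.

```python
import ipaddress
import re

# Constructed Received headers (newest first) for the Strato path in the post:
# forwarder 81.169.146.147 -> our MX. Queue ids and timestamps are made up.
STRATO_RECEIVED = [
    "from mailin147.rzone.de ([81.169.146.147]) by mx.mydomain.de (Postfix) "
    "with ESMTPS id 4tXYZ for <marcus@mydomain.de>; Fri, 9 Dec 2016 18:04:11 +0100",
    "from srv544.mailer-service.de ([62.138.228.44]) by smtp.rzone.de (RZmta 39.10 OK) "
    "with ESMTP id A02f69sB9H4Aw9o for <marcus@mydomain.de>; Fri, 9 Dec 2016 18:04:10 +0100",
    "from localhost (localhost [127.0.0.1]) by srv544.mailer-service.de with ESMTP id 1",
]

MY_IP = ipaddress.ip_network("192.0.2.10/32")  # placeholder for the post's MY_IP
# Strato outgoing servers, 81.169.146.14[4-9] in the post's notation.
STRATO_OUT = [ipaddress.ip_network(f"81.169.146.{n}/32") for n in range(144, 150)]

# The connecting address of a hop is the bracketed IPv4 literal in its "from" clause.
FROM_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_ip(received):
    """Return the IP that handed the message to the 'by' host, or None."""
    m = FROM_IP_RE.search(received.split(" by ", 1)[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def last_external(received, trusted):
    """Walk hops newest-first; the first hop whose connecting IP is outside
    every trusted network is the last external relay, i.e. the address the
    *_LASTEXT DNSBL rules should be looked up for.  Only the 'from' IP of
    each hop is consulted, so a 'by' clause without an address (such as
    'by smtp.rzone.de (RZmta 39.10 OK)') does not get in the way.
    Returns (hop_index, ip), or (None, None) when every hop is trusted."""
    for i, hdr in enumerate(received):
        ip = from_ip(hdr)
        if ip is None:
            continue  # hop without a parsable IP: skipped in this illustration
        if any(ip in net for net in trusted):
            continue  # our own MX or a known forwarder: keep walking
        return i, ip
    return None, None


if __name__ == "__main__":
    # Forwarder not trusted: the lookup lands on Strato's own server (the DNSWL hit).
    print(last_external(STRATO_RECEIVED, [MY_IP]))
    # Forwarder trusted: the lookup reaches the real sender 62.138.228.44.
    print(last_external(STRATO_RECEIVED, [MY_IP] + STRATO_OUT))
```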