On 08.02.17 at 12:01, i...@lauf-forum.at wrote:

[...]

What is the difference between the two mail headers? I don't see one. The only difference I can see is that the nonspam mail has only the IP of the sender in the header and the spam mail has also the reverse DNS entry of the IP in the header.

The key difference is the transfer method: HTTP vs. HTTPS

I tested it with spamassassin 3.4.0. With your original header, spamassassin parses the webmail client ip as untrusted:

Feb 8 12:32:46.189 [2306] dbg: received-header: parsed as [ ip=212.186.35.163 rdns=212-186-35-163.cable.dynamic.surfer.at helo=212-186-35-163.cable.dynamic.surfer.at by=webmail.lauf-forum.at ident= envfrom= intl=0 id= auth= msa=0 ]
Feb 8 12:32:46.189 [2306] dbg: received-header: do not trust any hosts from here on
Feb 8 12:32:46.189 [2306] dbg: received-header: relay 212.186.35.163 trusted? no internal? no msa? no

If I change only HTTPS to HTTP in the first received header, thus:

Received: from 212-186-35-163.cable.dynamic.surfer.at (212-186-35-163.cable.dynamic.surfer.at [212.186.35.163]) by webmail.lauf-forum.at (Horde Framework) with HTTP; Tue, 07 Feb 2017 21:57:06 +0000

spamassassin gets it (see the auth=HTTP):

Feb 8 12:56:16.627 [2735] dbg: received-header: parsed as [ ip=212.186.35.163 rdns=212-186-35-163.cable.dynamic.surfer.at helo=212-186-35-163.cable.dynamic.surfer.at by=webmail.lauf-forum.at ident= envfrom= intl=0 id= auth=HTTP msa=0 ]
Feb 8 12:56:16.627 [2735] dbg: received-header: authentication method HTTP
Feb 8 12:56:16.627 [2735] dbg: received-header: relay 212.186.35.163 trusted? yes internal? yes msa? no

With the correct parsing spamassassin identifies the relay correctly as trusted (ALL_TRUSTED fires for this mail) and therefore doesn't use 212.186.35.163 for IP checks.

It's a parsing error in spamassassin. I don't know whether it's fixed in 3.4.1.


Best regards,
Edda
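
A helper for comparing the two debug outputs quoted in the message, added here as an example; it is not part of the original message and not SpamAssassin code. It parses `received-header` debug lines and lists relays that were handed to a named webmail host but parsed with an empty `auth=` and left untrusted. The function names and the `webmail_hosts` parameter are assumptions; the sample lines are copied from the message.

```python
import re

# Sample debug lines copied from the message above (SpamAssassin 3.4.0).
HTTPS_LOG = (
    "Feb 8 12:32:46.189 [2306] dbg: received-header: parsed as [ ip=212.186.35.163 "
    "rdns=212-186-35-163.cable.dynamic.surfer.at helo=212-186-35-163.cable.dynamic.surfer.at "
    "by=webmail.lauf-forum.at ident= envfrom= intl=0 id= auth= msa=0 ]\n"
    "Feb 8 12:32:46.189 [2306] dbg: received-header: do not trust any hosts from here on\n"
    "Feb 8 12:32:46.189 [2306] dbg: received-header: relay 212.186.35.163 trusted? no internal? no msa? no\n"
)
HTTP_LOG = (
    "Feb 8 12:56:16.627 [2735] dbg: received-header: parsed as [ ip=212.186.35.163 "
    "rdns=212-186-35-163.cable.dynamic.surfer.at helo=212-186-35-163.cable.dynamic.surfer.at "
    "by=webmail.lauf-forum.at ident= envfrom= intl=0 id= auth=HTTP msa=0 ]\n"
    "Feb 8 12:56:16.627 [2735] dbg: received-header: authentication method HTTP\n"
    "Feb 8 12:56:16.627 [2735] dbg: received-header: relay 212.186.35.163 trusted? yes internal? yes msa? no\n"
)

# Matches either a "parsed as [ ... ]" line or a "relay ... trusted? ..." verdict line.
EVENT = re.compile(
    r"received-header: (?:parsed as \[ (?P<fields>.*?) \]"
    r"|relay (?P<ip>\S+) trusted\? (?P<trusted>yes|no) internal\? (?P<internal>yes|no))"
)

def relays(log):
    """Return one dict per relay verdict, merged with the fields parsed for that IP."""
    parsed, out = {}, []
    for m in EVENT.finditer(log):
        if m.group("fields") is not None:
            # Fields are space-separated key=value pairs; values may be empty (auth=).
            f = dict(t.split("=", 1) for t in m.group("fields").split() if "=" in t)
            parsed[f.get("ip")] = f
        else:
            rec = dict(parsed.get(m.group("ip"), {"ip": m.group("ip")}))
            rec["trusted"] = m.group("trusted") == "yes"
            rec["internal"] = m.group("internal") == "yes"
            out.append(rec)
    return out

def unauthenticated_webmail_relays(log, webmail_hosts):
    """IPs handed to one of our webmail hosts but parsed without auth and left untrusted."""
    return [r["ip"] for r in relays(log)
            if r.get("by") in webmail_hosts and not r.get("auth") and not r["trusted"]]

if __name__ == "__main__":
    for name, log in (("HTTPS", HTTPS_LOG), ("HTTP", HTTP_LOG)):
        print(name, unauthenticated_webmail_relays(log, {"webmail.lauf-forum.at"}))
```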

