On Sat, 17 Jun 2017 08:55:48 -0700 (MST) hmiller wrote:

> Hi,
>
> Commonly RCVD_IN_ rules are checking the last untrusted relay,

Most positive scoring rules check the last-external.

> but
> RCVD_IN_SORBS_WEB is apparently doing all Received hops.
>
> Received: from host (host [2.2.2.2]) #The last untrusted relay
> Received: from [192.168.1.100] ([1.1.1.1]) #Authenticated MUA
>
> I would expect it to check only 2.2.2.2 (the last untrusted hop), but
> in this case 1.1.1.1 was listed in SORBS_WEB and was scored 1.50.

In theory it seems reasonable:

describe RCVD_IN_SORBS_WEB SORBS: sender is an abusable web server

An abused web-server may relay through a separate mail server. And since web servers usually have static addresses it shouldn't be a problem to do a deep check.

However in this case it looks like a dynamic address has got into list. If this is common, it may be necessary to make it last-external. It may be worth creating a separate last-external rule and see what happens to the scores.
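
An added illustration, not part of the original message and not SpamAssassin's own code: a simplified model of a deep check versus a last-external check, run over the two Received lines quoted above. The listed-address set, the zone name `dnsbl.example` and all function names are constructed for the example.

```python
import ipaddress
import re

# Connecting IP as recorded by the receiving server: "(name [ip])" or "([ip])".
_CONN_IP = re.compile(r"\((?:[^\s()\[\]]+\s+)?\[([0-9A-Fa-f.:]+)\]\)")

# The two Received lines from the message, newest hop first.
RECEIVED = [
    "from host (host [2.2.2.2])",
    "from [192.168.1.100] ([1.1.1.1])",
]
LISTED = {"1.1.1.1"}      # constructed stand-in for the DNSBL's contents
ZONE = "dnsbl.example"    # hypothetical zone name


def relay_ips(received):
    """Connecting IPs, newest hop first; lines without one are skipped."""
    ips = []
    for line in received:
        m = _CONN_IP.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def external_relays(received, internal=()):
    """Hops from the last-external relay back toward the origin."""
    nets = [ipaddress.ip_network(n) for n in internal]
    ips = relay_ips(received)
    for i, ip in enumerate(ips):
        if not any(ip in net for net in nets):
            return ips[i:]
    return []


def query_name(ip, zone=ZONE):
    """DNSBL query name for an IPv4 address: reversed octets + zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def hits(received, mode, internal=(), listed=LISTED):
    """IPs a rule would match; mode is 'deep' or 'lastexternal'."""
    relays = external_relays(received, internal)
    if mode == "lastexternal":
        relays = relays[:1]
    # Private addresses are never looked up in a public list.
    return [str(ip) for ip in relays if not ip.is_private and str(ip) in listed]
```

With the sample headers, the deep mode matches 1.1.1.1 (the authenticated MUA's address) while the last-external mode looks only at 2.2.2.2 and matches nothing.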