Re: rDNS problem

2008-11-21 Thread Matt Kettler
Jeff Koch wrote:
>
> Hi All
>
> Hopefully another pair of eyes can help find the reason for this rDNS
> error. Here's SA header message:
>
> *  1.0 RDNS_NONE Delivered to trusted network by a host with
> no rDNS
> Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)
>
> As far as I can tell 'cronus.intersessions.com' has reverse setup and
> it matches 74.220.16.65.
>
> What am I missing?
>
AFAIK SA doesn't go out and do its own RDNS lookup for this. It trusts
your MTA's header (since it is a trusted host).

The MTA's header says the reverse DNS is "unknown". So, SA assumes it
failed lookup.

Might want to fix that first.





Re: rDNS problem (SOLVED)

2008-11-21 Thread Benny Pedersen

On Sat, November 22, 2008 02:23, mouss wrote:
> Jeff Koch wrote:
>> As far as I can tell 'cronus.intersessions.com' has reverse setup and it
>> matches 74.220.16.65.
> there's no thing like "cronus.intersessions.com has reverse setup".
> really. reverse is for an IP.
>> What am I missing?
>
> a real MTA?

sendmail ?

PS: Jeff please don't CC me, you don't have a problem any longer
http://moensted.dk/spam/?addr=74.220.16.65&Submit=Submit

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: rDNS problem

2008-11-21 Thread mouss
Jeff Koch wrote:
> 
> Hi All
> 
> Hopefully another pair of eyes can help find the reason for this rDNS
> error. Here's SA header message:
> 
> *  1.0 RDNS_NONE Delivered to trusted network by a host with no
> rDNS
> Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)
> 

your _MTA_ decided to add a Received header with "unknown" as
the reverse DNS.

If you don't like it, you can:
- use another MTA
- complain to the MTA vendor/developer/whomever

don't tell me you're still running qmail ;-p

> As far as I can tell 'cronus.intersessions.com' has reverse setup and it
> matches 74.220.16.65.

there's no thing like "cronus.intersessions.com has reverse setup".
really. reverse is for an IP.

> 
> What am I missing?

a real MTA?





Re: rDNS problem

2008-11-21 Thread Jeff Koch


Hi Benny:

Reverse DNS seems to work via dig and nslookup but the links, although 
indicating a problem, were not terribly helpful in explaining the cause. 
Apparently, you know more than I do. Perhaps you could reveal a little more 
info so we can get this straightened out. I would really appreciate it.


Jeff



At 07:53 PM 11/21/2008, you wrote:


On Sat, November 22, 2008 01:41, Jeff Koch wrote:

> How do I correct this problem? When I run 'nslookup 74.220.16.65' from
> various machines it shows the correct answer.

your computer, your problem :)

i showed 2 links, should i show more ?

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Best Regards,

Jeff Koch, Intersessions 



Re: rDNS problem

2008-11-21 Thread Len Conrad

>How do I correct this problem? When I run 'nslookup 74.220.16.65' from various 
>machines it shows the correct answer.

dig cronus.intersessions.com. @ns.intersessions.com. +short
74.220.16.65

dig -x 74.220.16.65 @ns.intersessions.com. +short
cronus.intersessions.com.

so there is PTR+A "match".

delegation of the PTR is OK:

dig -x 74.220.16.65  +trace

; <<>> DiG 9.2.3 <<>> -x 74.220.16.65 +trace
;; global options:  printcmd
.   16937   IN  NS  h.root-servers.net.
.   16937   IN  NS  c.root-servers.net.
.   16937   IN  NS  b.root-servers.net.
.   16937   IN  NS  j.root-servers.net.
.   16937   IN  NS  g.root-servers.net.
.   16937   IN  NS  e.root-servers.net.
.   16937   IN  NS  d.root-servers.net.
.   16937   IN  NS  i.root-servers.net.
.   16937   IN  NS  k.root-servers.net.
.   16937   IN  NS  m.root-servers.net.
.   16937   IN  NS  f.root-servers.net.
.   16937   IN  NS  a.root-servers.net.
.   16937   IN  NS  l.root-servers.net.
;; Received 321 bytes from 207.203.133.65#53(207.203.133.65) in 3 ms

74.in-addr.arpa.        86400   IN  NS  DILL.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  BASIL.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  Y.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  Z.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  INDIGO.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  HENNA.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  EPAZOTE.ARIN.NET.
74.in-addr.arpa.        86400   IN  NS  CHIA.ARIN.NET.
;; Received 204 bytes from 192.33.4.12#53(c.root-servers.net) in 23 ms

16.220.74.in-addr.arpa. 86400   IN  NS  NS2.INTERSESSIONS.COM.
16.220.74.in-addr.arpa. 86400   IN  NS  NS.INTERSESSIONS.COM.
;; Received 95 bytes from 192.35.51.32#53(DILL.ARIN.NET) in 75 ms

65.16.220.74.in-addr.arpa. 10800 IN PTR cronus.intersessions.com.
16.220.74.in-addr.arpa. 10800   IN  NS  ns.intersessions.com.
16.220.74.in-addr.arpa. 10800   IN  NS  ns2.intersessions.com.
;; Received 148 bytes from 216.235.79.235#53(NS2.INTERSESSIONS.COM) in 38 ms

and delegation is also OK for the intersessions.com zone.

If there is a problem somewhere resolving the PTR, it's not with your NSs.

Len



__
IMGate OpenSource Mail Firewall www.IMGate.net
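
The PTR+A "match" shown with dig in the message above, written as a forward-confirmed reverse DNS check. This is an added example, not code from the thread: `fcrdns`, `ptr_owner` and the `sample_*` lookups are names chosen here, and the sample table is constructed from the two dig answers in the message. With the default lookups it asks the resolver of the host it runs on, so running it on the mail server shows what that machine resolves rather than what the authoritative servers hold.

```python
import ipaddress
import socket


def ptr_owner(ip):
    """Owner name of the PTR record for ip, e.g. 65.16.220.74.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def system_ptr(ip):
    """PTR names for ip from the local system resolver; [] if the lookup fails."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:  # covers socket.herror and socket.gaierror
        return []
    return [name] + aliases


def system_a(name):
    """IPv4 addresses for name from the local system resolver; [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def fcrdns(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """PTR(ip) gives names; a name is confirmed if A(name) contains ip.

    Returns (status, confirmed_names) with status 'no-ptr', 'mismatch' or 'match'.
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(addr))]
    if not names:
        return "no-ptr", []
    confirmed = [
        n for n in names
        if any(ipaddress.ip_address(a) == addr for a in a_lookup(n))
    ]
    return ("match" if confirmed else "mismatch"), confirmed


# Constructed sample data mirroring the two dig answers in the message.
SAMPLE_PTR = {"74.220.16.65": ["cronus.intersessions.com."]}
SAMPLE_A = {"cronus.intersessions.com": ["74.220.16.65"]}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_a(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    print(ptr_owner("74.220.16.65"))
    print(fcrdns("74.220.16.65", sample_ptr, sample_a))
```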



Re: rDNS problem

2008-11-21 Thread Benny Pedersen

On Sat, November 22, 2008 01:41, Jeff Koch wrote:

> How do I correct this problem? When I run 'nslookup 74.220.16.65' from
> various machines it shows the correct answer.

your computer, your problem :)

i showed 2 links, should i show more ?

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: rDNS problem

2008-11-21 Thread Francis Russell
> RDNS_NONE is defined by the following rules:
> 
> meta   RDNS_NONE     (__RDNS_NONE && !__CGATE_RCVD)
> header __RDNS_NONE   X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns= /
> header __CGATE_RCVD  Received =~ /by \S+ \(CommuniGate Pro/

OK, I'm going to have one more go. The RDNS_NONE rule is triggered by
the __RDNS_NONE rule above which is a regular expression. The header you
posted didn't match this rule so it's quite possible it has nothing to
do with the RDNS_NONE rule being triggered whatsoever.

Please post the full message headers.

Francis


Re: rDNS problem

2008-11-21 Thread Jeff Koch


Hi Benny:

How do I correct this problem? When I run 'nslookup 74.220.16.65' from 
various machines it shows the correct answer.



At 07:02 PM 11/21/2008, you wrote:


On Sat, November 22, 2008 00:22, Jeff Koch wrote:

> As far as I can tell 'cronus.intersessions.com' has reverse setup and it
> matches 74.220.16.65.
>
> What am I missing?

http://www.robtex.com/ip/74.220.16.65.html see the graph, no PTR, and no A 
there


http://www.robtex.com/dns/cronus.intersessions.com.html see graph :)

PTR and A works

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Best Regards,

Jeff Koch, Intersessions 



Re: rDNS problem

2008-11-21 Thread Benny Pedersen

On Sat, November 22, 2008 00:31, Daniel J McDonald wrote:

> 74/8 was removed from the Bogon list in 2005, but maybe the recipient
> hasn't updated their bogon acl in bind...

rdns have nothing to do with rbl

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: rDNS problem

2008-11-21 Thread Benny Pedersen

On Sat, November 22, 2008 00:22, Jeff Koch wrote:

> As far as I can tell 'cronus.intersessions.com' has reverse setup and it
> matches 74.220.16.65.
>
> What am I missing?

http://www.robtex.com/ip/74.220.16.65.html see the graph, no PTR, and no A there

http://www.robtex.com/dns/cronus.intersessions.com.html see graph :)

PTR and A works

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: rDNS problem

2008-11-21 Thread Francis Russell
Jeff Koch wrote:

> Hopefully another pair of eyes can help find the reason for this rDNS
> error. Here's SA header message:
> 
> *  1.0 RDNS_NONE Delivered to trusted network by a host with no
> rDNS
> Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)
> 
> As far as I can tell 'cronus.intersessions.com' has reverse setup and it
> matches 74.220.16.65.
> 
> What am I missing?

Hi,

RDNS_NONE is defined by the following rules:

meta   RDNS_NONE     (__RDNS_NONE && !__CGATE_RCVD)
header __RDNS_NONE   X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns= /
header __CGATE_RCVD  Received =~ /by \S+ \(CommuniGate Pro/

which means it was probably triggered by one of the headers you didn't
include.

Francis
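
How the rules quoted above evaluate against the posted `Received` line, combined with Matt Kettler's point that SA takes the rDNS from the MTA's header. This is an added example, not SpamAssassin's code or anything posted in the thread: the parser handles only the qmail-style layout of the posted line, the `[ ip=... rdns=... helo=... ]` rendering is a simplified form of the relay pseudo-header, and treating "unknown" as an empty rdns is an assumption taken from that reply.

```python
import re

# The two header rules from the message, as Python regexes.
RDNS_NONE_RE = re.compile(r"^[^\]]+ rdns= ")
CGATE_RCVD_RE = re.compile(r"by \S+ \(CommuniGate Pro")

# Layout of the posted line: "from <rdns> (HELO <helo>) (<ip>)".
QMAIL_RCVD_RE = re.compile(
    r"^from (?P<rdns>\S+) \(HELO (?P<helo>\S+)\) "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)

# The Received value posted in the thread.
POSTED = "from unknown (HELO cronus.intersessions.com) (74.220.16.65)"


def parse_qmail_received(value):
    """Return ip/rdns/helo from a qmail-style Received value, or None."""
    m = QMAIL_RCVD_RE.match(value.strip())
    if m is None:
        return None
    relay = m.groupdict()
    # Assumption from the thread: "unknown" is what the MTA writes when its
    # own PTR lookup failed, so it is recorded as an empty rdns.
    if relay["rdns"].lower() == "unknown":
        relay["rdns"] = ""
    return relay


def relays_pseudo_header(relays):
    """Render relays, newest first, as '[ ip=.. rdns=.. helo=.. ]' entries."""
    return " ".join(
        "[ ip={ip} rdns={rdns} helo={helo} ]".format(**r) for r in relays
    )


def rdns_none_fires(received_values):
    """Evaluate meta RDNS_NONE = (__RDNS_NONE && !__CGATE_RCVD)."""
    relays = [r for r in map(parse_qmail_received, received_values) if r]
    untrusted = relays_pseudo_header(relays)
    # [^\]]+ cannot cross the first ']', so only the first relay is examined.
    rdns_none = bool(RDNS_NONE_RE.search(untrusted))
    cgate = any(CGATE_RCVD_RE.search(v) for v in received_values)
    return rdns_none and not cgate


if __name__ == "__main__":
    print(relays_pseudo_header([parse_qmail_received(POSTED)]))
    print(rdns_none_fires([POSTED]))
```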


Re: rDNS problem

2008-11-21 Thread Daniel J McDonald
On Fri, 2008-11-21 at 18:22 -0500, Jeff Koch wrote:
> Hi All
> 
> Hopefully another pair of eyes can help find the reason for this rDNS 
> error. Here's SA header message:
> 
>  *  1.0 RDNS_NONE Delivered to trusted network by a host with no rDNS
> Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)
> 
> As far as I can tell 'cronus.intersessions.com' has reverse setup and it 
> matches 74.220.16.65.
> 
> What am I missing?

74/8 was removed from the Bogon list in 2005, but maybe the recipient
hasn't updated their bogon acl in bind...

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



rDNS problem

2008-11-21 Thread Jeff Koch


Hi All

Hopefully another pair of eyes can help find the reason for this rDNS 
error. Here's SA header message:


*  1.0 RDNS_NONE Delivered to trusted network by a host with no rDNS
Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)

As far as I can tell 'cronus.intersessions.com' has reverse setup and it 
matches 74.220.16.65.


What am I missing?




Best Regards,

Jeff Koch, Intersessions 



Re: Is spam volume really down

2008-11-21 Thread Marc Perkel

I noticed the size of my black list dropped by more than 1/3 this last week.


Re: Use of blacklist_form

2008-11-21 Thread Kai Schaetzl
Sujit Acharyya-Choudhury wrote on Fri, 21 Nov 2008 14:01:27 -:

> No I am talking about mails to our University with fake (or undesirable)
> address so that some of our users can reply-to them with their identities,
> i.e. usernames & passwords and there by allowing the spammer to steal
> the identities.

And what has this to do with "not marking as spam anything from our 
network"? You will need to explain details of what you do/mean and why it is 
a problem in this context, a few pieces of meat won't help.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Use of blacklist_form

2008-11-21 Thread Steve Freegard

Sujit Acharyya-Choudhury wrote:

> No I am talking about mails to our University with fake (or undesirable) address so
> that some of our users can reply-to them with their identities, i.e. usernames
> & passwords and there by allowing the spammer to steal the identities.
>
> What I meant that how can I stop people replying to e-mails from our
> network, given that we don't tag them as spam


Do it in your MTA then... for example Sendmail; /etc/mail/access:

to:[EMAIL PROTECTED]    REJECT
to:[EMAIL PROTECTED]    REJECT

or

to:[EMAIL PROTECTED]    ERROR:"550 Reply to a phishing drop-box rejected"

That will stop your MTA sending messages out to these mailboxes and 
instead the sender will get a DSN with the SMTP rejection text.


Modify to suit whichever MTA you use...

Regards,
Steve.


RE: Use of blacklist_form

2008-11-21 Thread Sujit Acharyya-Choudhury
No I am talking about mails to our University with fake (or undesirable) 
address so that some of our users can reply-to them with their identities, i.e. 
usernames & passwords and there by allowing the spammer to steal the identities.

Regards

Sujit



Sujit Choudhury
-Original Message-
From: Kai Schaetzl [mailto:[EMAIL PROTECTED] 
Sent: 21 November 2008 13:42
To: users@spamassassin.apache.org
Subject: Re: Use of blacklist_form

Sujit Acharyya-Choudhury wrote on Fri, 21 Nov 2008 13:00:06 -:

> > Also since we do not mark anything as Spam coming from our network
> (i.e. in local.cf we have trusted_networks 161.74/16)

That doesn't mean "not mark as spam"!

> What I meant that how can I stop people replying to e-mails from our
> network, given that we don't tag them as spam

I'm afraid, I'm with Ian here and still don't understand what you are 
doing or what your problem is. Are you talking about spam email with faked 
addresses originating from your network and sent to your network?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




--
The University of Westminster is a charity and a company limited by
guarantee.  Registration number: 977818 England.  Registered Office:
309 Regent Street, London W1B 2UW, UK.


Re: Use of blacklist_form

2008-11-21 Thread Kai Schaetzl
Sujit Acharyya-Choudhury wrote on Fri, 21 Nov 2008 13:00:06 -:

> > Also since we do not mark anything as Spam coming from our network
> (i.e. in local.cf we have trusted_networks 161.74/16)

That doesn't mean "not mark as spam"!

> What I meant that how can I stop people replying to e-mails from our
> network, given that we don't tag them as spam

I'm afraid, I'm with Ian here and still don't understand what you are 
doing or what your problem is. Are you talking about spam email with faked 
addresses originating from your network and sent to your network?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Is spam volume really down

2008-11-21 Thread Richard Bishop



> Is this news true ( spams down by 75% )
>
>
http://www.securecomputing.net.au/News/128340%2cspam-volumes-drop-75-percent-in-a-day.aspx
>
>

It seems that it is (at least from where I'm sitting).  Spam caught on our
filters dropped by around about 31% on 11/11/2008.  Graphing the amount of
spam processed per hour there is a definite plummet around about the time
when McColo was pulled (9am EST / 14.00 GMT).

I've graphed the data in Excel and uploaded it to ImageShack:
http://img511.imageshack.us/img511/1235/mccologa6.gif  It seems to be
creeping back up slowly, certainly there was a spike on 14/11/2008
(Friday).  I wonder what caused that?

I'd certainly be interested if other people saw something similar.  On a
similar note, does anybody remember what happened on 16/02/2008?  The
amount of spam coming through our systems seemed to have jumped by 530%!



Regards


Richard



RE: Use of blacklist_form

2008-11-21 Thread Sujit Acharyya-Choudhury
> Also since we do not mark anything as Spam coming from our network
(i.e. in local.cf we have trusted_networks 161.74/16)

>how do I ensure that reply_to these mail addresses will work?

 

What I meant that how can I stop people replying to e-mails from our
network, given that we don't tag them as spam even if the reply_to
address is in the blacklist and without specifically blocking mail with
such address without using the MTA (which in our case is exim)

Sujit Choudhury 





From: Sujit Acharyya-Choudhury [mailto:[EMAIL PROTECTED] 
Sent: 21 November 2008 12:02
To: users@spamassassin.apache.org
Subject: Use of blacklist_form



Google Anti-phishing-email-reply
(http://code.google.com/p/anti-phishing-e-mail-reply
 ) contains reply
addresses being used in phishing campaigns.  I would like to use
blacklist_from and blacklist_to for these addresses.  I was wondering
whether blacklist_to and blacklist_form is still available in the
SpamAssassin version 3.2.5 and if that is the case what score do they
get?

Also since we do not mark anything as Spam coming from our network (i.e.
in local.cf we have trusted_networks as our own networks, how do I
ensure that reply_to these mail addresses will work?


Sujit Choudhury 


The University of Westminster is a charity and a company limited by
guarantee. Registration number: 977818 England. Registered Office: 309
Regent Street, London W1B 2UW.





Re: Use of blacklist_form

2008-11-21 Thread McDonald, Dan
On Fri, 2008-11-21 at 12:01 +, Sujit Acharyya-Choudhury wrote:
> Google Anti-phishing-email-reply
> (http://code.google.com/p/anti-phishing-e-mail-reply) contains reply
> addresses being used in phishing campaigns.  I would like to use
> blacklist_from and blacklist_to for these addresses.  I was wondering
> whether blacklist_to and blacklist_form is still available in the
> SpamAssassin version 3.2.5 and if that is the case what score do they
> get?

The scores are derived from:
score USER_IN_BLACKLIST 100.000
score USER_IN_BLACKLIST_TO 10.000


> Also since we do not mark anything as Spam coming from our network
> (i.e. in local.cf we have trusted_networks as our own networks, how do
> I ensure that reply_to these mail addresses will work?

I'm sorry, I can't parse this sentence - somewhere I lost an antecedent.
Can you explain your problem again?

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Use of blacklist_form

2008-11-21 Thread Ned Slider

Sujit Acharyya-Choudhury wrote:

> Google Anti-phishing-email-reply
> (http://code.google.com/p/anti-phishing-e-mail-reply) contains reply
> addresses being used in phishing campaigns.  I would like to use
> blacklist_from and blacklist_to for these addresses.




The correct URL is:

http://code.google.com/p/anti-phishing-email-reply/



Use of blacklist_form

2008-11-21 Thread Sujit Acharyya-Choudhury
Google Anti-phishing-email-reply
(http://code.google.com/p/anti-phishing-e-mail-reply) contains reply
addresses being used in phishing campaigns.  I would like to use
blacklist_from and blacklist_to for these addresses.  I was wondering
whether blacklist_to and blacklist_form is still available in the
SpamAssassin version 3.2.5 and if that is the case what score do they
get?
Also since we do not mark anything as Spam coming from our network (i.e.
in local.cf we have trusted_networks as our own networks, how do I
ensure that reply_to these mail addresses will work?


Sujit Choudhury





Re: Intermediate Relay checked against RBL

2008-11-21 Thread Matus UHLAR - fantomas
> Oliver Welter <[EMAIL PROTECTED]> wrote:
> >   2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> > bl.spamcop.net [Blocked - see
> > ]
> >   1.1 RCVD_IN_SORBS_WEB  RBL: SORBS: sender is a abuseable web
> >  server [82.113.121.16 listed in
> > dnsbl.sorbs.net]

On 21.11.08 08:01, Cedric Knight, GreenNet wrote:
> In this situation, I'd add
>   trusted_networks 82.113.121.16/32
> to local.cf.  It looks like the O2 gateway has genuinely been abused.

Which is very common for GSM/* gateways, unless companies start taking care
(and blocking outgoing SMTP).

> If you are POP-before-SMTP authentication,
> http://wiki.apache.org/spamassassin/POPAuthPlugin can add to
> trusted_networks automatically.

Or, better use SMTP authentication (pop-before-smtp is not that safe), with
proper headers (so SA will know it was authenticated)

> >   1.3 MISSING_SUBJECTMissing Subject: header
> >   0.1 RDNS_NONE  Delivered to trusted network by a host
> > with no rDNS
> >   1.5 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
> 
> These look like some problem with the MUA.  You might want to check
> why the client isn't adding Message-Id and Subject headers.

seconded, just the RDNS_NONE is again the business of O2...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: OT: Google alerts FP's

2008-11-21 Thread Matus UHLAR - fantomas
> On Tue, 2008-11-18 at 11:26 +0100, Matus UHLAR - fantomas wrote:
> > On 17.11.08 18:15, Mark Martinec wrote:
> > > > I have been using USER_IN_SPF_WHITELIST to whitelist mails from google
> > > > alerts
> > > > It had been working fine , but last 2-3 days I see that these mails dont
> > > > get an SPF-pass. Seems guys at google are using some other servers
> > > 
> > > whitelist_from_dkim  [EMAIL PROTECTED]
> > 
> > whitelist_auth should apply for both SPF and DKIM
> > 
> > (hmmm, what if the mail passes one check, but fails the another?)

On 21.11.08 15:46, ram wrote:
> The trusted networks setting was wrong on one of the servers. That
> messed up the SPF. 

I thought SPF checks are done on internal_networks boundary, or?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: Question training the Bayse filter

2008-11-21 Thread Thomas Zastrow

Karsten Bräckelmann wrote:

> In short: More details and evidence, please. :)
>
>   guenther


  


Dear Guenther,

thanks and sorry for the late answer. In the meantime, I trained the 
filter with a lot more ham and spam, and now it works quite well. It 
seems so, that I definitely had not enough ham. Anyway, thanks for the 
detailed answer.


Best wishes,

Tom



Re: OT: Google alerts FP's

2008-11-21 Thread ram
On Tue, 2008-11-18 at 11:26 +0100, Matus UHLAR - fantomas wrote:
> On 17.11.08 18:15, Mark Martinec wrote:
> > > I have been using USER_IN_SPF_WHITELIST to whitelist mails from google
> > > alerts
> > > It had been working fine , but last 2-3 days I see that these mails dont
> > > get an SPF-pass. Seems guys at google are using some other servers
> > 
> > whitelist_from_dkim  [EMAIL PROTECTED]
> 
> whitelist_auth should apply for both SPF and DKIM
> 
> (hmmm, what if the mail passes one check, but fails the another?)
> 

Oops sorry,
The trusted networks setting was wrong on one of the servers. That
messed up the SPF. 



Re: Intermediate Relay checked against RBL

2008-11-21 Thread Justin Mason

Cedric Knight, GreenNet writes:
> Oliver Welter <[EMAIL PROTECTED]> wrote:
> >   2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> > bl.spamcop.net [Blocked - see
> > ]
> >   1.1 RCVD_IN_SORBS_WEB  RBL: SORBS: sender is a abuseable web
> >  server [82.113.121.16 listed in
> > dnsbl.sorbs.net]
> 
> In this situation, I'd add
>   trusted_networks 82.113.121.16/32
> to local.cf.  It looks like the O2 gateway has genuinely been abused.

Definitely.  It also appears in Spamcop and BRBL.

Also, you will need to add to trusted_networks any other gateways
between him and you, ie. 81.169.146.162, if it isn't already trusted.

--j.


Re: Intermediate Relay checked against RBL

2008-11-21 Thread Cedric Knight, GreenNet
Oliver Welter <[EMAIL PROTECTED]> wrote:
>   2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> bl.spamcop.net [Blocked - see
> ]
>   1.1 RCVD_IN_SORBS_WEB  RBL: SORBS: sender is a abuseable web
>  server [82.113.121.16 listed in
> dnsbl.sorbs.net]

In this situation, I'd add
  trusted_networks 82.113.121.16/32
to local.cf.  It looks like the O2 gateway has genuinely been abused.

If you are POP-before-SMTP authentication,
http://wiki.apache.org/spamassassin/POPAuthPlugin can add to
trusted_networks automatically.

>   1.3 MISSING_SUBJECTMissing Subject: header
>   0.1 RDNS_NONE  Delivered to trusted network by a host
> with no rDNS
>   1.5 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

These look like some problem with the MUA.  You might want to check
why the client isn't adding Message-Id and Subject headers.

HTH

CK