Re: how to parse back through forwarding headers to find the true source IP

2016-12-09 Thread Marcus Schopen
Hi,

On Thursday, 08.12.2016, at 16:25 +, RW wrote:
> On Thu, 08 Dec 2016 16:54:26 +0100
> Marcus Schopen wrote:
> 
> > Hi,
> > 
> > some of my users forward external mails to my host. In some cases
> > those forwarding hosts don't filter spam. How do I parse back through
> > forwarding headers to find the true source IP and run dnsrbl checks on
> > that IP. I don't want to reject those mails in case of spam, so that
> > the forwarding host will become a backscatter, but just marking them.
> > I tried to set the forwarding host IPs to trusted_networks, which
> > helps with wrong dnswl.org checks, but RBL checks are disabled then.
> > Any ideas how to handle that?
> 
> You need to put them in internal networks for spamassassin to do
> last-external checks. 

Thanks to all for helping!

The forwarded mails go this way:

Scammer -> 62.146.106.13[2-3] -> 62.146.106.2[1-6] -> MY_IP

My current setup looks like this now:

---
trusted_networks MY_IP

# udag.de forwarding: forwarding servers connecting MY_IP
trusted_networks 62.146.106.21
trusted_networks 62.146.106.22
trusted_networks 62.146.106.23
trusted_networks 62.146.106.24
trusted_networks 62.146.106.25
trusted_networks 62.146.106.26

# udag.de forwarding: original receiving servers 
trusted_networks 62.146.106.132
trusted_networks 62.146.106.133
---

I didn't set any internal_networks, because "If trusted_networks is set
and internal_networks is not, the value of trusted_networks will be used
for this parameter."[1], so in my understanding my internal_networks are
equal to trusted_networks.

After adding the above rules to my SA config I checked some incoming mails
and the filtering seems to be correct. The forwarding servers
62.146.106.2[1-6] are not listed e.g. on SPAMCOP, INPS.de etc., so it
must be the scammer's IP, and the DNSWL check doesn't come up with a
RCVD_IN_DNSWL_LOW hit, which one gets if the 62.146.106.2[1-6] hosts are
checked directly:


Dec  9 18:55:09 server mimedefang.pl[19467]: uB9Ht5SU012194:
MDLOG,uB9Ht5SU012194,spam,22.67 BAYES_50 DIGEST_MULTIPLE DKIM_SIGNED
FROM_EXCESS_BASE64 HTML_IMAGE_ONLY_24 HTML_MESSAGE MIME_HTML_ONLY
PYZOR_CHECK RAZOR2_CF_RANGE_51_100 RAZOR2_CF_RANGE_E8_51_100
RAZOR2_CHECK RCVD_IN_BL_SPAMCOP_NET RCVD_IN_BRBL_LASTEXT
RCVD_IN_DNSBL_INPS_DE RCVD_IN_SBL RCVD_IN_SBL_CSS RP_MATCHES_RCVD
T_DKIM_INVALID URIBL_ABUSE_SURBL URIBL_BLACK URIBL_DBL_SPAM URIBL_SBL
URIBL_SBL_A,62.146.106.23,,,Subject
 ...


I checked another user, who's forwarding mails from the ISP Strato to my
host, and there is a strange Received header set on the forwarder's side.
In this case the mails go this way:

Scammer -> 81.169.145.98 -> 81.169.146.14[4-9] -> MY_IP

But the receiving IP smtp.rzone.de[81.169.145.98] never shows up in the
Received header. The header looks like this:

-
Received: from srv544.mailer-service.de ([62.138.228.44])
by smtp.rzone.de (RZmta 39.10 OK)
with ESMTP id A02f69sB9H4Aw9o
for ;
Fri, 9 Dec 2016 18:04:10 +0100 (CET)
-

How can SA parse back to the original receiving host IP
smtp.rzone.de[81.169.145.98] if it just comes up as "smtp.rzone.de
(RZmta 39.10 OK)"? Would that nevertheless work, or is it in this case
only possible to put the outgoing servers 81.169.146.14[4-9] into my
trusted_networks, and does that make sense at all then?

Ciao
Marcus


[1]
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html


-- 
 , [ Marcus Schopen ] 
|  (0>   
|  //\ 
|  V_/_  D-33602 Bielefeld
|
 `
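
Added example (not code from the thread, SpamAssassin, or either poster): a simplified model of how SpamAssassin walks the Received: headers newest-first to find the "last external" relay, which is the IP the *_LASTEXT DNSBL checks are run against. It applies Marcus's udag.de config and the Strato case from the message above. Assumptions: MY_IP is stood in by 198.51.100.10, the scammer by 192.0.2.45 (both documentation ranges), hostnames such as mx-out.udag.example, out.rzone.example and the recipient address are constructed, and only the "from HOST ([IPv4])" / "from HOST (name [IPv4])" header forms are parsed (the real Mail::SpamAssassin::Message::Metadata::Received parser handles many more dialects and IPv6). The point it shows: the trust path is built from the *from* IP of each hop, so a "by" host with no IP, like "by smtp.rzone.de (RZmta 39.10 OK)", does not need to be in trusted_networks; only the Strato outgoing IPs that connect to MY_IP do.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, Optional

# Matches a bracketed IPv4 literal, e.g. "[62.138.228.44]".
BRACKET_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> list[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header line."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def received_from_ips(raw_headers: str) -> list[str]:
    """Return the 'from' IP of every Received: header, newest (topmost) first.

    Only the IP in the *from* clause feeds the trust path. The 'by' host may
    carry no IP at all (as with "by smtp.rzone.de (RZmta 39.10 OK)"), so the
    clause is cut at the first ' by ' before matching.
    """
    ips: list[str] = []
    for hdr in unfold(raw_headers):
        name, _, body = hdr.partition(":")
        if name.strip().lower() != "received":
            continue
        from_clause = re.split(r"\s+by\s+", body, maxsplit=1)[0]
        m = BRACKET_IPV4.search(from_clause)
        if m:  # hops without a from-IP (e.g. "Received: by host (Postfix)") are skipped
            ips.append(m.group(1))
    return ips


def to_networks(specs: Iterable[str]) -> list[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def in_nets(ip: str, nets: list[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def last_external(from_ips: list[str], trusted: list[ipaddress.IPv4Network],
                  internal: Optional[list[ipaddress.IPv4Network]] = None) -> Optional[str]:
    """Walk newest-first and return the first relay whose IP is not internal.

    That relay is what SpamAssassin calls the last external relay. As in SA,
    internal_networks defaults to trusted_networks when not set, which is why
    Marcus's trusted-only config makes the forwarders internal and pushes the
    last-external hop back to the scammer. None means every hop was internal.
    """
    internal = trusted if internal is None else internal
    for ip in from_ips:
        if not in_nets(ip, internal):
            return ip
    return None


MY_IP = "198.51.100.10"  # constructed stand-in for MY_IP

# Constructed headers modelled on the udag.de path from the thread:
# scammer -> 62.146.106.132 -> 62.146.106.23 -> MY_IP (newest header first).
UDAG_HEADERS = """\
Received: from mx-out.udag.example ([62.146.106.23])
    by mail.example.org (Postfix) with ESMTP id 0000000000
    for <user@example.org>; Fri,  9 Dec 2016 18:55:05 +0100 (CET)
Received: from mx-in.udag.example ([62.146.106.132])
    by mx-out.udag.example with ESMTP; Fri,  9 Dec 2016 18:55:04 +0100 (CET)
Received: from scammer.invalid (scammer.invalid [192.0.2.45])
    by mx-in.udag.example with ESMTP; Fri,  9 Dec 2016 18:55:03 +0100 (CET)
"""

# The Strato case: a constructed top line for the hop into MY_IP, followed by
# the header quoted in the message, whose 'by' host has no IP literal.
STRATO_HEADERS = """\
Received: from out.rzone.example ([81.169.146.144])
    by mail.example.org (Postfix) with ESMTP id 0000000001
    for <user@example.org>; Fri,  9 Dec 2016 18:04:11 +0100 (CET)
Received: from srv544.mailer-service.de ([62.138.228.44])
    by smtp.rzone.de (RZmta 39.10 OK)
    with ESMTP id A02f69sB9H4Aw9o
    for <user@example.org>;
    Fri, 9 Dec 2016 18:04:10 +0100 (CET)
"""

# Marcus's udag.de config: MY_IP, the forwarders .21-.26 and the receivers .132/.133.
UDAG_TRUSTED = to_networks([MY_IP] + [f"62.146.106.{n}" for n in range(21, 27)]
                           + ["62.146.106.132", "62.146.106.133"])
# Strato: only the outgoing servers that actually connect to MY_IP are needed.
STRATO_TRUSTED = to_networks([MY_IP] + [f"81.169.146.{n}" for n in range(144, 150)])


def udag_last_external() -> Optional[str]:
    return last_external(received_from_ips(UDAG_HEADERS), UDAG_TRUSTED)


def udag_last_external_forwarders_not_internal() -> Optional[str]:
    # Forwarders trusted but NOT internal: the forwarder itself becomes the
    # last external relay, which is the wrong IP for the DNSBL checks.
    return last_external(received_from_ips(UDAG_HEADERS), UDAG_TRUSTED,
                         internal=to_networks([MY_IP]))


def strato_last_external() -> Optional[str]:
    return last_external(received_from_ips(STRATO_HEADERS), STRATO_TRUSTED)


if __name__ == "__main__":
    print("udag, internal = trusted      :", udag_last_external())
    print("udag, internal = MY_IP only   :", udag_last_external_forwarders_not_internal())
    print("strato, no 81.169.145.98 added:", strato_last_external())
```

Run it as-is: with internal_networks left to default to trusted_networks the udag.de chain resolves to the scammer's IP, while listing the forwarders only as trusted but not internal makes 62.146.106.23 the last external hop. For Strato, 62.138.228.44 is reached without 81.169.145.98 ever appearing in a header, because that address would only matter if it showed up as a *from* IP somewhere in the chain.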



Which Net::DNS for SpamAssassin-3.4.1

2016-12-09 Thread Mike Grau
Hello all

I'm confused ... what is the "recommended" version of Net::DNS to use
with an unpatched SpamAssassin-3.4.1? Or are there patches I ought to
apply for, say, Net::DNS 1.06?

Thanks! -- Mike G.