whitelist_from_rcvd Not Working

2015-08-29 Thread websiterepairguy .
I'm trying to get the following line to work in my user_prefs file:

whitelist_from_rcvd *bankofamerica.com bankofamerica.com

Of course, this works:

whitelist_from *bankofamerica.com

So, the simple whitelist_from works, but the whitelist_from_rcvd does not
work.  Why is this?  Looks like I have some kind of RDNS problem.  I run
this command to test this premise:

cat ham.mbox | spamassassin -dtD > temp 2>temp2

When I run the above command, I get the following lines in temp2:

Aug 29 05:38:06.860 [3328] dbg: config: trusted_networks are not
configured; it is recommended that you configure trusted_networks manually
Aug 29 05:38:06.862 [3328] dbg: received-header: parsed as [
ip=68.232.194.1 rdns= helo=ealerts.bankofamerica.com
by=box458.bluehost.com ident=
envfrom=
bounce-30_html-349212922-232599-73720-39...@bounce.ealerts.bankofamerica.com
intl=0
id=1ZUW6y-0005yO-RQ auth= msa=0 ]
Aug 29 05:38:06.862 [3328] dbg: received-header: do not trust any hosts
from here on
Aug 29 05:38:06.862 [3328] dbg: received-header: relay 68.232.194.1
trusted? no internal? no msa? no
Aug 29 05:38:06.863 [3328] dbg: metadata: X-Spam-Relays-Trusted:
Aug 29 05:38:06.864 [3328] dbg: metadata: X-Spam-Relays-Untrusted: [
ip=68.232.194.1 rdns= helo=ealerts.bankofamerica.com
by=box458.bluehost.com ident=
envfrom=
bounce-30_html-349212922-232599-73720-39...@bounce.ealerts.bankofamerica.com
intl=0
id=1ZUW6y-0005yO-RQ auth= msa=0 ]
Aug 29 05:38:06.864 [3328] dbg: metadata: X-Spam-Relays-Internal:
Aug 29 05:38:06.864 [3328] dbg: metadata: X-Spam-Relays-External: [
ip=68.232.194.1 rdns= helo=ealerts.bankofamerica.com
by=box458.bluehost.com ident=
envfrom=
bounce-30_html-349212922-232599-73720-39...@bounce.ealerts.bankofamerica.com
intl=0
id=1ZUW6y-0005yO-RQ auth= msa=0 ]

I notice that the above line has a 'rdns=' which would seem to suggest that
rdns did not work, right?  I barely know what rdns is, so that's why I'm
asking such a basic question.

The above debug lines also mention bankofamerica.com.  Bank of America is
my credit card company.  The above ham email is a ham credit card email.
Of course, I also get spoof Bank of America emails that are spam.  I'd like
to be able to differentiate the real from the fake, thus my interest
in whitelist_from_rcvd.

I run spamassassin under Debian Linux and Kmail is my email client.  Kmail
filters my email through spamassassin.  My email is retrieved from my
hosting company, Bluehost, via SMTP.  Bluehost has the actual email server,
not me.  The only thing I'm running on my computer is Kmail and
spamassassin.  Also, I run my own DNS server because I'm told that this is
necessary to conserve resources for certain blocklists.

I notice all my ham emails have the following false positive:

 0.8 RDNS_NONE  Delivered to internal network by a host with no rDNS

Here's the heart of my question:  Am I failing to do RDNS or is it my
hosting company Bluehost?  I assume that they know what they are doing, so
it must be me.

Here's my version of spamassassin:

spamassassin -V
SpamAssassin version 3.3.1
  running on Perl version 5.10.1

Is there anything I can configure to get this to work correctly?  Is it
spamassassin that needs configuration?  Is it the DNS server I run at the
same time I run spamassassin and Kmail that needs to be configured?
Do I need to go into my hosting account and configure something?

I'm a bit lost as to what to do next.  I tried this:

internal_networks 68.232.194.1
trusted_networks 68.232.194.1

However, I suspect that setting the internal_networks and the
trusted_networks is not the right way to do things.  The 68.232.194.1
IP address is from the above debug lines and is probably specific to
Bank of America only, right?  So it is really not part of my trusted
network, right?

By the way, the above 2 lines for internal_networks and trusted_networks
did work.  I suspect, though, that this is a hack that is too specific to
be a good general solution.

Thanks to anyone who has read this far!  All answers are appreciated!  I
know very little about either spamassassin or RDNS.

Ed


Re: whitelist_from_rcvd Not Working

2015-08-29 Thread Reindl Harald



On 29.08.2015 at 12:40, websiterepairguy. wrote:

I'm trying to get the following line to work in my user_prefs file:

whitelist_from_rcvd *bankofamerica.com bankofamerica.com

Of course, this works:

whitelist_from *bankofamerica.com

So, the simple whitelist_from works, but the whitelist_from_rcvd does
not work.  Why is this?  Looks like I have some kind of RDNS problem.  I
run this command to test this premise:


helo=ealerts.bankofamerica.com by=box458.bluehost.com
bankofamerica.com != bluehost.com

they use SPF, so just whitelist_auth is what you want

bankofamerica.com.         3600 IN TXT "v=spf1 include:_txspf.bankofamerica.com include:_vaspf.bankofamerica.com include:_newspf.bankofamerica.com ~all"

ealerts.bankofamerica.com. 3600 IN TXT "v=spf1 include:cust-spf.exacttarget.com -all"






Re: whitelist_from_rcvd Not Working

2015-08-29 Thread Reindl Harald


On 29.08.2015 at 13:46, RW wrote:

On Sat, 29 Aug 2015 12:45:27 +0200
Reindl Harald wrote:


On 29.08.2015 at 12:40, websiterepairguy. wrote:

I'm trying to get the following line to work in my user_prefs file:

whitelist_from_rcvd *bankofamerica.com bankofamerica.com

Of course, this works:

whitelist_from *bankofamerica.com

So, the simple whitelist_from works, but the whitelist_from_rcvd
does not work.  Why is this?  Looks like I have some kind of RDNS
problem.  I run this command to test this premise:


helo=ealerts.bankofamerica.com by=box458.bluehost.com
bankofamerica.com != bluehost.com


The by=box458.bluehost.com is not relevant, the problem is the
rdns= .

SpamAssassin doesn't do its own rdns lookups, so if the information
isn't recorded in the received header by the server you can't use
whitelist_from_rcvd


agreed in context of rdns, but even if it is resolved, the machines 
sending as @ealerts.bankofamerica.com don't have a RDNS ending with 
bankofamerica.com


whitelist_from_rcvd is not really maintainable for 3rd party senders 
which may change their network and cloud services at any point of time, 
while whitelist_auth is agnostic to that as long as the domain owner 
takes care of his SPF records






Re: whitelist_from_rcvd Not Working

2015-08-29 Thread RW
On Sat, 29 Aug 2015 13:57:02 +0200
Reindl Harald wrote:

 
 Am 29.08.2015 um 13:46 schrieb RW:
  On Sat, 29 Aug 2015 12:45:27 +0200
  Reindl Harald wrote:

  helo=ealerts.bankofamerica.com by=box458.bluehost.com
  bankofamerica.com != bluehost.com
 
  The by=box458.bluehost.com is not relevant, the problem is the
  rdns= .
 
  SpamAssassin doesn't do its own rdns lookups, so if the information
  isn't recorded in the received header by the server you can't use
  whitelist_from_rcvd
 
 agreed in context of rdns, but even if it is resolved, the machines 
 sending as @ealerts.bankofamerica.com don't have a RDNS ending with 
 bankofamerica.com
 

$ dig +short -x 68.232.194.1
mta.ealerts.bankofamerica.com.





Re: whitelist_from_rcvd Not Working

2015-08-29 Thread RW
On Sat, 29 Aug 2015 12:45:27 +0200
Reindl Harald wrote:

 
 
 On 29.08.2015 at 12:40, websiterepairguy. wrote:
  I'm trying to get the following line to work in my user_prefs file:
 
  whitelist_from_rcvd *bankofamerica.com bankofamerica.com
 
  Of course, this works:
 
  whitelist_from *bankofamerica.com
 
  So, the simple whitelist_from works, but the whitelist_from_rcvd
  does not work.  Why is this?  Looks like I have some kind of RDNS
  problem.  I run this command to test this premise:
 
 helo=ealerts.bankofamerica.com by=box458.bluehost.com
 bankofamerica.com != bluehost.com

The by=box458.bluehost.com is not relevant, the problem is the
rdns= .

SpamAssassin doesn't do its own rdns lookups, so if the information
isn't recorded in the received header by the server you can't use
whitelist_from_rcvd.


Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Dave Funk

On Fri, 27 Feb 2015, Ian Zimmerman wrote:


Header of test message, massaged for privacy, is here:

http://pastebin.com/EV6g15aN

I have this in user_prefs:

trusted_networks 198.1.2.3/32

[...lots snipped...]

whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Why is the whitelist not firing?


whitelist_from_rcvd can be a bit fragile because it depends upon
multiple factors (trust chain, full-circle-DNS) working correctly.

First thing, that second parameter is not an address but part
of a DNS name, so use 'wetransfer.com' instead of that *.wet...

second thing, check to see if your trust chain is working as you
expect. whitelist_from_rcvd is applied at the point of the
first trusted relay (i.e. where the last untrusted relay hands the
message to the first trusted relay). Add the 'X-Spam-Relays-Trusted'
and 'X-Spam-Relays-Untrusted' pseudo headers to your report
to see if things are working as expected.

Note that a DNS fubar (even temporary) will break whitelist_from_rcvd.
Also if the sender changes MSP, it will break, and is thus a maintenance
headache.

I see that message has a valid DKIM signature, so why not use
whitelist_auth? Same goodness with fewer headaches.


--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Ian Zimmerman
On Sat, 28 Feb 2015 13:37:29 +0100,
Mark Martinec mark.martinec...@ijs.si wrote:

Ian> trusted_networks 198.1.2.3/32
Ian> [...lots snipped...]
Ian> whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Mark> It seems the:

Mark> Received: (from itz@localhost)
Mark> by myalias.trusted.mx (8.14.4/8.14.4/Submit) id t1N7YK8O020727
Mark> for i...@my.post.office; Sun, 22 Feb 2015 23:34:20 -0800

Mark> is breaking a trust chain.

It shouldn't.  I forgot to add that all of the following resolve to
198.1.2.3:

my.domain
my.trusted.mx
myalias.trusted.mx

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.
Local Variables:
mode:claws-external
End:



Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Reindl Harald


On 27.02.2015 at 22:11, Ian Zimmerman wrote:

Header of test message, massaged for privacy, is here:

http://pastebin.com/EV6g15aN

I have this in user_prefs:

  trusted_networks 198.1.2.3/32

  [...lots snipped...]

  whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Why is the whitelist not firing?


not sure about that, but sure that you trained your bayes completely wrong 
and you should fix that instead of working around it with whitelists - such a 
non-working bayes does its poison not only for wetransfer, and I assume 
you train not enough ham


X-Spam-Tests: BAYES_99=3.5,BAYES_999=0.2 for wetransfer?


[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_00 | wc -l
208

[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_50 | wc -l
0

[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_60 | wc -l
0

[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_80 | wc -l
0

[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_90 | wc -l
0

[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_95 | wc -l
0

[root@localhost:~]$ cat maillog | grep wetransfer | grep BAYES_99 | wc -l
0


BAYES_00    45915   77.68 %
BAYES_05      727    1.23 %
BAYES_20      887    1.50 %
BAYES_40      944    1.59 %
BAYES_50     6406   10.83 %
BAYES_60      636    1.07 %
BAYES_80      467    0.79 %
BAYES_95      342    0.57 %
BAYES_99     2781    4.70 %
BAYES_999    2429    4.10 %

Delivered:    56241
SpamAssassin:  4680





Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Reindl Harald


On 28.02.2015 at 16:53, Ian Zimmerman wrote:

On Sat, 28 Feb 2015 13:37:29 +0100,
Mark Martinec mark.martinec...@ijs.si wrote:

Ian> trusted_networks 198.1.2.3/32
Ian> [...lots snipped...]
Ian> whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Mark> It seems the:

Mark> Received: (from itz@localhost)
Mark> by myalias.trusted.mx (8.14.4/8.14.4/Submit) id t1N7YK8O020727
Mark> for i...@my.post.office; Sun, 22 Feb 2015 23:34:20 -0800

Mark> is breaking a trust chain.

It shouldn't.  I forgot to add that all of the following resolve to
198.1.2.3:

my.domain
my.trusted.mx
myalias.trusted.mx


not true: Received: from myalias.trusted.mx (localhost [127.0.0.1])
127.0.0.1 != 198.1.2.3


and *what are* all those Received: hops, and where is SA running in that 
chain? SpamAssassin should always be the first hop receiving messages 
from the WAN






Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Mark Martinec

http://pastebin.com/EV6g15aN

I have this in user_prefs:
  trusted_networks 198.1.2.3/32
  [...lots snipped...]
  whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Why is the whitelist not firing?



It seems the:

Received: (from itz@localhost)
by myalias.trusted.mx (8.14.4/8.14.4/Submit) id t1N7YK8O020727
for i...@my.post.office; Sun, 22 Feb 2015 23:34:20 -0800

is breaking a trust chain.

  Mark


Re: whitelist_from_rcvd not working, WAIDW

2015-02-28 Thread Benny Pedersen

Ian Zimmerman wrote on 2015-02-28 16:53:

On Sat, 28 Feb 2015 13:37:29 +0100,
Mark Martinec mark.martinec...@ijs.si wrote:

Ian> trusted_networks 198.1.2.3/32
Ian> [...lots snipped...]
Ian> whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Mark> It seems the:

Mark> Received: (from itz@localhost)
Mark> by myalias.trusted.mx (8.14.4/8.14.4/Submit) id t1N7YK8O020727
Mark> for i...@my.post.office; Sun, 22 Feb 2015 23:34:20 -0800

Mark> is breaking a trust chain.

It shouldn't.  I forgot to add that all of the following resolve to
198.1.2.3:

my.domain
my.trusted.mx
myalias.trusted.mx


but sendmail did not add an ip in the submit received header

check this mail here for what postfix does :=)


whitelist_from_rcvd not working, WAIDW

2015-02-27 Thread Ian Zimmerman
Header of test message, massaged for privacy, is here:

http://pastebin.com/EV6g15aN

I have this in user_prefs:

 trusted_networks 198.1.2.3/32

 [...lots snipped...]

 whitelist_from_rcvd *@wetransfer.com *.wetransfer.com

Why is the whitelist not firing?

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.
Local Variables:
mode:claws-external
End:



Re: CommuniGate Pro Received header (was: whitelist_from_rcvd not working)

2008-04-11 Thread Victor Sudakov
SM wrote:
 This is the standard CommuniGate Pro Received: header.
 When HELO matches the hostname, this header always looks this way,
 with the word verified added to it.
 
 SpamAssassin is not parsing that Received: header as one with a 
 hostname which has been verified.

[dd]
 
 Yes.  See attached patch.

There is a minor problem with your patch. The helo= appears empty. 
I think you can safely put this: 

$rdns = $1; $helo = $1

 
 Post a bug report about the CommuniGate Pro Received header not being 
 parsed correctly.



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: CommuniGate Pro Received header (was: whitelist_from_rcvd not working)

2008-04-10 Thread Victor Sudakov
SM wrote:
 Hi Victor,
 At 21:40 09-04-2008, Victor Sudakov wrote:
 This is the standard CommuniGate Pro Received: header.
 When HELO matches the hostname, this header always looks this way,
 with the word verified added to it.
 
 SpamAssassin is not parsing that Received: header as one with a 
 hostname which has been verified.
 
 When HELO does not match the hostname, the header looks different:
 
 Received: from [213.183.100.11] (HELO blablabla.ru)
   by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
   with ESMTP id 9853037 for [EMAIL PROTECTED]; Thu, 10 Apr 2008 
 11:26:20 +0700
 
 That's the only CommuniGate Pro Received header format parsed currently.
 
 Neither. It's a feature. Perhaps we need a patch for Received.pm?
 
 Yes.  See attached patch.

Your patch has applied cleanly.

whitelist_from_rcvd now works, but not quite in the manner I have
expected. In fact, it works only if the relay is NOT in the
trusted_networks list. 

I wonder if this is by design. In my opinion, whitelisting should
always work.

 
 Post a bug report about the CommuniGate Pro Received header not being 
 parsed correctly.

I will as soon as the trusted_networks issue is cleared.



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: CommuniGate Pro Received header (was: whitelist_from_rcvd not working)

2008-04-10 Thread SM

At 23:03 09-04-2008, Victor Sudakov wrote:

whitelist_from_rcvd now works, but not quite in the manner I have
expected. In fact, it works only if the relay is NOT in the
trusted_networks list.


Can you post the debug output?


I wonder if this is by design. In my opinion, whitelisting should
always work.


You can only trust the Received: headers inserted by your mail servers.

Regards,
-sm 



Re: CommuniGate Pro Received header (was: whitelist_from_rcvd not working)

2008-04-10 Thread Victor Sudakov
SM wrote:
 whitelist_from_rcvd now works, but not quite in the manner I have
 expected. In fact, it works only if the relay is NOT in the
 trusted_networks list.
 
 Can you post the debug output?


In this case 212.73.124.135 is trusted so the sender was not
whitelisted!!!
http://vas.tomsk.ru/sa2.txt

And here is what happens when I remove 212.73.124.135 from the trusted
list, the sender got whitelisted: 
http://vas.tomsk.ru/sa3.txt

 
 I wonder if this is by design. In my opinion, whitelisting should
 always work.
 
 You can only trust the Received: headers inserted by your mail servers.

The topmost Received: header is always inserted by my mail server.
But if the relay mentioned in this topmost header is in the list of
trusted_networks, whitelist_from_rcvd does not work.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
SM wrote:
 At 22:02 08-04-2008, Victor Sudakov wrote:
 I have the following rule in local.cf:
 whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru
 
 Please help me figure out why the rule does not work. Below is a sample
 message where I think the rule should work but actually does not.
 
 [snip]
 
 Received: from mail.sibptus.tomsk.ru [212.73.124.5]
 by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
 for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008 
 15:08:02 +0700 (OMSST)
 Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
   by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
   with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 
 15:05:54 +0700
 
 That rule does not match the host in the Received: header.  The host 
 shows up as an IP address.

No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.

 
 You could use:
 
 whitelist_auth [EMAIL PROTECTED]
 
 as the domain has SPF records. 

Unfortunately not all domains I want to whitelist have SPF records. 
The message above was an example.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
Victor Sudakov wrote:
  I have the following rule in local.cf:
  whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru
  
  Please help me figure out why the rule does not work. Below is a sample
  message where I think the rule should work but actually does not.
  
  [snip]
  
  Received: from mail.sibptus.tomsk.ru [212.73.124.5]
  by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
  for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008 
  15:08:02 +0700 (OMSST)
  Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 
  15:05:54 +0700
  
  That rule does not match the host in the Received: header.  The host 
  shows up as an IP address.
 
 No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.

The debug output is here:
http://vas.tomsk.ru/sa.txt

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Matus UHLAR - fantomas
 SM wrote:
  At 22:02 08-04-2008, Victor Sudakov wrote:
  I have the following rule in local.cf:
  whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru
  
  Please help me figure out why the rule does not work. Below is a sample
  message where I think the rule should work but actually does not.
  
  [snip]
  
  Received: from mail.sibptus.tomsk.ru [212.73.124.5]
  by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
  for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008 
  15:08:02 +0700 (OMSST)
  Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 
  15:05:54 +0700
  
  That rule does not match the host in the Received: header.  The host 
  shows up as an IP address.

On 09.04.08 14:59, Victor Sudakov wrote:
 No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.

afaik it only matches if 212.73.124.5 is in your internal_domains, otherwise
the first Received: line is checked
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
WinError #9: Out of error messages.


Re: whitelist_from_rcvd not working

2008-04-09 Thread SM

Hi Victor,
At 00:59 09-04-2008, Victor Sudakov wrote:

No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.


You can see how the Received headers in the message are parsed by 
saving the entire message to a file and running it through SpamAssassin:


spamassassin -t -D < filename

The output will show whether the host matches dtdm.tomsk.ru.

Regards,
-sm 



Re: whitelist_from_rcvd not working

2008-04-09 Thread Dave Funk

On Wed, 9 Apr 2008, Victor Sudakov wrote:


SM wrote:

At 22:02 08-04-2008, Victor Sudakov wrote:

I have the following rule in local.cf:
whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru



[snip..]



Received: from mail.sibptus.tomsk.ru [212.73.124.5]
   by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
   for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008
15:08:02 +0700 (OMSST)
Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
 by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
 with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008
15:05:54 +0700


That rule does not match the host in the Received: header.  The host
shows up as an IP address.


No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.


To prevent forgeries from exploiting whitelist_from_rcvd SA checks
the DNS reverse -and- forward maps of the IP address in the Received:
header. If they do not match the domain specified in the 
whitelist_from_rcvd rule it does not apply.


Your IP address in that header, [213.183.100.11], has a DNS reverse map
of dtu.net.tomline.ru which does -NOT- match the domain dtdm.tomsk.ru
in your rule thus SA will not accept that for whitelist_from_rcvd.

You have two choices, either get 213.183.100.11 to DNS map to 
gw.dtdm.tomsk.ru or use some other whitelist method such as 
whitelist_from_spf (which will work as there are matching SPF 
records published for dtdm.tomsk.ru)


--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
Matus UHLAR - fantomas wrote:
  SM wrote:
   At 22:02 08-04-2008, Victor Sudakov wrote:
   I have the following rule in local.cf:
   whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru
   
   Please help me figure out why the rule does not work. Below is a sample
   message where I think the rule should work but actually does not.
   
   [snip]
   
   Received: from mail.sibptus.tomsk.ru [212.73.124.5]
   by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
   for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008 
   15:08:02 +0700 (OMSST)
   Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
 by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
 with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 
   15:05:54 +0700
   
   That rule does not match the host in the Received: header.  The host 
   shows up as an IP address.
 
 On 09.04.08 14:59, Victor Sudakov wrote:
  No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.
 
 afaik it only matches if 212.73.124.5 is in your internal_domains, otherwise
 the first Received: line is checked

The first Received: line should be ignored by SA because it was
inserted by fetchmail.

But if you insist... I have removed the first  Received: line and run
the message through spamassassin -t again. The result is exactly the
same, the whitelist_from_rcvd still does not work. 

Any more ideas? I think it is easy to reproduce the problem.

OK, below is the message again without the first Received: line. 
Please run it through SA. Why doesn't whitelist_from_rcvd work?

==
From sudakov  Tue Apr  8 15:08:02 2008
X-Virus-Scanned: by clamd daemon 0.91.2 for FreeBSD at relay2.tomsk.ru
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on meow.tomsk.su
X-Spam-Level: 
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_00,MISSING_HEADERS,
MISSING_SUBJECT,TRACKER_ID,TVD_SPACE_RATIO autolearn=no version=3.2.4
Return-Path: [EMAIL PROTECTED]
Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 15:05:54 +0700
Received-SPF: pass
 receiver=relay2.tomsk.ru; client-ip=213.183.100.11; [EMAIL PROTECTED]
Received: from root by gw.dtdm.tomsk.ru with local (Exim 4.67 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1Jj8pm-00033X-KY
for [EMAIL PROTECTED]; Tue, 08 Apr 2008 15:05:38 +0700
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Tue, 08 Apr 2008 15:05:38 +0700
X-SpamProbe: GOOD 0.0003774 1cae503bd9d0b131eaddef3cb3f12c45
Status: RO
Content-Length: 37
Lines: 1

93202240-0542-11dd-9f2c-00016cd36bbf

==

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
SM wrote:
 No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.
 
 You can see how the Received headers in the message are parsed by 
 saving the entire message to a file and running it through SpamAssassin:
 
 spamassassin -t -D < filename
 
 The output will show whether the host matches dtdm.tomsk.ru.

Yes, the output is here
http://vas.tomsk.ru/sa.txt
since yesterday.

Which lines show whether the host matches dtdm.tomsk.ru and why?

I am not so experienced at analysing SA debug output, that's why I
have asked for help. Thanks in advance for any input.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
Dave Funk wrote:
 
 I have the following rule in local.cf:
 whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru
 
 [snip..]
 
 Received: from mail.sibptus.tomsk.ru [212.73.124.5]
by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008
 15:08:02 +0700 (OMSST)
 Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008
 15:05:54 +0700
 
 That rule does not match the host in the Received: header.  The host
 shows up as an IP address.
 
 No, the host shows up as gw.dtdm.tomsk.ru which matches dtdm.tomsk.ru.
 
 To prevent forgeries from exploiting whitelist_from_rcvd SA checks
 the DNS reverse -and- forward maps of the IP address in the Received:
 header. If they do not match the domain specified in the 
 whitelist_from_rcvd rule it does not apply.
 
 Your IP address in that header, [213.183.100.11], has a DNS reverse map
 of dtu.net.tomline.ru which does -NOT- match the domain dtdm.tomsk.ru
 in your rule thus SA will not accept that for whitelist_from_rcvd.

OK, this was a poor example. Here is a better one. Let's start anew :)

The rule is
whitelist_from_rcvd [EMAIL PROTECTED] mncs.tomsk.ru

The relay is mncs.tomsk.ru, as you see, whose forward and reverse DNS
mapping is correct.

Why does the rule not work with the message below?

=

From [EMAIL PROTECTED]  Thu Mar 27 14:13:24 2008
X-Virus-Scanned: by clamd daemon 0.91.2 for FreeBSD at relay2.tomsk.ru
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on meow.tomsk.su
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,
MIME_HTML_MOSTLY,MISSING_SUBJECT,TVD_SPACE_RATIO autolearn=no 
version=3.2.4
Return-Path: [EMAIL PROTECTED]
Received: from mncs.tomsk.ru ([212.73.124.135] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTP id 9786656 for [EMAIL PROTECTED]; Thu, 27 Mar 2008 15:08:17 +0600
Received: from w2kermolovichi (w2kermolovichi.tom.transneft.ru [10.65.2.125])
by mncs.tomsk.ru (8.13.4/8.13.4) with SMTP id m2R97s5f024889
for [EMAIL PROTECTED]; Thu, 27 Mar 2008 15:07:54 +0600
Message-ID: [EMAIL PROTECTED]
From: =?koi8-r?B?6cfP0tggIOXSzc/Mz9fJ3g==?= [EMAIL PROTECTED]
To: =?koi8-r?B?68HC2dvF1yDyz83BziDuycvPzMHF18ne?= [EMAIL PROTECTED]
Subject: 
Date: Thu, 27 Mar 2008 12:08:01 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_003D_01C89003.3466C0B0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1914
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1914
X-Virus-Scanned: ClamAV 0.92/6404/Thu Mar 27 01:31:21 2008 on mncs.tomsk.ru
X-Virus-Status: Clean
X-Spam-Status: No, score=-102.2 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
HTML_MESSAGE,MIME_HTML_MOSTLY,MISSING_SUBJECT,TVD_SPACE_RATIO,
USER_IN_WHITELIST autolearn=no version=3.2.3
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mncs.tomsk.ru


=

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread SM

Hi Victor,
At 19:38 09-04-2008, Victor Sudakov wrote:

Yes, the output is here


Sorry, I missed that.


Which lines show whether the host matches dtdm.tomsk.ru and why?


From your output:

dbg: received-header: found fetchmail marker outside trusted area, ignored

The Received header inserted by Fetchmail is ignored.  This URL 
explains why: http://wiki.apache.org/spamassassin/WhitelistFromRcvdAndTrust


dbg: received-header: found fetchmail marker outside trusted area, ignored
dbg: received-header: parsed as [ ip=213.183.100.11 rdns= 
helo=gw.dtdm.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 
id=9838562 auth= msa=0 ]

dbg: received-header: relay 213.183.100.11 trusted? no internal? no msa? no
dbg: metadata: X-Spam-Relays-Trusted:
dbg: metadata: X-Spam-Relays-Untrusted: [ ip=213.183.100.11 rdns= 
helo=gw.dtdm.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 
id=9838562 auth= msa=0 ]

dbg: metadata: X-Spam-Relays-Internal:
dbg: metadata: X-Spam-Relays-External: [ ip=213.183.100.11 rdns= 
helo=gw.dtdm.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 
id=9838562 auth= msa=0 ]


gw.dtdm.tomsk.ru was found as a helo in the Received headers.  It 
won't be used for the whitelisting.  The rdns is empty.  SpamAssassin 
needs that to match against your rule.  None of these Received headers 
match a trust path, i.e. they have not been detected as being added 
by an MTA which is trusted.


The trust path should be fixed by adding:

trusted_networks 213.183.100.11

As Dave Funk pointed out, the reverse DNS for 213.183.100.11 points 
to dtu.net.tomline.ru.  The forward and reverse DNS should 
match.  You'll have to fix that as well.


Regards,
-sm 



Re: whitelist_from_rcvd not working

2008-04-09 Thread SM

Hi Victor,
At 19:54 09-04-2008, Victor Sudakov wrote:

OK, this was a poor example. Here is a better one. Let's start anew :)

The rule is
whitelist_from_rcvd [EMAIL PROTECTED] mncs.tomsk.ru

The relay is mncs.tomsk.ru, as you see, whose forward and reverse DNS
mapping is correct.


The forward and reverse DNS mapping for that host is correct.


Why does the rule not work with the message below?

=

From [EMAIL PROTECTED]  Thu Mar 27 14:13:24 2008
X-Virus-Scanned: by clamd daemon 0.91.2 for FreeBSD at relay2.tomsk.ru
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on meow.tomsk.su
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,
MIME_HTML_MOSTLY,MISSING_SUBJECT,TVD_SPACE_RATIO 
autolearn=no version=3.2.4

Return-Path: [EMAIL PROTECTED]
Received: from mncs.tomsk.ru ([212.73.124.135] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTP id 9786656 for [EMAIL PROTECTED]; Thu, 27 Mar 2008 
15:08:17 +0600


That's because there isn't a hostname in the Received header.  The 
mncs.tomsk.ru appearing in there is the helo.  See whether the 
absence of the hostname is because of a CommuniGate Pro configuration 
problem or a DNS problem (the host doesn't get the correct answer 
when doing a reverse DNS).


Regards,
-sm 



Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
Victor Sudakov wrote:
 
 OK, this was a poor example. Here is a better one. Let's start anew :)
 
 The rule is
 whitelist_from_rcvd [EMAIL PROTECTED] mncs.tomsk.ru
 
 The relay is mncs.tomsk.ru, as you see, whose forward and reverse DNS
 mapping is correct.
 
 Why does the rule not work with the message below?

An interesting observation. Below is the Received header and how it
was parsed.

Received: from mncs.tomsk.ru ([212.73.124.135] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTP id 9786656 for [EMAIL PROTECTED]; Thu, 27 Mar 2008 15:08:17 +0600

[53938] dbg: received-header: parsed as [ ip=212.73.124.135 rdns= 
helo=mncs.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 id=9786656 auth= 
msa=0 ]

I think the problem may be that 'rdns' is empty for some reason. But why
it is empty I don't know. Any ideas? Perhaps a bug in 
SpamAssassin/Message/Metadata/Received.pm ?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
SM wrote:

[dd]

 
 dbg: received-header: found fetchmail marker outside trusted area, ignored
 dbg: received-header: parsed as [ ip=213.183.100.11 rdns= 
 helo=gw.dtdm.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 
 id=9838562 auth= msa=0 ]
 dbg: received-header: relay 213.183.100.11 trusted? no internal? no msa? no
 dbg: metadata: X-Spam-Relays-Trusted:
 dbg: metadata: X-Spam-Relays-Untrusted: [ ip=213.183.100.11 rdns= 
 helo=gw.dtdm.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 
 id=9838562 auth= msa=0 ]
 dbg: metadata: X-Spam-Relays-Internal:
 dbg: metadata: X-Spam-Relays-External: [ ip=213.183.100.11 rdns= 
 helo=gw.dtdm.tomsk.ru by=relay2.tomsk.ru ident= envfrom= intl=0 
 id=9838562 auth= msa=0 ]
 
 gw.dtdm.tomsk.ru was found as a helo in the Received headers.  It 
 won't be used for the whitelisting.  The rdns is empty.  

The question is _why_ it is empty. See the other example with
mncs.tomsk.ru, especially my last message.

 SpamAssassin needs that to match against your rule.  None of these Received 
 headers match a trust path, i.e. they have not been detected as being added 
 by an MTA which is trusted.
 
 The trust path should be fixed by adding:
 
 trusted_networks 213.183.100.11

No, 213.183.100.11 is not a trusted relay. Anyway, forget it, the
problem is not there.

 
 As Dave Funk pointed out, the reverse DNS for 213.183.100.11 points 
 to dtu.net.tomline.ru.The forward and reverse DNS should 
 match.  You'll have to fix that as well.

Look at the example with mncs.tomsk.ru please. The forward and reverse
DNS match for this relay, but rdns is still empty. I am inclined to
think it is a parsing bug.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-09 Thread Victor Sudakov
SM wrote:
 OK, this was a poor example. Here is a better one. Let's start anew :)
 
 The rule is
 whitelist_from_rcvd [EMAIL PROTECTED] mncs.tomsk.ru
 
 The relay is mncs.tomsk.ru, as you see, whose forward and reverse DNS
 mapping is correct.
 
 The forward and reverse DNS mapping for that host is correct.
 
 Why does the rule not work with the message below?
 
 =
 
 From [EMAIL PROTECTED]  Thu Mar 27 14:13:24 2008
 X-Virus-Scanned: by clamd daemon 0.91.2 for FreeBSD at relay2.tomsk.ru
 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on meow.tomsk.su
 X-Spam-Level: ***
 X-Spam-Status: No, score=3.4 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,
 MIME_HTML_MOSTLY,MISSING_SUBJECT,TVD_SPACE_RATIO 
 autolearn=no version=3.2.4
 Return-Path: [EMAIL PROTECTED]
 Received: from mncs.tomsk.ru ([212.73.124.135] verified)
   by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
   with ESMTP id 9786656 for [EMAIL PROTECTED]; Thu, 27 Mar 2008 
 15:08:17 +0600
 
 That's because there isn't a hostname in the Received header.  The 
 mncs.tomsk.ru appearing in there is the helo.  

This is the standard CommuniGate Pro Received: header. 
When HELO matches the hostname, this header always looks this way,
with the word verified added to it.

When HELO does not match the hostname, the header looks different:

Received: from [213.183.100.11] (HELO blablabla.ru)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTP id 9853037 for [EMAIL PROTECTED]; Thu, 10 Apr 2008 11:26:20 +0700

 See whether the 
 absence of the hostname is because of a CommuniGate Pro configuration 
 problem or a DNS problem (the host doesn't get the correct answer 
 when doing a reverse DNS).

Neither. It's a feature. Perhaps we need a patch for Received.pm?

I think exim does the same if HELO matches the hostname. This is a
sample exim header:

Received: from relay2.tomsk.ru ([212.73.124.8])
by gw.dtdm.tomsk.ru with esmtps (SSLv3:DES-CBC3-SHA:168)
(Exim 4.67 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1JjoVV-0008Wl-8E
for [EMAIL PROTECTED]; Thu, 10 Apr 2008 11:35:29 +0700

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


CommuniGate Pro Received header (was: whitelist_from_rcvd not working)

2008-04-09 Thread SM

Hi Victor,
At 21:40 09-04-2008, Victor Sudakov wrote:

This is the standard CommuniGate Pro Received: header.
When HELO matches the hostname, this header always looks this way,
with the word verified added to it.


SpamAssassin is not parsing that Received: header as one with a 
hostname which has been verified.



When HELO does not match the hostname, the header looks different:

Received: from [213.183.100.11] (HELO blablabla.ru)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTP id 9853037 for [EMAIL PROTECTED]; Thu, 10 Apr 2008 
11:26:20 +0700


That's the only CommuniGate Pro Received header format parsed currently.


Neither. It's a feature. Perhaps we need a patch for Received.pm?


Yes.  See attached patch.

Post a bug report about the CommuniGate Pro Received header not being 
parsed correctly.


Regards,
-sm 

communigatercv.diff
Description: Binary data


whitelist_from_rcvd not working

2008-04-08 Thread Victor Sudakov
Colleagues,

I have the following rule in local.cf:
whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru

Please help me figure out why the rule does not work. Below is a sample
message where I think the rule should work but actually does not.
Perhaps someone with experience could run it through spamassassin -D.


From sudakov  Tue Apr  8 15:08:02 2008
X-Virus-Scanned: by clamd daemon 0.91.2 for FreeBSD at relay2.tomsk.ru
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on meow.tomsk.su
X-Spam-Level: 
X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_00,MISSING_HEADERS,
MISSING_SUBJECT,TRACKER_ID,TVD_SPACE_RATIO autolearn=no version=3.2.4
Return-Path: [EMAIL PROTECTED]
Received: from mail.sibptus.tomsk.ru [212.73.124.5]
by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008 15:08:02 +0700 
(OMSST)
Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 15:05:54 +0700
Received-SPF: pass
 receiver=relay2.tomsk.ru; client-ip=213.183.100.11; [EMAIL PROTECTED]
Received: from root by gw.dtdm.tomsk.ru with local (Exim 4.67 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1Jj8pm-00033X-KY
for [EMAIL PROTECTED]; Tue, 08 Apr 2008 15:05:38 +0700
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: Tue, 08 Apr 2008 15:05:38 +0700
X-SpamProbe: GOOD 0.0003774 1cae503bd9d0b131eaddef3cb3f12c45
Status: RO
Content-Length: 37
Lines: 1

93202240-0542-11dd-9f2c-00016cd36bbf




Thanks in advance for any input.

I am using SpamAssassin-3.2.4_2 from the FreeBSD ports collection,
perl-5.8.8, FreeBSD 6.2.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[EMAIL PROTECTED]


Re: whitelist_from_rcvd not working

2008-04-08 Thread SM

Hi Victor,
At 22:02 08-04-2008, Victor Sudakov wrote:

I have the following rule in local.cf:
whitelist_from_rcvd [EMAIL PROTECTED] dtdm.tomsk.ru

Please help me figure out why the rule does not work. Below is a sample
message where I think the rule should work but actually does not.


[snip]


Received: from mail.sibptus.tomsk.ru [212.73.124.5]
by admin.sibptus.tomsk.ru with POP3 (fetchmail-6.3.8)
for [EMAIL PROTECTED] (single-drop); Tue, 08 Apr 2008 
15:08:02 +0700 (OMSST)

Received: from gw.dtdm.tomsk.ru ([213.183.100.11] verified)
  by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13)
  with ESMTPS id 9838562 for [EMAIL PROTECTED]; Tue, 08 Apr 2008 
15:05:54 +0700


That rule does not match the host in the Received: header.  The host 
shows up as an IP address.


You could use:

whitelist_auth [EMAIL PROTECTED]

as the domain has SPF records.  Don't forget to enable the 
Mail::SpamAssassin::Plugins::SPF plugin if you use the above.


Regards,
-sm 



Re: Whitelist_from_rcvd not working

2008-01-06 Thread mouss
Loren Wilton wrote:
 d) Most of you guys are going to say Get a decent MTA. Some of you
 might

 Didn't you say you were using qmail?  Or am I
 misremembering/misinterpreting?  If you are using qmail for MTA, I'm
 reasonably sure I recall discussion of patches to qmail to make it Do
 The Right Thing that are available on some web site.  The discussion I
 seem to recall is that it does the Wrong Thing by default, but someone
 had a functional and (I think) simple fix.

Received: from gadental.org [67.104.179.147] by mail.visioncomm.net with
ESMTP
  (SMTPD32-8.15) id A16054AA0026; Thu, 03 Jan 2008 15:11:12 -0500
...

I'd say this is an IMail server.



RE: Whitelist_from_rcvd not working

2008-01-05 Thread Dan Barker
I thought the received header looked funny, so I hand-typed one and got the
same result. Actually, if you look at the botnet messages (with either
header), the IP, RDNS and HELO have captured identically. I believe that
means the header was parsed correctly by SA.

The three lines in the debug log following those botnet entries may bear on
this. It says "skipping whitelist check". If an SPF failure causes
whitelist_from_rcvd to be skipped, then that's a bug. Any comments before I
move this discussion over to bugzilla?

Dan

Interesting lines (from -D with either header; full list
http://www.visioncomm.net/temp/080104Debug2.txt):

...
[9060] dbg: Botnet: starting
[9060] dbg: Botnet: no trusted relays
[9060] dbg: Botnet: get_relay didn't find RDNS
[9060] dbg: Botnet: IP is '169.200.184.174'
[9060] dbg: Botnet: RDNS is 'sls-sn-smtp-pmail3.wachovia.com'
[9060] dbg: Botnet: HELO is 'sls-sn-smtp-pmail3.wachovia.com'
[9060] dbg: Botnet: sender
'[EMAIL PROTECTED]'
[9060] dbg: Botnet: miss (none)
[9060] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH == got hit
(1)
[9060] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get
pass, skipping whitelist check
[9060] dbg: spf: whitelist_from_spf: already checked spf and didn't get
pass, skipping whitelist check
...



Original received header:

Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by
mail.visioncomm.net with ESMTP
  (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500



Hacked received header:

Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com
(169.200.184.174)
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500


User_prefs:

whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com
whitelist_from_rcvd *wachovia.com wachovia.com

 

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 7:21 PM
To: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working

It occurs to me to wonder about

Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by
mail.visioncomm.net with ESMTP

I only see one symbolic wachovia name in that header.  Shouldn't there be a
HELO name or the like associated with 169.200.184.174?

Loren






Re: Whitelist_from_rcvd not working

2008-01-05 Thread Loren Wilton

[9060] dbg: Botnet: starting
[9060] dbg: Botnet: no trusted relays
[9060] dbg: Botnet: get_relay didn't find RDNS
[9060] dbg: Botnet: IP is '169.200.184.174'
[9060] dbg: Botnet: RDNS is 'sls-sn-smtp-pmail3.wachovia.com'
[9060] dbg: Botnet: HELO is 'sls-sn-smtp-pmail3.wachovia.com'
[9060] dbg: Botnet: sender
'[EMAIL PROTECTED]'
[9060] dbg: Botnet: miss (none)


These are Botnet plugin messages, they have nothing to do with the normal 
whitelist_from_rcvd check.



[9060] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get
pass, skipping whitelist check
[9060] dbg: spf: whitelist_from_spf: already checked spf and didn't get
pass, skipping whitelist check


This is whitelist_from_spf, not whitelist_from_rcvd, and what it concludes 
here shouldn't have an effect on anything else.




Original received header:

Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by
mail.visioncomm.net with ESMTP
 (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500

Hacked received header:

Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com
(169.200.184.174)
  by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
  Wed, 02 Jan 2008 03:53:57 -0500


It appears to me that there is a missing paren in the hacked header, and 
probably it should have been more like



Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com
[169.200.184.174])
  by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
  Wed, 02 Jan 2008 03:53:57 -0500



Moving on to other parts of the debug output that are maybe more 
interesting:


[9060] dbg: metadata: X-Spam-Relays-Trusted:

There are no trusted relays.

[9060] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=169.200.184.174 rdns= 
helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net ident= envfrom= 
intl=0 id=A1253F3B0064 auth= msa=0 ] [ ip=172.21.194.240 rdns=p9mpw011.csm.fub.com 
helo=p9mpw011 by=sls-sn-smtp-pmail3.wachovia.com ident= envfrom= intl=0 
id=m028ruM17943 auth= msa=0 ]

The first untrusted relay (169.200.184.174) has a HELO but doesn't have an 
RDNS.  I'm not positive, but I think you need both to get 
whitelist_from_rcvd to work.



[9060] dbg: metadata: X-Spam-Relays-Internal:
[9060] dbg: metadata: X-Spam-Relays-External: [ ip=169.200.184.174 rdns= 
helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net ident= envfrom= 
intl=0 id=A1253F3B0064 auth= msa=0 ] [ ip=172.21.194.240 rdns=p9mpw011.csm.fub.com 
helo=p9mpw011 by=sls-sn-smtp-pmail3.wachovia.com ident= envfrom= intl=0 
id=m028ruM17943 auth= msa=0 ]




RE: Whitelist_from_rcvd not working

2008-01-05 Thread Dan Barker
Thanks for catching the missing paren. Fixing it didn't change the result,
unfortunately.

Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com)
(169.200.184.174)
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500   

I agree an SPF issue shouldn't affect a whitelist_from_rcvd check, that's
just a wild guess on my part that there may be a bug. I don't know where
else to look.

What I'd really like is for someone else to confirm that the check fails on
their installation before I open a bug report. Loren Wilton appears to have
run my email with my user_prefs, but didn't provide the -D output. 

Dan

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 05, 2008 9:47 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working

 [9060] dbg: Botnet: starting
 [9060] dbg: Botnet: no trusted relays
 [9060] dbg: Botnet: get_relay didn't find RDNS
 [9060] dbg: Botnet: IP is '169.200.184.174'
 [9060] dbg: Botnet: RDNS is 'sls-sn-smtp-pmail3.wachovia.com'
 [9060] dbg: Botnet: HELO is 'sls-sn-smtp-pmail3.wachovia.com'
 [9060] dbg: Botnet: sender
 '[EMAIL PROTECTED]'
 [9060] dbg: Botnet: miss (none)

These are Botnet plugin messages, they have nothing to do with the normal
whitelist_from_rcvd check.


 [9060] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get
 pass, skipping whitelist check
 [9060] dbg: spf: whitelist_from_spf: already checked spf and didn't get
 pass, skipping whitelist check

This is whitelist_from_spf, not whitelist_from_rcvd, and what it concludes 
here shouldn't have an effect on anything else.


 Original received header:

 Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by
 mail.visioncomm.net with ESMTP
  (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500

 Hacked received header:

 Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com
 (169.200.184.174)
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500

It appears to me that there is a missing paren in the hacked header, and 
probably it should have been more like

 Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com
 [169.200.184.174])
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500


Moving on to other parts of the debug output that are maybe more 
interesting:

[9060] dbg: metadata: X-Spam-Relays-Trusted:

There are no trusted relays.

[9060] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=169.200.184.174 rdns= 
helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net ident= envfrom= 
intl=0 id=A1253F3B0064 auth= msa=0 ] [ ip=172.21.194.240 rdns=p9mpw011.csm.fub.com 
helo=p9mpw011 by=sls-sn-smtp-pmail3.wachovia.com ident= envfrom= intl=0 
id=m028ruM17943 auth= msa=0 ]

The first untrusted relay (169.200.184.174) has a HELO but doesn't have an 
RDNS.  I'm not positive, but I think you need both to get 
whitelist_from_rcvd to work.


[9060] dbg: metadata: X-Spam-Relays-Internal:
[9060] dbg: metadata: X-Spam-Relays-External: [ ip=169.200.184.174 rdns= 
helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net ident= envfrom= 
intl=0 id=A1253F3B0064 auth= msa=0 ] [ ip=172.21.194.240 rdns=p9mpw011.csm.fub.com 
helo=p9mpw011 by=sls-sn-smtp-pmail3.wachovia.com ident= envfrom= intl=0 
id=m028ruM17943 auth= msa=0 ]





Re: Whitelist_from_rcvd not working

2008-01-05 Thread Matt Kettler

Dan Barker wrote:


[9060] dbg: metadata: X-Spam-Relays-Trusted:

There are no trusted relays.

[9060] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=169.200.184.174 rdns= 
helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net ident= envfrom= 
intl=0 id=A1253F3B0064 auth= msa=0 ] [ ip=172.21.194.240 rdns=p9mpw011.csm.fub.com 
helo=p9mpw011 by=sls-sn-smtp-pmail3.wachovia.com ident= envfrom= intl=0 
id=m028ruM17943 auth= msa=0 ]

The first untrusted relay (169.200.184.174) has a HELO but doesn't have an 
RDNS.  I'm not positive, but I think you need both to get 
whitelist_from_rcvd to work.
  


You don't need both. You DO need RDNS, and the second parameter must 
match a substring of that reverse DNS lookup.


To quote the manpage:

The first parameter is the address to whitelist, and the second is a 
string to match the relay's rDNS.


So, helo has nothing to do with it at all.


RE: Whitelist_from_rcvd not working

2008-01-05 Thread Dan Barker
Matt:

I finally got the rule to fire by hacking the header. Nothing has changed on
the MTA for years, and it's hard for me to believe all these rules failed in
3.1.7. Maybe they did. My logs don't go back that far (I only save 2 weeks -
sacs be ignored here <g>). Maybe the SA parser is doing something better
now that's catching an error my MTA's had for years.

I'll dig further and come up with something. Either a workaround, a fix to
the MTA or a request to understand this received header format.

Btw, your comments about no rdns got me to find for the rdns lines in
the debug and I found the dbg: received-header: parsed as ... lines.

Now, I can hack away at the received header and the user_prefs until I
understand what will and won't parse, and then figure out if there's a
reason to request a change or an easy fix in the MTA.

Thanks for all the help.

Dan

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 05, 2008 12:39 PM
To: Dan Barker
Subject: Re: Whitelist_from_rcvd not working

Dan Barker wrote:
 I don't know why you'd think there is no rDNS.

 dig -x 169.200.184.174
 Says: sls-sn-smtp-pmail3.wachovia.com.

 Is there some place in the received header it needs to be that it's not?
   
Yes.

Look at SA's parse:

[9060] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=169.200.184.174 
 rdns= helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net 
 ident= envfrom= intl=0 id=


Note that rdns=  part.. that doesn't mean the RDNS equals the helo, it
means there's no RDNS name at all.

Now look at your header:

Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com)
(169.200.184.174)
   by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064;
   Wed, 02 Jan 2008 03:53:57 -0500




The first clause following the from should be the RDNS name in this
qmail-esque format for headers. You've got an IP address there, so SA assumes
there's no RDNS. In fact, looking at that header, where would you expect SA
would be getting the RDNS name from? The only thing resembling a hostname is
the HELO, and that's not trustable.

This style should be formatted as:

from rdns name (helo specifier, optional) (ip address) by..

Which isn't entirely standard, but it's what qmail does, so SA understands
it. Normally IPs are also in []'s, but qmail doesn't do that..

In your header, both the IP and the reverse DNS clause contain
169.200.184.174, so that's read as there's no RDNS at all.

Compare with this normal qmail generated header:

Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 Jan 2008 06:58:33 -0800


Or one that's more typical of sendmail/postfix looks like:

Received: from w10.plaxo.com (w10.plaxo.com [10.1.1.19])
 by mx06.plaxo.com (Postfix) with QMQP id 742362806D


In that format it's

from rdns name (helo name[ip address])

SA should understand either one.







RE: Whitelist_from_rcvd not working

2008-01-05 Thread Dan Barker
I had some old, 3.1.7 files saved for a VBounce question last summer. They
show:

Header:
Received: from vsmtp107.tin.it [212.216.176.208] by mail.visioncomm.net with
ESMTP
  (SMTPD32-8.15) id A08C12EF0080; Wed, 15 Aug 2007 15:14:20 -0400
...

Debug lines:
...
[2456] dbg: generic: SpamAssassin version 3.1.7
...
[2456] dbg: received-header: parsed as [ ip=212.216.176.208
rdns=vsmtp106.tin.it helo=vsmtp107.tin.it by=mail.visioncomm.net ident=
envfrom= intl=0 id=A08C12EF0080 auth= ]
...

My new, 3.2.3 files show:

Header:
Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by
mail.visioncomm.net with ESMTP
  (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500

Debug lines:
...
[9060] dbg: generic: SpamAssassin version 3.2.3   
...
[9060] dbg: received-header: parsed as [ ip=169.200.184.174 rdns=
helo=sls-sn-smtp-pmail3.wachovia.com by=mail.visioncomm.net ident= envfrom=
intl=0 id=A1253F3B0064 auth= msa=0 ]
...

So. I'm not losing my mind <g>. SA's parser is different. rDNS used to work
from this format of received header in 3.1.7 and does not work in 3.2.3.
Now, is this a bug or am I screwed?

Dan



Re: Whitelist_from_rcvd not working

2008-01-05 Thread Loren Wilton

I had some old, 3.1.7 files saved for a VBounce question last summer. They
show:

Header:
Received: from vsmtp107.tin.it [212.216.176.208] by mail.visioncomm.net with
ESMTP
 (SMTPD32-8.15) id A08C12EF0080; Wed, 15 Aug 2007 15:14:20 -0400

Debug lines:
...
[2456] dbg: received-header: parsed as [ ip=212.216.176.208
rdns=vsmtp106.tin.it helo=vsmtp107.tin.it by=mail.visioncomm.net ident=
envfrom= intl=0 id=A08C12EF0080 auth= ]



So. I'm not losing my mind <g>. SA's parser is different. rDNS used to work
from this format of received header in 3.1.7 and does not work in 3.2.3.
Now, is this a bug or am I screwed?


I think the first thing would be a search of bugzilla.  There have been a 
number of changes to received header parsing over the last 6 months or so. 
Many of those have been to catch formats that were not correctly parsed 
before.  I think one or more of them may have been to correct header 
MISparsing.


My question would be whether that vsmtp107.tin.it really is the RDNS or 
whether it is something else.  If it isn't the RDNS then it was previously 
being misparsed, and things are fixed now.  If it really is the RDNS... I 
don't personally know enough about headers to say one way or the other.  I 
do think I recall a number of comments about qmail making rather nonstandard 
headers by default, and I think there are some patches to make them more 
regular.  I don't know if that would affect matters here or not.


Bug 5460 looks like it might be related.

   Loren




RE: Whitelist_from_rcvd not working

2008-01-05 Thread Dan Barker
Eureka! Problem solved/hacked/understood/whatever.

a) My MTA is crap, and puts the HELO name and IP in the received header, but
no rDNS.
 a1) This P.O.S. MTA has an option to "Check rDNS". It will check for you,
and then return SUCCESS or FAILURE on the existence of a PTR or A record
(does not look at the CONTENTS of the record!#?! ), but does not report the
findings in the header at all. What were they thinking? 

b) SpamAssassin at 3.1.7 parsed these headers incorrectly making
whitelist_from_rcvd operate on helo names. Operate very effectively, I might
add.

c) For now, I've hacked Received.pm (17 lines before the final call to
make_relay_as_string; line 1226 here) with:

  # Hack for stupid MTA that DOESN'T put lookup in header
  if ($rdns eq '') {
$rdns = $helo;
  }

d) Most of you guys are going to say Get a decent MTA. Some of you might
say, there may be lots of folks whose whitelist_from_rcvd quit with 3.2.3.
My question for the latter group is: Should I submit an enhancement request
to have a whitelist_from_helo added to SpamAssassin? It's far stupider than
whitelist_from_rcvd, but far more useful (based on my previous results) than
whitelist_from (until the spammers read this note, that is <g>). A mass
change of whitelist_from_rcvd to whitelist_from_helo is far easier than
rolling out a new MTA for all my clients (although I should do that anyhow,
huh?).

e) Can we get SpamAssassin to optionally do the rDNS lookup? The IP is
there. The comment in the source, "we know the MTA always does lookups", is
obviously incorrect.

f) Note to the botnet folks - botnet uses the helo name too! And it's not
using what SA parsed. I guess it's reparsing the header itself
wrong/different/enhanced.

Dan

My Headers

Received: from helo.domain.tld [0.1.2.3] by mail.visioncomm.net ...

Correct headers

Received: from helo.domain.tld (rdns.domain.tld [0.1.2.3]) by
mail.visioncomm.net ...
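
The header styles Matt Kettler walks through earlier in the thread (qmail "from rdns (HELO helo) (ip)", sendmail/Postfix "from helo (rdns [ip])"), plus Dan's IMail "from helo [ip]" form, the CommuniGate Pro "verified" form and the Received.pm rdns-from-helo hack above, as an added Python example. This is not SpamAssassin's code and not anything posted in the thread: it re-implements, in simplified form, how the relay fields are pulled out of one Received: header and how a whitelist_from_rcvd line is then matched. The sample headers are the thread's own; the sender address alerts@wachovia.com and the label-boundary suffix match are assumptions.

```python
"""Added example (not SpamAssassin's code): parse the Received: header styles
discussed in this thread and check which of them leave whitelist_from_rcvd
with an rDNS name to match. The matching rule is a simplification of SA's."""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

HOST = r"[A-Za-z0-9][A-Za-z0-9.-]*"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One regex per header style, tried in order. Styles with no rdns group carry
# no reverse-DNS name at all, so rdns stays empty for them.
FORMATS = [
    # sendmail/Postfix: from <helo> (<rdns> [<ip>]) by <by>
    ("postfix", re.compile(
        rf"^from (?P<helo>{HOST}) \((?P<rdns>{HOST}) \[(?P<ip>{IP})\]\) by (?P<by>{HOST})")),
    # qmail/qpsmtpd: from <rdns> (HELO <helo>) (<ip>) by <by>
    ("qmail", re.compile(
        rf"^from (?P<rdns>{HOST}) \((?:HELO|EHLO) (?P<helo>{HOST})\) "
        rf"\((?P<ip>{IP})\) by (?P<by>{HOST})")),
    # IMail/SMTPD32 (Dan's MTA): from <helo> [<ip>] by <by>
    ("imail", re.compile(
        rf"^from (?P<helo>{HOST}) \[(?P<ip>{IP})\] by (?P<by>{HOST})")),
    # CommuniGate Pro with HELO verified: from <helo> ([<ip>] verified) by <by>
    ("communigate", re.compile(
        rf"^from (?P<helo>{HOST}) \(\[(?P<ip>{IP})\] verified\) by (?P<by>{HOST})")),
]


@dataclass
class Relay:
    style: str
    ip: str
    rdns: str   # "" when the header gives the filter no reverse-DNS name
    helo: str
    by: str


def parse_received(header: str) -> Optional[Relay]:
    """Return the relay fields of one Received: header, or None if unrecognised."""
    text = re.sub(r"\s+", " ", header).strip()
    text = re.sub(r"^Received:\s*", "", text, flags=re.I)
    for style, pattern in FORMATS:
        m = pattern.match(text)
        if not m:
            continue
        rdns = m.group("rdns") if "rdns" in m.groupdict() else ""
        # An rDNS clause that just repeats the IP means the MTA did no lookup.
        if rdns == m.group("ip"):
            rdns = ""
        return Relay(style, m.group("ip"), rdns, m.group("helo"), m.group("by"))
    return None


def whitelist_from_rcvd(sender: str, relay: Relay, addr_glob: str,
                        rdns_domain: str, helo_fallback: bool = False) -> bool:
    """Emulate one 'whitelist_from_rcvd <addr_glob> <rdns_domain>' line.

    The address is a glob. The domain must equal the relay's rDNS name or be a
    parent of it on a label boundary ('pache.org' never matches 'apache.org').
    helo_fallback reproduces the Received.pm hack from the thread (use HELO
    when rdns is empty). HELO is a string the connecting client chooses, so
    with the fallback on any host can claim a whitelisted name.
    """
    if not fnmatch(sender.lower(), addr_glob.lower()):
        return False
    name = relay.rdns or (relay.helo if helo_fallback else "")
    if not name:
        return False
    name, dom = name.lower(), rdns_domain.lower().lstrip(".")
    return name == dom or name.endswith("." + dom)


# Constructed single-line versions of the headers quoted in the thread.
SAMPLES = {
    "postfix": "Received: from w10.plaxo.com (w10.plaxo.com [10.1.1.19]) "
               "by mx06.plaxo.com (Postfix) with QMQP id 742362806D",
    "qmail": "Received: from athena.apache.org (HELO athena.apache.org) "
             "(140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP",
    "imail": "Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] "
             "by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064",
    "hacked": "Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com) "
              "(169.200.184.174) by mail.visioncomm.net with ESMTP (SMTPD32-8.15)",
    "communigate": "Received: from mncs.tomsk.ru ([212.73.124.135] verified) "
                   "by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13) with ESMTP id 9786656",
}


def summarize(sender: str, addr_glob: str, rdns_domain: str) -> dict:
    """Per sample: (style, rdns, rule matches, rule matches with the HELO hack)."""
    out = {}
    for name, header in SAMPLES.items():
        relay = parse_received(header)
        out[name] = (relay.style, relay.rdns,
                     whitelist_from_rcvd(sender, relay, addr_glob, rdns_domain),
                     whitelist_from_rcvd(sender, relay, addr_glob, rdns_domain, True))
    return out


if __name__ == "__main__":
    # alerts@wachovia.com is a constructed sender; the rule mirrors Dan's
    # 'whitelist_from_rcvd *wachovia.com wachovia.com' line.
    for name, row in summarize("alerts@wachovia.com", "*wachovia.com", "wachovia.com").items():
        print(f"{name:12} style={row[0]:12} rdns={row[1] or '<empty>':32} "
              f"rule={row[2]!s:5} with_helo_hack={row[3]}")
```

Only the Postfix and qmail styles yield a non-empty rdns; the IMail, CommuniGate "verified" and hand-hacked headers all parse with rdns empty, so the rule only fires for them once the HELO fallback is switched on.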



Re: Whitelist_from_rcvd not working

2008-01-05 Thread jdow

From: Loren Wilton [EMAIL PROTECTED]
Sent: Saturday, 2008, January 05 10:37


I had some old, 3.1.7 files saved for a VBounce question last summer. They
show:

Header:
Received: from vsmtp107.tin.it [212.216.176.208] by mail.visioncomm.net with
ESMTP
 (SMTPD32-8.15) id A08C12EF0080; Wed, 15 Aug 2007 15:14:20 -0400

Debug lines:
...
[2456] dbg: received-header: parsed as [ ip=212.216.176.208
rdns=vsmtp106.tin.it helo=vsmtp107.tin.it by=mail.visioncomm.net ident=
envfrom= intl=0 id=A08C12EF0080 auth= ]


So. I'm not losing my mind <g>. SA's parser is different. rDNS used to work
from this format of received header in 3.1.7 and does not work in 3.2.3.
Now, is this a bug or am I screwed?


I think the first thing would be a search of bugzilla.  There have been a 
number of changes to received header parsing over the last 6 months or so. 
Many of those have been to catch formats that were not correctly parsed 
before.  I think one or more of them may have been to correct header 
MISparsing.


My question would be whether that vsmtp107.tin.it really is the RDNS or 
whether it is something else.  If it isn't the RDNS then it was previously 
being misparsed, and things are fixed now.  If it really is the RDNS... I 
don't personally know enough about headers to say one way or the other.  I 
do think I recall a number of comments about qmail making rather 
nonstandard headers by default, and I think there are some patches to make 
them more regular.  I don't know if that would affect matters here or not.


Bug 5460 looks like it might be related.



[jdow@ ~]$ host vsmtp107.tin.it
vsmtp107.tin.it has address 212.216.176.210
[jdow@ ~]$ host 212.216.176.210
210.176.216.212.in-addr.arpa domain name pointer vsmtp107.tin.it.

It would appear that the DNS/rDNS is correct.

(I've noticed whitelist_from_rcvd is pointless with AOL, though.)

{^_^} 



Re: Whitelist_from_rcvd not working

2008-01-05 Thread Loren Wilton

d) Most of you guys are going to say Get a decent MTA. Some of you might


Didn't you say you were using qmail?  Or am I 
misremembering/misinterpreting?  If you are using qmail for MTA, I'm 
reasonably sure I recall discussion of patches to qmail to make it Do The 
Right Thing that are available on some web site.  The discussion I seem to 
recall is that it does the Wrong Thing by default, but someone had a 
functional and (I think) simple fix.


   Loren




RE: Whitelist_from_rcvd not working

2008-01-04 Thread Dan Barker
Dan McDonald points out that gadental.org has a mismatched rDNS and posits
that is the reason whitelist_from_rcvd fails. 
So, here is a different email with the same symptom, but with matched rDNS.



[EMAIL PROTECTED]:~$ dig -x 169.200.184.174
174.184.200.169.in-addr.arpa. 3600 IN   PTR
sls-sn-smtp-pmail3.wachovia.com.

[EMAIL PROTECTED]:~$ dig sls-sn-smtp-pmail3.wachovia.com
sls-sn-smtp-pmail3.wachovia.com. 3597 IN A  169.200.184.174



User_Prefs not needed, 
whitelist_from_rcvd * wachovia.com 
is in local.cf (full listing at
http://www.visioncomm.net/temp/080104Local.txt): 



Headers (full mail http://www.visioncomm.net/temp/080104Email2.txt):

X-Envelope-From:[EMAIL PROTECTED]
Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by
mail.visioncomm.net with ESMTP
  (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500
Received: from p9mpw011 (p9mpw011.csm.fub.com [172.21.194.240])
by sls-sn-smtp-pmail3.wachovia.com (8.11.7p3+Sun/8.9.0) with ESMTP
id m028ruM17943
for [EMAIL PROTECTED]; Wed, 2 Jan 2008 03:53:56 -0500 (EST)
Message-ID: [EMAIL PROTECTED]
Date: Wed, 2 Jan 2008 03:53:56 -0500 (EST)
From: Wachovia Alerts [EMAIL PROTECTED]
...


Debug (full listing http://www.visioncomm.net/temp/080104Debug2.txt):



Report:

X-Spam-Status: No, score=-5.1 required=5.0 tests=BAYES_00=-2.599,
HTML_MESSAGE=0.001,MIME_HTML_ONLY=1.457,RCVD_IN_DNSWL_MED=-4
autolearn=unavailable version=3.2.3 

Tia [again]

Dan 

-Original Message-
From: McDonald, Dan [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 9:22 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working


On Fri, 2008-01-04 at 09:12 -0500, Dan Barker wrote:
 My whitelist_from_rcvd tags don't hit. I believe this has been 
 happening since my upgrade from 3.1.7 to 3.2.3.
 
 I don't see anything interesting in -D, but I can get it to show an 
 error if I mis-spell it whitelist_fxxxrom_rcvd, so I know (besides the 
 debug lines saying so) it's parsing my User_Prefs.
 
 Maybe my MTA is formatting the received lines in an un-understandable 
 way? I don't know where to look besides:
 
 User_Prefs:
 
 whitelist_from_rcvd [EMAIL PROTECTED] gadental.org

Whitelist_from_rcvd only works when the forward and reverse addresses match.
That's to keep spammers from publishing whatever reverse address they want
(because they are authoritative for the reverse zone) and sneaking right
through your whitelist...

If gadental is unwilling to fix their reverse zone, you might ask them to
publish an SPF record and then use whitelist_from_spf instead

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy
http://www.austinenergy.com




Re: Whitelist_from_rcvd not working

2008-01-04 Thread McDonald, Dan

On Fri, 2008-01-04 at 09:12 -0500, Dan Barker wrote:
 My whitelist_from_rcvd tags don't hit. I believe this has been happening
 since my upgrade from 3.1.7 to 3.2.3.
 
 I don't see anything interesting in -D, but I can get it to show an error
 if I mis-spell it whitelist_fxxxrom_rcvd, so I know (besides the debug lines
 saying so) it's parsing my User_Prefs.
 
 Maybe my MTA is formatting the received lines in an un-understandable way? I
 don't know where to look besides:
 
 User_Prefs:
 
 whitelist_from_rcvd [EMAIL PROTECTED] gadental.org 

Whitelist_from_rcvd only works when the forward and reverse addresses
match.  That's to keep spammers from publishing whatever reverse address
they want (because they are authoritative for the reverse zone) and
sneaking right through your whitelist...

If gadental is unwilling to fix their reverse zone, you might ask them
to publish an SPF record and then use whitelist_from_spf instead

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
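
The forward/reverse match Dan McDonald describes, as an added example that is not part of the thread or of SpamAssassin's own code. It models the two checks involved: the forward-confirmed reverse DNS (FCrDNS) lookup a receiving MTA performs before it records a client name in the Received header, and the whitelist_from_rcvd match SpamAssassin then applies to the recorded name. SpamAssassin takes the rDNS value from the Received header the MTA wrote rather than resolving it itself, so an MTA that records no verified name (Postfix writes "unknown") leaves nothing for the domain to match; the "received-header: parsed as [... rdns=...]" line in spamassassin -D output shows what was actually extracted. The resolver tables, the 198.51.100.7 relay with an attacker-controlled reverse zone, and the sender addresses are constructed; only the wachovia.com forward/reverse pair comes from the dig output in the thread, and the domain-matching rule (full host, parent domain, or glob) is this example's approximation of SpamAssassin's.

```python
"""Added example (not from the thread or from SpamAssassin): the two checks
behind a whitelist_from_rcvd hit.

Stage 1 is the forward-confirmed reverse DNS (FCrDNS) lookup a receiving MTA
does before it records a client name: PTR for the connecting IP, then A for
that name, and the name is kept only if the A record points back at the IP.
Stage 2 is the match SpamAssassin applies to the name the MTA recorded.
"""
import fnmatch

# Constructed resolver tables so the example runs offline.  Only the
# wachovia.com pair is copied from the dig output posted in the thread.
PTR = {
    "169.200.184.174": "sls-sn-smtp-pmail3.wachovia.com",  # thread: dig -x
    "67.104.179.147": "gadental.org",                      # PTR exists ...
    "198.51.100.7": "sls-sn-smtp-pmail3.wachovia.com",     # assumed: spammer's own reverse zone
}
A = {
    "sls-sn-smtp-pmail3.wachovia.com": {"169.200.184.174"},  # thread: dig
    "gadental.org": {"67.104.179.200"},                      # ... but does not point back (assumed)
}


def fcrdns(ip):
    """Return the PTR name for ip only if that name resolves back to ip."""
    name = PTR.get(ip)
    if name and ip in A.get(name, set()):
        return name
    return None


def mta_record(ip, helo):
    """What a Postfix/sendmail-style MTA records for the connecting client:
    the HELO as given, and the rDNS name only when FCrDNS succeeds (an empty
    rdns here corresponds to 'unknown' in a Postfix Received header)."""
    return {"ip": ip, "helo": helo.lower(), "rdns": (fcrdns(ip) or "").lower()}


def domain_matches(rdns, domain):
    """Accept the full hostname, a parent domain on a label boundary, or a
    glob such as mail*.magnetmail.net.  An empty rdns never matches."""
    rdns, domain = rdns.lower(), domain.lower()
    if not rdns:
        return False
    if "*" in domain or "?" in domain:
        return fnmatch.fnmatchcase(rdns, domain)
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from_rcvd(entries, from_addr, relay):
    """entries: [(address_glob, domain)], one tuple per whitelist_from_rcvd line;
    relay: the record for the relay that handed the message over."""
    return any(fnmatch.fnmatchcase(from_addr.lower(), glob.lower())
               and domain_matches(relay["rdns"], domain)
               for glob, domain in entries)


# Constructed sender addresses; the thread redacts the real ones.
WHITELIST = [("*@wachovia.com", "wachovia.com"),
             ("*@gadental.org", "gadental.org")]
CASES = [
    ("169.200.184.174", "sls-sn-smtp-pmail3.wachovia.com", "alerts@wachovia.com"),  # FCrDNS ok
    ("67.104.179.147", "gadental.org", "someone@gadental.org"),                     # rDNS mismatch
    ("198.51.100.7", "sls-sn-smtp-pmail3.wachovia.com", "alerts@wachovia.com"),     # forged PTR
]

if __name__ == "__main__":
    for ip, helo, sender in CASES:
        r = mta_record(ip, helo)
        clause = f"from {r['helo']} ({r['rdns'] or 'unknown'} [{r['ip']}])"
        print(f"{clause:70} whitelisted={whitelist_from_rcvd(WHITELIST, sender, r)}")
```

The gadental.org case fails at stage 1, so the MTA never records the name and there is nothing for the second argument of whitelist_from_rcvd to match; the forged-PTR case shows why the forward confirmation matters, since anyone who controls a reverse zone can publish a bank's hostname in it.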





Whitelist_from_rcvd not working

2008-01-04 Thread Dan Barker
My whitelist_from_rcvd tags don't hit. I believe this has been happening
since my upgrade from 3.1.7 to 3.2.3.

I don't see anything interesting in -D, but I can get it to show an error
if I mis-spell it whitelist_fxxxrom_rcvd, so I know (besides the debug lines
saying so) it's parsing my User_Prefs.

Maybe my MTA is formatting the received lines in an un-understandable way? I
don't know where to look besides:

User_Prefs:

whitelist_from_rcvd [EMAIL PROTECTED] gadental.org 




Headers (full mail http://www.visioncomm.net/temp/080104Email.txt):

X-Envelope-From: [EMAIL PROTECTED]
Received: from gadental.org [67.104.179.147] by mail.visioncomm.net with
ESMTP
  (SMTPD32-8.15) id A16054AA0026; Thu, 03 Jan 2008 15:11:12 -0500
...
From: Lisa Chandler [EMAIL PROTECTED]
...


Debug (full listing http://www.visioncomm.net/temp/080104Debug.txt):

[9164] dbg: config: using C:\Documents and
Settings\dbarker/.spamassassin/user_prefs for user prefs file
[9164] dbg: config: read file C:\Documents and
Settings\dbarker/.spamassassin/user_prefs



Report:

Content analysis details:   (8.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=67.104.179.147,rdns=gadental.org,maildomain=gadental.org,baddns]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9749]



Just in case there is something [else] I've done silly, my local.cf is at
http://www.visioncomm.net/temp/080104Local.txt):

tia

Dan



RE: Whitelist_from_rcvd not working

2008-01-04 Thread Dan Barker
whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
gives the same result (ie, nothing in debug nor report).

Dan


-Original Message-
From: McDonald, Dan [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 10:28 AM
To: users@spamassassin.apache.org
Subject: RE: Whitelist_from_rcvd not working


On Fri, 2008-01-04 at 09:50 -0500, Dan Barker wrote:
 Dan McDonald points out that gadental.org has a mismatched rDNS and 
 posits that is the reason whitelist_from_rcvd fails.
 So, here is a different email with the same symptom, but with matched
rDNS.
 
 [EMAIL PROTECTED]:~$ dig -x 169.200.184.174
 174.184.200.169.in-addr.arpa. 3600 IN   PTR
 sls-sn-smtp-pmail3.wachovia.com.
 
 [EMAIL PROTECTED]:~$ dig sls-sn-smtp-pmail3.wachovia.com
 sls-sn-smtp-pmail3.wachovia.com. 3597 IN A  169.200.184.174
 
 
 
 User_Prefs not needed,
 whitelist_from_rcvd * wachovia.com

That's not the correct syntax.  You want whitelist_from_rcvd [EMAIL PROTECTED]
sls-sn-smtp-pmail3.wachovia.com

But wachovia does publish an SPF record, so a better solution would be:

score USER_IN_SPF_WHITELIST -10.000
whitelist_from_spf [EMAIL PROTECTED]


--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy
http://www.austinenergy.com




RE: Whitelist_from_rcvd not working

2008-01-04 Thread McDonald, Dan

On Fri, 2008-01-04 at 09:50 -0500, Dan Barker wrote:
 Dan McDonald points out that gadental.org has a mismatched rDNS and posits
 that is the reason whitelist_from_rcvd fails. 
 So, here is a different email with the same symptom, but with matched rDNS.
 
 [EMAIL PROTECTED]:~$ dig -x 169.200.184.174
 174.184.200.169.in-addr.arpa. 3600 IN   PTR
 sls-sn-smtp-pmail3.wachovia.com.
 
 [EMAIL PROTECTED]:~$ dig sls-sn-smtp-pmail3.wachovia.com
 sls-sn-smtp-pmail3.wachovia.com. 3597 IN A  169.200.184.174
 
 
 
 User_Prefs not needed, 
 whitelist_from_rcvd * wachovia.com 

That's not the correct syntax.  You want
whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com

But wachovia does publish an SPF record, so a better solution would be:

score USER_IN_SPF_WHITELIST -10.000
whitelist_from_spf [EMAIL PROTECTED]


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Whitelist_from_rcvd not working

2008-01-04 Thread Bob Proulx
Dan Barker wrote:
 whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
 gives the same result (ie, nothing in debug nor report).

I think that should work.  Try 'spamassassin --lint' to make sure that
there isn't a syntax error in the file somewhere that is preventing
the configuration from being read.

Try this:

  whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com

In any case running the message through 'spamassassin -tD' should
produce something interesting in the debug output.

My guess is that the configuration is not being read by SA.  Either
the entire file is not being read or there is a syntax error that is
preventing it from being used.

Bob


RE: Whitelist_from_rcvd not working

2008-01-04 Thread Dan Barker
Still no joy.

Prefs:

whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com
whitelist_from_rcvd *wachovia.com wachovia.com
   


Debug http://www.visioncomm.net/temp/080104Debug3.txt.



Report:

[8840] dbg: check: is spam? score=-5.141 required=5
[8840] dbg: check:
tests=BAYES_00,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_MED


Weirder and weirder.


Dan
 

-Original Message-
From: Bob Proulx [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 1:45 PM
To: Dan Barker
Cc: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working

Dan Barker wrote:
 whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com 
 gives the same result (ie, nothing in debug nor report).

I think that should work.  Try 'spamassassin --lint' to make sure that there
isn't a syntax error in the file somewhere that is preventing the
configuration from being read.

Try this:

  whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com

In any case running the message through 'spamassassin -tD' should produce
something interesting in the debug output.

My guess is that the configuration is not being read by SA.  Either the
entire file is not being read or there is a syntax error that is preventing
it from being used.

Bob



Re: Whitelist_from_rcvd not working

2008-01-04 Thread Bob Proulx
Dan Barker wrote:
 Debug http://www.visioncomm.net/temp/080104Debug3.txt.

What is the name of the file that you have your configuration in?  Do
you see it in the debug output?  Is this it?

  [8840] dbg: config: using C:\Documents and 
Settings\dbarker/.spamassassin/user_prefs for user prefs file

You have this line:

  [8840] dbg: eval: all '*From' addrs: [EMAIL PROTECTED]

On a message that I construct with whitelist_from_rcvd I have this:

  [13168] dbg: eval: all '*From' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED]
  [13168] dbg: rules: address [EMAIL PROTECTED] matches 
(def_)whitelist_from_rcvd [EMAIL PROTECTED] example.com

At this point I would be inclined to force a syntax error right next
to that line so that the error would certainly be seen if it were
being read and processed.  If you see the error then you know that
file is being parsed and used.  If not then you would know that your
edits were simply not having any effect.

 whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
 whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com
 whitelist_from_rcvd *wachovia.com wachovia.com

Wildcards should work there.  But perhaps try an explicit address for
debug testing.

  whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com

Bob


Re: Whitelist_from_rcvd not working

2008-01-04 Thread James Wilkinson
Dan Barker wrote:
 My whitelist_from_rcvd tags don't hit. I believe this has been happening
 since my upgrade from 3.1.7 to 3.2.3.

snip

 Just in case there is something [else] I've done silly, my local.cf is at
 http://www.visioncomm.net/temp/080104Local.txt):

Here's what may be a thoroughly stupid question -- what does your local
network look like?

$ host mail.visioncomm.net
mail.visioncomm.net has address 74.254.46.133

Is that server behind a NAT router, or does it actually have that IP
address configured? If so, what happens if you add 74.254.46.133 to
local_networks and trusted_networks?

Hope this helps,

James.

-- 
E-mail: james@ | Right lads, we've got 45 minutes to score 37 goals.
aprilcottage.co.uk | No problem with that -- the other team just did.


RE: Whitelist_from_rcvd not working

2008-01-04 Thread Dan Barker
It's NATted. I'll add the public versions and see. (Assuming you mean
internal_networks - If you mean local_networks I'll have to do some
research).

Change made:

trusted_networks 74.254.46.133/32 74.254.46.165/32 172.24.0.0/13
207.101.65.90/32
internal_networks 74.254.46.133/32 74.254.46.165/32 172.24.0.0/13

--lint OK.

No help:

[9420] dbg: check: is spam? score=-5.141 required=5
[9420] dbg: check:
tests=BAYES_00,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_MED

Dan 

-Original Message-
From: James Wilkinson [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 5:13 PM
To: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working

Dan Barker wrote:
 My whitelist_from_rcvd tags don't hit. I believe this has been 
 happening since my upgrade from 3.1.7 to 3.2.3.

snip

 Just in case there is something [else] I've done silly, my local.cf is 
 at
 http://www.visioncomm.net/temp/080104Local.txt):

Here's what may be a thoroughly stupid question -- what does your local
network look like?

$ host mail.visioncomm.net
mail.visioncomm.net has address 74.254.46.133

Is that server behind a NAT router, or does it actually have that IP address
configured? If so, what happens if you add 74.254.46.133 to local_networks
and trusted_networks?

Hope this helps,

James.

-- 
E-mail: james@ | Right lads, we've got 45 minutes to score 37 goals.
aprilcottage.co.uk | No problem with that -- the other team just did.
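
The trusted_networks question James raises, as an added example that is not part of the thread or of SpamAssassin's own code. SpamAssassin walks the Received headers from the top of the message (newest hop first); a relay is trusted while its IP falls inside trusted_networks, and the first relay that does not is the host that handed the message over from the Internet, the one whose recorded rDNS a whitelist_from_rcvd domain must match. A scanner that sits behind the MX on a NAT range therefore needs that range in trusted_networks, or the boundary lands on the internal hop. The 172.24.0.10 hop and its header are constructed; the other two headers are the ones Dan posted, unfolded, and the trusted_networks list is the one he added. Real SpamAssassin guesses a boundary when trusted_networks is not set (and warns about it under -D); the example treats an empty list as trusting nothing. Treating the "from NAME [IP]" form as carrying no rDNS is this example's choice, not a statement about SpamAssassin's own per-MTA parser; the rdns= field in its -D output is the authority on what it extracted.

```python
"""Added example (not from the thread or from SpamAssassin): how
trusted_networks decides which relay's rDNS a whitelist_from_rcvd domain
is compared with.
"""
import ipaddress
import re

# "from HELO (RDNS [IP])" as written by sendmail and Postfix, or "from NAME [IP]"
# as written by the IMail/SMTPD32 server in the thread.  For the second form
# this example records no rDNS: the header does not show whether NAME came
# from a lookup or from the client's HELO (SpamAssassin has its own rules).
RELAY_RE = re.compile(
    r"^from\s+(?P<name>\S+)\s+"
    r"(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[\d.]+)\]\)|\[(?P<ip2>[\d.]+)\])"
)


def parse_relay(header):
    """ip, rdns and helo from one unfolded Received header body."""
    m = RELAY_RE.search(header.strip())
    if not m:
        return None  # unparseable relay; SA flags these as UNPARSEABLE_RELAY
    rdns = (m.group("rdns") or "").lower()
    return {"ip": m.group("ip") or m.group("ip2"),
            "rdns": "" if rdns == "unknown" else rdns,
            "helo": m.group("name").lower()}


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def trust_path(received_headers, trusted_networks):
    """Split relays into trusted and untrusted lists, newest hop first.  Once
    one relay is untrusted every older one is too, whatever its IP."""
    trusted, untrusted = [], []
    for header in received_headers:
        relay = parse_relay(header)
        if relay is None:
            continue
        if not untrusted and in_networks(relay["ip"], trusted_networks):
            trusted.append(relay)
        else:
            untrusted.append(relay)
    return trusted, untrusted


def handover_relay(received_headers, trusted_networks):
    """The first untrusted relay: the host whose recorded rDNS has to end in
    the whitelist_from_rcvd domain for the entry to fire."""
    _, untrusted = trust_path(received_headers, trusted_networks)
    return untrusted[0] if untrusted else None


# Headers in message order (newest first).  The first is constructed: the
# scanning host receives from the NAT'd MX over the internal range.
HEADERS = [
    "from mail.visioncomm.net (mail.visioncomm.net [172.24.0.10]) "
    "by scanner.visioncomm.net with ESMTP id 1",
    "from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by mail.visioncomm.net "
    "with ESMTP (SMTPD32-8.15) id A1253F3B0064",
    "from p9mpw011 (p9mpw011.csm.fub.com [172.21.194.240]) "
    "by sls-sn-smtp-pmail3.wachovia.com (8.11.7p3+Sun/8.9.0) with ESMTP id m028ruM17943",
]
# trusted_networks as posted in the thread.
TRUSTED = ["74.254.46.133/32", "74.254.46.165/32", "172.24.0.0/13", "207.101.65.90/32"]

if __name__ == "__main__":
    for label, nets in (("trusted_networks set", TRUSTED), ("trusted_networks empty", [])):
        relay = handover_relay(HEADERS, nets)
        print(f"{label}: handover ip={relay['ip']} rdns={relay['rdns']!r}")
```

With the posted list the boundary falls on the wachovia relay; with nothing trusted it falls on the internal MX hop, whose rDNS is mail.visioncomm.net, so no wachovia.com entry could ever match.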



RE: Whitelist_from_rcvd not working

2008-01-04 Thread Dan Barker
If someone could run a -D on this email/User_prefs and send me the debug
log, I'll see where in your log whitelist_from_rcvd does something and look
at mine in the same area. It may not help but it would certainly give me a
hint (I hope).

Is there a deeper (more complete messages) version of -D to make it tell me
what SA is checking and not?

Dan

Email: http://www.visioncomm.net/temp/080104Email2.txt)

Prefs:
whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com
whitelist_from_rcvd *wachovia.com wachovia.com   



-Original Message-
From: Dan Barker [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 5:48 PM
To: users@spamassassin.apache.org
Subject: RE: Whitelist_from_rcvd not working

It's NATted. I'll add the public versions and see. (Assuming you mean
internal_networks - If you mean local_networks I'll have to do some
research).

Change made:

trusted_networks 74.254.46.133/32 74.254.46.165/32 172.24.0.0/13
207.101.65.90/32
internal_networks 74.254.46.133/32 74.254.46.165/32 172.24.0.0/13

--lint OK.

No help:

[9420] dbg: check: is spam? score=-5.141 required=5
[9420] dbg: check:
tests=BAYES_00,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_MED

Dan 

-Original Message-
From: James Wilkinson [mailto:[EMAIL PROTECTED]
Sent: Friday, January 04, 2008 5:13 PM
To: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working

Dan Barker wrote:
 My whitelist_from_rcvd tags don't hit. I believe this has been 
 happening since my upgrade from 3.1.7 to 3.2.3.

snip

 Just in case there is something [else] I've done silly, my local.cf is 
 at
 http://www.visioncomm.net/temp/080104Local.txt):

Here's what may be a thoroughly stupid question -- what does your local
network look like?

$ host mail.visioncomm.net
mail.visioncomm.net has address 74.254.46.133

Is that server behind a NAT router, or does it actually have that IP address
configured? If so, what happens if you add 74.254.46.133 to local_networks
and trusted_networks?

Hope this helps,

James.

-- 
E-mail: james@ | Right lads, we've got 45 minutes to score 37 goals.
aprilcottage.co.uk | No problem with that -- the other team just did.




Re: Whitelist_from_rcvd not working

2008-01-04 Thread Loren Wilton

[9420] dbg: check: is spam? score=-5.141 required=5
[9420] dbg: check:
tests=BAYES_00,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_MED


How the heck did you get 5+ points with those tests hitting???

Content analysis details:   (-0.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium trust
                            [169.200.184.174 listed in list.dnswl.org]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5095]
 0.9 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 NOT_TO_ME              Mail is not addressed to me
 0.6 HELO_MISMATCH_COM      HELO_MISMATCH_COM

This is what I get running your message with your three whitelist lines in 
my user_prefs file.  Essentially the same as yours, but I don't get 
bayes_00, and if I take the 2.6 points off from local rules I would get 
close to a -3 score, not 5.1!


   Loren




Re: whitelist_from and whitelist_from_rcvd not working

2006-12-08 Thread Mark Adams
Hi Thanks for your mail,


On Mon, Dec 04, 2006 at 02:58:56PM -0500, Robert Swan wrote:
 
 I had a similar problem with SA not reading a specific .cf file. I
 basically created a new greylist.cf file and copied the test over and it
 worked, and of course make sure it is in the right folder... Might be
 worth a try
 

I have done this, but the issue is still occurring. Has anyone else seen
this or have any suggestions?

 
 
 Robert
  
  


Regards,
Mark

  
  
  
 Peace he would say instead of goodbye...peace my brother.
 
 -Original Message-
 From: Mark Adams [mailto:[EMAIL PROTECTED] 
 Sent: Monday, December 04, 2006 12:56 PM
 To: [EMAIL PROTECTED]
 Cc: users@spamassassin.apache.org
 Subject: Re: whitelist_from and whitelist_from_rcvd not working
 
 On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
  Mark Adams wrote:
  Hi All,
  
  Spamassassin 3.1.4-1
  
  Currently have entries like the following in the local.cf file
  
  whitelist_from [EMAIL PROTECTED]
  and
  whitelist_from [EMAIL PROTECTED]
  
  But mail is still picked up as spam for the [EMAIL PROTECTED]
  
  Have also tried the following;
  
  whitelist_from_rcvd [EMAIL PROTECTED] domain.com
  and
  whitelist_from_rcvd [EMAIL PROTECTED] domain.com
  
  But nothing seems to work? has anyone got any advice on this?

  
  do you have
  
 always_trust_envelope_sender 1
  
  ?
 
 
 No I don't have this setting
  


RE: whitelist_from and whitelist_from_rcvd not working

2006-12-04 Thread Robert Swan

I had a similar problem with SA not reading a specific .cf file. I
basically created a new greylist.cf file and copied the test over and it
worked, and of course make sure it is in the right folder... Might be
worth a try



Robert
 
 
 
 
 
 
Peace he would say instead of goodbye...peace my brother.

-Original Message-
From: Mark Adams [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 04, 2006 12:56 PM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: Re: whitelist_from and whitelist_from_rcvd not working

On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
 Mark Adams wrote:
 Hi All,
 
 Spamassassin 3.1.4-1
 
 Currently have entries like the following in the local.cf file
 
 whitelist_from [EMAIL PROTECTED]
 and
 whitelist_from [EMAIL PROTECTED]
 
 But mail is still picked up as spam for the [EMAIL PROTECTED]
 
 Have also tried the following;
 
 whitelist_from_rcvd [EMAIL PROTECTED] domain.com
 and
 whitelist_from_rcvd [EMAIL PROTECTED] domain.com
 
 But nothing seems to work? has anyone got any advice on this?
   
 
 do you have
 
always_trust_envelope_sender 1
 
 ?


No I don't have this setting
 


Re: whitelist_from and whitelist_from_rcvd not working

2006-12-03 Thread mouss

Mark Adams wrote:

Hi All,

Spamassassin 3.1.4-1

Currently have entries like the following in the local.cf file

whitelist_from [EMAIL PROTECTED]
and
whitelist_from [EMAIL PROTECTED]

But mail is still picked up as spam for the [EMAIL PROTECTED]

Have also tried the following;

whitelist_from_rcvd [EMAIL PROTECTED] domain.com
and
whitelist_from_rcvd [EMAIL PROTECTED] domain.com

But nothing seems to work? has anyone got any advice on this?
  


do you have

   always_trust_envelope_sender 1

?




whitelist_from and whitelist_from_rcvd not working

2006-12-01 Thread Mark Adams
Hi All,

Spamassassin 3.1.4-1

Currently have entries like the following in the local.cf file

whitelist_from [EMAIL PROTECTED]
and
whitelist_from [EMAIL PROTECTED]

But mail is still picked up as spam for the [EMAIL PROTECTED]

Have also tried the following;

whitelist_from_rcvd [EMAIL PROTECTED] domain.com
and
whitelist_from_rcvd [EMAIL PROTECTED] domain.com

But nothing seems to work? has anyone got any advice on this?

Any help appreciated.

Regards,
Mark


RE: whitelist_from_rcvd not working

2006-05-12 Thread Jean-Paul Natola
From my understanding the whitelist entry should contain an address then the
domain


whitelist_from_rcvd [EMAIL PROTECTED] cecinfo.org


-Original Message-
From: Robert Fitzpatrick [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 10, 2006 9:13 AM
To: users@spamassassin.apache.org
Subject: whitelist_from_rcvd not working

Can someone point out what I am doing wrong here. I have this in my
local.cf file:

whitelist_from_rcvd [EMAIL PROTECTED] mail*.magnetmail.net

But messages are getting blocked that I believe should match this?

May  5 14:54:19 esmtp postfix/smtpd[994]: 9315B7FA20:
client=mail10.magnetmail.net[209.18.70.10]
May  5 14:54:20 esmtp postfix/cleanup[3083]: 9315B7FA20:
message-id=<[EMAIL PROTECTED]>
May  5 14:54:36 esmtp postfix/qmgr[39594]: 9315B7FA20: from=<>, size=55412,
nrcpt=1 (queue active)
May  5 14:54:47 esmtp amavis[3767]: (03767-02-2) Blocked SPAM, [209.18.70.10]
<> -> <[EMAIL PROTECTED]>, quarantine: spam-u95sUSnhhshW.gz, Message-ID:
<[EMAIL PROTECTED]>, mail_id: u95sUSnhhshW, Hits:
7.069, 11177 ms
May  5 14:54:47 esmtp postfix/smtp[2820]: 9315B7FA20: to=<[EMAIL PROTECTED]>,
relay=127.0.0.1[127.0.0.1], delay=28, status=sent (250 2.5.0 Ok,
id=03767-02-2, BOUNCE)
May  5 14:54:47 esmtp postfix/qmgr[39594]: 9315B7FA20: removed

-- 
Robert



whitelist_from_rcvd not working

2006-05-10 Thread Robert Fitzpatrick
Can someone point out what I am doing wrong here. I have this in my
local.cf file:

whitelist_from_rcvd [EMAIL PROTECTED] mail*.magnetmail.net

But messages are getting blocked that I believe should match this?

May  5 14:54:19 esmtp postfix/smtpd[994]: 9315B7FA20: 
client=mail10.magnetmail.net[209.18.70.10]
May  5 14:54:20 esmtp postfix/cleanup[3083]: 9315B7FA20: message-id=<[EMAIL 
PROTECTED]>
May  5 14:54:36 esmtp postfix/qmgr[39594]: 9315B7FA20: from=<>, size=55412, 
nrcpt=1 (queue active)
May  5 14:54:47 esmtp amavis[3767]: (03767-02-2) Blocked SPAM, [209.18.70.10] 
<> -> <[EMAIL PROTECTED]>, quarantine: spam-u95sUSnhhshW.gz, Message-ID: 
<[EMAIL PROTECTED]>, mail_id: u95sUSnhhshW, Hits: 7.069, 11177 ms
May  5 14:54:47 esmtp postfix/smtp[2820]: 9315B7FA20: to=<[EMAIL PROTECTED]>, 
relay=127.0.0.1[127.0.0.1], delay=28, status=sent (250 2.5.0 Ok, id=03767-02-2, 
BOUNCE)
May  5 14:54:47 esmtp postfix/qmgr[39594]: 9315B7FA20: removed

-- 
Robert



Re: whitelist_from_rcvd not working

2006-05-10 Thread Matt Kettler
Robert Fitzpatrick wrote:
 Can someone point out what I am doing wrong here. I have this in my
 local.cf file:

 whitelist_from_rcvd [EMAIL PROTECTED] mail*.magnetmail.net

 But messages are getting blocked that I believe should match this?
   
What about the below suggests this mail is from [EMAIL PROTECTED]? The below
suggests that the message is from <> (a bounce), but is being delivered
to [EMAIL PROTECTED].

 May  5 14:54:19 esmtp postfix/smtpd[994]: 9315B7FA20: 
 client=mail10.magnetmail.net[209.18.70.10]
 May  5 14:54:20 esmtp postfix/cleanup[3083]: 9315B7FA20: message-id=<[EMAIL 
 PROTECTED]>
 May  5 14:54:36 esmtp postfix/qmgr[39594]: 9315B7FA20: from=<>, size=55412, 
 nrcpt=1 (queue active)
 May  5 14:54:47 esmtp amavis[3767]: (03767-02-2) Blocked SPAM, [209.18.70.10] 
 <> -> <[EMAIL PROTECTED]>, quarantine: spam-u95sUSnhhshW.gz, Message-ID: 
 <[EMAIL PROTECTED]>, mail_id: u95sUSnhhshW, Hits: 7.069, 11177 ms
 May  5 14:54:47 esmtp postfix/smtp[2820]: 9315B7FA20: to=<[EMAIL PROTECTED]>, 
 relay=127.0.0.1[127.0.0.1], delay=28, status=sent (250 2.5.0 Ok, 
 id=03767-02-2, BOUNCE)
 May  5 14:54:47 esmtp postfix/qmgr[39594]: 9315B7FA20: removed

   



Re: whitelist_from_rcvd not working for me

2006-03-13 Thread JamesDR

James Long wrote:

James Long wrote:
In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
use:



...
trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32

^^

	Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you 
sure this is correct?


	I think what is happening here is sa isn't finding a local server, and 
gives up. My guess is that adding/changing that to .49 will help.


The first Received by statement is this (last server)
by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id

When doing a lookup this is what I get (your internal DNS may be diff.):
Name:ns.museum.rain.com
Address:  65.75.198.49

HTH
--
Thanks,
JamesDR


Thanks for your reply.

My understanding is that 65.75.198.48/28 means that all IPs in that subnet
will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
The /32 is another server at a colo site.  I trust that server.

Are you saying that ns.museum.rain.com's own IP should not be listed as a 
trusted
server?  Earlier advice I received from this list suggested that it should be.

Clarification appreciated.

Jim




Yeah, I missed the /28 ... Long weekend, need to reply to emails after 
plenty of sleep :-D


Sorry for the confusion.

--
Thanks,
James


whitelist_from_rcvd not working for me

2006-03-12 Thread James Long
In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
use:


...
trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
...
whitelist_from_rcvd [EMAIL PROTECTED] ns.umpquanet.com
...


yet messages that I had hoped would match that whitelist entry
are not.  How can I fix this?

Thanks!

Jim


From [EMAIL PROTECTED] Sun Mar 12 11:09:27 2006
Received: from ns.umpquanet.com (ns.umpquanet.com [63.105.30.37])
by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id k2CJ9L90046330
(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO)
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 11:09:21 -0800 (PST)
(envelope-from [EMAIL PROTECTED])
Received: from ns.umpquanet.com (localhost [127.0.0.1])
by ns.umpquanet.com (8.13.4/8.13.4) with ESMTP id k2CJ9McY065173
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 11:09:22 -0800 (PST)
(envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED])
by ns.umpquanet.com (8.13.4/8.13.4/Submit) id k2CJ9LT4065172
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 11:09:21 -0800 (PST)
(envelope-from james)
Date: Sun, 12 Mar 2006 11:09:21 -0800 (PST)
From: James Long [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: test
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=failed version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ns.museum.rain.com
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 
(ns.museum.rain.com [65.75.198.50]); Sun, 12 Mar
 2006 11:09:27 -0800 (PST)



Re: whitelist_from_rcvd not working for me

2006-03-12 Thread JamesDR

James Long wrote:
In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
use:



...
trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32

^^

	Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you 
sure this is correct?


	I think what is happening here is sa isn't finding a local server, and 
gives up. My guess is that adding/changing that to .49 will help.


The first Received by statement is this (last server)
by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id

When doing a lookup this is what I get (your internal DNS may be diff.):
Name:ns.museum.rain.com
Address:  65.75.198.49

HTH
--
Thanks,
JamesDR




Re: whitelist_from_rcvd not working for me

2006-03-12 Thread James Long
 James Long wrote:
  In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
  use:
  
  
  ...
  trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
 ^^
 
   Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you 
 sure this is correct?
 
   I think what is happening here is sa isn't finding a local server, and 
 gives up. My guess is that adding/changing that to .49 will help.
 
   The first Received by statement is this (last server)
 by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id
 
   When doing a lookup this is what I get (your internal DNS may be diff.):
 Name:ns.museum.rain.com
 Address:  65.75.198.49
 
 HTH
 -- 
 Thanks,
 JamesDR

Thanks for your reply.

My understanding is that 65.75.198.48/28 means that all IPs in that subnet
will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
The /32 is another server at a colo site.  I trust that server.

Are you saying that ns.museum.rain.com's own IP should not be listed as a 
trusted
server?  Earlier advice I received from this list suggested that it should be.

Clarification appreciated.

Jim


Re: whitelist_from_rcvd not working for me

2006-03-12 Thread Daryl C. W. O'Shea

On 3/12/2006 2:21 PM, James Long wrote:
In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
use:



...
trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
...
whitelist_from_rcvd [EMAIL PROTECTED] ns.umpquanet.com
...


yet messages that I had hoped would match that whitelist entry
are not.  How can I fix this?


SA can't parse the first (oldest) received header.  Since that header is 
a local submission header, I wouldn't worry about it.


Mail sent via SMTP should have all of its headers parsed correctly and 
your whitelist_from_rcvd should work.




My understanding is that 65.75.198.48/28 means that all IPs in that subnet
will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
The /32 is another server at a colo site.  I trust that server.


Yeah 65.75.198.48/28 covers 65.75.198.48-63.



Are you saying that ns.museum.rain.com's own IP should not be listed as a 
trusted
server?  Earlier advice I received from this list suggested that it should be.


No, it must be listed, as it is now.


Daryl



Re: whitelist_from_rcvd not working for me

2006-03-12 Thread James Long
 On 3/12/2006 2:21 PM, James Long wrote:
  In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
  use:
  
  
  ...
  trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
  ...
  whitelist_from_rcvd [EMAIL PROTECTED] ns.umpquanet.com
  ...
  
  
  yet messages that I had hoped would match that whitelist entry
  are not.  How can I fix this?
 
 SA can't parse the first (oldest) received header.  Since that header is 
 a local submission header, I wouldn't worry about it.
 
 Mail sent via SMTP should have all of its headers parsed correctly and 
 your whitelist_from_rcvd should work.

Yet, it doesn't.  One of the nightly server log messages has been
getting rejected because SA thinks it is spam, and doesn't see the
whitelist_from_rcvd entry for it.  (sendmail log below)

 No, it must be listed, as it is now.

Okay, so I feel comfortable that my trusted_networks line is correct.
On to troubleshooting the whitelist_from_rcvd.

BTW, is there an easy way to troubleshoot this from the command line,
with perhaps a sample message in a text file that I can just use as
input to SA, so that I don't have to use up bandwidth and also put a
large number of test messages into my mailbox?  Is it as simple as
'spamassassin -t  textfilename' ?

Thanks again,

Jim



Sendmail log excerpt from ns.museum.rain.com:

Mar 12 03:04:26 ns sm-mta[44915]: NOQUEUE: connect from ns.umpquanet.com 
[63.105.30.37]
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: Milter (spamassassin): init 
success to negotiate
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: Milter (greylist): init 
success to negotiate
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: Milter: connect to filters
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: milter=spamassassin, 
action=connect, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: milter=greylist, 
action=connect, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 220 ns.museum.rain.com 
ESMTP Sendmail 8.13.4/8.13.4; Sun, 12 Mar 2006 03:04:26 -0800 (PST)
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: <-- EHLO ns.umpquanet.com
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: milter=spamassassin, 
action=helo, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-ns.museum.rain.com 
Hello ns.umpquanet.com [63.105.30.37], pleased to meet you
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-ENHANCEDSTATUSCODES
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-PIPELINING
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-8BITMIME
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-SIZE
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-DSN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-ETRN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-STARTTLS
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-DELIVERBY
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250 HELP
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: -- STARTTLS
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 220 2.0.0 Ready to start 
TLS
Mar 12 03:04:26 ns sm-mta[44915]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Mar 12 03:04:26 ns sm-mta[44915]: STARTTLS=server, relay=ns.umpquanet.com 
[63.105.30.37], version=TLSv1/SSLv3, verify=NO, cipher=DHE-DSS-AES256-SHA, 
bits=256/256
Mar 12 03:04:26 ns sm-mta[44915]: STARTTLS=server, cert-subject=, cert-issuer=, 
verifymsg=ok
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: -- EHLO ns.umpquanet.com
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=spamassassin, 
action=helo, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-ns.museum.rain.com 
Hello ns.umpquanet.com [63.105.30.37], pleased to meet you
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-ENHANCEDSTATUSCODES
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-PIPELINING
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-8BITMIME
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-SIZE
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-DSN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-ETRN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-DELIVERBY
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250 HELP
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: -- MAIL From:[EMAIL 
PROTECTED] SIZE=9162
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: Milter: senders: [EMAIL 
PROTECTED]
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=spamassassin, 
action=mail, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=greylist, action=mail, 
continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250 2.1.0 [EMAIL 
PROTECTED]... Sender ok
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: -- RCPT To:[EMAIL 
PROTECTED]
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: Milter: rcpts: [EMAIL 
PROTECTED]
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=spamassassin, 
action=rcpt, continue
Mar 12 03:04:26 

Re: whitelist_from_rcvd not working for me

2006-03-12 Thread Daryl C. W. O'Shea

On 3/12/2006 8:13 PM, James Long wrote:
Mail sent via SMTP should have all of its headers parsed correctly and 
your whitelist_from_rcvd should work.



Yet, it doesn't.  One of the nightly server log messages has been
getting rejected because SA thinks it is spam, and doesn't see the
whitelist_from_rcvd entry for it.  (sendmail log below)


OK, so I should have written "Mail submitted" and not "Mail sent" above.

In any case, if you can change your local submission header so that it 
doesn't include the (envelope-from james) part, it'll be successfully 
parsed.


i.e. if you can change your Sendmail config so that it generates headers 
that look like this instead:


Received: (from [EMAIL PROTECTED])
by ns.umpquanet.com (8.13.4/8.13.4/Submit) id k2CJ9LT4065172
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 11:09:21 -0800 (PST)


If your headers, as they are now, are from a default configuration, 
please open a bug about them not being parsed at: 
http://issues.apache.org/SpamAssassin/




BTW, is there an easy way to troubleshoot this from the command line,
with perhaps a sample message in a text file that I can just use as
input to SA, so that I don't have to use up bandwidth and also put a
large number of test messages into my mailbox?  Is it as simple as
'spamassassin -t  textfilename' ?


Yeah.


Daryl
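As an added illustration, not code from the thread or from SpamAssassin itself, the following Python is a simplified emulation of what the debug output earlier in the thread shows: the relay fields pulled out of a Received header, and why whitelist_from_rcvd only matches when the last external relay has a non-empty rdns. The headers, the sender address and the regular expression are constructed assumptions, not SA's real parser.

```python
import fnmatch
import re

# Constructed sample headers, not taken from the thread. The first mirrors the
# SMTP session in the Sendmail log above; the second has no reverse DNS recorded,
# like the "rdns=" relay in the bluehost debug output at the top of the thread.
SMTP_RCVD = ("from ns.umpquanet.com (ns.umpquanet.com [63.105.30.37]) "
             "by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id k2CB4QKX044915")
NO_RDNS_RCVD = ("from ealerts.bankofamerica.com ([68.232.194.1]) "
                "by box458.bluehost.com with esmtp")
# Local submission header in the shape Daryl suggests: no relay IP at all.
SUBMIT_RCVD = ("(from user@localhost) by ns.umpquanet.com (8.13.4/8.13.4/Submit) "
               "id k2CJ9LT4065172")

# Sendmail-style "from <helo> (<rdns> [<ip>]) by <host>"; rdns is optional
# because the receiving MTA only records it when the reverse lookup succeeded.
RCVD_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)")


def parse_received(header):
    """Return the relay fields (helo, rdns, ip, by) or None when the header
    carries no relay at all, as with a local submission header."""
    m = RCVD_RE.search(header)
    if m is None:
        return None
    relay = m.groupdict()
    relay["rdns"] = relay["rdns"] or ""   # empty string, like SA's "rdns="
    return relay


def whitelist_from_rcvd_matches(sender, relay, entry_addr, entry_domain):
    """The rule's intent: the sender glob must match AND the last external
    relay's reverse DNS must be the listed domain or a host under it. The HELO
    name is deliberately not consulted because the sending host chooses it."""
    if relay is None:
        return False
    if not fnmatch.fnmatchcase(sender.lower(), entry_addr.lower()):
        return False
    rdns, dom = relay["rdns"].lower(), entry_domain.lower()
    return bool(rdns) and (rdns == dom or rdns.endswith("." + dom))


if __name__ == "__main__":
    for hdr in (SMTP_RCVD, NO_RDNS_RCVD, SUBMIT_RCVD):
        print(parse_received(hdr))
```

Feeding a saved message to `spamassassin -t -D received-header` shows the real parser's view of the same fields, so a mismatch between this toy output and SA's is itself a useful diagnostic.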