On 29/07/18 14:36, Matus UHLAR - fantomas wrote:
On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote:
I've been having a number of emails recently from Yahoo and AOL senders
hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is
going on:
1. First off, the rule hits on the EHLO line - which means that it is an
authenticated SMTP submission.
On 29/07/18 11:28, Antony Stone wrote:
Er, what?
No, EHLO simply means "Hello, I'm capable of doing ESMTP".
On 29.07.18 12:29, Sebastian Arcus wrote:
Looking again at it - the 82.132.242.82 is registered as O2/Telefonica
wireless broadband. I wonder if this is a 3G/4G connection - which in
the UK always has a private IP address - at the mobile phone level. Maybe
that's why the confusion - the MUA on the mobile phone thinks it is
10.7.54.227 (which it is), but the Yahoo server can only see the
public IP 80.132.242.82, which belongs to the O2 gateway. Could that
explain that particular header?
It does.
Received: from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])
          by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with
          ESMTPA ID 84be422cfd662692400891131b957bd8
          for <destination.addr...@mydomain.co.uk>;
          Mon, 23 Jul 2018 13:59:41 +0000 (UTC)
Looking at /usr/share/perl5/Mail/SpamAssassin/Plugin/RelayEval.pm
I guess it should not match:
  my $rcvd = $pms->{relays_untrusted_str};
  if ($rcvd) {
    my $IP_ADDRESS = IPV4_ADDRESS;
    my $IP_PRIVATE = IP_PRIVATE;
    local $1;
    if ($rcvd =~ /\bhelo=($IP_ADDRESS)(?=[\000-\040,;\[()<>]|\z)/i  # Bug 5878
        && $1 !~ /$IP_PRIVATE/) {
      return 1;
    }
But maybe I read it wrong. Which SA version do you have?
I have:
# spamassassin --version
SpamAssassin version 4.0.0-r1823176
running on Perl version 5.26.2
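
Added example, not part of the thread and not SpamAssassin's own code: a stand-alone Perl sketch that reduces Received headers of the shape quoted above to a relay string and applies the same condition as the RelayEval.pm excerpt. The `$IP_ADDRESS` and `$IP_PRIVATE` patterns are simplified stand-ins for the SpamAssassin constants, `relay_string` and `numeric_helo_hit` are hypothetical helper names, the relay string is a reduced, assumed format in which the EHLO literal arrives without its brackets, and the second and third headers are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified stand-ins (assumptions) for SpamAssassin's IPV4_ADDRESS and
# IP_PRIVATE constants; the real ones cover more ranges.
my $OCTET      = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;
my $IP_ADDRESS = qr/\b$OCTET(?:\.$OCTET){3}\b/;
my $IP_PRIVATE = qr/^(?:10|127|192\.168|169\.254|172\.(?:1[6-9]|2\d|3[01]))\./;

# Reduce a "from <ip> (EHLO <arg>) ([<ip>]) by <host>" header to a relay
# string of ip=/helo=/by= fields (hypothetical, reduced format).
sub relay_string {
    my ($received) = @_;
    $received =~ s/\s+/ /g;    # unfold continuation lines
    my ($helo) = $received =~ /\((?:EHLO|HELO) \[?([^\]\s)]+)\]?\)/i or return;
    my ($ip)   = $received =~ /\(\[($IP_ADDRESS)\]\)/ or return;
    my ($by)   = $received =~ /\bby (\S+)/ or return;
    return "[ ip=$ip rdns= helo=$helo by=$by ]";
}

# Same condition as the quoted excerpt: numeric HELO that is not private.
sub numeric_helo_hit {
    my ($rcvd) = @_;
    return 0 unless $rcvd;
    my ($helo) = $rcvd =~ /\bhelo=($IP_ADDRESS)(?=[\000-\040,;\[()<>]|\z)/i;
    return (defined $helo && $helo !~ $IP_PRIVATE) ? 1 : 0;
}

my @samples = (
    # Header from the thread: private EHLO literal behind a carrier gateway.
    "from 82.132.242.82 (EHLO [10.7.54.227]) ([82.132.242.82])\n"
      . " by smtp409.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with ESMTPA",
    # Constructed: public numeric EHLO (documentation address ranges).
    "from 198.51.100.7 (EHLO [203.0.113.9]) ([198.51.100.7])\n"
      . " by mx.example.org with ESMTP",
    # Constructed: ordinary hostname EHLO.
    "from 198.51.100.7 (EHLO mail.example.net) ([198.51.100.7])\n"
      . " by mx.example.org with ESMTP",
);

for my $h (@samples) {
    my $rcvd = relay_string($h) or next;
    printf "%-72s %s\n", $rcvd, numeric_helo_hit($rcvd) ? "HIT" : "no hit";
}
```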