We had an inbound message get rejected because it was sent from a cell phone. Shouldn't SA be checking the most recent hop? Is there a way to make this the default?

I have this in local.cf:
header    RCVD_IN_rbl2spamhausz   eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
score     RCVD_IN_rbl2spamhausz   3.5

2019-06-23 10:18:19 1hf4G0-0002xm-Vu H=st43p00im-zteg10073401.me.com [17.58.63.181]:53270 I=[1.1.1.1]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<jtsomedud...@icloud.com> rejected after DATA: Call Katy Computer $
Envelope-from: <jtsomedud...@icloud.com>
Envelope-to: <kevin.somed...@somedomain.com>
P Received: from st43p00im-zteg10073401.me.com ([17.58.63.181]:53270)
        by mx6.filter1.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.91)
        (envelope-from <jtsomedud...@icloud.com>)
        id 1hf4G0-0002xm-Vu
        for kevin.somed...@somedomain.com; Sun, 23 Jun 2019 10:18:17 -0500
  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com;
        s=04042017; t=1561303096;
        bh=r2TrvoaceRP0b+VFuQY+IGTZNdeyIP+gpz7yR0zojuM=;
h=Content-Type:From:Mime-Version:Date:Subject:Message-Id:To;
P Received: from [10.87.198.48] (mobile-166-172-61-102.mycingular.net [166.172.61.102])
        by st43p00im-zteg10073401.me.com (Postfix) with ESMTPSA id 34C735E01E0
        for <kevin.somed...@somedomain.com>; Sun, 23 Jun 2019 15:18:16 +0000 (UTC)
  Content-Type: text/plain; charset=utf-8
  Content-Transfer-Encoding: quoted-printable
F From: JOHN somedude <jtsomedud...@icloud.com>
  Mime-Version: 1.0 (1.0)
  Date: Sun, 23 Jun 2019 11:18:14 -0400
  Subject: Very nice
I Message-Id: <8d5bef14-0283-47de-a819-60d2797cc...@icloud.com>
T To: kevin.somed...@somedomain.com
  X-Mailer: iPad Mail (16F203)
  X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-06-23_12:,,
 signatures=0
  X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0
 mlxlogscore=284 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1812120000 definitions=main-1906230132
  X-Spam-Score: 9.8

 Content analysis details:   (9.8 points, 8.5 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.2 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                             for more information.
                             [URIs: icloud.com]
  3.5 RCVD_IN_rbl2spamhausz  RBL: No description available.
                             [166.172.61.102 listed in zen.spamhaus.org]
  0.8 RCVD_IN_rbl2dnsbl_2    RBL: No description available.
                             [166.172.61.102 listed in dnsbl2.uceprotect.net]
 -0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
                             low trust
                             [17.58.63.181 listed in list.dnswl.org]
  1.2 RCVD_IN_UCEPROTECT2    RBL: Network listed in
                             dnsbl-2.uceprotect.net
                             [NET 17.58.63.0/24 is UCEPROTECT-Level2 listed]
                             [because 5 abusers are hosted by]
                             [APPLE-ENGINEERING - Apple Inc., US/AS714 there.]
                             [See: <http://www.uceprotect.net/rblcheck.php?ipr=17.58.63.181>]
  1.2 RCVD_IN_UCEPROTECT1    RBL: Listed in dnsbl-1.uceprotect.net
                             [IP 17.58.63.181 is UCEPROTECT-Level 1 listed.]
                             [See <http://www.uceprotect.net/rblcheck.php?ipr=17.58.63.181>]
  1.0 RCVD_IN_rbl2unsubscore RBL: No description available.
                             [17.58.63.181 listed in ubl.unsubscore.com]
  0.9 RCVD_IN_BS_SPAM        RBL: BACKSCATTERER: sender is a spam source
                             [17.58.63.181 listed in ips.backscatterer.org]
 -1.2 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                             provider (jtsomedudesr[at]icloud.com)
 -0.1 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.8 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.8 DKIM_VALID             Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain

--
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis
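
As an added illustration (not part of the original post, and not SpamAssassin's own code): a simplified Python model of which relay IPs a check_rbl() set looks up for the two Received headers above, for a plain set name and for SpamAssassin's -notfirsthop and -lastexternal set-name suffixes. It assumes mx6.filter1.com is the only host in the receiving network; relay_ip and rbl_targets are hypothetical helper names.

```python
import ipaddress
import re

# Received headers of the rejected message above, newest first (abridged).
RECEIVED = [
    "from st43p00im-zteg10073401.me.com ([17.58.63.181]:53270) "
    "by mx6.filter1.com with esmtps",
    "from [10.87.198.48] (mobile-166-172-61-102.mycingular.net "
    "[166.172.61.102]) by st43p00im-zteg10073401.me.com (Postfix) with ESMTPSA",
]

def relay_ip(header):
    """Connecting IP recorded by the receiving MTA, or None if absent."""
    from_part = header.split(" by ", 1)[0]
    # The HELO can itself be a bracketed literal ("from [10.87.198.48]");
    # the address the MTA saw is the last bracketed one before "by".
    found = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
    return ipaddress.ip_address(found[-1]) if found else None

def rbl_targets(headers, set_name):
    """IPs a check_rbl() set of this name looks up (simplified model)."""
    # Assumption: headers[0] was written by our own MX and no other relay is
    # in trusted_networks, so every relay listed here is untrusted.
    ips = [ip for ip in map(relay_ip, headers) if ip and not ip.is_private]
    if set_name.endswith("-lastexternal"):
        ips = ips[:1]    # only the relay that handed the mail to our MX
    elif set_name.endswith("-notfirsthop") and len(ips) > 1:
        ips = ips[:-1]   # every relay except the originating client
    return [str(ip) for ip in ips]

if __name__ == "__main__":
    for name in ("spamhausz", "spamhausz-notfirsthop", "spamhausz-lastexternal"):
        print(f"{name:24} -> {rbl_targets(RECEIVED, name)}")
    # Corresponding local.cf form for the last case:
    # header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz-lastexternal', 'zen.spamhaus.org.')
```

With the plain set name the mobile client address 166.172.61.102 is among the lookups, which matches the RCVD_IN_rbl2spamhausz hit in the report above; with the -lastexternal suffix only 17.58.63.181 is queried.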
