Hello,
I have lately seen an increase in the number of spam messages passing
spamassassin. Checking the X-Spam-Status header, I see that the common
reason they are all passing is that they hit the DNSWL_HI test to get a
-5 adjustment to their spam score. However, when I check the IP address
of the server that my domain received the message directly from, that IP
address is not in the DNSWL high trust database. There are forged
Received headers lower down, for Gmail or Hotmail servers, and I suspect
that those are the IPs being checked in the DNSWL_HI test. Otherwise I
don't know why DNSWL_HI is being triggered.
My second question is where to report an SMTP server that passes SPF,
but is passing spam with forged Received headers.
Here's an example header:
Return-Path: <>
X-Original-To: j...@idsfa.net
Delivered-To: j...@idsfa.net
Received: from localhost (localhost [127.0.0.1])
    by idsfa.net (Postfix) with ESMTP id 29F168C0136
    for <j...@idsfa.net>; Sun, 22 May 2022 20:12:17 -0700 (PDT)
X-Spam-Flag: NO
X-Spam-Score: 4.319
X-Spam-Level: ****
X-Spam-Status: No, score=4.319 tagged_above=-5 required=6.31
    tests=[ACT_NOW_CAPS=0.1, BAYES_99=3.5, BAYES_999=0.2,
    DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_FONT_SIZE_LARGE=0.001,
    HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
    PYZOR_CHECK=1.392, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_HI=-5,
    RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, RDNS_NONE=0.793,
    SPF_HELO_PASS=-0.001, T_DATE_IN_FUTURE_96_Q=0.01,
    T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: harlie.idsfa.net (amavisd-new);
    dkim=fail (2048-bit key) reason="fail (message has been altered)"
    header.d=hotmail.com
Received: from idsfa.net ([127.0.0.1])
    by localhost (harlie.idsfa.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id GXmcEm9KlHEF for <j...@idsfa.net>;
    Sun, 22 May 2022 20:12:16 -0700 (PDT)
Received-SPF: Pass (helo) identity=helo; client-ip=85.204.116.245; helo=aznavrchol.cz;
    envelope-from=<>; receiver=<UNKNOWN>
Authentication-Results: idsfa.net;
    dkim=fail reason="signature verification failed" (2048-bit key; unprotected)
    header.d=hotmail.com header.i=@hotmail.com header.b="JRELNzNe";
    dkim-atps=neutral
Received: from aznavrchol.cz (unknown [85.204.116.245])
    by idsfa.net (Postfix) with ESMTP id 2EF948C00FC
    for <j...@idsfa.net>; Sun, 22 May 2022 20:12:15 -0700 (PDT)
Received: from 10.196.243.97
    by atlas113.aol.mail.bf1.yahoo.com with HTTPS; Mon, 16 May 2033 09:37:50 +0000
X-Originating-Ip: [40.92.91.45]
Received-SPF: pass (domain of hotmail.com designates 40.92.91.45 as permitted
    sender)
Authentication-Results: atlas113.aol.mail.bf1.yahoo.com;
    dkim=pass header.i=@hotmail.com header.s=selector1;
    spf=pass smtp.mailfrom=hotmail.com;
    dmarc=pass (p=NONE) header.from=hotmail.com;
X-Apparently-To: j...@idsfa.net; Mon, 16 May 2033 09:37:50 +0000
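
Added example (not part of the original post, and not SpamAssassin's own code): a sketch that splits the Received chain above at the point where the receiving host took the message, so the real handoff IP can be compared with the addresses that only sender-supplied headers claim. It assumes 127.0.0.0/8 is the only trusted relay network and uses an abridged, constructed copy of the headers; `TRUSTED_NETS`, `split_at_trust_boundary` and `audit` are hypothetical names.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumption: only loopback hops (Postfix <-> amavisd-new) are trusted relays.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed input: Received chain abridged from the headers in the post.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby idsfa.net (Postfix) with ESMTP id 29F168C0136;
\tSun, 22 May 2022 20:12:17 -0700 (PDT)
Received: from idsfa.net ([127.0.0.1])
\tby localhost (harlie.idsfa.net [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id GXmcEm9KlHEF; Sun, 22 May 2022 20:12:16 -0700 (PDT)
Received: from aznavrchol.cz (unknown [85.204.116.245])
\tby idsfa.net (Postfix) with ESMTP id 2EF948C00FC;
\tSun, 22 May 2022 20:12:15 -0700 (PDT)
Received: from 10.196.243.97
\tby atlas113.aol.mail.bf1.yahoo.com with HTTPS; Mon, 16 May 2033 09:37:50 +0000
X-Originating-Ip: [40.92.91.45]
"""

def received_date(value):
    """Timestamp a Received header carries after its last ';'."""
    return parsedate_to_datetime(value.rsplit(";", 1)[1])

def split_at_trust_boundary(raw):
    """Walk top-down; stop at the first hop whose client IP is not trusted."""
    headers = message_from_string(raw).items()
    for i, (name, value) in enumerate(headers):
        m = IP_RE.search(value) if name.lower() == "received" else None
        if m and not any(ipaddress.ip_address(m[1]) in n for n in TRUSTED_NETS):
            return m[1], received_date(value), headers[i + 1:]
    return None, None, []

def audit(raw):
    """Report the real handoff IP and what the sender-supplied headers claim."""
    handoff_ip, handoff_date, below = split_at_trust_boundary(raw)
    claimed = sorted({ip for _, v in below for ip in IP_RE.findall(v)})
    future = sum(1 for n, v in below
                 if n.lower() == "received" and received_date(v) > handoff_date)
    return {"handoff_ip": handoff_ip, "claimed_ips": claimed, "future_dated": future}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

SpamAssassin draws this boundary from its `trusted_networks` and `internal_networks` settings, so those are the values to compare against the handoff IP reported here.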