Hello,

I have lately seen an increase in the number of spam messages passing SpamAssassin.  Checking the X-Spam-Status header, I see that the common reason they are all passing is that they hit the DNSWL_HI test to get a -5 adjustment to their spam score. However, when I check the IP address of the server that my domain received the message directly from, that IP address is not in the DNSWL high trust database.  There are forged Received headers lower down, for Gmail or Hotmail servers, and I suspect that those are the IPs being checked in the DNSWL_HI test. Otherwise I don't know why DNSWL_HI is being triggered.

My second question is where to report an SMTP server that passes SPF, but is passing spam with forged Received headers.

Here's an example header:

Return-Path: <>
X-Original-To: j...@idsfa.net
Delivered-To: j...@idsfa.net
Received: from localhost (localhost [127.0.0.1])
        by idsfa.net (Postfix) with ESMTP id 29F168C0136
        for <j...@idsfa.net>; Sun, 22 May 2022 20:12:17 -0700 (PDT)
X-Spam-Flag: NO
X-Spam-Score: 4.319
X-Spam-Level: ****
X-Spam-Status: No, score=4.319 tagged_above=-5 required=6.31
        tests=[ACT_NOW_CAPS=0.1, BAYES_99=3.5, BAYES_999=0.2,
        DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_FONT_SIZE_LARGE=0.001,
        HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1,
        PYZOR_CHECK=1.392, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_HI=-5,
        RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL=1.31, RDNS_NONE=0.793,
        SPF_HELO_PASS=-0.001, T_DATE_IN_FUTURE_96_Q=0.01,
        T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: harlie.idsfa.net (amavisd-new);
        dkim=fail (2048-bit key) reason="fail (message has been altered)"
        header.d=hotmail.com
Received: from idsfa.net ([127.0.0.1])
        by localhost (harlie.idsfa.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id GXmcEm9KlHEF for <j...@idsfa.net>;
        Sun, 22 May 2022 20:12:16 -0700 (PDT)
Received-SPF: Pass (helo) identity=helo; client-ip=85.204.116.245; helo=aznavrchol.cz;
        envelope-from=<>; receiver=<UNKNOWN>
Authentication-Results: idsfa.net;
        dkim=fail reason="signature verification failed" (2048-bit key; unprotected)
        header.d=hotmail.com header.i=@hotmail.com header.b="JRELNzNe";
        dkim-atps=neutral
Received: from aznavrchol.cz (unknown [85.204.116.245])
        by idsfa.net (Postfix) with ESMTP id 2EF948C00FC
        for <j...@idsfa.net>; Sun, 22 May 2022 20:12:15 -0700 (PDT)
Received: from 10.196.243.97
 by atlas113.aol.mail.bf1.yahoo.com with HTTPS; Mon, 16 May 2033 09:37:50 +0000
X-Originating-Ip: [40.92.91.45]
Received-SPF: pass (domain of hotmail.com designates 40.92.91.45 as permitted
 sender)
Authentication-Results: atlas113.aol.mail.bf1.yahoo.com;
 dkim=pass header.i=@hotmail.com header.s=selector1;
 spf=pass smtp.mailfrom=hotmail.com;
 dmarc=pass(p=NONE) header.from=hotmail.com;
X-Apparently-To: j...@idsfa.net; Mon, 16 May 2033 09:37:50 +0000

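An added example, not part of the original post and not SpamAssassin's own logic: a script that walks the Received chain from the message above, finds the one hop the receiving server itself recorded from an outside address, and lists every hop below it as sender-supplied, flagging timestamps later than the real handoff. `OWN_HOSTS` and the trimmed sample are assumptions; the DNSWL query name is only built, never resolved.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain from the post, recipient clauses omitted.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby idsfa.net (Postfix) with ESMTP id 29F168C0136;
\tSun, 22 May 2022 20:12:17 -0700 (PDT)
Received: from idsfa.net ([127.0.0.1])
\tby localhost (harlie.idsfa.net [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id GXmcEm9KlHEF; Sun, 22 May 2022 20:12:16 -0700 (PDT)
Received: from aznavrchol.cz (unknown [85.204.116.245])
\tby idsfa.net (Postfix) with ESMTP id 2EF948C00FC;
\tSun, 22 May 2022 20:12:15 -0700 (PDT)
Received: from 10.196.243.97
 by atlas113.aol.mail.bf1.yahoo.com with HTTPS; Mon, 16 May 2033 09:37:50 +0000

"""
OWN_HOSTS = {"idsfa.net", "localhost"}  # assumption: names our MTA stamps after "by"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_hop(value):
    """Return (client_ip, by_host, timestamp) for one Received header value."""
    body, _, date = value.rpartition(";")
    sender, by_host = re.search(r"from\s+(.*?)\s+by\s+(\S+)", body, re.S).groups()
    return IPV4.search(sender).group(), by_host.lower(), parsedate_to_datetime(date.strip())

def analyse(raw, own_hosts=OWN_HOSTS):
    """Locate the externally received hop our MTA wrote; hops below it are unverified."""
    hops = [parse_hop(v) for v in email.message_from_string(raw).get_all("Received")]
    boundary = None
    for i, (ip, by_host, _) in enumerate(hops):  # headers are newest-first
        if by_host not in own_hosts:
            break  # left our own infrastructure without seeing a handoff
        if not ipaddress.ip_address(ip).is_loopback:
            boundary = i
            break
    if boundary is None:
        raise ValueError("no externally received hop stamped by our own MTA")
    ip, _, when = hops[boundary]
    return {
        "handoff_ip": ip,
        "dnswl_name": ".".join(reversed(ip.split("."))) + ".list.dnswl.org",
        # (ip, claimed recording host, timestamp later than the real handoff?)
        "unverified": [(h, b, t > when) for h, b, t in hops[boundary + 1:]],
    }
```
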