Matt Kettler wrote:

>Philip Prindeville wrote:
>
>>I recently saw an email get bounced that was legitimately coming
>>from Microsoft:
>>
>>Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com
>>(131.107.115.212) said "helo smtp.microsoft.com"
>>Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: from=<[EMAIL
>>PROTECTED]>, size=1207, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>,
>>bodytype=7BIT, proto=ESMTP, daemon=MTA-v4, relay=maila.microsoft.com
>>[131.107.115.212]
>>Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5,
>>names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
>>Nov 13 14:59:29 mail mimedefang.pl[20521]:
>>MDLOG,kADLxLLR021067,spam,6.909,131.107.115.212,<[EMAIL PROTECTED]>,<[EMAIL
>>PROTECTED]>,Out of Office: Software Development with Microsoft
>>Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067: bounce=1
>>discard=1
>>Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because
>>filter instructed us to
>>Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data,
>>reject=554 5.7.1 Message rejected; scored too high on the Spam test.
>>Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=<[EMAIL PROTECTED]>,
>>delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam
>>test.
>>
>>I've put into my spamassassin/sa-mimedefang.cf file:
>>
>>whitelist_from_rcvd [EMAIL PROTECTED] smtp.microsoft.com
>>
>>What am I missing at this point?
>>
>>Does the 2nd arg to the whitelist_from_rcvd need to be
>>maila.microsoft.com instead?
>>
>>And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?
>>
>postmaster and abuse lists at rfc-ignorant.org. Both are wildly prone to
>false positives and have been removed from the 3.2 devel branch. They
>effectively list sites that violate the RFCs for mail hosts and refuse
>mail sent to postmaster or abuse.
>
>That said, neither scores very high.. Assuming set3 (bayes and network)
>the combined score in SA 3.1.x is only 1.908 points..
>
>What's L_WIN_CHARSET.. that's not a stock rule I'm aware of. Looks like
>an add-on to me, and probably the real culprit here. I found some
>references to it from list conversations, and looks like it's trying to
>match email with a windows-specific character set (windows-1252). But
>it's not in any ruleset I can find anywhere.
>
>Actually, it looks like a rule you yourself were developing back in
>April.. What did you set the score to?
>http://www.gossamer-threads.com/lists/spamassassin/users/72328
>
Yes, it's local. I set it to 4.85. Or maybe 4.99.

But why isn't the whitelisting kicking in? Could it be because:

# nslookup
# nslookup 131.107.115.212
Server: 205.171.3.65
Address: 205.171.3.65#53

Non-authoritative answer:
212.115.107.131.in-addr.arpa name = maila.microsoft.com.
212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
212.115.107.131.in-addr.arpa name = mail1.microsoft.com.

Authoritative answers can be found from:
107.131.in-addr.arpa nameserver = ns5.msft.net.
107.131.in-addr.arpa nameserver = ns1.msft.net.
107.131.in-addr.arpa nameserver = ns2.msft.net.
107.131.in-addr.arpa nameserver = ns3.msft.net.
107.131.in-addr.arpa nameserver = ns4.msft.net.
ns1.msft.net internet address = 207.68.160.190
ns2.msft.net internet address = 65.54.240.126
ns3.msft.net internet address = 213.199.144.151
ns4.msft.net internet address = 207.46.66.126
ns5.msft.net internet address = 65.55.238.126

Server: 205.171.3.65
Address: 205.171.3.65#53

Non-authoritative answer:
212.115.107.131.in-addr.arpa name = maila.microsoft.com.
212.115.107.131.in-addr.arpa name = smtp.microsoft.com.
212.115.107.131.in-addr.arpa name = mail1.microsoft.com.

Authoritative answers can be found from:
107.131.in-addr.arpa nameserver = ns5.msft.net.
107.131.in-addr.arpa nameserver = ns1.msft.net.
107.131.in-addr.arpa nameserver = ns2.msft.net.
107.131.in-addr.arpa nameserver = ns3.msft.net.
107.131.in-addr.arpa nameserver = ns4.msft.net.
ns1.msft.net internet address = 207.68.160.190
ns2.msft.net internet address = 65.54.240.126
ns3.msft.net internet address = 213.199.144.151
ns4.msft.net internet address = 207.46.66.126
ns5.msft.net internet address = 65.55.238.126

#

(how hard can it be to follow $%^&* RFC directions saying only one
PTR record per address????)

What's the fix here? Set the 2nd argument to the IP address instead?
The man doesn't suggest you can do that. And I don't want to wildcard
it as microsoft.com -- that's way too many potential hosts.

-Philip

>
>>Where do I get the descriptions of these tests, why some sites get
>>tagged with them, etc?
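
The mismatch discussed in this thread, as an added example that is not part of either poster's message: it compares candidate second arguments for whitelist_from_rcvd against the relay name sendmail recorded and against the three PTR names from the nslookup output. It assumes the argument is matched against the relay's reverse-DNS name either as the full hostname or as a trailing domain component, as the whitelist_from_rcvd documentation describes; the function names and the abridged log line are constructed for illustration.

```python
import re

# Constructed: abridged copy of the sendmail log line quoted in the thread.
SENDMAIL_LINE = (
    "Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: "
    "from=<[EMAIL PROTECTED]>, size=1207, class=0, nrcpts=1, proto=ESMTP, "
    "daemon=MTA-v4, relay=maila.microsoft.com [131.107.115.212]"
)
# The three PTR names nslookup returned for 131.107.115.212 in the thread.
PTR_NAMES = ["maila.microsoft.com.", "smtp.microsoft.com.", "mail1.microsoft.com."]

RELAY_RE = re.compile(r"relay=(?P<rdns>[\w.-]+)\s+\[(?P<ip>[0-9.]+)\]")


def relay_from_log(line):
    """Return (rdns, ip) as sendmail recorded them for the connecting relay."""
    m = RELAY_RE.search(line)
    if not m:
        raise ValueError("no relay=host [ip] field in log line")
    return m.group("rdns").lower(), m.group("ip")


def rdns_matches(rdns, pattern):
    """Assumed rule: pattern is the full hostname or a trailing domain component."""
    rdns = rdns.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    # The leading dot keeps "xmicrosoft.com" from matching "microsoft.com".
    return rdns == pattern or rdns.endswith("." + pattern)


def evaluate(pattern, line=SENDMAIL_LINE, ptr_names=PTR_NAMES):
    """Check pattern against the recorded relay name and every PTR name."""
    rdns, _ip = relay_from_log(line)
    covered = [n.rstrip(".") for n in ptr_names if rdns_matches(n, pattern)]
    return {
        "matches_recorded": rdns_matches(rdns, pattern),
        # Stable means the entry matches whichever PTR name the MTA picks.
        "stable": len(covered) == len(ptr_names),
        "covered": covered,
    }


if __name__ == "__main__":
    for candidate in ("smtp.microsoft.com", "maila.microsoft.com", "microsoft.com"):
        print(candidate, evaluate(candidate))
```

Under that assumption, the HELO name smtp.microsoft.com does not match the recorded relay name maila.microsoft.com, and a single full hostname matches only while the resolver keeps returning that one of the three PTR names.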