Hi

I just noticed some inconsistency in a filtered spam on my server.
The IPs in the reported RBL/WL don't match the IPs in the message header...??
I'm using SA 3.1.8 and amavisd-new

SpamAssassin report (shortened):

pts rule name              description
---- ---------------------- -------------------------------------------
0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
1.4 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
[SPF failed: Please see 
http://www.openspf.org/why.html?sender=agamemnon%40edomex.com&ip=213.203.223.10&receiver=server.mindblow.ch]
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?75.137.98.139>]
-0.1 RCVD_IN_DNSWL          RBL: Received via whitelisted address, see
                           http://www.dnswl.org/
                           [213.203.223.10 listed in list.dnswl.org]
1.5 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                           [75.137.98.139 listed in dnsbl.sorbs.net]


------------------------- BEGIN HEADERS -----------------------------
Return-Path: <[EMAIL PROTECTED]>
X-Greylist: whitelisted by SQLgrey-1.6.7
Received: from gate01.nexlink.ch (gate01.nexlink.ch [80.86.198.160])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client did not present a certificate)
        by server.mindblow.ch (Postfix) with ESMTP id 7CAD8D6A1
        for <[EMAIL PROTECTED]>; Fri, 22 Jun 2007 13:04:15 +0200 (CEST)
Received: from mail03.nexlink.ch ([10.51.9.3])
        by gate01.nexlink.ch (8.13.1/8.13.1) with ESMTP id l5MB4Deu006418
        for <[EMAIL PROTECTED]>; Fri, 22 Jun 2007 13:04:15 +0200
Received: from lb2 ([10.52.0.2] helo=mail.messaging.ch)
        by mail03.nexlink.ch with esmtp (Exim 4.63)
        (envelope-from <[EMAIL PROTECTED]>)
        id 1I1gw0-0001kB-UE; Fri, 22 Jun 2007 13:04:13 +0200
Received: from 24-151-201-36.dhcp.jcsn.tn.charter.com ([24.151.201.36])
        by mail.messaging.ch with id Eb4G1X00H0ndMzs0000000; Fri, 22 Jun 2007 13:04:30 +0200
X-IMP: RBL SBL+XBL: 0.00,RBL SPAMCOP: 0.00,RBL SORBS: 0.10,RBL MAPS_ORDB: 0.00,URL RHS: 0.00,URL SURBL: 0.00,cmae[100|Undefined:Undefined]
X-POSSIBLE-SPAM: 100
X-CLOUDMARK-SPAM-SCORE: 100.00
Date: Fri, 22 Jun 2007 17:02:13 +0500
From: "Daniel" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Subject: [SPAM?] [DEL] Ich habe die beste Casino-Seite entdeckt !
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
-------------------------- END HEADERS ------------------------------


But 213.203.223.10 is my.dynamic-net.ch, which this mail didn't pass through.
And 75.137.98.139 is 75-137-98-139.dhcp.gnvl.sc.charter.com

It seems to me that two mail headers got confused ... maybe two lookups were performed simultaneously and the wrong results collected???

Matt
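
A small check for the mismatch described in the post, added here as an example and not part of the original message: it lists every IPv4 address named in the SpamAssassin report that appears in no Received header. The function names are hypothetical and the sample input is abridged from the report and headers quoted above.

```python
import email
import ipaddress
import re

# Constructed sample, abridged from the report and headers quoted in the post.
REPORT = """\
1.4 SPF_SOFTFAIL [SPF failed: Please see http://www.openspf.org/why.html?sender=agamemnon%40edomex.com&ip=213.203.223.10&receiver=server.mindblow.ch]
1.6 RCVD_IN_BL_SPAMCOP_NET [Blocked - see <http://www.spamcop.net/bl.shtml?75.137.98.139>]
-0.1 RCVD_IN_DNSWL [213.203.223.10 listed in list.dnswl.org]
1.5 RCVD_IN_SORBS_WEB [75.137.98.139 listed in dnsbl.sorbs.net]
"""
HEADERS = """\
Received: from gate01.nexlink.ch (gate01.nexlink.ch [80.86.198.160])
        by server.mindblow.ch (Postfix) with ESMTP id 7CAD8D6A1
Received: from mail03.nexlink.ch ([10.51.9.3])
        by gate01.nexlink.ch (8.13.1/8.13.1) with ESMTP id l5MB4Deu006418
Received: from lb2 ([10.52.0.2] helo=mail.messaging.ch)
        by mail03.nexlink.ch with esmtp (Exim 4.63)
Received: from 24-151-201-36.dhcp.jcsn.tn.charter.com ([24.151.201.36])
        by mail.messaging.ch with id Eb4G1X00H0ndMzs0000000
"""

def _valid(candidates):
    """Keep valid IPv4 strings, de-duplicated, in first-seen order."""
    seen = []
    for c in candidates:
        try:
            ipaddress.IPv4Address(c)
        except ValueError:
            continue
        if c not in seen:
            seen.append(c)
    return seen

def received_ips(headers):
    """Bracketed relay IPs from each (unfolded) Received header, newest hop first."""
    found = []
    for rcvd in email.message_from_string(headers).get_all("Received", []):
        found += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rcvd)
    return _valid(found)

def unmatched_report_ips(report, headers):
    """IPs the report mentions that no Received header in the message contains."""
    in_report = _valid(re.findall(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])", report))
    chain = set(received_ips(headers))
    return [ip for ip in in_report if ip not in chain]

if __name__ == "__main__":
    print("Received chain:", received_ips(HEADERS))
    print("In report only:", unmatched_report_ips(REPORT, HEADERS))
```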

