whitelist_from_rcvd question - SpamAssassin



Thread: whitelist_from_rcvd question

  1. whitelist_from_rcvd question

    "whitelist_from_rcvd *@greencovesprings.com
    75-145-201-209-Jacksonville.hfc.comcastbusiness.net"

    is in my local.cf yet a message with the following headers didn't match.
    Any ideas?

    Return-Path:
    Received: from [75.145.201.209]
    (75-145-201-209-Jacksonville.hfc.comcastbusiness.net [75.145.201.209] (may
    be forged))
    by mail.electronet.net (8.14.2/8.14.2) with ESMTP id m54DeD5V009962
    for ; Wed, 4 Jun 2008 09:40:19 -0400
    From: "Gregg Griffin"


    The rules that did match are below. I'm running sendmail 8.14.2 with SA
    v3.2.4.

    X-Spam-Score: 5.221 (*****)
    BOTNET,HELO_EQ_IP_ADDR,HTML_MESSAGE,RDNS_NONE,UNPARSEABLE_RELAY



    Jason A. Bertoch
    Network Administrator
    jason@electronet.net
    Electronet Broadband Communications
    3411 Capital Medical Blvd.
    Tallahassee, FL 32308
    (V) 850.222.0229 (F) 850.222.8771


  2. Error while sa-learning

    Hey list,

    I get lots of these errors while passing a mbox file to sa-learn for
    spam learning:

    Malformed UTF-8 character (unexpected non-continuation byte 0x72,
    immediately after start byte 0xf3) in transliteration (tr///) at
    /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Message.pm line 1049.
    Malformed UTF-8 character (unexpected non-continuation byte 0x20,
    immediately after start byte 0xe1) in transliteration (tr///) at
    /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Message.pm line 1050.

    with variations in non-continuation byte and start byte, but all in
    lines 1049 and 1059 of Message.pm
    The process finishes well and tokens are learned, so I assume it's some
    of the messages within the mbox file that are somehow corrupted.
    It started today after I added a bunch of new spammy msgs I collected.
    What does the error mean and how can I identify the mails with the problem?

    Regards
    /Diego


  3. RE: whitelist_from_rcvd question

    > -----Original Message-----
    > On Mon, 9 Jun 2008, Jason Bertoch wrote:
    >
    > > "whitelist_from_rcvd *@greencovesprings.com
    > > 75-145-201-209-Jacksonville.hfc.comcastbusiness.net"
    > >
    > > is in my local.cf yet a message with the following headers didn't match.
    > > Any ideas?

    >
    > Did you restart spamd?
    >
    > You might try just
    >
    > whitelist_from_rcvd *@greencovesprings.com comcastbusiness.net
    >


    Yes, all mail services were restarted. However, I just found that running
    the message through SA manually seems to match on the whitelist entry. Let
    me check with the list of the software I'm using to call SA.


    Thanks


  4. Re: whitelist_from_rcvd question

    On Mon, 9 Jun 2008, Jason Bertoch wrote:

    > "whitelist_from_rcvd *@greencovesprings.com
    > 75-145-201-209-Jacksonville.hfc.comcastbusiness.net"
    >
    > is in my local.cf yet a message with the following headers didn't match.
    > Any ideas?
    >
    > Return-Path:
    > Received: from [75.145.201.209]
    > (75-145-201-209-Jacksonville.hfc.comcastbusiness.net [75.145.201.209] (may
    > be forged))
    > by mail.electronet.net (8.14.2/8.14.2) with ESMTP id m54DeD5V009962
    > for ; Wed, 4 Jun 2008 09:40:19 -0400
    > From: "Gregg Griffin"
    >
    >
    > The rules that did match are below. I'm running sendmail 8.14.2 with SA
    > v3.2.4.
    >
    > X-Spam-Score: 5.221 (*****)
    > BOTNET,HELO_EQ_IP_ADDR,HTML_MESSAGE,RDNS_NONE,UNPARSEABLE_RELAY


    whitelist_from_rcvd only works for hosts that have a valid DNS map, both
    forward & reverse. This is to prevent spammers from forging a
    DNS reverse map to exploit a known whitelist_from_rcvd.

    As your host '[75.145.201.209]' only has a reverse map (no forward map
    for that name) you cannot use whitelist_from_rcvd.

    # host 75.145.201.209
    209.201.145.75.in-addr.arpa domain name pointer 75-145-201-209-Jacksonville.hfc.comcastbusiness.net.
    # host 75-145-201-209-Jacksonville.hfc.comcastbusiness.net.
    Host 75-145-201-209-Jacksonville.hfc.comcastbusiness.net not found: 3(NXDOMAIN)

    So if you can get Comcast to put in a valid DNS forward map for that
    host name it should work.

    --
    Dave Funk University of Iowa
    College of Engineering
    319/335-5751 FAX: 319/384-0549 1256 Seamans Center
    Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
    #include
    Better is not better, 'standard' is better. B{
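The forward-confirmed reverse DNS (FCrDNS) requirement described above, worked through on the headers from the first post. This is an added example, not code from the thread or from SpamAssassin: the DNS answers are a constructed table mirroring the two `host` lookups posted (PTR present, forward A record absent), `mx.example.net` / 192.0.2.10 is a made-up host whose records agree, and the matching semantics (glob on the sender address, label-boundary suffix match on the confirmed rDNS name) are this example's assumptions, not a transcription of SpamAssassin's `whitelist_from_rcvd` implementation. Sendmail writes "(may be forged)" into the Received: line precisely when the PTR name does not resolve back to the connecting address, which is why the posted header carries it and why the RDNS_NONE hit is consistent with the name being discarded.

```python
"""FCrDNS check and whitelist_from_rcvd-style matching (added example)."""
import fnmatch
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data, an assumption of this example rather than live lookups.
# 75.145.201.209 mirrors the thread: PTR present, forward A record absent.
# 192.0.2.10 / mx.example.net is a made-up host whose records agree.
FAKE_PTR: Dict[str, List[str]] = {
    "75.145.201.209": ["75-145-201-209-Jacksonville.hfc.comcastbusiness.net."],
    "192.0.2.10": ["mx.example.net."],
}
FAKE_A: Dict[str, List[str]] = {
    "mx.example.net": ["192.0.2.10"],   # the comcastbusiness.net name: NXDOMAIN
}
Resolver = Callable[[str, str], List[str]]


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a resolver; [] where real DNS answers NXDOMAIN."""
    table = {"PTR": FAKE_PTR, "A": FAKE_A}[rrtype]
    return table.get(name.rstrip("."), [])


def fcrdns(ip: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Forward-confirmed reverse DNS: a PTR name for `ip` counts only if it
    resolves back to `ip`.  Returns the confirmed name, else None."""
    for name in resolve(ip, "PTR"):
        name = name.rstrip(".")
        if ip in resolve(name, "A"):
            return name
    return None


# sendmail's "from HELO (RDNS [IP] (may be forged)) by MTA" clause; the
# "(may be forged)" note means the PTR name did not resolve back to the IP.
_SENDMAIL_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?P<forged>\s+\(may be forged\))?\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def parse_sendmail_received(header: str) -> Optional[dict]:
    """Unfold a multi-line Received: header and extract the relay details."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())
    m = _SENDMAIL_FROM.search(unfolded)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "by": m["by"], "forged": m["forged"] is not None}


def parse_whitelist_cf(text: str) -> List[Tuple[str, str]]:
    """Collect (address-glob, rdns-domain) pairs from whitelist_from_rcvd lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "whitelist_from_rcvd":
            entries.append((parts[1], parts[2]))
    return entries


def whitelist_from_rcvd(received: str, from_addr: str,
                        entries: List[Tuple[str, str]],
                        resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """Assumed semantics: sender matches the glob, relay rDNS is forward-
    confirmed, configured domain matches that name at a label boundary."""
    relay = parse_sendmail_received(received)
    if relay is None:
        return False, "unparseable Received: header"
    if relay["forged"] or relay["rdns"] is None:
        return False, f"no usable rDNS for {relay['ip']} (none, or may be forged)"
    confirmed = fcrdns(relay["ip"], resolve)
    if confirmed is None:
        return False, f"rDNS {relay['rdns']} is not forward-confirmed"
    for addr_glob, domain in entries:
        if (fnmatch.fnmatchcase(from_addr.lower(), addr_glob.lower())
                and re.search(r"(?:^|\.)" + re.escape(domain) + r"$", confirmed, re.I)):
            return True, f"{addr_glob} matched via {confirmed}"
    return False, "no whitelist_from_rcvd entry matched"


# The header as posted in the thread, plus a constructed one for contrast.
RECEIVED_THREAD = """Received: from [75.145.201.209]
    (75-145-201-209-Jacksonville.hfc.comcastbusiness.net [75.145.201.209] (may
    be forged))
    by mail.electronet.net (8.14.2/8.14.2) with ESMTP id m54DeD5V009962
    for ; Wed, 4 Jun 2008 09:40:19 -0400"""
RECEIVED_GOOD = """Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.electronet.net (8.14.2/8.14.2) with ESMTP id m54Dxxxx000000
    for ; Wed, 4 Jun 2008 09:41:00 -0400"""
LOCAL_CF = """whitelist_from_rcvd *@greencovesprings.com 75-145-201-209-Jacksonville.hfc.comcastbusiness.net
whitelist_from_rcvd *@greencovesprings.com comcastbusiness.net
whitelist_from_rcvd *@example.net example.net"""

if __name__ == "__main__":
    entries = parse_whitelist_cf(LOCAL_CF)
    print(whitelist_from_rcvd(RECEIVED_THREAD, "ggriffin@greencovesprings.com", entries))
    print(whitelist_from_rcvd(RECEIVED_GOOD, "postmaster@example.net", entries))
```

Note that the second `local.cf` line is the relaxed `comcastbusiness.net` entry suggested in reply 3; with the constructed data it still fails for the thread's message, because the problem is the missing forward record, not the width of the domain match. Swap `fake_resolve` for a real resolver (a thin wrapper around your DNS library of choice) to run the same check against live data.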


  5. RE: whitelist_from_rcvd question


    > whitelist_from_rcvd only works for hosts that have a valid DNS map, both
    > forward & reverse. This is to prevent spammers from forging a
    > DNS reverse map to exploit a known whitelist_from_rcvd.
    >
    > As your host '[75.145.201.209]' only has a reverse map (no forward map
    > for that name) you cannot use whitelist_from_rcvd.
    >
    > # host 75.145.201.209
    > 209.201.145.75.in-addr.arpa domain name pointer 75-145-201-209-
    > Jacksonville.hfc.comcastbusiness.net.
    > # host 75-145-201-209-Jacksonville.hfc.comcastbusiness.net.
    > Host 75-145-201-209-Jacksonville.hfc.comcastbusiness.net not found:
    > 3(NXDOMAIN)
    >
    > So if you can get Comcast to put in a valid DNS forward map for that
    > host name it should work.
    >


    I think the problem is caused by the program I'm using to call SA. If I
    feed the message to SA directly from the command line, it matches the
    whitelist and stops processing more rules. To me, this implies
    whitelist_from_rcvd doesn't really care about full circle rDNS.

    If I'm wrong on this assessment, I can stop bothering my other list.
    However, since we know that nobody can get the big ISP's to do anything
    about forward or reverse DNS, what would be the appropriate way to whitelist
    this sender? Unfortunately, the sender has botched their SPF record(s) so
    that option is out.


    [3106] dbg: spf: checking to see if the message has a Received-SPF header
    that we can use
    [3106] dbg: spf: using Mail::SPF for SPF checks
    [3106] dbg: spf: checking HELO (helo=!75.145.201.209!, ip=75.145.201.209)
    [3106] dbg: spf: cannot check HELO of '!75.145.201.209!', skipping
    [3106] dbg: spf: already checked for Received-SPF headers, proceeding with
    DNS based checks
    [3106] dbg: spf: checking EnvelopeFrom (helo=!75.145.201.209!,
    ip=75.145.201.209, envfrom=ggriffin@greencovesprings.com)
    [3106] dbg: spf: query for
    ggriffin@greencovesprings.com/75.145.201.209/!75.145.201.209!: result:
    permerror, comment: , text: Redundant applicable 'v=spf1' sender policies
    found
    [3106] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get
    pass, skipping whitelist check
    [3106] dbg: spf: whitelist_from_spf: already checked spf and didn't get
    pass, skipping whitelist check

