Header Analysis Problem - SpamAssassin


Thread: Header Analysis Problem

  1. Re: Header Analysis Problem


  2. Re: Header Analysis Problem


  3. Header Analysis Problem

    Hello,

    I am getting these hits with the email below:

    AWL,
    FH_HELO_ALMOST_IP,
    HELO_DYNAMIC_SPLIT_IP,
    RCVD_IN_PBL

    Problem is in this "Received":
    Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by
    owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 17 Jun 2008 17:18:10 +0200

    Client in IP address 88.31.96.80 is sending mail using SMTP-Auth to
    "owa1.cnio.es", so this header is right.

    Problem is that SA is analyzing this "Received" and complaining about it
    as it is a dynamic IP address or so.

    Any way to solve this problem?



    # spamassassin < test
    Received: from localhost by flash2.cnio.es
    with SpamAssassin (version 3.2.5);
    Tue, 17 Jun 2008 18:04:15 +0200
    From: john doe
    To: Any One
    Subject: spam: Re: [Fwd: [Fwd: Delivery Status Notification (Failure)]]
    Date: Tue, 17 Jun 2008 17:18:02 +0200
    Message-Id: <4857D5AA.6020101@cnio.es>
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on flash2.cnio.es
    X-Spam-Level: ********
    X-Spam-Status: Yes, score=8.0 required=5.0 tests=AWL,FH_HELO_ALMOST_IP,
    HELO_DYNAMIC_SPLIT_IP,RCVD_IN_PBL,RDNS_NONE autolearn=no
    version=3.2.5
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----------=_4857E07F.6924E393"

    This is a multi-part message in MIME format.

    ------------=_4857E07F.6924E393
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit

    This Email has been identified as spam. The original message has been
    attached to this so you can view it (if it isn't spam).

    Content analysis details: (8.0 points, 5.0 required)
    --------------------
    Este Email ha sido identificado como spam. El mensaje original ha sido
    adjuntado a esta notificacia su visualizaci caso de que no
    sea spam).

    Detalles del an?sis de contenido: (8.0 points, 5.0 required)



    ------------=_4857E07F.6924E393
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit

    Received: from owa1.cnio.es (owa1.cnio.es [192.168.10.7])
    by flash2.cnio.es (ESMTP Server) with ESMTP
    for ; Tue, 17 Jun 2008
    17:18:15 +0200 (CEST)
    Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by
    owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 17 Jun 2008 17:18:10 +0200
    Message-ID: <4857D5AA.6020101@cnio.es>
    Date: Tue, 17 Jun 2008 17:18:02 +0200
    From: john doe
    User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421)
    MIME-Version: 1.0
    To: Any One
    Subject: Re: [Fwd: [Fwd: Delivery Status Notification (Failure)]]
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 8bit

    some text


    ------------=_4857E07F.6924E393--



    Regards,
    Carlos Velasco


  4. Re: Header Analysis Problem

    mouss wrote:
    > Carlos Velasco wrote:
    >> Hello,
    >>
    >> I am getting these hits with the email below:
    >>
    >> AWL,
    >> FH_HELO_ALMOST_IP,
    >> HELO_DYNAMIC_SPLIT_IP,
    >> RCVD_IN_PBL
    >>
    >> Problem is in this "Received":
    >> Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by
    >> owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959);
    >> Tue, 17 Jun 2008 17:18:10 +0200
    >>
    >> Client in IP address 88.31.96.80 is sending mail using SMTP-Auth to
    >> "owa1.cnio.es", so this header is right.
    >>
    >> Problem is that SA is analyzing this "Received" and complaining about it
    >> as it is a dynamic IP address or so.
    >>
    >> Any way to solve this problem?

    >
    > set internal_networks.


    Well, the problem is that users can send from any Internet IP address as
    they do SMTP-Auth, so I can't use internal_networks or trusted_networks
    or msa_networks.


  5. Re: Header Analysis Problem

    mouss wrote:
    > Carlos Velasco wrote:
    >> mouss wrote:
    >>> Carlos Velasco wrote:
    >>>> Hello,
    >>>>
    >>>> I am getting these hits with the email below:
    >>>>
    >>>> AWL,
    >>>> FH_HELO_ALMOST_IP,
    >>>> HELO_DYNAMIC_SPLIT_IP,
    >>>> RCVD_IN_PBL
    >>>>
    >>>> Problem is in this "Received":
    >>>> Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80])by
    >>>> owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959);
    >>>> Tue, 17 Jun 2008 17:18:10 +0200
    >>>>
    >>>> Client in IP address 88.31.96.80 is sending mail using SMTP-Auth to
    >>>> "owa1.cnio.es", so this header is right.
    >>>>
    >>>> Problem is that SA is analyzing this "Received" and complaining
    >>>> about it
    >>>> as it is a dynamic IP address or so.
    >>>>
    >>>> Any way to solve this problem?
    >>> set internal_networks.

    >> Well, the problem is that users can send from any Internet IP address
    >> as they do SMTP-Auth, so I can't use internal_networks or
    >> trusted_networks or msa_networks.
    >>

    > put the IP of owa1.cnio.es in internal_networks.


    It doesn't work. I think internal_networks matches the "from" IP
    address, not the "by". In debug, relay 192.168.10.7 is matched as
    internal, but relay 88.31.96.80 is not.

    [30937] dbg: received-header: parsed as [ ip=192.168.10.7
    rdns=owa1.cnio.es helo=owa1.cnio.es by=flash2.cnio.es ident= envfrom=
    intl=0 id= auth= msa=0 ]
    [30937] dbg: received-header: relay 192.168.10.7 trusted? yes internal?
    yes msa? no
    [30937] dbg: received-header: parsed as [ ip=88.31.96.80 rdns=
    helo=80.Red-88-31-96.staticIP.rima-tde.net by=owa1.cnio.es ident=
    envfrom= intl=0 id= auth= msa=0 ]
    [30937] dbg: received-header: relay 88.31.96.80 trusted? no internal? no
    msa? no
    [30937] dbg: metadata: X-Spam-Relays-Trusted: [ ip=192.168.10.7
    rdns=owa1.cnio.es helo=owa1.cnio.es by=flash2.cnio.es ident= envfrom=
    intl=1 id= auth= msa=0 ]
    [30937] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=88.31.96.80 rdns=
    helo=80.Red-88-31-96.staticIP.rima-tde.net by=owa1.cnio.es ident=
    envfrom= intl=0 id= auth= msa=0 ]
    [30937] dbg: metadata: X-Spam-Relays-Internal: [ ip=192.168.10.7
    rdns=owa1.cnio.es helo=owa1.cnio.es by=flash2.cnio.es ident= envfrom=
    intl=1 id= auth= msa=0 ]
    [30937] dbg: metadata: X-Spam-Relays-External: [ ip=88.31.96.80 rdns=
    helo=80.Red-88-31-96.staticIP.rima-tde.net by=owa1.cnio.es ident=
    envfrom= intl=0 id= auth= msa=0 ]


  6. Re: Header Analysis Problem

    On 17.06.08 18:15, Carlos Velasco wrote:
    > I am getting these hits with the email below:
    >
    > AWL,
    > FH_HELO_ALMOST_IP,
    > HELO_DYNAMIC_SPLIT_IP,
    > RCVD_IN_PBL
    >
    > Problem is in this "Received":
    > Received: from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by
    > owa1.cnio.es with Microsoft SMTPSVC(6.0.3790.3959);
    > Tue, 17 Jun 2008 17:18:10 +0200
    >
    > Client in IP address 88.31.96.80 is sending mail using SMTP-Auth to
    > "owa1.cnio.es", so this header is right.


    However the headers do not contain any information about using SMTP auth,
    so the SA does not know about it.

    Adding the IP of your msa_networks would help, but you must not do it if the
    server also acts as MX...
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


  7. Re: Header Analysis Problem

    Matus UHLAR - fantomas wrote:

    > However the headers do not contain any information about using SMTP auth,
    > so the SA does not know about it.


    Yes, that's the problem. "owa1.cnio.es" is an MS Exchange, and I don't know
    how to make it put authentication information in the headers.

    I searched for Exchange and RFC 3848 but had no luck.

    > adding the IP of your msa_networks would help, but you must not do it if the
    > server also acts as MX...


    I can't, as the users can send from any Internet IP address.
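
The trust boundary the thread is discussing, as an added example that is not part of any post and is not SpamAssassin's own code: a simplified Python model that walks the two Received headers from the original message and shows why the 88.31.96.80 hop lands in the untrusted list. The `AUTHED` variant, the function names, and the rule that an RFC 3848 authenticated hop extends trust are assumptions made for the illustration.

```python
import ipaddress
import re

# The two Received headers from the thread, newest first, unfolded to one line each.
HEADERS = [
    "from owa1.cnio.es (owa1.cnio.es [192.168.10.7]) by flash2.cnio.es "
    "(ESMTP Server) with ESMTP for ; Tue, 17 Jun 2008 17:18:15 +0200 (CEST)",
    "from 80.Red-88-31-96.staticIP.rima-tde.net ([88.31.96.80]) by owa1.cnio.es "
    "with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Jun 2008 17:18:10 +0200",
]
# Constructed variant (not from the thread): the client hop as it would read if the
# receiving server recorded an RFC 3848 "with" keyword for an authenticated session.
AUTHED = [HEADERS[0], HEADERS[1].replace(
    "with Microsoft SMTPSVC(6.0.3790.3959)", "with ESMTPSA")]

# RFC 3848 protocol keywords whose trailing "A" means the sender authenticated.
AUTH_KEYWORDS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\swith\s+(?P<proto>[^;]+?)(?:\s+(?:id|for)\b|;)", re.S)

def classify(headers, internal_networks):
    """Walk hops newest to oldest; trust ends at the first hop that is neither
    in internal_networks nor marked as authenticated (simplified model)."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    chain_trusted, relays = True, []
    for raw in headers:
        m = RECEIVED_RE.search(raw)
        if m is None:  # unparseable hop: nothing older can be trusted
            chain_trusted = False
            continue
        ip = ipaddress.ip_address(m["ip"])
        auth = m["proto"].split()[0].upper() in AUTH_KEYWORDS
        trusted = chain_trusted and (auth or any(ip in n for n in nets))
        relays.append({"ip": m["ip"], "helo": m["helo"], "by": m["by"],
                       "auth": auth, "trusted": trusted})
        chain_trusted = trusted
    return relays

def first_untrusted(relays):
    """The hop whose HELO and IP end up in the untrusted relay list."""
    return next((r for r in relays if not r["trusted"]), None)

if __name__ == "__main__":
    for label, hdrs in (("as posted", HEADERS), ("with ESMTPSA", AUTHED)):
        print(label, first_untrusted(classify(hdrs, ["192.168.10.7"])))
```

With the headers as posted, the "with Microsoft SMTPSVC" clause carries no authentication keyword, so the client hop is the first untrusted relay even though owa1.cnio.es is listed as internal.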

