RCVD_ILLEGAL_IP question(s) - SpamAssassin

  1. RCVD_ILLEGAL_IP question(s)

    Howdy folks,

    I'm experiencing a problem with some people (myself included) who are not
    properly receiving their Consumers Energy bills. Rather, the bills are
    being marked as spam and sent into their SPAM folders. One of the two
    things being marked by the Spam-Report is RCVD_ILLEGAL_IP.

    I found the function that does the checking for this information in the
    Mail-Spamassassin (or perl-spamassassin-3.2.1-1) package. We have this
    installed out of RPMs for OpenSuSE 10.2 (both x86 and amd64).

    Here is the function:

    sub check_for_illegal_ip {
      my ($self, $pms) = @_;

      foreach my $rcvd ( @{$pms->{relays_untrusted}} ) {
        # (note this might miss some hits if the Received.pm skips any invalid IPs)
        foreach my $check ( $rcvd->{ip}, $rcvd->{by} ) {
          return 1 if ($check =~ /^
            (?:[01257]|(?!127.0.0.)127|22[3-9]|2[3-9]\d|[12]\d{3,}|[3-9]\d\d+)\.\d+\.\d+\.\d+
            $/x);
        }
      }
      return 0;
    }

    I'm having a hard time understanding the regex myself. Our network admin
    is actually the person who brought the issue to my attention; I didn't
    even realize I wasn't receiving my own bills, and I imagine other folks are
    not either. Here are the headers from the message with some info REDACTED
    to avoid robots crawling for email addresses. Our network admin says the
    IP is certainly a legal one, and it pings for us as well as for other
    people. Anyway, here's another paste:

    ----[begin paste]----
    Return-path:
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on
    mx03.mail.msu.edu
    X-Spam-Level: *****
    X-Spam-Status: Yes, score=5.3 required=5.0 tests=INVALID_TZ_EST,
    RCVD_ILLEGAL_IP shortcircuit=no autolearn=disabled version=3.2.1
    X-Spam-Report:
    * 2.1 INVALID_TZ_EST Invalid date in header (wrong EST timezone)
    * 3.2 RCVD_ILLEGAL_IP Received: contains illegal IP address
    Envelope-to: REDACTED@msu.edu
    Delivery-date: Fri, 01 Aug 2008 06:15:17 -0400
    Received: from mail.consumersenergy.com ([67.59.61.131]
    helo=dmzhpu01.cpco.com)
    by mx03.mail.msu.edu with esmtp (Exim 4.63 #1)
    id 1KOrfJ-00026T-Cg
    for marti259@msu.edu; Fri, 01 Aug 2008 06:15:17 -0400
    Received: from cmsenergy.com (ecpadm@prmhpu63.ce.corp.com [1.226.208.65])
    by dmzhpu01.cpco.com (8.11.1/8.11.1) with ESMTP id m71AFGJ28409
    for ; Fri, 1 Aug 2008 06:15:17 -0400 (EDT)
    Date: Fri, 1 Aug 2008 05:14:38 -0400 (EST)
    From: "eServices"
    Subject: Consumers Energy bill ready to view
    To: marti259@msu.edu
    Reply-To: "eServices"
    Message-ID:
    MIME-Version: 1.0
    Importance: Normal
    X-Priority: 3 (Normal)
    X-Mailer: SAP Web Application Server 7.00
    Content-Type: text/plain;
    charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    Content-Description: Consumers Energy bill ready to view
    X-Virus: None found by Clam AV

    ----[end paste]----

    I'm guessing the IP address in question is: 1.226.208.65

    While it certainly is not within a range I see all that often, I am
    assured by our hostmaster that it is legit. Another one I've seen is
    1.226.208.61

    Any ideas on why this is being picked up incorrectly? Or are we way off
    base, and it is indeed *wrong?* I am admittedly kind of new to dealing
    with the inner workings of SpamAssassin. I took the job as a mail admin
    a couple of years ago, and SA has simply *worked* as set up by the previous
    admin. I'll be glad to dig around, but I'm still kind of learning it.

    Thanks for any ideas.

    Regards,
    ../brm
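
The pattern from the function in the post above, split into its first-octet branches and run over the relay addresses from the pasted headers. This is an added example, not part of the original post or of SpamAssassin's code; the relay list, the branch descriptions and the two loopback addresses are constructed for illustration.

```perl
use strict;
use warnings;

# First-octet alternatives copied from the check_for_illegal_ip pattern above,
# each paired with a plain description (the descriptions are added here).
my @branches = (
    [ '[01257]',         'first octet is 0, 1, 2, 5 or 7' ],
    [ '(?!127.0.0.)127', '127.x.x.x outside 127.0.0.x' ],
    [ '22[3-9]',         'first octet 223-229' ],
    [ '2[3-9]\d',        'first octet 230-299' ],
    [ '[12]\d{3,}',      'first octet has 4+ digits, starting with 1 or 2' ],
    [ '[3-9]\d\d+',      'first octet has 3+ digits, starting with 3-9' ],
);
my $tail = '\.\d+\.\d+\.\d+';   # the remaining three dotted groups

# Return the description of the branch that flags $check, or undef if none does.
sub illegal_ip_reason {
    my ($check) = @_;
    return unless defined $check;
    for my $branch (@branches) {
        my ($alt, $why) = @$branch;
        return $why if $check =~ /^(?:$alt)$tail$/;
    }
    return;
}

# Constructed relay list in the shape the function walks ({ip} and {by}),
# filled from the Received: headers in the post plus two loopback samples.
my @relays_untrusted = (
    { ip => '67.59.61.131', by => 'mx03.mail.msu.edu' },
    { ip => '1.226.208.65', by => 'dmzhpu01.cpco.com' },
    { ip => '1.226.208.61', by => 'dmzhpu01.cpco.com' },  # second address mentioned
    { ip => '127.0.0.1',    by => 'localhost' },          # constructed
    { ip => '127.0.1.1',    by => 'localhost' },          # constructed
);

# Same loop order as the original: check {ip}, then {by}, for every relay.
for my $rcvd (@relays_untrusted) {
    for my $check ($rcvd->{ip}, $rcvd->{by}) {
        my $why = illegal_ip_reason($check);
        printf "%-20s %s\n", $check, defined $why ? "HIT: $why" : 'ok';
    }
}
```

The `{by}` values are hostnames here, so only a relay that identifies itself by a bare dotted-quad address can trigger the rule through that field.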


  2. Re: RCVD_ILLEGAL_IP question(s)

    Folks,

    Thanks for your responses thus far. It seems that my head is floating in
    the clouds today and I appear to be dreaming half of this situation. A
    couple of months ago, as I said, our network admin pointed out this
    problem to me. I can no longer find the email he sent me where he stated
    this and that and the other, nor can I even find my response back to him.
    I remember doing a bunch of "homework" on the issue when I became aware of
    the issue and it has been a while since I looked upon it again.

    Everything I described previously was from memory. I swear to you all I was
    able to ping one of those IP addresses, and I even remember looking at
    ARIN. Well it appears that I am dead wrong! Heh! I really have no idea
    how I've misinformed myself so badly. Anyway, I am contacting Consumers
    Energy about the matter now, their postmaster too.

    I appreciate all the input, but I guess we can consider this matter
    closed.

    Move along, nothing to see here...
    ../brm

