
Thread: SpamAssassin test: RCVD_IN_DNSWL_MED

  1. #1 SpamAssassin test: RCVD_IN_DNSWL_MED

    Possibly I should take this question to the SpamAssassin mailing lists, but figured I'd try it here first. My server received a bunch of spam that got through both Postini and SpamAssassin. The relevant headers are:

    Code:
    Return-Path: subornationjc5601@rnacpa.com
    Received: from 10.10.22.10 (LHLO mx.mydomain.com) (10.10.22.10) by
     mx.mydomain.com with LMTP; Tue, 29 Jun 2010 12:04:39 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by mx.mydomain.com (Postfix) with ESMTP id 139194CA8017;
    	Tue, 29 Jun 2010 12:04:38 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at wsl-mx1.mydomain.com
    X-Spam-Flag: NO
    X-Spam-Score: 2.134
    X-Spam-Level: **
    X-Spam-Status: No, score=2.134 tagged_above=-10 required=4.2
    	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
    	RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_DNSWL_MED=-4,
    	URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_WS_SURBL=1.5]
    Received: from mx.mydomain.com ([127.0.0.1])
    	by localhost (mx.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id U4eRmNZatcv5; Tue, 29 Jun 2010 12:04:03 -0400 (EDT)
    Received: from psmtp.com (exprod5mx244.postini.com [64.18.0.164])
    	by mx.mydomain.com (Postfix) with SMTP id 4AC044CA8010
    	for <inwood@mydomain.com>; Tue, 29 Jun 2010 12:03:53 -0400 (EDT)
    Received: from source ([93.74.74.171]) by exprod5mx244.postini.com ([64.18.4.14]) with SMTP;
    	Tue, 29 Jun 2010 12:04:00 EDT
    Received: from 93.74.74.171 (port=6472 helo=[NETBOOKMSI])
    	by inbound30.exchangedefender.com with asmtp 
    	id 8F2729-000401-95
    	for inwood@mydomain.com; Tue, 29 Jun 2010 19:03:40 +0200
    Message-ID: <409D29E6.0409664@rnacpa.com>
    Date: Tue, 29 Jun 2010 19:03:40 +0200
    From: "mydomain.com" <support@mydomain.com>
    MIME-Version: 1.0
    To: inwood@mydomain.com
    Subject: Reset your mydomain.com password
    Content-Disposition: inline
    Content-Transfer-Encoding: binary
    Content-Type: text/html; charset=iso-8859-1
    X-Spam: Not detected
    X-Mras: OK
    X-pstn-levels:     (S: 3.52628/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
    X-pstn-settings: 5 (2.0000:2.0000) s cv gt3 gt2 gt1 r p m c 
    X-pstn-addresses: from <support@mydomain.com> [db-null]

    From the looks of it, the reason it passed SpamAssassin is because the RCVD_IN_DNSWL_MED test tacked on -4 to the score. The originating IP address is 93.74.74.171, but when I checked, that URL is not in the DNSWL whitelist. So, why did this test pass? My only guess is that rather than (or in addition to) checking the original IP address, it checked the next one in the received chain, which would be Postini. Since Postini is in the whitelist, it gave the mail an extra -4. Does that make any sense? If not, why is it giving -4 to an IP not in the list? Thanks!

  2. #2 SA DNSBL lookups are almost exclusively MX peer only.

    SpamAssassin does DNSBL lookups almost exclusively on the peer of your MX. In this case Postini's IP. Doing "deep header parsing" for more lookups is against the Terms and Conditions of most DNSBLs (e.g. PBL, CBL, XBL etc.) and will generally cause unacceptable numbers of false positives.

    So, when Postini leaks, DNSBLs won't help you.

    You'd be best off bumping up the scores for SURBL hits a few notches and/or inhibiting the DNSWL listing of Postini.

  3. #3

    Thanks for the reply! I'm not sure I understand though. The Postini IP is neither the first received header (that would be the spammer's IP, 93.74.74.171) nor the last received header (that would be localhost, 127.0.0.1). Are you saying it just goes back to the first peer seen before localhost? That seems strange, especially because that will only rarely be the actual origin of the message. In my case, that will ALWAYS be Postini, which would make the RCVD_IN_DNSWL_MED test completely useless. I'm sure I'm not the only one with this type of setup. But I guess it doesn't make sense to check the first received header either, as that can very easily be spoofed. The only "legitimate" peer is the most recent one.

    I guess I need to go through some mails and see if that's really the case (that RCVD_IN_DNSWL_MED is being applied to everything). If so, it sounds like I need to disable ALL blacklist/whitelist rules, as they will only be applied against Postini. I guess it makes sense that all such rules need to be applied by Postini, and all I can effectively do on my side are message-text heuristics.

    Thanks!

  4. #4 DNSBL lookups in SA

    Sorry, didn't realize that you were a Postini customer. I thought that this email was outbound from Postini to your MX, not inbound to you via your MX to Postini.

    That changes things.

    You have to educate SA where your "perimeter" is - namely, the Postini inbounds. Once you've done that, SA will be doing the DNSBL lookups on Postini's peer - namely, the hop that got the email to Postini.

    See: TrustedRelays - Spamassassin Wiki
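Added example (not from the thread or the SpamAssassin project): a small Python model of the trusted_networks walk the reply describes, run over a condensed copy of the Received chain from post #1. It is a simplified model rather than SpamAssassin's own header parser, and the 64.18.0.0/20 network is an assumed Postini range inferred from the 64.18.x.x addresses in the headers.

```python
import ipaddress
import re

# Constructed sample, condensed from the post's Received chain (newest hop first).
SAMPLE_HEADERS = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mx.mydomain.com (Postfix) with ESMTP id 139194CA8017;
	Tue, 29 Jun 2010 12:04:38 -0400 (EDT)
Received: from psmtp.com (exprod5mx244.postini.com [64.18.0.164])
	by mx.mydomain.com (Postfix) with SMTP id 4AC044CA8010
	for <inwood@mydomain.com>; Tue, 29 Jun 2010 12:03:53 -0400 (EDT)
Received: from source ([93.74.74.171]) by exprod5mx244.postini.com ([64.18.4.14]) with SMTP;
	Tue, 29 Jun 2010 12:04:00 EDT
Received: from 93.74.74.171 (port=6472 helo=[NETBOOKMSI])
	by inbound30.exchangedefender.com with asmtp
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def received_ips(raw_headers):
    """Return the sending ('from') IP of every Received: header, newest first."""
    # Unfold RFC 5322 continuation lines (a line starting with whitespace).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    ips = []
    for line in unfolded.splitlines():
        if not line.startswith("Received:"):
            continue
        from_clause = line.split(" by ", 1)[0]  # only the sender side of the hop
        match = IPV4.search(from_clause)
        if match:
            ips.append(match.group(0))
    return ips


def first_untrusted_relay(raw_headers, trusted_networks):
    """Simplified trusted_networks walk: step outward from the MX and stop at the
    first hop not in a trusted network; that address is what RCVD_IN_* rules look up."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in received_ips(raw_headers):
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            return ip
    return None  # every hop was trusted; nothing to look up


if __name__ == "__main__":
    # Only loopback trusted: Postini is the checked "peer" and DNSWL scores it -4.
    print(first_untrusted_relay(SAMPLE_HEADERS, ["127.0.0.0/8"]))
    # Perimeter taught to SA (local.cf: trusted_networks 64.18.0.0/20, an assumed
    # Postini range; verify against the provider's published list).
    print(first_untrusted_relay(SAMPLE_HEADERS, ["127.0.0.0/8", "64.18.0.0/20"]))
```

The second call returns 93.74.74.171, the address the DNSBL rules should have been judging; the first returns 64.18.0.164, which is why the DNSWL hit landed on Postini.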
