Discussion:
unexpected outgoing spam classification based on X-Originating-IP
Wolfgang Rosenauer
2018-08-18 09:49:47 UTC
Hi,

I'm running Postfix + amavisd-new + spamassassin on my mailserver(s) and my users have access to a webmail system to send mails.
Just recently I got an unexpected spam classification from an outgoing mail which I do not really fully understand:


First upstream SMTP client IP address: [148.251.71.226]
Received from: 148.251.71.226
-> this is my webmail system which sends mail as a client via Submission and SMTP AUTH.

Return-Path: <anonymized>
From: anonymized
Message-ID: <***@ox.an-netz.de>
X-Mailer: Open-Xchange Mailer v7.10.0-Rev12
Subject: Re: Anfrage
Not quarantined.

The message WILL BE relayed to:
<anonymized>

Spam scanner report:
Spam detection software, running on the system "my mailserver",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
postmaster for details.

Content preview:

Content analysis details: (7.2 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 HTML_MESSAGE BODY: HTML included in message
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[80.187.102.207 listed in zen.spamhaus.org]
0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[80.187.102.207 listed in bb.barracudacentral.org]
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS



The IP listed above is the dialup IP used to send the mail via the webmailer. It is rightfully listed in PBL because it's "dialup".
But it only is listed/used as X-Originating-IP.
So this is a fully legitimate mail as it was sent authenticated.

I was quite a bit surprised. I guess (haven't checked yet) that I can work around this issue by whitelisting something. I would also be interested in pointers to that, but I'm also wondering, from a more general point of view, whether looking at X-Originating-IP for RBLs really makes sense?
I already tag and filter authenticated delivered mail as originating and send it to a different amavis port and tag it there as "ORIGINATING" policy.

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 0,  # 0 disables disclaimer insertion (1 enables it if available)
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["virusalert\@$mydomain"],
  warnbadhsender => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

Any indicators about this issue? Does it make sense? How to fix it?


Thanks,
Wolfgang
Wolfgang Rosenauer
2018-08-18 20:09:12 UTC
Hi,
Post by Wolfgang Rosenauer
The IP listed above is the dialup IP used send the mail via the webmailer. It is rightfully listed in PBL because it's "dialup".
But it only is listed/used as X-Originating-IP.
<http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#originating_ip_headers_header_default_x_yahoo_post_ip_x_originating_ip_x_apparently_from_x_senderip>
hmm, sounds like a workaround.
Meanwhile I have found https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6501 which sounds quite similar.
But the reason why it was closed is that there was no indication of being authenticated.

In my case though the received header clearly shows this IMHO:
Received: from null (ox1.an-netz.net [148.251.71.226])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by ds9.rosenauer.org (Postfix) with ESMTPSA id E5D1BA12E2
for <EMAIL>; Fri, 17 Aug 2018 15:41:44 +0200 (CEST)
X-Originating-IP: 80.187.102.207

So I still think that this should not be PBL checked.
OTOH: what's the point in adding an X-Originating-IP header to mails
sent by authenticated users?
That is probably some point to argue about. Honestly I think it's useful because if a user uses a "normal" MUA the client IP is also exposed via Received headers. It also seems to be the case for quite many commercial webmail providers.
Oh, BTW: IMO posting HTML to a technical mailing list is a very bad
idea. But I wasn't aware that there's yet another reason to adhere to
Indeed. Unfortunately I'm on the road and did/do not have my regular mail client here and forgot to switch to plain text only before I sent the mail. Sorry for that. Typically I take care.
Post by Wolfgang Rosenauer
Return-Path: <anonymized>
[...]
Yeah, I'm not too concerned about having this exposed but good point.


Thanks,
Wolfgang
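
As an added illustration (not part of the thread and not SpamAssassin's or amavisd's code): a Python sketch of how the X-Originating-IP value from the quoted headers ends up among the addresses an RBL check consults, and how honouring an authenticated (ESMTPSA) submission keeps it out. The PBL set and the sample headers are constructed from the values quoted above, and the `trust_authenticated_submission` switch is a hypothetical policy knob, not a real SpamAssassin option.

```python
import re
from email import message_from_string
from email.policy import default

# SpamAssassin's default originating_ip_headers list (from the Conf doc linked in the thread).
ORIGINATING_IP_HEADERS = ("X-Yahoo-Post-IP", "X-Originating-IP", "X-Apparently-From", "X-SenderIP")

# Constructed stand-in for a zen.spamhaus.org PBL lookup, so the example runs offline.
PBL_LISTED = {"80.187.102.207"}

# Constructed headers, modelled on the Received/X-Originating-IP lines quoted in the thread.
SAMPLE_HEADERS = """\
Received: from null (ox1.an-netz.net [148.251.71.226])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
    (No client certificate requested)
    by ds9.rosenauer.org (Postfix) with ESMTPSA id E5D1BA12E2
    for <recipient@example.invalid>; Fri, 17 Aug 2018 15:41:44 +0200 (CEST)
X-Originating-IP: 80.187.102.207
Subject: Re: Anfrage
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def relay_ips(received):
    """Relay addresses from the Received: chain: the first [a.b.c.d] in each header."""
    return [m.group(1) for m in (re.search(rf"\[({IPV4})\]", h) for h in received) if m]

def submitted_authenticated(received):
    """True when the topmost Received: (added by our own MTA) shows SMTP AUTH (ESMTPSA/ESMTPA)."""
    return bool(received) and re.search(r"\bwith E?SMTPS?A\b", received[0]) is not None

def rbl_candidates(raw_headers, trust_authenticated_submission=False):
    """Addresses an RBL check would consult: the relays, plus the originating-IP headers
    unless the hypothetical policy says to skip those for authenticated submissions."""
    msg = message_from_string(raw_headers, policy=default)
    received = msg.get_all("Received", [])
    ips = relay_ips(received)
    if not (trust_authenticated_submission and submitted_authenticated(received)):
        for name in ORIGINATING_IP_HEADERS:
            for value in msg.get_all(name, []):
                ips.extend(re.findall(IPV4, value))
    return ips

def pbl_hits(raw_headers, trust_authenticated_submission=False):
    """Candidate addresses that are PBL-listed (what produces RCVD_IN_PBL in the report)."""
    return [ip for ip in rbl_candidates(raw_headers, trust_authenticated_submission) if ip in PBL_LISTED]

if __name__ == "__main__":
    print("default policy:", pbl_hits(SAMPLE_HEADERS))       # ['80.187.102.207']
    print("skip for AUTH:", pbl_hits(SAMPLE_HEADERS, True))  # []
```

With the default behaviour the relay 148.251.71.226 is clean but the dialup address from X-Originating-IP produces the PBL hit; a message relayed without SMTP AUTH still gets its originating-IP headers checked even when the switch is on.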
