On Thursday 13 July 2006 08:03, Carlos E. R. wrote:
The Wednesday 2006-07-12 at 18:28 +0200, Sandy Drobic wrote:
The basic understanding of how smtp communication and restrictions work. You can't have fetchmail and RBLs both. Either you use fetchmail, accept all mail and discard or mark and deliver the mail, or you accept mails directly submitted to your server and then you can use RBLs, Postfix restrictions and all the luxury of your own smtp server.
You can't have the cake and eat it at the same time. (^-^)
Yes, I understand that, and from the logs, quite clearly, fetchmail retrieves the mail, hands it to procmail, which hands it to spamassassin (actually spamd) which then returns either spam or not spam to sendmail. Therefore the mail is always from the local server, which is trusted by sendmail. I have to download the message first before I can analyse it, I don't mind doing that, I just don't want to deliver it to the mailboxes if it is spam. Spamassassin actually works and filters out spam emails. It is only the RBL part of spamassassin that is not working, the rest is all working fine. Spamassassin/spamd is most likely looking at the wrong header line.
That can't be completely true: I'm using fetchmail and my spamassassin is using some rbl tests and catching spam that way. Look at a report (edited to avoid false triggers - I hope):
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.9 URI_NOVOWEL            URI: URI hostname has long non-vowel sequence
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [169.207.88.67 listed in dnsbl.sorbs.net]
 1.0 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [169.207.88.67 listed in combined.njabl.org]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: emerseddm dot com]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: emerseddm dot com]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: emerseddm dot com]
 3.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: emerseddm dot com]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: emerseddm dot com]
Notice that the scoring is a bit unfair: one url is scoring several times for the same motive.
Notice also that I have downgraded some scores, like the one for dynamic addresses: after all, I use one myself.
The thing is, the IP that SA checks is the one in the "Return-Path" header: <taxqlnsu at as14.nwbl1.wi.core.com>. The absurd thing is that it is not in fact a dynamic address:
cer@nimrodel:~> host as14.nwbl1.wi.core.com
as14.nwbl1.wi.core.com has address 169.207.80.56
cer@nimrodel:~> host 169.207.80.56
56.80.207.169.in-addr.arpa domain name pointer as14.nwbl1.wi.core.com.
It has correct reverse DNS, can't be dynamic. But dnsbl.sorbs.net says it is.
The reverse lookup and spam listing of sorbs are two different kettles of fish.

#nslookup 56.80.207.169.dnsbl.sorbs.net
Server: 192.168.1.186
Address: 192.168.1.186#53

** server can't find 56.80.207.169.dnsbl.sorbs.net: NXDOMAIN

Not listed in sorbs

and

nslookup 169.207.80.56
Server: 192.168.1.186
Address: 192.168.1.186#53

Non-authoritative answer:
56.80.207.169.in-addr.arpa name = as14.nwbl1.wi.core.com.

vs

# nslookup 132.25.97.84.dnsbl.sorbs.net
Server: 192.168.1.186
Address: 192.168.1.186#53

Non-authoritative answer:
Name: 132.25.97.84.dnsbl.sorbs.net
Address: 127.0.0.10

Listed in sorbs and

Reverse lookup:

nslookup 84.97.25.132
Server: 192.168.1.186
Address: 192.168.1.186#53

Non-authoritative answer:
132.25.97.84.in-addr.arpa name = 132.25.97-84.rev.gaoland.net

The reverse lookup of both addresses succeeds; one is listed in sorbs, the other is not.

This helped me understand the problem better, but I still don't know how to fix it, how to force spamassassin to look at the very first received line like

Received: from unknown (HELO keatingjones.com) (84.97.25.132) by anchovy2.45ru.net.au with SMTP; 9 Jul 2006 13:36:23 -0000

I know this was actually accepted by my ISP but I still would like spamassassin to look at it.

Thanks
Peter
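
The two kinds of lookup compared in the message above, as an added example that is not part of the original thread and is not SpamAssassin's own code: it pulls the relay IP out of the quoted Received line, builds the DNSBL query name and the reverse-DNS name side by side, and checks the listing. The function names are hypothetical, and the offline resolver is constructed from the nslookup answers quoted in the thread.

```python
import ipaddress
import re
import socket

# First bracketed or parenthesised IPv4 literal in a Received header.
_IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def relay_ip(received):
    """Return the relay IPv4 address recorded in one Received header, or None."""
    for m in _IP_RE.finditer(received):
        try:
            return str(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # looked like an IP but was not a valid one
    return None

def dnsbl_name(ip, zone="dnsbl.sorbs.net"):
    """Reversed octets + zone: the name a DNSBL check queries (A record)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def ptr_name(ip):
    """Reverse-DNS name (PTR record); says nothing about blocklist status."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def system_resolver(name):
    """Live A lookup; None on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def dnsbl_listed(ip, zone="dnsbl.sorbs.net", resolve=system_resolver):
    """Return the 127.x.x.x answer if the IP is listed in the zone, else None."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer if answer and answer.startswith("127.") else None

# Received header quoted in the thread.
SAMPLE_RECEIVED = ("Received: from unknown (HELO keatingjones.com) (84.97.25.132) "
                   "by anchovy2.45ru.net.au with SMTP; 9 Jul 2006 13:36:23 -0000")

# Offline stand-in resolver, constructed from the nslookup output in the thread;
# any name not present behaves like NXDOMAIN.
THREAD_ANSWERS = {"132.25.97.84.dnsbl.sorbs.net": "127.0.0.10"}

if __name__ == "__main__":
    ip = relay_ip(SAMPLE_RECEIVED)
    print(ip, dnsbl_name(ip), ptr_name(ip),
          dnsbl_listed(ip, resolve=THREAD_ANSWERS.get))
```

Dropping the `resolve=` argument makes `dnsbl_listed` query the live zone through the system resolver.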