We had an inbound message get rejected because it was sent from a cell
phone. Shouldn't SA be checking the most recent hop? Is there a way to
make this the default?
I have this in local.cf:
header RCVD_IN_rbl2spamhausz eval:check_rbl('spamhausz', 'zen.spamhaus.org.')
score RCVD_IN_rbl2spamhausz 3.5
2019-06-23 10:18:19 1hf4G0-0002xm-Vu H=st43p00im-zteg10073401.me.com [17.58.63.181]:53270 I=[1.1.1.1]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<jtsomedudesr@icloud.com> rejected after DATA: Call Katy Computer $
Envelope-from: <jtsomedudesr@icloud.com>
Envelope-to: <kevin.somedude@somedomain.com>
P Received: from st43p00im-zteg10073401.me.com ([17.58.63.181]:53270)
by mx6.filter1.com with esmtps
(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.91)
(envelope-from <jtsomedudesr@icloud.com>)
id 1hf4G0-0002xm-Vu
for kevin.somedude@somedomain.com; Sun, 23 Jun 2019 10:18:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com;
s=04042017; t=1561303096;
bh=r2TrvoaceRP0b+VFuQY+IGTZNdeyIP+gpz7yR0zojuM=;
h=Content-Type:From:Mime-Version:Date:Subject:Message-Id:To;
b=zvUTXxLFQN3PkKNuMqWkXrN5nmfErusd+BJLae3e5oWTBwHhLPo49ojGUOtMZKsrN
dCj6bSPMuRW2TNPvSvqrP+ONFxDAkR73efrESuX6FkDDRDisDxJrG1RX5EEtogrDGu
0JePNiPvpQbNHia1El2B1IF1sREdBrdywIUBcJbOYWdxBHccCJVeuV56RaFjk1D2Xw
kg9ebd39jn0lXnifQDhoK0bfiW6IQ3VisLxrcDHby9xforIWwSrX+/T2UOlI5TN2Bb
mUFsu/TylzkmK4Ngdb1Pyu16F7wt0y8PBaKfOJpZDuW+b4CYZg/VbSlVGuRI7qJGLM
2UhwHomJLGxZA==
P Received: from [10.87.198.48] (mobile-166-172-61-102.mycingular.net
[166.172.61.102])
by st43p00im-zteg10073401.me.com (Postfix) with ESMTPSA id
34C735E01E0
for <kevin.somedude@somedomain.com>; Sun, 23 Jun 2019 15:18:16
+0000 (UTC)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
F From: JOHN somedude <jtsomedudesr@icloud.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 23 Jun 2019 11:18:14 -0400
Subject: Very nice
I Message-Id: <8D5BEF14-0283-47DE-A819-60D2797CC6BE@icloud.com>
T To: kevin.somedude@somedomain.com
X-Mailer: iPad Mail (16F203)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,,
definitions=2019-06-23_12:,,
signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
suspectscore=1 malwarescore=0
phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0
mlxlogscore=284 adultscore=0 classifier=spam adjust=0 reason=mlx
scancount=1 engine=8.0.1-1812120000 definitions=main-1906230132
X-Spam-Score: 9.8
Content analysis details: (9.8 points, 8.5 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
0.2 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: icloud.com]
3.5 RCVD_IN_rbl2spamhausz RBL: No description available.
[166.172.61.102 listed in zen.spamhaus.org]
0.8 RCVD_IN_rbl2dnsbl_2 RBL: No description available.
[166.172.61.102 listed in
dnsbl2.uceprotect.net]
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/,
low trust
[17.58.63.181 listed in list.dnswl.org]
1.2 RCVD_IN_UCEPROTECT2 RBL: Network listed in
dnsbl-2.uceprotect.net
[NET 17.58.63.0/24 is UCEPROTECT-Level2
listed]
[because 5 abusers are hosted by]
[APPLE-ENGINEERING - Apple Inc., US/AS714
there.]
[See:
<http://www.uceprotect.net/rblcheck.php?ipr=17.58.63.181>]
1.2 RCVD_IN_UCEPROTECT1 RBL: Listed in dnsbl-1.uceprotect.net
[IP 17.58.63.181 is UCEPROTECT-Level 1
listed.]
[See
<http://www.uceprotect.net/rblcheck.php?ipr=17.58.63.181>]
1.0 RCVD_IN_rbl2unsubscore RBL: No description available.
[17.58.63.181 listed in ubl.unsubscore.com]
0.9 RCVD_IN_BS_SPAM RBL: BACKSCATTERER: sender is a spam source
[17.58.63.181 listed in ips.backscatterer.org]
-1.2 FREEMAIL_FROM Sender email is commonly abused enduser mail
provider (jtsomedudesr[at]icloud.com)
-0.1 SPF_PASS SPF: sender matches SPF record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.8 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
necessarily
valid
-0.8 DKIM_VALID Message has at least one valid DKIM or DK
signature
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
--
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis
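To see why the phone's hop fired, here is an added Python illustration (not part of the post and not SpamAssassin's own code) of which relay IPs a plain check_rbl set queries versus a set named with SpamAssassin's `-lastexternal` suffix, run over the two Received headers of the message above. It assumes trusted_networks contains only the receiving MX (1.1.1.1 from the Exim log) and deliberately simplifies SA's real relay parsing.

```python
import ipaddress
import re

# Constructed sample: the two Received headers of the rejected message above,
# in the order SpamAssassin sees them (the one added by our MX comes first).
RECEIVED = [
    "from st43p00im-zteg10073401.me.com ([17.58.63.181]:53270) "
    "by mx6.filter1.com with esmtps (Exim 4.91)",
    "from [10.87.198.48] (mobile-166-172-61-102.mycingular.net [166.172.61.102]) "
    "by st43p00im-zteg10073401.me.com (Postfix) with ESMTPSA id 34C735E01E0",
]
# Assumption: trusted_networks lists only our own MX (1.1.1.1 in the Exim log).
TRUSTED_NETWORKS = [ipaddress.ip_network("1.1.1.1/32")]
IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def untrusted_relays(received):
    """Public, non-trusted 'from' IP of each Received header, top-most first.
    Private literals such as [10.87.198.48] are skipped, so the second header
    yields 166.172.61.102, the phone's carrier address."""
    relays = []
    for hdr in received:
        from_clause = hdr.split(" by ", 1)[0]
        found = [ipaddress.ip_address(m) for m in IPV4_LITERAL.findall(from_clause)]
        public = [ip for ip in found if not ip.is_private]
        if public and not any(public[-1] in net for net in TRUSTED_NETWORKS):
            relays.append(str(public[-1]))
    return relays

def all_hops(received):
    """IPs a plain check_rbl('set', ...) rule sends to the DNSBL: every
    untrusted relay in the chain, the phone's hop included."""
    return untrusted_relays(received)

def last_external(received):
    """IP a check_rbl('set-lastexternal', ...) rule sends to the DNSBL: only
    the first untrusted relay below our MX, i.e. the host that handed the
    message to us (here Apple's me.com server)."""
    relays = untrusted_relays(received)
    return relays[0] if relays else None

def zen_would_fire(queried, listed="166.172.61.102"):
    """Does the report's 'listed in zen.spamhaus.org' IP appear in the query set?"""
    return listed in queried

if __name__ == "__main__":
    print("all hops:     ", all_hops(RECEIVED), zen_would_fire(all_hops(RECEIVED)))
    print("last external:", last_external(RECEIVED), zen_would_fire([last_external(RECEIVED)]))
```

With the all-hops rule the carrier address 166.172.61.102 is queried and ZEN (which includes the PBL's dynamic/end-user ranges) lists it; the last-external variant only queries 17.58.63.181, the relay that actually connected to the MX.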