Mailing List Archive

IP Address of DSL being marked down when using authenticated SMTP/office 365
I was always of the understanding that a sender's IP address was irrelevant when sending using authenticated SMTP or, say, Office 365.

However, today I noticed a mail from someone using BT, whose broadband IP is blacklisted, was marked as spam even though it was sent through Office 365, authenticated:

* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
* blocked. See
* http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URIs: blah.com]
* 1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org
* [Blocked - see <http://www.abuseat.org/lookup.cgi?ip=86.129.191.88>]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.107.8.121 listed in wl.mailspike.net]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
* https://www.dnswl.org/, no trust
* [40.107.8.121 listed in list.dnswl.org]
* 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
* [86.129.191.88 listed in sbl-xbl.spamhaus.org]
* 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
* [86.129.191.88 listed in zen.spamhaus.org]
* 0.7 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
* headers
* -0.7 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.6 SPF_PASS SPF: sender matches SPF record
* 0.1 LONGWORD BODY: Uses overlong words
* 0.1 TW_VB BODY: Odd Letter Triples with VB
* -0.1 MD5_CONTENT BODY: Contains MD5 hash.
* 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
* 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image
* area
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
* identical to background
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
* envelope-from domain
* -1.5 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.5 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 LOTS_OF_MONEY Huge... sums of money
* 0.1 RCVD_IN_SORBS No description available.

Looking at the headers below it seems the IP is only shown in one place:

x-originating-ip: [86.129.191.88]

not in the actual headers. So is this a setup error on my part or a SpamAssassin change? Or a mistake?

Obviously I need to resolve/stop this to reduce false positives.

Kind Regards,

Jonathan Gilpin




Full headers are:



Return-path: <Michas@*************>
Envelope-to: jonathan@fluent.ltd.uk
Received: from [40.107.8.121] (port=28758 helo=EUR04-VI1-obe.outbound.protection.outlook.com)
by mail.fluent.ltd.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.92.3 (FreeBSD))
(envelope-from <Michas@blah.com>)
id 1khtN9-000MY4-Sb
for jonathan@fluent.ltd.uk; Wed, 25 Nov 2020 11:54:11 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=W28N/723guQOuCSXW1Naa+37KEO6bHZx26TLYZrztvBdCeaPxCdDFBIl+3XogEQ02FI6sgs8jyyEpdOu5r6pzv5VYaSLeSK3bKpVUBXJd81rrBOD6CP2v51wbJiZPqWtyjKitI1C4VspnqYd3MaT2P5zcxvMlFXoFwJ1zfBB+0KJ2+0VvmyKySB8QwiSPzoRmYbIWYSfx0kjBkkcXPlicxBsWp7Acnrejf7tOFMoG/G2MYjVyYlKgdr+eBYN3X/x8KBerjMoxKnko5Ifbr8C048UCIm8t4DwYW0edA+SCyoubaaA90Wb025nZ1m3Hw+DgUeH10Ry5meaUASxLaX0rw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=uG0lvf0QC6HBaYnHSOFl85l4r9bpThL5UiE/bSuehSU=;
b=aNFxANvz/1NKpFB4auemXGsVzoT9ZTmatvS6EE3J2/ixLDR/UVALA/aPOeYuKvh7N2c/yVeMFFRsTn36OyxIus6yh1k6yeVEfmxLCB4lbhANKWhDTJX89dINn90TArp6TIfBfqAw3JQP8LsvWFUFGqrwyfdUmcBmChwyFEKBjAkx5OpKnwKkkgcqkOu2tf2XuZ6byZ/CZB0COTWwlzb4PcRQIhb68OMHvhC7g4UZZm0HsS3WJQpLoOncQMPaYUEMKwjIReBXAGLq8AAR2DdCWTS/K9mGcV5kkYfcGj8tMnA3HHQ0hoHHJWhuoeMcpY50dYYG3XpUOPyj69ec/phlSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
104.40.229.156) smtp.rcpttodomain=fluent.ltd.uk smtp.mailfrom=blah.com;
dmarc=bestguesspass action=none header.from=blah.com; dkim=none (message
not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blah.com;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=uG0lvf0QC6HBaYnHSOFl85l4r9bpThL5UiE/bSuehSU=;
b=FrGoYe/6s3IKRB11KHYxB6lNtvb0bao75MycN+7aKBfDXpV1CEpblk80zn0+vg408wVgeH5EQhcMU05dhlJhnAUrCWcdUfWFpnkC9ytfhbppq0MkT/buDDT4iQVEdg6dpwhD/zSuo0hR7QFQr4yI3bNGs/h5KtSkYEkZT8j3FmI=
Received: from MR2P264CA0080.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:32::20)
by AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:2b5::23) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.22; Wed, 25 Nov
2020 11:54:07 +0000
Received: from VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com
(2603:10a6:500:32:cafe::94) by MR2P264CA0080.outlook.office365.com
(2603:10a6:500:32::20) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.20 via Frontend
Transport; Wed, 25 Nov 2020 11:54:07 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 104.40.229.156)
smtp.mailfrom=blah.com; fluent.ltd.uk; dkim=none (message not signed)
header.d=none;fluent.ltd.uk; dmarc=bestguesspass action=none
header.from=blah.com;
Received-SPF: Pass (protection.outlook.com: domain of blah.com designates
104.40.229.156 as permitted sender) receiver=protection.outlook.com;
client-ip=104.40.229.156; helo=eu1.smtp.exclaimer.net;
Received: from eu1.smtp.exclaimer.net (104.40.229.156) by
VE1EUR03FT009.mail.protection.outlook.com (10.152.18.92) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.3589.20 via Frontend Transport; Wed, 25 Nov 2020 11:54:06 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (104.47.18.113)
by eu1.smtp.exclaimer.net (104.40.229.156) with Exclaimer Signature Manager
ESMTP Proxy eu1.smtp.exclaimer.net (tlsversion=TLS12,
tlscipher=TLS_ECDHE_WITH_AES256_SHA384); Wed, 25 Nov 2020 11:54:06 +0000
X-ExclaimerHostedSignatures-MessageProcessed: true
X-ExclaimerProxyLatency: 23783642
X-ExclaimerImprintLatency: 3521053
X-ExclaimerImprintAction: c8cf8f81e33e4173b5019c0de3b7dbfa
Content-Type: multipart/related;
boundary="----_=_NextPart_45edd4ec-206f-41a5-909b-f03baaa1763d"
Received: from AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:51::18)
by AS8PR10MB4598.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:2b5::22) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.28; Wed, 25 Nov
2020 11:54:01 +0000
Received: from AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM
([fe80::ad9b:7ad7:d894:265d]) by AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM
([fe80::ad9b:7ad7:d894:265d%5]) with mapi id 15.20.3589.025; Wed, 25 Nov 2020
11:54:01 +0000
From: Michas Rapf <Michas@blah.com>
To: Jonathan Gilpin <jonathan@fluent.ltd.uk>
Thread-Topic: Comcast Abuse Report
Thread-Index: AQHWwyDbVkxJnu70vkWSP/mbjQ9CC6nYvQ04
Date: Wed, 25 Nov 2020 11:54:00 +0000
Message-ID:
<AM6PR10MB22161C3D102DEA421F6E65CAC6FA0@AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM>
References:
<01EQXDVY8QWX916F51R51E718W.fbl@bounce.mailstream.senderscore.net>,<DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk>
In-Reply-To: <DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk>
Accept-Language: en-GB, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: fluent.ltd.uk; dkim=none (message not signed)
header.d=none;fluent.ltd.uk; dmarc=none action=none header.from=blah.com;
x-originating-ip: [86.129.191.88]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 39551bfc-0a24-4f5e-b8cb-08d89138d010
x-ms-traffictypediagnostic: AS8PR10MB4598:|AS8PR10MB4533:
X-Microsoft-Antispam-PRVS:
<AS8PR10MB4533CF58C4EB3D16F4BAE770C6FA0@AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Forefront-Antispam-Report-Untrusted:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(376002)(366004)(396003)(346002)(39840400004)(136003)(76236003)(478600001)(186003)(66946007)(3480700007)(8936002)(33656002)(9686003)(55016002)(83380400001)(26005)(52536014)(86362001)(7066003)(71200400001)(5660300002)(7116003)(16799955002)(6506007)(53546011)(2906002)(8676002)(316002)(7696005)(76116006)(19627405001)(66446008)(64756008)(6916009)(66476007)(166002)(66556008)(559001)(579004);DIR:OUT;SFP:1102;
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB4598
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
925da4d8-d491-4078-39c2-08d89138cd03
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:104.40.229.156;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:eu1.smtp.exclaimer.net;PTR:eu1.smtp.exclaimer.net;CAT:NONE;SFS:(346002)(376002)(396003)(136003)(39840400004)(46966005)(8676002)(52536014)(33964004)(30864003)(7116003)(16799955002)(336012)(7696005)(6916009)(70206006)(47076004)(82310400003)(478600001)(76236003)(6506007)(8936002)(2906002)(53546011)(7636003)(7596003)(83380400001)(33656002)(356005)(26005)(186003)(19627405001)(166002)(66576008)(5660300002)(9686003)(55016002)(15974865002)(86362001)(316002)(7066003)(70586007)(3480700007)(130860200001)(579004)(559001);DIR:OUT;SFP:1102;
X-OriginatorOrg: blah.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Nov 2020 11:54:06.3270
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 39551bfc-0a24-4f5e-b8cb-08d89138d010
X-MS-Exchange-CrossTenant-Id: 29330ce7-8bee-4b7f-96d8-1066707d22b5
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=29330ce7-8bee-4b7f-96d8-1066707d22b5;Ip=[104.40.229.156];Helo=[eu1.smtp.exclaimer.net]
X-MS-Exchange-CrossTenant-AuthSource:
VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB4533
X-SA-Exim-Connect-IP: 40.107.8.121
X-SA-Exim-Mail-From: Michas@blah.com
Subject: Re: Comcast Abuse Report
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on as001.fluent.ltd.uk
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.0 required=4.4 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_FACE_BAD,HTML_FONT_LOW_CONTRAST,
HTML_IMAGE_RATIO_08,HTML_MESSAGE,LONGWORD,LOTS_OF_MONEY,MD5_CONTENT,
MR_NOT_ATTRIBUTED_IP,RCVD_IN_CBL,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
RCVD_IN_SBL_CSS,RCVD_IN_SBL_XBL,RCVD_IN_SORBS,RDNS_NONE,SPF_HELO_PASS,
SPF_PASS,TW_VB,URIBL_BLOCKED autolearn=disabled version=3.4.4
X-Spam-Report:
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
* blocked. See
* http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URIs: blah.com]
* 1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org
* [Blocked - see <http://www.abuseat.org/lookup.cgi?ip=86.129.191.88>]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.107.8.121 listed in wl.mailspike.net]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
* https://www.dnswl.org/, no trust
* [40.107.8.121 listed in list.dnswl.org]
* 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
* [86.129.191.88 listed in sbl-xbl.spamhaus.org]
* 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
* [86.129.191.88 listed in zen.spamhaus.org]
* 0.7 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
* headers
* -0.7 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.6 SPF_PASS SPF: sender matches SPF record
* 0.1 LONGWORD BODY: Uses overlong words
* 0.1 TW_VB BODY: Odd Letter Triples with VB
* -0.1 MD5_CONTENT BODY: Contains MD5 hash.
* 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
* 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image
* area
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
* identical to background
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
* envelope-from domain
* -1.5 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.5 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 LOTS_OF_MONEY Huge... sums of money
* 0.1 RCVD_IN_SORBS No description available.
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail.fluent.ltd.uk)
Re: IP Address of DSL being marked down when using authenticated SMTP/office 365
The behavior you're referring to is known as deep header parsing and usually
refers to checking the Received headers farther than the most recent relay.

As you mentioned, it causes false positives with people using normal ISPs to
connect and getting marked despite a proper relay.

But yeah, I don't know where that X-Originating-IP header is coming from.
What are you using as your glue to implement SpamAssassin?




Re: IP Address of DSL being marked down when using authenticated SMTP/office 365
On Wed, 25 Nov 2020 14:05:21 +0000
Jonathan Gilpin wrote:

> I was always of the understanding that a senders IP address was
> irrelevant when sending using authenticated SMTP

Authentication is only relevant in your own trusted network.


> However, today I noticed a mail from someone using BT, whose
> broadband IP is blacklisted,

It's important to understand that there are two types of IP blocklist,
those that contain a substantial component of dynamic IPs and those
that don't. The former should only be used on the last-external IP
address, the other kind can be used on addresses from deep headers.

> * 1.5 RCVD_IN_CBL RBL: Received via a relay in
> cbl.abuseat.org

This is your own rule. My understanding is that CBL is currently the
same as the XBL list in the core rules. If that's correct then it
has been misconfigured to look deep.

> * 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus
> SBL+XBL

There's no good reason to use this in SpamAssassin - it's all kinds of
wrong.


> * 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus
> SBL-CSS

This is a core rule and legitimately runs deep. This is probably a
mistake made by Spamhaus or possibly it was recently reassigned to a
dynamic pool.

> Looking at the headers below it seems the IP is only shown in one
> place:
>
> x-originating-ip: [86.129.191.88]

Usually this is a webmail client IP address. It's legitimate to use it
with the deep lists.
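
Added example, not part of the thread and not SpamAssassin's own code: a Python illustration of the last-external versus deep distinction described in the reply above, run over a shortened, constructed copy of the posted headers. It assumes the top-most Received header was written by the receiving MX (mail.fluent.ltd.uk) and assigns scopes to the two rule names as the reply describes them; the function names and the RULES table are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a shortened copy of the headers posted in the thread.
SAMPLE = """\
Received: from [40.107.8.121] (port=28758 helo=EUR04-VI1-obe.outbound.protection.outlook.com)
\tby mail.fluent.ltd.uk with esmtps; Wed, 25 Nov 2020 11:54:11 +0000
Received: from eu1.smtp.exclaimer.net (104.40.229.156) by
\tVE1EUR03FT009.mail.protection.outlook.com (10.152.18.92) with Microsoft SMTP
\tServer; Wed, 25 Nov 2020 11:54:06 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (104.47.18.113)
\tby eu1.smtp.exclaimer.net (104.40.229.156) with Exclaimer Signature Manager
\tESMTP Proxy; Wed, 25 Nov 2020 11:54:06 +0000
From: Michas Rapf <Michas@blah.com>
x-originating-ip: [86.129.191.88]
Subject: Re: Comcast Abuse Report

body
"""

# Scope per rule, following the reply: lists with many dynamic IPs are
# checked against the last-external address only, the others may run deep.
RULES = {"RCVD_IN_CBL": "lastexternal", "RCVD_IN_SBL_CSS": "deep"}

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def public_ipv4(text):
    """Return the globally routable IPv4 addresses found in text, in order."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 or octets with leading zeros
        if ip.is_global:
            found.append(str(ip))
    return found


def relay_ips(raw_headers, our_mx):
    """Split the addresses in a message into (last_external, deep).

    last_external is the peer our own MX accepted the message from; deep is
    every other public address from older Received headers plus the
    X-Originating-IP header, which only the sending side vouches for.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        parts = re.split(r"\sby\s+", value, maxsplit=1)
        by_host = parts[1].split()[0].lower() if len(parts) == 2 else ""
        hops.append((by_host, public_ipv4(parts[0])))
    # Assumption: only the top-most Received header was added by our own MX.
    if not hops or hops[0][0] != our_mx.lower() or not hops[0][1]:
        raise ValueError("top Received header was not written by our MX")
    last_external = hops[0][1][0]

    candidates = [ip for _, ips in hops[1:] for ip in ips]
    candidates += public_ipv4(msg.get("X-Originating-IP", ""))
    deep, seen = [], {last_external}
    for ip in candidates:
        if ip not in seen:
            seen.add(ip)
            deep.append(ip)
    return last_external, deep


def lookup_plan(raw_headers, our_mx, rules=RULES):
    """Map each rule name to the addresses it should be evaluated against."""
    last_external, deep = relay_ips(raw_headers, our_mx)
    plan = {}
    for rule, scope in rules.items():
        if scope == "lastexternal":
            plan[rule] = [last_external]
        else:
            plan[rule] = [last_external] + deep
    return plan


if __name__ == "__main__":
    for rule, ips in lookup_plan(SAMPLE, "mail.fluent.ltd.uk").items():
        print(rule, ips)
```

With the scopes set this way the BT broadband address is never looked up for the last-external rule and is only seen by the rule that runs deep.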
Re: IP Address of DSL being marked down when using authenticated SMTP/office 365
The header: x-originating-ip: [86.129.191.88]

is being put in by Office 365. It is already in when our Exim (FreeBSD Port Exim-sa-exim) receives the mail from Office 365.

Is there a way to make SpamAssassin ignore this x- header?

Jonathan


> On 25 Nov 2020, at 14:13, Kevin A. McGrail <kmcgrail@apache.org> wrote:
>
> Behavior referring to is known as deep header parsing and refers usually to checking the received headers farther than the most recent relay.
>
> As you mentioned it causes false positives with people using normal ISPs to connect and getting marked despite a proper relay.
>
> But yeah I don't know where that x originating IP header is coming from. What are you using as your glued implement spam assassin?
>
>
>
>
> On Wed, Nov 25, 2020, 09:05 Jonathan Gilpin <jonathan@fluent.ltd.uk <mailto:jonathan@fluent.ltd.uk>> wrote:
>
> I was always of the understanding that a senders IP address was irrelevant when sending using authenticated SMTP or say Office 365..
>
> However, today I noticed a mail from someone using BT, whose broadband IP is blacklisted, was marked as spam even though it was sent through office 365, authenticated:
>
> * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
> * blocked. See
> * http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> * for more information.
> * [URIs: blah.com]
> * 1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org
> * [Blocked - see <http://www.abuseat.org/lookup.cgi?ip=86.129.191.88>]
> * -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> * [40.107.8.121 listed in wl.mailspike.net]
> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> * https://www.dnswl.org/, no trust
> * [40.107.8.121 listed in list.dnswl.org]
> * 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
> * [86.129.191.88 listed in sbl-xbl.spamhaus.org]
> * 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
> * [86.129.191.88 listed in zen.spamhaus.org]
> * 0.7 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
> * headers
> * -0.7 SPF_HELO_PASS SPF: HELO matches SPF record
> * -0.6 SPF_PASS SPF: sender matches SPF record
> * 0.1 LONGWORD BODY: Uses overlong words
> * 0.1 TW_VB BODY: Odd Letter Triples with VB
> * -0.1 MD5_CONTENT BODY: Contains MD5 hash.
> * 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
> * 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image
> * area
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
> * identical to background
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> * author's domain
> * -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
> * envelope-from domain
> * -1.5 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * 0.5 RDNS_NONE Delivered to internal network by a host with no rDNS
> * 0.0 LOTS_OF_MONEY Huge... sums of money
> * 0.1 RCVD_IN_SORBS No description available.
>
> Looking at the headers below it seems the IP is only shown in one place:
>
> x-originating-ip: [86.129.191.88]
>
> not in the actual headers.. so is this a setup error on my part or a spam-assassin change? or a mistake?
>
> Obviously I need to resolve/stop this to reduce false positives..
>
> Kind Regards,
>
> Jonathan Gilpin
>
>
>
>
> Full headers are:
>
>
>
> Return-path: <Michas@*************>
> Envelope-to: jonathan@fluent.ltd.uk <mailto:jonathan@fluent.ltd.uk>
> Received: from [40.107.8.121] (port=28758 helo=EUR04-VI1-obe.outbound.protection.outlook.com <http://eur04-vi1-obe.outbound.protection.outlook.com/>)
> by mail.fluent.ltd.uk <http://mail.fluent.ltd.uk/> with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
> (Exim 4.92.3 (FreeBSD))
> (envelope-from <Michas@blah.com <mailto:Michas@blah.com>>)
> id 1khtN9-000MY4-Sb
> for jonathan@fluent.ltd.uk <mailto:jonathan@fluent.ltd.uk>; Wed, 25 Nov 2020 11:54:11 +0000
> ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com <http://microsoft.com/>; cv=none;
> b=W28N/723guQOuCSXW1Naa+37KEO6bHZx26TLYZrztvBdCeaPxCdDFBIl+3XogEQ02FI6sgs8jyyEpdOu5r6pzv5VYaSLeSK3bKpVUBXJd81rrBOD6CP2v51wbJiZPqWtyjKitI1C4VspnqYd3MaT2P5zcxvMlFXoFwJ1zfBB+0KJ2+0VvmyKySB8QwiSPzoRmYbIWYSfx0kjBkkcXPlicxBsWp7Acnrejf7tOFMoG/G2MYjVyYlKgdr+eBYN3X/x8KBerjMoxKnko5Ifbr8C048UCIm8t4DwYW0edA+SCyoubaaA90Wb025nZ1m3Hw+DgUeH10Ry5meaUASxLaX0rw==
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com <http://microsoft.com/>;
> s=arcselector9901;
> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
> bh=uG0lvf0QC6HBaYnHSOFl85l4r9bpThL5UiE/bSuehSU=;
> b=aNFxANvz/1NKpFB4auemXGsVzoT9ZTmatvS6EE3J2/ixLDR/UVALA/aPOeYuKvh7N2c/yVeMFFRsTn36OyxIus6yh1k6yeVEfmxLCB4lbhANKWhDTJX89dINn90TArp6TIfBfqAw3JQP8LsvWFUFGqrwyfdUmcBmChwyFEKBjAkx5OpKnwKkkgcqkOu2tf2XuZ6byZ/CZB0COTWwlzb4PcRQIhb68OMHvhC7g4UZZm0HsS3WJQpLoOncQMPaYUEMKwjIReBXAGLq8AAR2DdCWTS/K9mGcV5kkYfcGj8tMnA3HHQ0hoHHJWhuoeMcpY50dYYG3XpUOPyj69ec/phlSA==
> ARC-Authentication-Results: i=1; mx.microsoft.com <http://mx.microsoft.com/> 1; spf=pass (sender ip is
> 104.40.229.156) smtp.rcpttodomain=fluent.ltd.uk <http://fluent.ltd.uk/> smtp.mailfrom=blah.com <http://blah.com/>;
> dmarc=bestguesspass action=none header.from=blah.com <http://blah.com/>; dkim=none (message
> not signed); arc=none
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blah.com <http://blah.com/>;
> s=selector2;
> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
> bh=uG0lvf0QC6HBaYnHSOFl85l4r9bpThL5UiE/bSuehSU=;
> b=FrGoYe/6s3IKRB11KHYxB6lNtvb0bao75MycN+7aKBfDXpV1CEpblk80zn0+vg408wVgeH5EQhcMU05dhlJhnAUrCWcdUfWFpnkC9ytfhbppq0MkT/buDDT4iQVEdg6dpwhD/zSuo0hR7QFQr4yI3bNGs/h5KtSkYEkZT8j3FmI=
> Received: from MR2P264CA0080.FRAP264.PROD.OUTLOOK.COM <http://mr2p264ca0080.frap264.prod.outlook.com/> (2603:10a6:500:32::20)
> by AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM <http://as8pr10mb4533.eurprd10.prod.outlook.com/> (2603:10a6:20b:2b5::23) with
> Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.22; Wed, 25 Nov
> 2020 11:54:07 +0000
> Received: from VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com <http://eop-eur03.prod.protection.outlook.com/>
> (2603:10a6:500:32:cafe::94) by MR2P264CA0080.outlook.office365.com <http://mr2p264ca0080.outlook.office365.com/>
> (2603:10a6:500:32::20) with Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.20 via Frontend
> Transport; Wed, 25 Nov 2020 11:54:07 +0000
> X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 104.40.229.156)
> smtp.mailfrom=blah.com <http://blah.com/>; fluent.ltd.uk <http://fluent.ltd.uk/>; dkim=none (message not signed)
> header.d=none;fluent.ltd.uk <http://fluent.ltd.uk/>; dmarc=bestguesspass action=none
> header.from=blah.com <http://blah.com/>;
> Received-SPF: Pass (protection.outlook.com <http://protection.outlook.com/>: domain of blah.com <http://blah.com/> designates
> 104.40.229.156 as permitted sender) receiver=protection.outlook.com <http://protection.outlook.com/>;
> client-ip=104.40.229.156; helo=eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/>;
> Received: from eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/> (104.40.229.156) by
> VE1EUR03FT009.mail.protection.outlook.com <http://ve1eur03ft009.mail.protection.outlook.com/> (10.152.18.92) with Microsoft SMTP
> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
> 15.20.3589.20 via Frontend Transport; Wed, 25 Nov 2020 11:54:06 +0000
> Received: from EUR05-AM6-obe.outbound.protection.outlook.com <http://eur05-am6-obe.outbound.protection.outlook.com/> (104.47.18.113)
> by eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/> (104.40.229.156) with Exclaimer Signature Manager
> ESMTP Proxy eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/> (tlsversion=TLS12,
> tlscipher=TLS_ECDHE_WITH_AES256_SHA384); Wed, 25 Nov 2020 11:54:06 +0000
> X-ExclaimerHostedSignatures-MessageProcessed: true
> X-ExclaimerProxyLatency: 23783642
> X-ExclaimerImprintLatency: 3521053
> X-ExclaimerImprintAction: c8cf8f81e33e4173b5019c0de3b7dbfa
> Content-Type: multipart/related;
> boundary="----_=_NextPart_45edd4ec-206f-41a5-909b-f03baaa1763d"
> Received: from AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM <http://am6pr10mb2216.eurprd10.prod.outlook.com/> (2603:10a6:20b:51::18)
> by AS8PR10MB4598.EURPRD10.PROD.OUTLOOK.COM <http://as8pr10mb4598.eurprd10.prod.outlook.com/> (2603:10a6:20b:2b5::22) with
> Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.28; Wed, 25 Nov
> 2020 11:54:01 +0000
> Received: from AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM <http://am6pr10mb2216.eurprd10.prod.outlook.com/>
> ([fe80::ad9b:7ad7:d894:265d]) by AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM <http://am6pr10mb2216.eurprd10.prod.outlook.com/>
> ([fe80::ad9b:7ad7:d894:265d%5]) with mapi id 15.20.3589.025; Wed, 25 Nov 2020
> 11:54:01 +0000
> From: Michas Rapf <Michas@blah.com <mailto:Michas@blah.com>>
> To: Jonathan Gilpin <jonathan@fluent.ltd.uk <mailto:jonathan@fluent.ltd.uk>>
> Thread-Topic: Comcast Abuse Report
> Thread-Index: AQHWwyDbVkxJnu70vkWSP/mbjQ9CC6nYvQ04
> Date: Wed, 25 Nov 2020 11:54:00 +0000
> Message-ID:
> <AM6PR10MB22161C3D102DEA421F6E65CAC6FA0@AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM <mailto:AM6PR10MB22161C3D102DEA421F6E65CAC6FA0@AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM>>
> References:
> <01EQXDVY8QWX916F51R51E718W.fbl@bounce.mailstream.senderscore.net <mailto:01EQXDVY8QWX916F51R51E718W.fbl@bounce.mailstream.senderscore.net>>,<DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk <mailto:DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk>>
> In-Reply-To: <DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk <mailto:DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk>>
> Accept-Language: en-GB, en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Authentication-Results-Original: fluent.ltd.uk <http://fluent.ltd.uk/>; dkim=none (message not signed)
> header.d=none;fluent.ltd.uk <http://fluent.ltd.uk/>; dmarc=none action=none header.from=blah.com <http://blah.com/>;
> x-originating-ip: [86.129.191.88]
> x-ms-publictraffictype: Email
> X-MS-Office365-Filtering-Correlation-Id: 39551bfc-0a24-4f5e-b8cb-08d89138d010
> x-ms-traffictypediagnostic: AS8PR10MB4598:|AS8PR10MB4533:
> X-Microsoft-Antispam-PRVS:
> <AS8PR10MB4533CF58C4EB3D16F4BAE770C6FA0@AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM <mailto:AS8PR10MB4533CF58C4EB3D16F4BAE770C6FA0@AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM>>
> x-ms-oob-tlc-oobclassifiers: OLM:8882;OLM:8882;
> X-MS-Exchange-SenderADCheck: 1
> X-Microsoft-Antispam-Untrusted: BCL:0;
> X-Microsoft-Antispam-Message-Info-Original:
> AodMuHq3ZaW61ibAVvYcyN9wUHXbjrFo8MiITzhydRNYfsyi7cMhZxyFqdgd/K2c5VtKno6pQZPLEGjSCsLtxhAWLVHiFKL0Jy1E+d2XWWUUDGRnZp7/6qjsUWO27QqTkEX/6lEW4DVfdgxQYr614LtwC6jIkm3tSy1kufFeO9dbnzbiurarULDk6adMtFEeNwjVt6iIaX0fZvQbh/HBHF+dbztkwpNgYOirKV7NjzyQSAz1leOGTcbpfIFjT7P1BPerQ8oV4pAXYQf1O3N7bPjoZ5SBs/j451diWmOjFGn+ijRTCThpTte7KRXBswry1FnHUSPKF2Ca7kn2EemxVZL4vzToiS5dedYuDuFHu+uhzdS2SL77qg3LyxH3vC8QSSr6tZ48K/f8KFj6Whgykw==
> X-Forefront-Antispam-Report-Untrusted:
> CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM <http://am6pr10mb2216.eurprd10.prod.outlook.com/>;PTR:;CAT:NONE;SFS:(376002)(366004)(396003)(346002)(39840400004)(136003)(76236003)(478600001)(186003)(66946007)(3480700007)(8936002)(33656002)(9686003)(55016002)(83380400001)(26005)(52536014)(86362001)(7066003)(71200400001)(5660300002)(7116003)(16799955002)(6506007)(53546011)(2906002)(8676002)(316002)(7696005)(76116006)(19627405001)(66446008)(64756008)(6916009)(66476007)(166002)(66556008)(559001)(579004);DIR:OUT;SFP:1102;
> x-ms-exchange-transport-forked: True
> MIME-Version: 1.0
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB4598
> X-EOPAttributedMessage: 0
> X-MS-Exchange-Transport-CrossTenantHeadersStripped:
> VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com <http://eop-eur03.prod.protection.outlook.com/>
> X-MS-Office365-Filtering-Correlation-Id-Prvs:
> 925da4d8-d491-4078-39c2-08d89138cd03
> X-Microsoft-Antispam: BCL:0;
> X-Forefront-Antispam-Report:
> CIP:104.40.229.156;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/>;PTR:eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/>;CAT:NONE;SFS:(346002)(376002)(396003)(136003)(39840400004)(46966005)(8676002)(52536014)(33964004)(30864003)(7116003)(16799955002)(336012)(7696005)(6916009)(70206006)(47076004)(82310400003)(478600001)(76236003)(6506007)(8936002)(2906002)(53546011)(7636003)(7596003)(83380400001)(33656002)(356005)(26005)(186003)(19627405001)(166002)(66576008)(5660300002)(9686003)(55016002)(15974865002)(86362001)(316002)(7066003)(70586007)(3480700007)(130860200001)(579004)(559001);DIR:OUT;SFP:1102;
> X-OriginatorOrg: blah.com <http://blah.com/>
> X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Nov 2020 11:54:06.3270
> (UTC)
> X-MS-Exchange-CrossTenant-Network-Message-Id: 39551bfc-0a24-4f5e-b8cb-08d89138d010
> X-MS-Exchange-CrossTenant-Id: 29330ce7-8bee-4b7f-96d8-1066707d22b5
> X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=29330ce7-8bee-4b7f-96d8-1066707d22b5;Ip=[104.40.229.156];Helo=[eu1.smtp.exclaimer.net <http://eu1.smtp.exclaimer.net/>]
> X-MS-Exchange-CrossTenant-AuthSource:
> VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com <http://eop-eur03.prod.protection.outlook.com/>
> X-MS-Exchange-CrossTenant-AuthAs: Anonymous
> X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB4533
> X-SA-Exim-Connect-IP: 40.107.8.121
> X-SA-Exim-Mail-From: Michas@blah.com <mailto:Michas@blah.com>
> Subject: Re: Comcast Abuse Report
> X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on as001.fluent.ltd.uk <http://as001.fluent.ltd.uk/>
> X-Spam-Flag: YES
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.0 required=4.4 tests=DKIM_SIGNED,DKIM_VALID,
> DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_FACE_BAD,HTML_FONT_LOW_CONTRAST,
> HTML_IMAGE_RATIO_08,HTML_MESSAGE,LONGWORD,LOTS_OF_MONEY,MD5_CONTENT,
> MR_NOT_ATTRIBUTED_IP,RCVD_IN_CBL,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
> RCVD_IN_SBL_CSS,RCVD_IN_SBL_XBL,RCVD_IN_SORBS,RDNS_NONE,SPF_HELO_PASS,
> SPF_PASS,TW_VB,URIBL_BLOCKED autolearn=disabled version=3.4.4
> X-Spam-Report:
> * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
> * blocked. See
> * http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> * for more information.
> * [URIs: blah.com]
> * 1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org
> * [Blocked - see <http://www.abuseat.org/lookup.cgi?ip=86.129.191.88>]
> * -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
> * [40.107.8.121 listed in wl.mailspike.net]
> * -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
> * https://www.dnswl.org/, no trust
> * [40.107.8.121 listed in list.dnswl.org]
> * 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
> * [86.129.191.88 listed in sbl-xbl.spamhaus.org]
> * 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
> * [86.129.191.88 listed in zen.spamhaus.org]
> * 0.7 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
> * headers
> * -0.7 SPF_HELO_PASS SPF: HELO matches SPF record
> * -0.6 SPF_PASS SPF: sender matches SPF record
> * 0.1 LONGWORD BODY: Uses overlong words
> * 0.1 TW_VB BODY: Odd Letter Triples with VB
> * -0.1 MD5_CONTENT BODY: Contains MD5 hash.
> * 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
> * 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image
> * area
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
> * identical to background
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> * author's domain
> * -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
> * envelope-from domain
> * -1.5 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * 0.5 RDNS_NONE Delivered to internal network by a host with no rDNS
> * 0.0 LOTS_OF_MONEY Huge... sums of money
> * 0.1 RCVD_IN_SORBS No description available.
> X-SA-Exim-Version: 4.2
> X-SA-Exim-Scanned: Yes (on mail.fluent.ltd.uk <http://mail.fluent.ltd.uk/>)
>
Re: IP Address of DSL being marked down when using authenticated SMTP/office 365
On Thu, 26 Nov 2020 10:39:29 +0000
Jonathan Gilpin wrote:

> The header: x-originating-ip: [86.129.191.88]
>
> is being put in by office 365.. it is already in when our exim
> (FreeBSD Port Exim-sa-exim) receives the mail from Office 365..
>
> Is there a way to make SpamAssassin ignore this x- header?

You don't need to, read my reply. The FP was caused by two incorrectly
set-up custom rules. These rules should simply be removed.
Re: IP Address of DSL being marked down when using authenticated SMTP/office 365
Or changed to last-external if that would make them still achieve anything.

On Thu, Nov 26, 2020, 10:06 RW <rwmaillists@googlemail.com> wrote:

> On Thu, 26 Nov 2020 10:39:29 +0000
> Jonathan Gilpin wrote:
>
> > The header: x-originating-ip: [86.129.191.88]
> >
> > is being put in by office 365.. it is already in when our exim
> > (FreeBSD Port Exim-sa-exim) receives the mail from Office 365..
> >
> > Is there a way to make SpamAssassin ignore this x- header?
>
> You don't need to, read my reply. The FP was caused by two incorrectly
> set-up custom rules. These rules should simply be removed.
>
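The difference between a deep check and a last-external check, run over a trimmed copy of the headers quoted in this thread (an added example, not part of the original messages and not SpamAssassin's own code). It assumes only the receiving MX is trusted, treats `x-originating-ip` as one more hop at the end of the relay chain, and uses a constructed one-entry blocklist; all function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: trimmed copy of the headers quoted in the thread.
SAMPLE = """\
Received: from [40.107.8.121] (helo=EUR04-VI1-obe.outbound.protection.outlook.com)
\tby mail.fluent.ltd.uk with esmtps; Wed, 25 Nov 2020 11:54:11 +0000
Received: from eu1.smtp.exclaimer.net (104.40.229.156) by
\tVE1EUR03FT009.mail.protection.outlook.com (10.152.18.92) with Microsoft SMTP
\tServer; Wed, 25 Nov 2020 11:54:06 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (104.47.18.113)
\tby eu1.smtp.exclaimer.net (104.40.229.156); Wed, 25 Nov 2020 11:54:06 +0000
x-originating-ip: [86.129.191.88]
Subject: Re: Comcast Abuse Report

body
"""

# Constructed blocklist: the one address the report in the thread shows as listed.
LISTED = {"86.129.191.88"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def public_ip(text):
    """Return the first globally routable IPv4 address in text, or None."""
    for cand in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        if ip.is_global:
            return str(ip)
    return None

def relay_chain(raw):
    """Sending IPs newest hop first, with the originating-IP header last."""
    msg = message_from_string(raw)
    chain = []
    for value in msg.get_all("Received", []):
        # Only the "from" clause names the sender; drop the "by" clause.
        ip = public_ip(re.split(r"\sby\s", value, maxsplit=1)[0])
        if ip:
            chain.append(ip)
    for value in msg.get_all("X-Originating-IP", []):
        ip = public_ip(value)
        if ip:
            chain.append(ip)
    return chain

def rbl_hits(raw, listed, last_external_only):
    """IPs that would score: every hop (deep) or only the last external relay."""
    chain = relay_chain(raw)
    checked = chain[:1] if last_external_only else chain
    return [ip for ip in checked if ip in listed]

if __name__ == "__main__":
    print("deep:         ", rbl_hits(SAMPLE, LISTED, False))
    print("last-external:", rbl_hits(SAMPLE, LISTED, True))
```
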
Re: IP Address of DSL being marked down when using authenticated SMTP/office 365
Sorry yes, penny dropped now..

Jonathan


> On 26 Nov 2020, at 15:06, RW <rwmaillists@googlemail.com> wrote:
>
> On Thu, 26 Nov 2020 10:39:29 +0000
> Jonathan Gilpin wrote:
>
>> The header: x-originating-ip: [86.129.191.88]
>>
>> is being put in by office 365.. it is already in when our exim
>> (FreeBSD Port Exim-sa-exim) receives the mail from Office 365..
>>
>> Is there a way to make SpamAssassin ignore this x- header?
>
> You don't need to, read my reply. The FP was caused by two incorrectly
> set-up custom rules. These rules should simply be removed.