I was always of the understanding that a sender's IP address was irrelevant when sending using authenticated SMTP or, say, Office 365.
However, today I noticed that a mail from someone using BT, whose broadband IP is blacklisted, was marked as spam even though it was sent through Office 365, authenticated:
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
* blocked. See
* http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URIs: blah.com]
* 1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org
* [Blocked - see <http://www.abuseat.org/lookup.cgi?ip=86.129.191.88>]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.107.8.121 listed in wl.mailspike.net]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
* https://www.dnswl.org/, no trust
* [40.107.8.121 listed in list.dnswl.org]
* 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
* [86.129.191.88 listed in sbl-xbl.spamhaus.org]
* 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
* [86.129.191.88 listed in zen.spamhaus.org]
* 0.7 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
* headers
* -0.7 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.6 SPF_PASS SPF: sender matches SPF record
* 0.1 LONGWORD BODY: Uses overlong words
* 0.1 TW_VB BODY: Odd Letter Triples with VB
* -0.1 MD5_CONTENT BODY: Contains MD5 hash.
* 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
* 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image
* area
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
* identical to background
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
* envelope-from domain
* -1.5 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.5 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 LOTS_OF_MONEY Huge... sums of money
* 0.1 RCVD_IN_SORBS No description available.
Looking at the headers below, it seems the IP is only shown in one place:
x-originating-ip: [86.129.191.88]
and not in the actual headers. So is this a setup error on my part, a SpamAssassin change, or a mistake?
Obviously I need to resolve/stop this to reduce false positives.
Kind Regards,
Jonathan Gilpin
Full headers are:
Return-path: <Michas@*************>
Envelope-to: jonathan@fluent.ltd.uk
Received: from [40.107.8.121] (port=28758 helo=EUR04-VI1-obe.outbound.protection.outlook.com)
by mail.fluent.ltd.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.92.3 (FreeBSD))
(envelope-from <Michas@blah.com>)
id 1khtN9-000MY4-Sb
for jonathan@fluent.ltd.uk; Wed, 25 Nov 2020 11:54:11 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=W28N/723guQOuCSXW1Naa+37KEO6bHZx26TLYZrztvBdCeaPxCdDFBIl+3XogEQ02FI6sgs8jyyEpdOu5r6pzv5VYaSLeSK3bKpVUBXJd81rrBOD6CP2v51wbJiZPqWtyjKitI1C4VspnqYd3MaT2P5zcxvMlFXoFwJ1zfBB+0KJ2+0VvmyKySB8QwiSPzoRmYbIWYSfx0kjBkkcXPlicxBsWp7Acnrejf7tOFMoG/G2MYjVyYlKgdr+eBYN3X/x8KBerjMoxKnko5Ifbr8C048UCIm8t4DwYW0edA+SCyoubaaA90Wb025nZ1m3Hw+DgUeH10Ry5meaUASxLaX0rw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=uG0lvf0QC6HBaYnHSOFl85l4r9bpThL5UiE/bSuehSU=;
b=aNFxANvz/1NKpFB4auemXGsVzoT9ZTmatvS6EE3J2/ixLDR/UVALA/aPOeYuKvh7N2c/yVeMFFRsTn36OyxIus6yh1k6yeVEfmxLCB4lbhANKWhDTJX89dINn90TArp6TIfBfqAw3JQP8LsvWFUFGqrwyfdUmcBmChwyFEKBjAkx5OpKnwKkkgcqkOu2tf2XuZ6byZ/CZB0COTWwlzb4PcRQIhb68OMHvhC7g4UZZm0HsS3WJQpLoOncQMPaYUEMKwjIReBXAGLq8AAR2DdCWTS/K9mGcV5kkYfcGj8tMnA3HHQ0hoHHJWhuoeMcpY50dYYG3XpUOPyj69ec/phlSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
104.40.229.156) smtp.rcpttodomain=fluent.ltd.uk smtp.mailfrom=blah.com;
dmarc=bestguesspass action=none header.from=blah.com; dkim=none (message
not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blah.com;
s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=uG0lvf0QC6HBaYnHSOFl85l4r9bpThL5UiE/bSuehSU=;
b=FrGoYe/6s3IKRB11KHYxB6lNtvb0bao75MycN+7aKBfDXpV1CEpblk80zn0+vg408wVgeH5EQhcMU05dhlJhnAUrCWcdUfWFpnkC9ytfhbppq0MkT/buDDT4iQVEdg6dpwhD/zSuo0hR7QFQr4yI3bNGs/h5KtSkYEkZT8j3FmI=
Received: from MR2P264CA0080.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:32::20)
by AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:2b5::23) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.22; Wed, 25 Nov
2020 11:54:07 +0000
Received: from VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com
(2603:10a6:500:32:cafe::94) by MR2P264CA0080.outlook.office365.com
(2603:10a6:500:32::20) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.20 via Frontend
Transport; Wed, 25 Nov 2020 11:54:07 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 104.40.229.156)
smtp.mailfrom=blah.com; fluent.ltd.uk; dkim=none (message not signed)
header.d=none;fluent.ltd.uk; dmarc=bestguesspass action=none
header.from=blah.com;
Received-SPF: Pass (protection.outlook.com: domain of blah.com designates
104.40.229.156 as permitted sender) receiver=protection.outlook.com;
client-ip=104.40.229.156; helo=eu1.smtp.exclaimer.net;
Received: from eu1.smtp.exclaimer.net (104.40.229.156) by
VE1EUR03FT009.mail.protection.outlook.com (10.152.18.92) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.3589.20 via Frontend Transport; Wed, 25 Nov 2020 11:54:06 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (104.47.18.113)
by eu1.smtp.exclaimer.net (104.40.229.156) with Exclaimer Signature Manager
ESMTP Proxy eu1.smtp.exclaimer.net (tlsversion=TLS12,
tlscipher=TLS_ECDHE_WITH_AES256_SHA384); Wed, 25 Nov 2020 11:54:06 +0000
X-ExclaimerHostedSignatures-MessageProcessed: true
X-ExclaimerProxyLatency: 23783642
X-ExclaimerImprintLatency: 3521053
X-ExclaimerImprintAction: c8cf8f81e33e4173b5019c0de3b7dbfa
Content-Type: multipart/related;
boundary="----_=_NextPart_45edd4ec-206f-41a5-909b-f03baaa1763d"
Received: from AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:51::18)
by AS8PR10MB4598.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:2b5::22) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.28; Wed, 25 Nov
2020 11:54:01 +0000
Received: from AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM
([fe80::ad9b:7ad7:d894:265d]) by AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM
([fe80::ad9b:7ad7:d894:265d%5]) with mapi id 15.20.3589.025; Wed, 25 Nov 2020
11:54:01 +0000
From: Michas Rapf <Michas@blah.com>
To: Jonathan Gilpin <jonathan@fluent.ltd.uk>
Thread-Topic: Comcast Abuse Report
Thread-Index: AQHWwyDbVkxJnu70vkWSP/mbjQ9CC6nYvQ04
Date: Wed, 25 Nov 2020 11:54:00 +0000
Message-ID:
<AM6PR10MB22161C3D102DEA421F6E65CAC6FA0@AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM>
References:
<01EQXDVY8QWX916F51R51E718W.fbl@bounce.mailstream.senderscore.net>,<DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk>
In-Reply-To: <DFD39E7B-BC12-4EC0-9D43-39C97EB90B14@fluent.ltd.uk>
Accept-Language: en-GB, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: fluent.ltd.uk; dkim=none (message not signed)
header.d=none;fluent.ltd.uk; dmarc=none action=none header.from=blah.com;
x-originating-ip: [86.129.191.88]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 39551bfc-0a24-4f5e-b8cb-08d89138d010
x-ms-traffictypediagnostic: AS8PR10MB4598:|AS8PR10MB4533:
X-Microsoft-Antispam-PRVS:
<AS8PR10MB4533CF58C4EB3D16F4BAE770C6FA0@AS8PR10MB4533.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
AodMuHq3ZaW61ibAVvYcyN9wUHXbjrFo8MiITzhydRNYfsyi7cMhZxyFqdgd/K2c5VtKno6pQZPLEGjSCsLtxhAWLVHiFKL0Jy1E+d2XWWUUDGRnZp7/6qjsUWO27QqTkEX/6lEW4DVfdgxQYr614LtwC6jIkm3tSy1kufFeO9dbnzbiurarULDk6adMtFEeNwjVt6iIaX0fZvQbh/HBHF+dbztkwpNgYOirKV7NjzyQSAz1leOGTcbpfIFjT7P1BPerQ8oV4pAXYQf1O3N7bPjoZ5SBs/j451diWmOjFGn+ijRTCThpTte7KRXBswry1FnHUSPKF2Ca7kn2EemxVZL4vzToiS5dedYuDuFHu+uhzdS2SL77qg3LyxH3vC8QSSr6tZ48K/f8KFj6Whgykw==
X-Forefront-Antispam-Report-Untrusted:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM6PR10MB2216.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(376002)(366004)(396003)(346002)(39840400004)(136003)(76236003)(478600001)(186003)(66946007)(3480700007)(8936002)(33656002)(9686003)(55016002)(83380400001)(26005)(52536014)(86362001)(7066003)(71200400001)(5660300002)(7116003)(16799955002)(6506007)(53546011)(2906002)(8676002)(316002)(7696005)(76116006)(19627405001)(66446008)(64756008)(6916009)(66476007)(166002)(66556008)(559001)(579004);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata:
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB4598
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
925da4d8-d491-4078-39c2-08d89138cd03
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
X-Forefront-Antispam-Report:
CIP:104.40.229.156;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:eu1.smtp.exclaimer.net;PTR:eu1.smtp.exclaimer.net;CAT:NONE;SFS:(346002)(376002)(396003)(136003)(39840400004)(46966005)(8676002)(52536014)(33964004)(30864003)(7116003)(16799955002)(336012)(7696005)(6916009)(70206006)(47076004)(82310400003)(478600001)(76236003)(6506007)(8936002)(2906002)(53546011)(7636003)(7596003)(83380400001)(33656002)(356005)(26005)(186003)(19627405001)(166002)(66576008)(5660300002)(9686003)(55016002)(15974865002)(86362001)(316002)(7066003)(70586007)(3480700007)(130860200001)(579004)(559001);DIR:OUT;SFP:1102;
X-OriginatorOrg: blah.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Nov 2020 11:54:06.3270
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 39551bfc-0a24-4f5e-b8cb-08d89138d010
X-MS-Exchange-CrossTenant-Id: 29330ce7-8bee-4b7f-96d8-1066707d22b5
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=29330ce7-8bee-4b7f-96d8-1066707d22b5;Ip=[104.40.229.156];Helo=[eu1.smtp.exclaimer.net]
X-MS-Exchange-CrossTenant-AuthSource:
VE1EUR03FT009.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB4533
X-SA-Exim-Connect-IP: 40.107.8.121
X-SA-Exim-Mail-From: Michas@blah.com
Subject: Re: Comcast Abuse Report
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on as001.fluent.ltd.uk
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.0 required=4.4 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_FACE_BAD,HTML_FONT_LOW_CONTRAST,
HTML_IMAGE_RATIO_08,HTML_MESSAGE,LONGWORD,LOTS_OF_MONEY,MD5_CONTENT,
MR_NOT_ATTRIBUTED_IP,RCVD_IN_CBL,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,
RCVD_IN_SBL_CSS,RCVD_IN_SBL_XBL,RCVD_IN_SORBS,RDNS_NONE,SPF_HELO_PASS,
SPF_PASS,TW_VB,URIBL_BLOCKED autolearn=disabled version=3.4.4
X-Spam-Report:
* 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
* blocked. See
* http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
* for more information.
* [URIs: blah.com]
* 1.5 RCVD_IN_CBL RBL: Received via a relay in cbl.abuseat.org
* [Blocked - see <http://www.abuseat.org/lookup.cgi?ip=86.129.191.88>]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.107.8.121 listed in wl.mailspike.net]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
* https://www.dnswl.org/, no trust
* [40.107.8.121 listed in list.dnswl.org]
* 1.5 RCVD_IN_SBL_XBL RBL: Received via a relay in Spamhaus SBL+XBL
* [86.129.191.88 listed in sbl-xbl.spamhaus.org]
* 3.6 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
* [86.129.191.88 listed in zen.spamhaus.org]
* 0.7 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in
* headers
* -0.7 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.6 SPF_PASS SPF: sender matches SPF record
* 0.1 LONGWORD BODY: Uses overlong words
* 0.1 TW_VB BODY: Odd Letter Triples with VB
* -0.1 MD5_CONTENT BODY: Contains MD5 hash.
* 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
* 0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image
* area
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
* identical to background
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
* envelope-from domain
* -1.5 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 0.5 RDNS_NONE Delivered to internal network by a host with no rDNS
* 0.0 LOTS_OF_MONEY Huge... sums of money
* 0.1 RCVD_IN_SORBS No description available.
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail.fluent.ltd.uk)
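To see which addresses SpamAssassin's RCVD_IN_* rules end up querying for a message like this one, here is an added Python example (not code from the post or from SpamAssassin itself) that unfolds a trimmed, constructed subset of the headers above, walks the Received: chain top-down, and then appends any IP found in the headers named by SpamAssassin 3.4's originating_ip_headers setting (X-Originating-IP is in its default list) as an extra untrusted relay, which is how 86.129.191.88 reaches the DNSBL checks despite appearing in no Received: line. The trusted_networks value used at the end is a hypothetical one chosen only to show how trust ends at the first outside relay.

```python
import re
from ipaddress import ip_address, ip_network

# Default value of SpamAssassin 3.4's originating_ip_headers setting.
ORIGINATING_IP_HEADERS = ("X-Yahoo-Post-IP", "X-Originating-IP", "X-Apparently-From", "X-SenderIP")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: a trimmed subset of the headers quoted in the post above.
SAMPLE_HEADERS = """\
Received: from [40.107.8.121] (port=28758 helo=EUR04-VI1-obe.outbound.protection.outlook.com)
\tby mail.fluent.ltd.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\tfor jonathan@fluent.ltd.uk; Wed, 25 Nov 2020 11:54:11 +0000
Received: from eu1.smtp.exclaimer.net (104.40.229.156) by
 VE1EUR03FT009.mail.protection.outlook.com (10.152.18.92) with Microsoft SMTP
 Server (version=TLS1_2) id 15.20.3589.20; Wed, 25 Nov 2020 11:54:06 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (104.47.18.113)
 by eu1.smtp.exclaimer.net (104.40.229.156) with Exclaimer Signature Manager
 ESMTP Proxy; Wed, 25 Nov 2020 11:54:06 +0000
From: Michas Rapf <Michas@blah.com>
x-originating-ip: [86.129.191.88]
X-SA-Exim-Connect-IP: 40.107.8.121
"""


def unfold_headers(raw):
    """Join RFC 5322 continuation lines and return (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_ip(value):
    """IP of the sending host: the first IPv4 in the 'from ...' part before 'by'."""
    from_part = re.split(r"\s+by\s+", value, maxsplit=1)[0]
    match = IPV4.search(from_part)
    return match.group(1) if match else None


def relay_chain(fields, trusted_networks=(), originating=ORIGINATING_IP_HEADERS):
    """Relays top-down with a trusted flag, then IPs taken from originating-IP headers."""
    nets = [ip_network(n) for n in trusted_networks]
    chain, still_trusted = [], True
    for name, value in fields:
        if name.lower() != "received":
            continue
        ip = received_ip(value)
        if ip is None:
            continue
        # Trust ends at the first relay outside trusted_networks and never resumes.
        still_trusted = still_trusted and any(ip_address(ip) in n for n in nets)
        chain.append({"ip": ip, "source": "Received", "trusted": still_trusted})
    wanted = {h.lower() for h in originating}
    for name, value in fields:
        if name.lower() in wanted:
            # SpamAssassin appends these as an extra untrusted relay, so RBL rules test them.
            for ip in IPV4.findall(value):
                chain.append({"ip": ip, "source": name, "trusted": False})
    return chain


def dnsbl_candidates(chain):
    """Untrusted, publicly routable relay IPs: the ones RCVD_IN_* rules would query."""
    return [r["ip"] for r in chain if not r["trusted"] and ip_address(r["ip"]).is_global]


if __name__ == "__main__":
    fields = unfold_headers(SAMPLE_HEADERS)
    for relay in relay_chain(fields):
        print(f'{relay["ip"]:16} {relay["source"]:18} trusted={relay["trusted"]}')
    print("queried:", dnsbl_candidates(relay_chain(fields)))
    print("without originating headers:", dnsbl_candidates(relay_chain(fields, originating=())))
```

Passing originating=() mirrors emptying the originating_ip_headers list in local.cf; the queried set then holds only the Received: relays, while leaving the default in place is what lets a blacklisted client address behind an authenticated Office 365 submission trigger RCVD_IN_SBL_CSS and friends.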