Zimbra Forums > Zimbra Collaboration Suite > Administrators

#1, 06-29-2010, 12:14 PM (Member, Posts: 12)
SpamAssassin test: RCVD_IN_DNSWL_MED

Possibly I should take this question to the SpamAssassin mailing lists, but figured I'd try it here first. My server received a bunch of spam that got through both Postini and SpamAssassin. The relevant headers are:

Code:
Return-Path: subornationjc5601@rnacpa.com
Received: from 10.10.22.10 (LHLO mx.mydomain.com) (10.10.22.10) by
 mx.mydomain.com with LMTP; Tue, 29 Jun 2010 12:04:39 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mx.mydomain.com (Postfix) with ESMTP id 139194CA8017;
	Tue, 29 Jun 2010 12:04:38 -0400 (EDT)
X-Virus-Scanned: amavisd-new at wsl-mx1.mydomain.com
X-Spam-Flag: NO
X-Spam-Score: 2.134
X-Spam-Level: **
X-Spam-Status: No, score=2.134 tagged_above=-10 required=4.2
	tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
	RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_DNSWL_MED=-4,
	URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_WS_SURBL=1.5]
Received: from mx.mydomain.com ([127.0.0.1])
	by localhost (mx.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id U4eRmNZatcv5; Tue, 29 Jun 2010 12:04:03 -0400 (EDT)
Received: from psmtp.com (exprod5mx244.postini.com [64.18.0.164])
	by mx.mydomain.com (Postfix) with SMTP id 4AC044CA8010
	for <inwood@mydomain.com>; Tue, 29 Jun 2010 12:03:53 -0400 (EDT)
Received: from source ([93.74.74.171]) by exprod5mx244.postini.com ([64.18.4.14]) with SMTP;
	Tue, 29 Jun 2010 12:04:00 EDT
Received: from 93.74.74.171 (port=6472 helo=[NETBOOKMSI])
	by inbound30.exchangedefender.com with asmtp 
	id 8F2729-000401-95
	for inwood@mydomain.com; Tue, 29 Jun 2010 19:03:40 +0200
Message-ID: <409D29E6.0409664@rnacpa.com>
Date: Tue, 29 Jun 2010 19:03:40 +0200
From: "mydomain.com" <support@mydomain.com>
MIME-Version: 1.0
To: inwood@mydomain.com
Subject: Reset your mydomain.com password
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/html; charset=iso-8859-1
X-Spam: Not detected
X-Mras: OK
X-pstn-levels:     (S: 3.52628/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 5 (2.0000:2.0000) s cv gt3 gt2 gt1 r p m c 
X-pstn-addresses: from <support@mydomain.com> [db-null]

From the looks of it, the reason it passed SpamAssassin is because the RCVD_IN_DNSWL_MED test tacked on -4 to the score. The originating IP address is 93.74.74.171, but when I checked, that URL is not in the DNSWL whitelist. So, why did this test pass? My only guess is that rather than (or in addition to) checking the original IP address, it checked the next one in the received chain, which would be Postini. Since Postini is in the whitelist, it gave the mail an extra -4. Does that make any sense? If not, why is it giving -4 to an IP not in the list? Thanks!
#2, 06-29-2010, 08:34 PM (Starter Member, Posts: 2)
SA DNSBL lookups are almost exclusively MX peer only.

SpamAssassin does DNSBL lookups almost exclusively on the peer of your MX. In this case Postini's IP. Doing "deep header parsing" for more lookups is against the Terms and Conditions of most DNSBLs (e.g. PBL, CBL, XBL etc.) and will generally cause unacceptable numbers of false positives.

So, when Postini leaks, DNSBLs won't help you.

You'd be best off bumping up the scores for SURBL hits a few notches and/or inhibiting the DNSWL listing of Postini.
#3, 06-30-2010, 05:44 AM (Member, Posts: 12)

Thanks for the reply! I'm not sure I understand though. The Postini IP is neither the first received header (that would be the spammer's IP, 93.74.74.171) nor the last received header (that would be localhost, 127.0.0.1). Are you saying it just goes back to the first peer seen before localhost? That seems strange, especially because that will only rarely be the actual origin of the message. In my case, that will ALWAYS be Postini, which would make the RCVD_IN_DNSWL_MED test completely useless. I'm sure I'm not the only one with this type of setup. But I guess it doesn't make sense to check the first received header either, as that can very easily be spoofed. The only "legitimate" peer is the most recent one.

I guess I need to go through some mails and see if that's really the case (that RCVD_IN_DNSWL_MED is being applied to everything). If so, it sounds like I need to disable ALL blacklist/whitelist rules, as they will only be applied against Postini. I guess it makes sense that all such rules need to be applied by Postini, and all I can effectively do on my side are message-text heuristics.

Thanks!
#4, 06-30-2010, 05:13 PM (Starter Member, Posts: 2)
DNSBL lookups in SA

Sorry, didn't realize that you were a Postini customer. I thought that this email was outbound from Postini to your MX, not inbound to you via your MX to Postini.

That changes things.

You have to educate SA where your "perimeter" is - namely, the Postini inbounds. Once you've done that, SA will be doing the DNSBL lookups on Postini's peer - namely, the hop that got the email to Postini.

See: TrustedRelays - Spamassassin Wiki
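The trust-path behaviour that posts #2 and #4 describe, as an added example that is not part of the original thread and not SpamAssassin's own code: it walks the Received: chain from the headers quoted in post #1 (embedded here as sample input, newest hop first) and picks the "last external" IP, the first sending address that is not a trusted relay. With nothing configured, only loopback and private addresses count as trusted, so the lookup lands on Postini's inbound (64.18.0.164) and its DNSWL listing is what scores -4. Declaring the Postini hosts as trusted (the equivalent of the `trusted_networks` directive in SpamAssassin's local.cf) moves the lookup one hop back to 93.74.74.171. The two Postini addresses listed as trusted are simply the ones that appear in the quoted headers, an assumption standing in for Postini's published ranges; the trust model is a simplified version of SpamAssassin's and ignores its internal_networks/msa_networks distinctions.

```python
import ipaddress
import re

# Received: headers from the message quoted in the thread, newest hop first
# (sample input taken from the post; continuation lines are folded with spaces).
SAMPLE_HEADERS = """\
Received: from 10.10.22.10 (LHLO mx.mydomain.com) (10.10.22.10) by
 mx.mydomain.com with LMTP; Tue, 29 Jun 2010 12:04:39 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by mx.mydomain.com (Postfix) with ESMTP id 139194CA8017;
 Tue, 29 Jun 2010 12:04:38 -0400 (EDT)
Received: from mx.mydomain.com ([127.0.0.1])
 by localhost (mx.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id U4eRmNZatcv5; Tue, 29 Jun 2010 12:04:03 -0400 (EDT)
Received: from psmtp.com (exprod5mx244.postini.com [64.18.0.164])
 by mx.mydomain.com (Postfix) with SMTP id 4AC044CA8010
 for <inwood@mydomain.com>; Tue, 29 Jun 2010 12:03:53 -0400 (EDT)
Received: from source ([93.74.74.171]) by exprod5mx244.postini.com ([64.18.4.14]) with SMTP;
 Tue, 29 Jun 2010 12:04:00 EDT
Received: from 93.74.74.171 (port=6472 helo=[NETBOOKMSI])
 by inbound30.exchangedefender.com with asmtp
 id 8F2729-000401-95
 for inwood@mydomain.com; Tue, 29 Jun 2010 19:03:40 +0200
"""

# Assumption: the two Postini addresses seen in the headers stand in for
# Postini's real inbound ranges, which a deployment would list instead.
POSTINI_INBOUND = ("64.18.0.164/32", "64.18.4.14/32")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def received_ips(raw):
    """Sending IP of each Received: header, in header order (newest hop first).

    The first dotted quad in a Received: header is the address of the host
    that handed the message over ("from ..."), which is what a relay check sees.
    """
    ips = []
    for header in unfold_headers(raw):
        if header.lower().startswith("received:"):
            match = IPV4.search(header)
            if match:
                ips.append(match.group(1))
    return ips


def is_trusted(ip, trusted_networks):
    """Loopback and RFC 1918 hops are always ours; others only if configured."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_private:
        return True
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in trusted_networks)


def last_external_ip(raw, trusted_networks=()):
    """The first untrusted relay walking inward from the MX: the IP that
    DNSBL/DNSWL tests such as RCVD_IN_DNSWL_MED are evaluated against."""
    for ip in received_ips(raw):
        if not is_trusted(ip, trusted_networks):
            return ip
    return None


if __name__ == "__main__":
    # Default trust: the lookup stops at Postini, whose DNSWL listing scores -4.
    print("no trusted_networks:     ", last_external_ip(SAMPLE_HEADERS))
    # Postini declared as perimeter: the lookup reaches the spammer's host.
    print("Postini trusted:         ", last_external_ip(SAMPLE_HEADERS, POSTINI_INBOUND))
```

Everything further back in the chain (the exchangedefender hop) stays out of the lookup either way, which is the "no deep header parsing" point from post #2: the forged or unverifiable hops below the perimeter are exactly the ones a DNSBL check must not trust.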