
Thread: [SOLVED] RCVD_ILLEGAL_IP spam

  1. #1
    VTC

    Getting some complaints about spam from other companies being specifically marked by the RCVD_ILLEGAL_IP Spam rule.

    Below is an example of one of the source headers:

    Code:
    Return-Path: <external-user>@ngc.com
    Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.x.x) by
     mrmailman.virtc.com with LMTP; Thu, 3 Mar 2011 19:15:24 -0500 (EST)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by pobox1.virtc.com (Postfix) with ESMTP id E1B60418303
    	for <internal-user@raytheonvtc.com>; Thu,  3 Mar 2011 19:15:23 -0500 (EST)
    X-Quarantine-ID: <vfRytL2IDf2b>
    X-Virus-Scanned: amavisd-new at pobox1.virtc.com
    X-Spam-Flag: YES
    X-Spam-Score: 2.498
    X-Spam-Level: **
    X-Spam-Status: Yes, score=2.498 tagged_above=-10 required=2.4
    	tests=[BAYES_00=-1.9, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001,
    	RCVD_ILLEGAL_IP=3.399, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
    	autolearn=no
    Received: from pobox1.virtc.com ([127.0.0.1])
    	by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id vfRytL2IDf2b; Thu,  3 Mar 2011 19:15:20 -0500 (EST)
    Received: from northgrum.com (xspv0101.northgrum.com [134.223.120.76])
    	by pobox1.virtc.com (Postfix) with ESMTPS id B894C4180C8
    	for <internal-user@raytheonvtc.com>; Thu,  3 Mar 2011 19:15:19 -0500 (EST)
    Received: from ([134.223.80.11])
    	by xspv0101.northgrum.com with ESMTP with TLS id 1TV4JL1.34693890;
    	Thu, 03 Mar 2011 18:15:14 -0600
    Received: from XHTVAG01.northgrum.com (134.223.82.51) by
     XHTV0002.northgrum.com (134.223.80.11) with Microsoft SMTP Server (TLS) id
     14.1.270.1; Thu, 3 Mar 2011 18:15:14 -0600
    Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
     XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
     Mar 2011 18:15:14 -0600

    Any ideas? Is this something out of our control other than disabling the rule?

  2. #2
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by VTC:
    Getting some complaints about spam from other companies being specifically marked by the RCVD_ILLEGAL_IP Spam rule.

    [source headers quoted from post #1]

    Any ideas? Is this something out of our control other than disabling the rule?

    Are you saying that it doesn't contain an invalid IP, or that you want to ignore it? Isn't the first IP address (highlighted in blue) an invalid address? AFAIK, that should never be seen in an email header.

    Why do you also have the 'required' set so low? What are your tag/kill percentages?
    Regards
    Bill

  3. #3
    VTC

    From the looks of it, yes, but I'm curious where the fault is: is it how their SMTP server is sending the message, or is it how our SMTP server is displaying and filtering it?

    I have only seen this with a few addresses, and it has only appeared recently, since the upgrade from 6.0.5 to 6.0.10.

    Just curious what my options are to mitigate this.

  4. #4
    VTC

    Here is an example from the same sender back in November:

    Code:
    X-Spam-Status: No, score=-5.06 tagged_above=-10 required=2.4
    	tests=[AWL=-0.539, BAYES_00=-2.599, HTML_MESSAGE=0.001,
    	RCVD_IN_DNSWL_MED=-4, SUBJ_ALL_CAPS=2.077] autolearn=ham
    Received: from pobox2.virtc.com ([127.0.0.1])
    	by localhost (pobox2.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id XyC5Pvcc3-lD; Sun,  7 Nov 2010 15:24:28 -0500 (EST)
    Received: from xmrc0101.northgrum.com (xmrc0101.northgrum.com [208.12.122.34])
    	by pobox2.virtc.com (Postfix) with ESMTP id A14328040C7
    	for <drichardson@raytheonvtc.com>; Sun,  7 Nov 2010 15:24:27 -0500 (EST)
    Received: from xbhc0001.northgrum.com ([157.127.103.104]) by xmrc0101.northgrum.com with InterScan Message Security Suite; Sun, 07 Nov 2010 15:29:54 -0500
    Received: from XBHIL103.northgrum.com ([134.223.165.23]) by xbhc0001.northgrum.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    	 Sun, 7 Nov 2010 12:24:03 -0800
    Received: from XMBIL123.northgrum.com ([134.223.166.14]) by XBHIL103.northgrum.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
    	 Sun, 7 Nov 2010 14:24:02 -0600
    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: multipart/alternative;

    Last edited by phoenix; 03-07-2011 at 12:11 PM.

  5. #5
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by VTC:
    Here is an example from the same sender back in November:

    ..... and your point is? It's evident from those two messages that something has changed at the mail server of the company/person sending the email; the invalid IP address doesn't appear in the output you've posted. This isn't a Zimbra problem; SpamAssassin is doing what it's supposed to do.

    You also didn't answer my other question about the 'required' setting nor the kill/tag percentages.
    Regards
    Bill

  6. #6
    VTC

    It is evident that it's changed, and I'm not stating it's a SpamAssassin problem; I'm seeking advice on how to handle it. It's just odd that it started after the 6.0.10 upgrade; the problem is that previous emails from two different mail domains now show this rule and an internal IP in the source header for the sender. Just saying...

    Kill 55
    Tag 12

  7. #7
    Krishopper

    See: Rules/RCVD_ILLEGAL_IP - Spamassassin Wiki
    and: IANA IPv4 Address Space Registry

    The issue is with this line:

    Code:
    Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
     XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
     Mar 2011 18:15:14 -0600

    It does not like the "169.254.x.x" address, since that is private address space.

  8. #8
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by VTC:
    It is evident that it's changed, and I'm not stating it's a SpamAssassin problem; I'm seeking advice on how to handle it. It's just odd that it started after the 6.0.10 upgrade; the problem is that previous emails from two different mail domains now show this rule and an internal IP in the source header for the sender. Just saying...

    What has changed, as I said earlier, is the fact that the sending mail server now includes the 169.254.x.x address space in its headers; that's not allowed, as it's a 'private' IP address and should never be seen in the wild. This is a problem that needs to be fixed by the administrator of the sending mail server.

    Quote Originally Posted by VTC:
    Kill 55
    Tag 12

    That tag percentage will give you lots of false-positives, including the problem you're now seeing. If you look at the scoring, the email that's causing you a problem is only just above the tag level and putting it to a more reasonable level (such as 33) will stop that email going to the Junk folder. Don't forget that the tag/kill percentages aren't fixed in stone, you need to monitor the status of your anti-spam system and adjust it accordingly. The sending server still needs to fix their problem.
    Regards
    Bill
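
    Putting Krishopper's explanation of the rule and Bill's threshold advice together, here is an added Python example (not from the thread, nor Zimbra's or SpamAssassin's own code) that pulls the IPs out of a Received chain, flags the ones that should never appear on a public delivery path, and then shows why a 12% tag level catches this 2.498-point message while 33% would not. The illegal-range definition is an assumption rather than SpamAssassin's exact regex, and the percent-to-score mapping (percent of a 20-point scale) is an assumption that matches the thread's required=2.4 at tag 12.

```python
import ipaddress
import re

# Constructed excerpt of the Received chain posted in the thread (the hops that matter).
SAMPLE_HEADERS = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby pobox1.virtc.com (Postfix) with ESMTP id E1B60418303
Received: from northgrum.com (xspv0101.northgrum.com [134.223.120.76])
\tby pobox1.virtc.com (Postfix) with ESMTPS id B894C4180C8
Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
 XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unfold(headers):
    """Join RFC 5322 continuation lines (leading SP/HTAB) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def illegal_ips(headers):
    """Return IPs in Received headers that should never appear on a public path.
    Assumption (not SpamAssassin's exact rule): link-local (169.254/16), multicast,
    reserved, unspecified and 0.0.0.0/8 are illegal; loopback and RFC 1918 are
    allowed because internal hops (127.0.0.1, 192.168.x.x above) legitimately use them."""
    found = []
    for line in unfold(headers).splitlines():
        if not line.startswith("Received:"):
            continue
        for raw in IPV4.findall(line):
            try:
                ip = ipaddress.IPv4Address(raw)
            except ValueError:          # e.g. 999.1.2.3: malformed, hence illegal
                found.append(raw)
                continue
            if (ip.is_link_local or ip.is_multicast or ip.is_reserved
                    or ip.is_unspecified or ip in ipaddress.IPv4Network("0.0.0.0/8")):
                found.append(raw)
    return found

def tag_threshold(tag_percent):
    """Map a Zimbra tag/kill percentage onto the SpamAssassin score it implies.
    Assumption: percent of a 20-point scale; 12% -> 2.4, which is the thread's required=2.4."""
    return tag_percent * 20 / 100

def is_tagged(score, tag_percent):
    """amavisd marks a message as spam when its score reaches the tag level."""
    return score >= tag_threshold(tag_percent)

if __name__ == "__main__":
    print(illegal_ips(SAMPLE_HEADERS))          # the 169.254.1.162 hop trips the check
    print(is_tagged(2.498, 12), is_tagged(2.498, 33))
```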

  9. #9
    VTC

    Thank you for your input.

    I have modified my kill/tag percentages to give a little more leeway, as advised.

    Thanks again.
