Zimbra Forums
03-07-2011, 09:16 AM
[SOLVED] RCVD_ILLEGAL_IP spam
Getting some complaints about spam from other companies being specifically marked by the RCVD_ILLEGAL_IP spam rule.
Below is an example of one of the source headers:
Code:
Return-Path: <external-user>@ngc.com
Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.x.x) by
mrmailman.virtc.com with LMTP; Thu, 3 Mar 2011 19:15:24 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by pobox1.virtc.com (Postfix) with ESMTP id E1B60418303
for <internal-user@raytheonvtc.com>; Thu, 3 Mar 2011 19:15:23 -0500 (EST)
X-Quarantine-ID: <vfRytL2IDf2b>
X-Virus-Scanned: amavisd-new at pobox1.virtc.com
X-Spam-Flag: YES
X-Spam-Score: 2.498
X-Spam-Level: **
X-Spam-Status: Yes, score=2.498 tagged_above=-10 required=2.4
tests=[BAYES_00=-1.9, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001,
RCVD_ILLEGAL_IP=3.399, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
autolearn=no
Received: from pobox1.virtc.com ([127.0.0.1])
by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id vfRytL2IDf2b; Thu, 3 Mar 2011 19:15:20 -0500 (EST)
Received: from northgrum.com (xspv0101.northgrum.com [134.223.120.76])
by pobox1.virtc.com (Postfix) with ESMTPS id B894C4180C8
for <internal-user@raytheonvtc.com>; Thu, 3 Mar 2011 19:15:19 -0500 (EST)
Received: from ([134.223.80.11])
by xspv0101.northgrum.com with ESMTP with TLS id 1TV4JL1.34693890;
Thu, 03 Mar 2011 18:15:14 -0600
Received: from XHTVAG01.northgrum.com (134.223.82.51) by
XHTV0002.northgrum.com (134.223.80.11) with Microsoft SMTP Server (TLS) id
14.1.270.1; Thu, 3 Mar 2011 18:15:14 -0600
Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
Mar 2011 18:15:14 -0600
Any ideas? Is this something out of our control other than disabling the rule?
03-07-2011, 10:35 AM
Zimbra Consultant & Moderator
Posts: 20,314
Quote:
Originally Posted by VTC Getting some complaints about spam from other companies being specifically marked by the RCVD_ILLEGAL_IP Spam rule
[...] Any ideas? Is this something out of our control other than disabling the rule?
Are you saying that it doesn't contain an invalid IP or that you want to ignore it? Isn't the first IP address (highlighted in blue) an invalid address? AFAIK, that should never be seen in an email header.
Why do you also have the 'required' set so low? What are your tag/kill percentages?
__________________
Regards
Bill
| 
03-07-2011, 10:38 AM
From the looks of it, yes, but I'm curious where the fault is: is it how their SMTP server is sending the message, or is it how our SMTP server is displaying and filtering it?
I have only seen this with a few addresses, and it has only appeared since the recent upgrade from 6.0.5 to 6.0.10.
Just curious what my options are to mitigate this.
03-07-2011, 10:41 AM
Here is an example from the same sender back in November:
Code:
X-Spam-Status: No, score=-5.06 tagged_above=-10 required=2.4
tests=[AWL=-0.539, BAYES_00=-2.599, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_MED=-4, SUBJ_ALL_CAPS=2.077] autolearn=ham
Received: from pobox2.virtc.com ([127.0.0.1])
by localhost (pobox2.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id XyC5Pvcc3-lD; Sun, 7 Nov 2010 15:24:28 -0500 (EST)
Received: from xmrc0101.northgrum.com (xmrc0101.northgrum.com [208.12.122.34])
by pobox2.virtc.com (Postfix) with ESMTP id A14328040C7
for <drichardson@raytheonvtc.com>; Sun, 7 Nov 2010 15:24:27 -0500 (EST)
Received: from xbhc0001.northgrum.com ([157.127.103.104]) by xmrc0101.northgrum.com with InterScan Message Security Suite; Sun, 07 Nov 2010 15:29:54 -0500
Received: from XBHIL103.northgrum.com ([134.223.165.23]) by xbhc0001.northgrum.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 7 Nov 2010 12:24:03 -0800
Received: from XMBIL123.northgrum.com ([134.223.166.14]) by XBHIL103.northgrum.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 7 Nov 2010 14:24:02 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
| 
03-07-2011, 11:11 AM
Zimbra Consultant & Moderator
Posts: 20,314
Quote:
Originally Posted by VTC Here is an example from the same sender back in November
..... and your point is? It's evident from those two messages that something has changed at the mail server of the company/person sending the email; the invalid IP address doesn't appear in that output you've posted. This isn't a Zimbra problem, SpamAssassin is doing what it's supposed to do.
You also didn't answer my other question about the 'required' setting nor the kill/tag percentages.
__________________
Regards
Bill
| 
03-07-2011, 11:26 AM
It is evident that it's changed, and I'm not stating it's a SpamAssassin problem; I'm seeking advice on how to handle it. It's just odd that it started post the 6.0.10 upgrade; the problem is that previous emails from two different mail domains now show this rule and an internal IP in the source header for the sender. Just saying...
Kill 55
Tag 12
03-07-2011, 03:13 PM
Outstanding Member
Posts: 717
See: Rules/RCVD_ILLEGAL_IP - Spamassassin Wiki
and: IANA IPv4 Address Space Registry
The issue is with this line:
Code:
Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
Mar 2011 18:15:14 -0600
It does not like the "169.254.x.x" address, since that is private address space.
03-07-2011, 10:51 PM
Zimbra Consultant & Moderator
Posts: 20,314
Quote:
Originally Posted by VTC It is evident that it's changed, and I'm not stating it's a SpamAssassin problem; I'm seeking advice on how to handle it. It's just odd that it started post the 6.0.10 upgrade; the problem is that previous emails from two different mail domains now show this rule and an internal IP in the source header for the sender. Just saying...
What has changed, as I said earlier, is the fact that the sending mail server now includes the 169.254.x.x address space in its headers; that's not allowed, as it is a 'private' IP address and should never be seen in the wild. This is a problem that needs to be fixed by the administrator of the sending mail server.
Quote:
Originally Posted by VTC Kill 55
Tag 12
That tag percentage will give you lots of false positives, including the problem you're now seeing. If you look at the scoring, the email that's causing you a problem is only just above the tag level, and putting it to a more reasonable level (such as 33) will stop that email going to the Junk folder. Don't forget that the tag/kill percentages aren't fixed in stone; you need to monitor the status of your anti-spam system and adjust it accordingly. The sending server still needs to fix their problem.
__________________
Regards
Bill
| 
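The two questions this thread turns on, which Received: hop carries an address that no public relay should present, and what Zimbra's Tag/Kill percentages do with a score of 2.498, can both be checked offline. The Python below is an added example written for this page, not SpamAssassin's or Zimbra's own code. It unfolds and parses Received: headers, reports any hop whose relay address sits in a range that has no business on the public Internet (169.254.0.0/16 is the IPv4 link-local block of RFC 3927, which is why the March message trips and the November one does not), and converts Zimbra Tag/Kill percentages to the amavis levels they produce. Assumptions: the range table and the policy of tolerating loopback and RFC 1918 addresses on internal hops are the example's own and only approximate what RCVD_ILLEGAL_IP matches; the percent-to-level mapping (percent of a 20-point score) is inferred from Tag 12 corresponding to the required=2.4 in the posted X-Spam-Status header. The sample headers are copies of the two chains quoted in the thread.

```python
"""Find the Received: hop carrying an address no public relay should have, and
map Zimbra Tag/Kill percentages to amavis levels.  Added example for this
thread; not SpamAssassin's or Zimbra's own code."""
import ipaddress
import re

# Constructed sample: the March chain from the original post, folded as in a
# raw message (the poster's "192.168.x.x" placeholder is left as they wrote it).
MARCH_HEADERS = """\
Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.x.x) by
 mrmailman.virtc.com with LMTP; Thu, 3 Mar 2011 19:15:24 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by pobox1.virtc.com (Postfix) with ESMTP id E1B60418303
 for <internal-user@raytheonvtc.com>; Thu, 3 Mar 2011 19:15:23 -0500 (EST)
Received: from pobox1.virtc.com ([127.0.0.1])
 by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id vfRytL2IDf2b; Thu, 3 Mar 2011 19:15:20 -0500 (EST)
Received: from northgrum.com (xspv0101.northgrum.com [134.223.120.76])
 by pobox1.virtc.com (Postfix) with ESMTPS id B894C4180C8
 for <internal-user@raytheonvtc.com>; Thu, 3 Mar 2011 19:15:19 -0500 (EST)
Received: from ([134.223.80.11])
 by xspv0101.northgrum.com with ESMTP with TLS id 1TV4JL1.34693890;
 Thu, 03 Mar 2011 18:15:14 -0600
Received: from XHTVAG01.northgrum.com (134.223.82.51) by
 XHTV0002.northgrum.com (134.223.80.11) with Microsoft SMTP Server (TLS) id
 14.1.270.1; Thu, 3 Mar 2011 18:15:14 -0600
Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
 XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
 Mar 2011 18:15:14 -0600
"""

# Constructed sample: the first sender-side hops of the November message.
NOVEMBER_HEADERS = """\
Received: from xmrc0101.northgrum.com (xmrc0101.northgrum.com [208.12.122.34])
 by pobox2.virtc.com (Postfix) with ESMTP id A14328040C7
 for <internal-user@raytheonvtc.com>; Sun, 7 Nov 2010 15:24:27 -0500 (EST)
Received: from xbhc0001.northgrum.com ([157.127.103.104]) by xmrc0101.northgrum.com
 with InterScan Message Security Suite; Sun, 07 Nov 2010 15:29:54 -0500
"""

# Address classes.  This table is the example's own policy (an assumption); which
# of these SpamAssassin's rule matches is not shown in the thread.  169.254.0.0/16
# is IPv4 link-local (RFC 3927): it never crosses a router, so it cannot name a relay.
RANGES = [
    ("loopback", "127.0.0.0/8"), ("private", "10.0.0.0/8"),
    ("private", "172.16.0.0/12"), ("private", "192.168.0.0/16"),
    ("unspecified", "0.0.0.0/8"), ("link-local", "169.254.0.0/16"),
    ("documentation", "192.0.2.0/24"), ("documentation", "198.51.100.0/24"),
    ("documentation", "203.0.113.0/24"), ("multicast", "224.0.0.0/4"),
    ("reserved", "240.0.0.0/4"),
]
# Loopback and RFC 1918 hops are normal inside a site (the post's own amavis hops
# use 127.0.0.1 and were not flagged), so only the remaining classes count.
TOLERATED = {"loopback", "private", "public"}
# The relay address in the brackets/parentheses a Received: header puts around it.
BRACKETED_IPV4 = re.compile(r"[\[(]\s*(\d{1,3}(?:\.\d{1,3}){3})\s*[\])]")


def received_headers(raw):
    """Unfold RFC 5322 continuation lines and return each Received: value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines() if line.startswith("Received:")]


def classify(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # e.g. an octet above 255
        return "malformed"
    for label, net in RANGES:
        if addr in ipaddress.ip_network(net):
            return label
    return "public"


def illegal_hops(raw):
    """(hop index from the top, address, class) for every relay address a
    public chain must never carry; an empty list means the chain is clean."""
    return [(i, ip, classify(ip))
            for i, hop in enumerate(received_headers(raw))
            for ip in BRACKETED_IPV4.findall(hop)
            if classify(ip) not in TOLERATED]


def zimbra_level(percent):
    """Zimbra Tag/Kill percentages as a percentage of a 20-point score
    (assumed from Tag 12 giving the required=2.4 in the posted header)."""
    return round(percent * 20 / 100, 2)


def disposition(score, tag_percent, kill_percent):
    """What amavis does with a SpamAssassin score under those Zimbra settings."""
    if score >= zimbra_level(kill_percent):
        return "discarded"
    if score >= zimbra_level(tag_percent):
        return "tagged as spam"
    return "delivered clean"


if __name__ == "__main__":
    for name, raw in (("March", MARCH_HEADERS), ("November", NOVEMBER_HEADERS)):
        print(f"{name}: {illegal_hops(raw) or 'clean'}")
    for tag in (12, 33):
        print(f"Tag {tag}% -> level {zimbra_level(tag)}: {disposition(2.498, tag, 55)}")
```

Run as a script it reports the March chain flagged at its last hop (index 6, 169.254.1.162, link-local) and the November chain clean, then shows that 2.498 is tagged at Tag 12 (level 2.4) but delivered at Tag 33 (level 6.6), which is the adjustment the moderator suggested. Raising the tag level only changes what the receiver does with the score; the flagged hop is still the sending side's header to fix.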
03-08-2011, 05:44 AM
Thank you for your input.
I have modified my kill/tag percentages to give a little more leeway, as advised.
Thanks again.