[SOLVED] RCVD_ILLEGAL_IP spam

[VTC]

Getting some complaints about spam from other companies being specifically marked by the RCVD_ILLEGAL_IP Spam rule

Below is an example of one of the source headers:

Code:

Return-Path: <external-user>@ngc.com
Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.x.x) by
 mrmailman.virtc.com with LMTP; Thu, 3 Mar 2011 19:15:24 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by pobox1.virtc.com (Postfix) with ESMTP id E1B60418303
	for <internal-user@raytheonvtc.com>; Thu,  3 Mar 2011 19:15:23 -0500 (EST)
X-Quarantine-ID: <vfRytL2IDf2b>
X-Virus-Scanned: amavisd-new at pobox1.virtc.com
X-Spam-Flag: YES
X-Spam-Score: 2.498
X-Spam-Level: **
X-Spam-Status: Yes, score=2.498 tagged_above=-10 required=2.4
	tests=[BAYES_00=-1.9, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001,
	RCVD_ILLEGAL_IP=3.399, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
	autolearn=no
Received: from pobox1.virtc.com ([127.0.0.1])
	by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id vfRytL2IDf2b; Thu,  3 Mar 2011 19:15:20 -0500 (EST)
Received: from northgrum.com (xspv0101.northgrum.com [134.223.120.76])
	by pobox1.virtc.com (Postfix) with ESMTPS id B894C4180C8
	for <internal-user@raytheonvtc.com>; Thu,  3 Mar 2011 19:15:19 -0500 (EST)
Received: from ([134.223.80.11])
	by xspv0101.northgrum.com with ESMTP with TLS id 1TV4JL1.34693890;
	Thu, 03 Mar 2011 18:15:14 -0600
Received: from XHTVAG01.northgrum.com (134.223.82.51) by
 XHTV0002.northgrum.com (134.223.80.11) with Microsoft SMTP Server (TLS) id
 14.1.270.1; Thu, 3 Mar 2011 18:15:14 -0600
Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
 XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
 Mar 2011 18:15:14 -0600

Any ideas? Is this something out of our control other than disabling the rule?

[phoenix]

Getting some complaints about spam from other companies being specifically marked by the RCVD_ILLEGAL_IP Spam rule

Below is an example of one of the source headers:

Code:

Return-Path: <external-user>@ngc.com
Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.x.x) by
 mrmailman.virtc.com with LMTP; Thu, 3 Mar 2011 19:15:24 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by pobox1.virtc.com (Postfix) with ESMTP id E1B60418303
	for <internal-user@raytheonvtc.com>; Thu,  3 Mar 2011 19:15:23 -0500 (EST)
X-Quarantine-ID: <vfRytL2IDf2b>
X-Virus-Scanned: amavisd-new at pobox1.virtc.com
X-Spam-Flag: YES
X-Spam-Score: 2.498
X-Spam-Level: **
X-Spam-Status: Yes, score=2.498 tagged_above=-10 required=2.4
	tests=[BAYES_00=-1.9, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001,
	RCVD_ILLEGAL_IP=3.399, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
	autolearn=no
Received: from pobox1.virtc.com ([127.0.0.1])
	by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id vfRytL2IDf2b; Thu,  3 Mar 2011 19:15:20 -0500 (EST)
Received: from northgrum.com (xspv0101.northgrum.com [134.223.120.76])
	by pobox1.virtc.com (Postfix) with ESMTPS id B894C4180C8
	for <internal-user@raytheonvtc.com>; Thu,  3 Mar 2011 19:15:19 -0500 (EST)
Received: from ([134.223.80.11])
	by xspv0101.northgrum.com with ESMTP with TLS id 1TV4JL1.34693890;
	Thu, 03 Mar 2011 18:15:14 -0600
Received: from XHTVAG01.northgrum.com (134.223.82.51) by
 XHTV0002.northgrum.com (134.223.80.11) with Microsoft SMTP Server (TLS) id
 14.1.270.1; Thu, 3 Mar 2011 18:15:14 -0600
Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
 XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
 Mar 2011 18:15:14 -0600

Any ideas? Is this something out of our control other than disabling the rule?

Are you saying that it doesn't contain an invalid IP or that you want to ignore it? Isn't the first IP address (highleted in blue) an invalid address? AFAIK, that should never been seen in an email header.

Why do you also have the 'required' set so low? What are your tag/kill percentages?

[VTC]

From the looks yes but im curious where the fault is, is it how their smtp server is sending the message or is it how our smtp server is displaying and filtering it?

I have only seen this with a few addresses and only recently has it appeared since the recent upgrade from 6.0.5 to 6.0.10.

Just curious what my options are to mitigate this.

[VTC]

Here is an example from the same sender back in november

Code:

X-Spam-Status: No, score=-5.06 tagged_above=-10 required=2.4
	tests=[AWL=-0.539, BAYES_00=-2.599, HTML_MESSAGE=0.001,
	RCVD_IN_DNSWL_MED=-4, SUBJ_ALL_CAPS=2.077] autolearn=ham
Received: from pobox2.virtc.com ([127.0.0.1])
	by localhost (pobox2.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id XyC5Pvcc3-lD; Sun,  7 Nov 2010 15:24:28 -0500 (EST)
Received: from xmrc0101.northgrum.com (xmrc0101.northgrum.com [208.12.122.34])
	by pobox2.virtc.com (Postfix) with ESMTP id A14328040C7
	for <drichardson@raytheonvtc.com>; Sun,  7 Nov 2010 15:24:27 -0500 (EST)
Received: from xbhc0001.northgrum.com ([157.127.103.104]) by xmrc0101.northgrum.com with InterScan Message Security Suite; Sun, 07 Nov 2010 15:29:54 -0500
Received: from XBHIL103.northgrum.com ([134.223.165.23]) by xbhc0001.northgrum.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
	 Sun, 7 Nov 2010 12:24:03 -0800
Received: from XMBIL123.northgrum.com ([134.223.166.14]) by XBHIL103.northgrum.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
	 Sun, 7 Nov 2010 14:24:02 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;

[phoenix]

Here is an example from the same sender back in november

..... and your point is? It's evident from those two messages that something has changed at the mail server of the company/person sending the email, the invalid IP address doesn't appear in that output you've posted. This isn't a Zimbra problem, spamassassin is doing what it's supposed to do.

You also didn't answer my other question about the 'required' setting nor the kill/tag percentages.

[VTC]

It is evident that its changed, and im not stating its a spamassign problem im seeking advise on how to handle it? Its just odd that it started post the 6.0.10 upgrade, the problem is that previous emails from two different mail domains now show this rule and an internal IP in the source header for the sender. Just saying...

Kill 55
Tag 12

[Krishopper]

See: Rules/RCVD_ILLEGAL_IP - Spamassassin Wiki
and: IANA IPv4 Address Space Registry

The issue is with this line:

Code:

Received: from XMBVAG71.northgrum.com ([169.254.1.162]) by
 XHTVAG01.northgrum.com ([134.223.82.51]) with mapi id 14.01.0270.001; Thu, 3
 Mar 2011 18:15:14 -0600

It does not like the "169.254.x.x" address, since that is private address space.

[phoenix]

It is evident that its changed, and im not stating its a spamassign problem im seeking advise on how to handle it? Its just odd that it started post the 6.0.10 upgrade, the problem is that previous emails from two different mail domains now show this rule and an internal IP in the source header for the sender. Just saying...

What has changed, as I said earlier, is the fact that the sending mail server now includes the 169.254..x.x address space in it's headers, that's not allowed as it a 'private' IP address and should never be seen in the wild. This is a problem that needs to be fixed by the administrator of the sending mail server.

Kill 55
Tag 12

That tag percentage will give you lots of false-positives, including the problem you're now seeing. If you look at the scoring, the email that's causing you a problem is only just above the tag level and putting it to a more reasonable level (such as 33) will stop that email going to the Junk folder. Don't forget that the tag/kill percentages aren't fixed in stone, you need to monitor the status of your anti-spam system and adjust it accordingly. The sending server still needs to fix their problem.

[VTC]

Thank you for your input.

I have modified my kill/tag percentages to give a little more leeway, as advised.

Thanks again.