
List:       spamassassin-users
Subject:    Re: RCVD_IN_SORBS_SPAM and google IPs
From:       RW <rwmaillists () googlemail ! com>
Date:       2017-06-17 20:53:38
Message-ID: 20170617215338.1a07f605 () gumby ! homeunix ! com

On Sat, 17 Jun 2017 08:55:48 -0700 (MST)
hmiller wrote:

> Hi,
> 
> Commonly RCVD_IN_ rules are checking the last untrusted relay,

Most positive scoring rules check the last-external.

>  but
> RCVD_IN_SORBS_WEB is apparently doing all Received hops.
> 
> Received: from host (host [2.2.2.2]) #The last untrusted relay
> Received: from [192.168.1.100] ([1.1.1.1]) #Authenticated MUA
> 
> I would expect it to check only 2.2.2.2 (the last untrusted hop), but
> in this case 1.1.1.1 was listed in SORBS_WEB and was scored 1.50.

In theory it seems reasonable:

describe RCVD_IN_SORBS_WEB      SORBS: sender is an abusable web server

An abused web-server may relay through a separate mail server. And
since web servers usually have static addresses it shouldn't be a
problem to do a deep check.

However, in this case it looks like a dynamic address has got into the list.
If this is common, it may be necessary to make it last-external.

It may be worth creating a separate last-external rule and see what
happens to the scores.
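
An added example, not part of the original message and not the project's stock rule: one way to write the separate last-external rule suggested above, for local.cf. The rule name LOCAL_SORBS_WEB_LE, the set name 'sorbsweb-lastexternal' and the 0.01 score are assumptions chosen for illustration.

```conf
# Added example for local.cf. The rule name LOCAL_SORBS_WEB_LE and the
# set name 'sorbsweb-lastexternal' are hypothetical.
ifplugin Mail::SpamAssassin::Plugin::DNSEval

# A set name ending in "-lastexternal" makes check_rbl() query only the
# last external relay (2.2.2.2 in the quoted headers) instead of every
# Received hop. 127.0.0.7 is the SORBS return code for the web list.
header   LOCAL_SORBS_WEB_LE  eval:check_rbl('sorbsweb-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.7')
describe LOCAL_SORBS_WEB_LE  SORBS web listing, last external relay only
tflags   LOCAL_SORBS_WEB_LE  net

# Informational score: the hit appears in reports, so it can be compared
# with RCVD_IN_SORBS_WEB, without moving the message total.
score    LOCAL_SORBS_WEB_LE  0.01

endif
```

Check the syntax with `spamassassin --lint` before reloading. Messages that hit RCVD_IN_SORBS_WEB but not LOCAL_SORBS_WEB_LE are the ones where only a deeper hop, such as the authenticated MUA address, is listed.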
