extremeshok / spamassassin-extremeshok_fromreplyto

Configures spamassassin to score mails with various rules against the reply-to, from and to headers.
https://eXtremeSHOK.com

FROM_IS_REPLY_TO as well as FROM_NOT_REPLYTO at the same time #6

Closed stephanhendl closed 6 years ago

stephanhendl commented 7 years ago

Hi,

recently I've seen in the logs that the above-mentioned values are on the same line... IMHO, I thought that these two are mutually exclusive and should not be visible at the same time... We are using version 1.5. What's wrong?

Apr 20 15:26:35 debmail1 amavis[7968]: (07968-05) spam_scan: score=0.501 autolearn=no autolearn_force=no tests=[ALL_TRUSTED=-1,FROM_IS_REPLY_TO=-0.5,FROM_NOT_REPLYTO=2,HTML_MESSAGE=0.001] recips=0

The sender is one of our well-known customers and the mail is DKIM-signed too. So REPLYTO should be OK.

Regards, Stephan
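
A quick way to see how From: and Reply-To: actually compare, as an added example that is not part of the issue or of the extremeshok rule set (the real rule definitions and the attached header.txt are not on this page). It parses a constructed message, compares the two headers at three granularities (raw header value, exact addr-spec, case-folded addr-spec) and then evaluates two hypothetical rules, X_FROM_IS_REPLY_TO_ADDR and X_FROM_NOT_REPLYTO_RAW, whose names and semantics are assumptions chosen to illustrate that two rules comparing the same headers at different granularities are not mutually exclusive:

```python
"""Compare From: and Reply-To: at several granularities.

Added diagnostic example; the X_* rules below are hypothetical and are not
the extremeshok rules. Sample messages are constructed, not the issue's mail.
"""
import email
from email.utils import getaddresses

# Constructed sample: same mailbox, but display name and domain case differ.
SAMPLE_DISPLAY_NAME_DIFFERS = (
    'From: "Pressestelle" <presse@example.org>\n'
    "Reply-To: presse@EXAMPLE.org\n"
    "To: internet@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# Constructed sample: no Reply-To header at all.
SAMPLE_NO_REPLY_TO = (
    "From: presse@example.org\nTo: x@example.net\nSubject: t\n\nbody\n"
)
# Constructed sample: Reply-To points at a genuinely different mailbox.
SAMPLE_DIFFERENT = (
    "From: presse@example.org\nReply-To: other@example.com\n"
    "To: x@example.net\nSubject: t\n\nbody\n"
)


def _addr_specs(msg, header, fold):
    """addr-specs from every instance of `header` (RFC 5322 allows a list)."""
    specs = [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]
    if fold:
        specs = [s.lower() for s in specs]
    return sorted(specs)


def compare_from_replyto(raw):
    """Return how From: and Reply-To: compare at three granularities."""
    msg = email.message_from_string(raw)
    from_raw = (msg.get("From") or "").strip()
    replyto_raw = (msg.get("Reply-To") or "").strip()
    has_reply_to = msg.get("Reply-To") is not None
    return {
        "has_reply_to": has_reply_to,
        # whole header value, as a regex over the raw header line would see it
        "raw_equal": has_reply_to and from_raw == replyto_raw,
        # addr-spec only, case-sensitive
        "addr_equal_strict": has_reply_to
        and _addr_specs(msg, "From", False) == _addr_specs(msg, "Reply-To", False),
        # addr-spec only, case-folded (domains are case-insensitive)
        "addr_equal_folded": has_reply_to
        and _addr_specs(msg, "From", True) == _addr_specs(msg, "Reply-To", True),
    }


def fired_rules(raw):
    """Evaluate two hypothetical rules that compare at different granularities.

    X_FROM_IS_REPLY_TO_ADDR: Reply-To present and addr-specs match (folded).
    X_FROM_NOT_REPLYTO_RAW: Reply-To present and raw header values differ.
    Both can fire on one message when only display name or case differs.
    """
    r = compare_from_replyto(raw)
    fired = set()
    if r["has_reply_to"] and r["addr_equal_folded"]:
        fired.add("X_FROM_IS_REPLY_TO_ADDR")
    if r["has_reply_to"] and not r["raw_equal"]:
        fired.add("X_FROM_NOT_REPLYTO_RAW")
    return fired


if __name__ == "__main__":
    for name, sample in [
        ("display name / case differs", SAMPLE_DISPLAY_NAME_DIFFERS),
        ("no Reply-To", SAMPLE_NO_REPLY_TO),
        ("different mailbox", SAMPLE_DIFFERENT),
    ]:
        print(name, compare_from_replyto(sample), sorted(fired_rules(sample)))
```

Running it on the first constructed sample shows both hypothetical rules firing: the addr-spec comparison says the headers match while the raw comparison says they differ. Whether that is what happened in the reported case cannot be told from the log line alone, which is why the maintainer asks for the full header.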

extremeshok commented 7 years ago

Can you upload the header of the email.

Or the from/to lines.

stephanhendl commented 7 years ago

Here you are:

header.txt

extremeshok commented 7 years ago

Header of the email message as well please

stephanhendl commented 7 years ago

Since this is a user mailbox to which I have no access, I can send the postfix/amavis logfiles only:

Apr 20 14:42:29 ucsmailrelay postfix/smtpd[32725]: 988AB1994: client=win76cas.ltbbg1.lvnbb.de[10.142.76.17]
Apr 20 14:42:29 ucsmailrelay postfix/cleanup[32727]: 988AB1994: message-id=<18CBE3CCE32E4731A138B63CCBF1650F@win76cas>
Apr 20 14:42:29 ucsmailrelay postfix/qmgr[31912]: 988AB1994: from=<presse@gruene-fraktion.brandenburg.de>, size=7005, nrcpt=1 (queue active)
Apr 20 14:42:30 ucsmailrelay postfix/smtp[32734]: 1042018C: to=<internet@rbb-online.de>, relay=debmail1.secdmz.lvnbb.de[10.128.47.50]:25, conn_use=3, delay=2.1, delays=0.01/0/0.01/2.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 21E7E3FC61)
Apr 20 14:42:30 ucsmailrelay postfix/qmgr[31912]: 1042018C: removed
Apr 20 14:42:29 ucsmailrelay postfix/smtpd[32725]: 988AB1994: client=win76cas.ltbbg1.lvnbb.de[10.142.76.17]
Apr 20 14:42:29 ucsmailrelay postfix/cleanup[32727]: 988AB1994: message-id=<18CBE3CCE32E4731A138B63CCBF1650F@win76cas>
Apr 20 14:42:29 ucsmailrelay postfix/qmgr[31912]: 988AB1994: from=<presse@gruene-fraktion.brandenburg.de>, size=7005, nrcpt=1 (queue active)
Apr 20 14:42:29 ucsmailrelay postfix/smtp[32729]: 86A812A76: to=<russew@rasender-reporter.com>, relay=debmail1.secdmz.lvnbb.de[10.128.47.50]:25, conn_use=4, delay=2.2, delays=0.01/0/0.01/2.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AEED83FC5F)
Apr 20 14:42:29 ucsmailrelay postfix/qmgr[31912]: 86A812A76: removed
Apr 20 14:42:30 ucsmailrelay postfix/smtp[32734]: 1042018C: to=<internet@rbb-online.de>, relay=debmail1.secdmz.lvnbb.de[10.128.47.50]:25, conn_use=3, delay=2.1, delays=0.01/0/0.01/2.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 21E7E3FC61)
Apr 20 14:42:30 ucsmailrelay postfix/qmgr[31912]: 1042018C: removed

So the sender is "presse@gruene-fraktion.brandenburg.de" which is exactly the same as in the amavis logfile before.

How can I whitelist all traffic from internal mailservers?

extremeshok commented 6 years ago

Require the header of the email to debug.