spamassassin-users December 2011 archive

whitelist rules should include IP address in output?

From: Greg Troxel <gdt_at_nospam>
Date: Sat Dec 24 2011 - 13:54:59 GMT
To: users@spamassassin.apache.org

I'm having (yet another) problem getting spam certified by returnpath.
(This message is not to complain about returnpath; I'll do that sometime
after close of business Monday if they haven't delisted the spammer. :-)

The offending spam had a non-spam score, and thus compact headers
showing the rules that hit:

  X-Spam-Status: No, score=-1.7 required=1.0 tests=BAYES_50,DKIM_FORGED,
          DKIM_SIGNED,HTML_IMAGE_ONLY_28,HTML_MESSAGE,KHOP_RCVD_UNTRUST,
          RCVD_IN_DNSWL_LOW,RCVD_IN_HOSTKARMA_YE,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,
          RCVD_NOT_IN_IPREPDNS,T_DKIM_INVALID,T_REMOTE_IMAGE autolearn=no version=3.3.2

Fair enough - so, I saved the raw bits to a file and ran spamassassin
-t:

  Content analysis details: (-5.7 points, 1.0 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
  -0.1 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                              trust
                              [193.169.121.143 listed in list.dnswl.org]
  -2.0 RCVD_IN_RP_SAFE        RBL: Sender is in Return Path Safe (trusted relay)
                              [Return Path SenderScore Safe List (formerly]
                              [Habeas Safelist) - <http://www.senderscorecertified.com>]
   0.5 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                              [193.169.121.143 listed in hostkarma.junkemailfilter.com]
  -3.0 RCVD_IN_RP_CERTIFIED   RBL: Sender is in Return Path Certified (trusted
                              relay)
                              [Return Path SenderScore Certified (formerly]
                              [Bonded Sender) - <http://www.senderscorecertified.com>]
  -2.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                              [score: 0.0000]
   1.4 HTML_IMAGE_ONLY_28     BODY: HTML: images with 2400-2800 bytes of words
   0.0 HTML_MESSAGE           BODY: HTML included in message
   0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
   0.0 RCVD_NOT_IN_IPREPDNS   Sender not listed at
                              http://www.chaosreigns.com/iprep/
   0.2 DKIM_FORGED            DKIM_FORGED
   0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
   0.1 KHOP_RCVD_UNTRUST      DNS-whitelisted sender is not verified
   0.0 T_REMOTE_IMAGE         Message contains an external image

(bayes changed because it was autolearned from being in my inbox;
probably my fault for not waiting for a read mark, but separate)

Here, the RCVD_IN_DNSWL_LOW rule shows the IP address (of a wayn machine
that indeed handed the mail to my machine):

  Received: from mail143.wayn.net (mail143.wayn.net [193.169.121.143])
          by fnord.ir.bbn.com (Postfix) with SMTP id D546552F5
          for <gdt@ir.bbn.com>; Fri, 23 Dec 2011 21:39:55 -0500 (EST)

So the rule nicely shows the IP address that was in the database, so
things seem ok there (except wayn shouldn't be listed there either,
because persistent spamming can not be said to be "actively corrected
but less promptly").

But, the RP rules do not show the IP address. Obviously the address
that should be checked (and certainly was) is the one that handed the
mail to the first in the internal/trusted chain, and with direct
delivery from spammer to my machine this is not hard.

I think it's a bug in the RP rules that the IP address is not shown, and
in general a bug in any white/blacklist rule not to show the IP address
that hit.

Do people agree? Is it helpful to file a single bug about the RP rules,
and also a meta bug? Or just to file single bugs about rules missing
the IP address?
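
Added example (not part of the original post, and not SpamAssassin code): a short Python script that reads a `spamassassin -t` report and lists the RBL rules whose bracketed detail carries no IP address, which is the gap described above. The sample report is an excerpt of the one quoted in the message; the function names and regular expressions are assumptions made for this illustration.

```python
import re

# Constructed sample: an excerpt of the `spamassassin -t` report quoted in the post.
REPORT = """\
-0.1 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [193.169.121.143 listed in list.dnswl.org]
-2.0 RCVD_IN_RP_SAFE        RBL: Sender is in Return Path Safe (trusted relay)
                            [Return Path SenderScore Safe List (formerly]
                            [Habeas Safelist) - <http://www.senderscorecertified.com>]
 0.5 RCVD_IN_HOSTKARMA_YE   RBL: HostKarma: relay in yellow list (varies)
                            [193.169.121.143 listed in hostkarma.junkemailfilter.com]
-3.0 RCVD_IN_RP_CERTIFIED   RBL: Sender is in Return Path Certified (trusted
                            relay)
                            [Return Path SenderScore Certified (formerly]
                            [Bonded Sender) - <http://www.senderscorecertified.com>]
-2.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
"""

RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_report(text):
    """Return [(score, rule, description)] with continuation lines folded in."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append([float(m.group(1)), m.group(2), m.group(3).strip()])
        elif rules and line.strip():
            rules[-1][2] += " " + line.strip()
    return [tuple(r) for r in rules]

def rbl_rules_without_ip(text):
    """Names of RBL: rules whose bracketed detail contains no IPv4 address."""
    missing = []
    for score, rule, desc in parse_report(text):
        if not desc.startswith("RBL:"):
            continue
        details = " ".join(re.findall(r"\[([^\]]*)\]", desc))
        if not IPV4.search(details):
            missing.append(rule)
    return missing

if __name__ == "__main__":
    for name in rbl_rules_without_ip(REPORT):
        print(f"{name}: RBL hit reported without the IP address that matched")
```

The check only matches IPv4 addresses; a report from an IPv6 relay would need a second pattern.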