unexpected outgoing spam classification based on X-Originating-IP

Wolfgang Rosenauer wolfgang.rosenauer at an-netz.de
Sat Aug 18 11:49:47 CEST 2018


I'm running Postfix + amavisd-new + spamassassin on my mailserver(s) and my users have access to a webmail system to send mails.
Just recently I got an unexpected spam classifiation from an outgoing mail which I do not really fully understand:

First upstream SMTP client IP address: [] 
Received from:
-> this is my webmail system which sends mail as a client via Submission and SMTP AUTH.

Return-Path: <anonymized> mailto:christiane at rosenauer.org
From: anonymized
Message-ID: <1227337344.171.1534513303678 at ox.an-netz.de> mailto:1227337344.171.1534513303678 at ox.an-netz.de
X-Mailer: Open-Xchange Mailer v7.10.0-Rev12
Subject: Re: Anfrage
Not quarantined.

The message WILL BE relayed to:
<anonymized> mailto:landgasthof.egerbach at aon.at

Spam scanner report:
Spam detection software, running on the system "my mailserver",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
postmaster for details.

Content preview:  

Content analysis details:   (7.2 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
0.0 HTML_MESSAGE           BODY: HTML included in message
3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
[ listed in zen.spamhaus.org]
0.7 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
[ listed in bb.barracudacentral.org]
1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS

The IP listed above is the dialup IP used send the mail via the webmailer. It is rightfully listed in PBL because it's "dialup".
But it only is listed/used as X-Originating-IP.
So this is a fully legitimate mail as it was sent authenticated.

I was quite a bit surprised. I guess (haven't checked yet) that I can workaround this issue by whitelisting something. I also would be interested in pointers to that but I'm wondering also from a more general point of view if looking at X-Originating-IP for RBLs really makes sense?
I already tag and filter authenticated delivered mail as originating and send it to a different amavis port and tag it there as "ORIGINATING" policy.

$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 0, # enables disclaimer insertion if available
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1], # allow sending any file names and types
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option

Any indicators about this issue? Does it make sense? How to fix it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20180818/e4e3b1f6/attachment.html>

More information about the amavis-users mailing list