FROM/MX_MATCHES_NOT_HELO(DOMAIN)=21.39
Robert Felber
robtone at ek-muc.de
Fri Jul 1 10:46:25 CEST 2011
On Thu, Jun 30, 2011 at 03:29:21PM -0700, Christopher Hunt wrote:
> Gurus,
> I'm having a lot of trouble resolving an issue with the
> FROM/MX_MATCHES_NOT_HELO(DOMAIN) score. It is legitimate, desired
> email sent from a vendor through a hosting farm. Here are the headers
> from this message which is getting rejected:
>
> NOT_IN_SBL_XBL_SPAMHAUS=-1.5
> IN_SORBS_NET=2.35
It's also on a BL. The private address in the A records and the BL
listing trigger more caution.
The example.inetu.net server doesn't appear to be responsible for the sender
domain, which is a normal thing - but in consideration of the BL and the fishy
sign of private records in public names it could also be an owned SMTP.
> BOGUS_MX=4.45
> CL_IP_EQ_HELO_IP=-2 (check from: .example. - helo: .example2.inetu. -
> helo-domain: .inetu.)
> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=21.39
> CLIENT_NOT_MX/A_FROM_DOMAIN=3.85
> CLIENT/24_NOT_MX/A_FROM_DOMAIN=3.85;
> <client=x.x.x.58>
> <helo=example2.inetu.net>
> <from=katherine at example.com> <to=ron at mycompany.example>;
> rate: 32.39
>
> The ONLY fishy thing I can see is that one of the A records for
> example.com (the sender's domain) resolves to an RFC1918 Private IP
> address. Could that really be causing this very high score? My
> $REJECTLEVEL = 11.5;
>
> I'm using the defaults here:
> [root at mail01-01 ~]# grep from_match_regex_verified_helo
> /etc/policyd-weight.conf
> [root at mail01-01 ~]# /usr/sbin/policyd-weight defaults | grep
> from_match_regex_verified_helo
> @from_match_regex_verified_helo = (1, -2 );
>
> #from man policyd-weight.conf
> @bogus_mx_score (2.1, 0)
> If the sender domain has neither MX nor A records or these
> records resolve to a bogus IP-Address (for instance private
> networks) then this check assigns the full score of
> bogus_mx_score. If there is no MX but an A record of the sender
> domain then it receives a penalty only if DNSBL-listed.
> Log Entries:
> BOGUS_MX
> The sender A and MX records are bogus or empty.
> BAD_MX
> The sender domain has an empty or bogus MX record and the
> client is DNSBL listed.
> Related RFCs:
> [1918] Address Allocation for Private Internets
> [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)
>
>
> [root at mail01-04 ~]# dig example.com
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> example.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18021
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;example.com. IN A
> ;; ANSWER SECTION:
> example.com. 1 IN A 192.168.29.2
> example.com. 1 IN A x.x.x.97
> ;; Query time: 65 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jun 22 15:33:54 2011
> ;; MSG SIZE rcvd: 64
>
> [root at mail01-04 ~]# dig mx example.com
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> mx example.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23820
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 11
>
> ;; QUESTION SECTION:
> ;example.com. IN MX
>
> ;; ANSWER SECTION:
> example.com. 1 IN MX 25
> example.com.inbound25.mxlogicmx.net.
> example.com. 1 IN MX 35
> example.com.inbound35.mxlogicmx.net.
> example.com. 1 IN MX 15
> example.com.inbound15.mxlogicmx.net.
> example.com. 1 IN MX 15
> example.com.inbound15.mxlogic.net.
> example.com. 1 IN MX 25
> example.com.inbound25.mxlogic.net.
> example.com. 1 IN MX 35
> example.com.inbound35.mxlogic.net.
>
> ;; ADDITIONAL SECTION:
> example.com.inbound35.mxlogicmx.net. 14197 IN A 208.65.145.11
> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.144.13
> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.145.12
> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.145.13
> example.com.inbound15.mxlogicmx.net. 14197 IN A 208.65.144.12
> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.144.12
> example.com.inbound15.mxlogicmx.net. 14197 IN A 208.65.144.13
> example.com.inbound25.mxlogic.net. 14197 IN A 208.65.145.11
> example.com.inbound25.mxlogicmx.net. 14197 IN A 208.65.145.11
> example.com.inbound15.mxlogicmx.net. 14197 IN A 208.65.145.12
> example.com.inbound35.mxlogic.net. 14197 IN A 208.65.145.11
>
> Thanks,
> -Chris
> _______________________________________________
> Policyd-weight-users Mailingliste
> JPBerlin - Politischer Provider
> Policyd-weight-users at listen.jpberlin.de
> https://listen.jpberlin.de/mailman/listinfo/policyd-weight-users
--
Robert Felber, PGP: D1B2F2E5 http://www.selling-it.de
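The man page excerpt quoted above describes BOGUS_MX and BAD_MX in words, and the log line shows FROM/MX_MATCHES_NOT_HELO firing on the same message. The following script, added here as an illustration and not part of the thread or of policyd-weight itself, re-implements those three rules as the man page states them and runs them over the records from the dig output. It assumes its own "bogus" address list (RFC 1918 plus loopback, link-local and 0/8), a last-two-labels notion of domain, and uses 203.0.113.97 as a stand-in for the redacted x.x.x.97.

```python
import ipaddress

# Constructed sample input, copied from the dig output and the policyd-weight log line
# in the thread. The public A record is redacted as "x.x.x.97" there; 203.0.113.97
# (a documentation-range address) stands in for it.
SENDER_DOMAIN = "example.com"
SENDER_A_RECORDS = ["192.168.29.2", "203.0.113.97"]
SENDER_MX_HOSTS = [
    "example.com.inbound15.mxlogic.net.", "example.com.inbound25.mxlogic.net.",
    "example.com.inbound35.mxlogic.net.", "example.com.inbound15.mxlogicmx.net.",
    "example.com.inbound25.mxlogicmx.net.", "example.com.inbound35.mxlogicmx.net.",
]
HELO_NAME = "example2.inetu.net"

# Ranges treated as "bogus" for a public MX/A target (assumption: RFC 1918 plus a few
# ranges that are never reachable from the Internet; policyd-weight's own list may differ).
BOGUS_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" network
)]


def is_bogus(ip: str) -> bool:
    """True when the address is unparseable or lies inside one of BOGUS_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in BOGUS_NETWORKS)


def base_domain(hostname: str) -> str:
    """Last two labels of a host name, e.g. inbound15.mxlogic.net -> mxlogic.net
    (assumption: no public-suffix-list handling)."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])


def evaluate_sender(sender_domain, a_records, mx_hosts, helo, dnsbl_listed):
    """Rules as the quoted man page describes them; a re-implementation, not policyd-weight's code."""
    bogus_a = [ip for ip in a_records if is_bogus(ip)]
    helo_dom = base_domain(helo)
    mx_domains = {base_domain(h) for h in mx_hosts}
    return {
        # BOGUS_MX: neither MX nor A, or records resolving to a bogus address -> full score
        "BOGUS_MX": (not mx_hosts and not a_records) or bool(bogus_a),
        # BAD_MX: no MX but an A record, penalised only when the client is DNSBL-listed
        "BAD_MX": not mx_hosts and bool(a_records) and dnsbl_listed,
        # FROM/MX_MATCHES_NOT_HELO: HELO domain is neither the sender domain nor any MX host's domain
        "FROM/MX_MATCHES_NOT_HELO": helo_dom != base_domain(sender_domain) and helo_dom not in mx_domains,
        "bogus_a_records": bogus_a,
    }


if __name__ == "__main__":
    for name, hit in evaluate_sender(SENDER_DOMAIN, SENDER_A_RECORDS, SENDER_MX_HOSTS, HELO_NAME, True).items():
        print(f"{name}: {hit}")
```

Run against the thread's records, it flags 192.168.29.2 as the bogus A record and reports the HELO domain (inetu.net) as matching neither example.com nor mxlogic.net / mxlogicmx.net, which is exactly the combination the reply above points at.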