FROM/MX_MATCHES_NOT_HELO(DOMAIN)=21.39

Christopher Hunt dharmachris at gmail.com
Fri Jul 1 17:25:13 CEST 2011


Mr. Felber,
Thank you for your quick reply.  I will work with the sender on those
issues.  I will be whitelisting the sender or recipient according to
http://www.policyd-weight.org/faq.html#whitelisting.

I have an additional question though, somewhat related:  Do you generally
recommend that policyd-weight appear last in smtp_recipient_restrictions?

Here's what I have now:

smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               check_policy_service inet:127.0.0.1:12525,
                               reject_unknown_reverse_client_hostname,
                               reject_invalid_hostname,
                               reject_non_fqdn_hostname,
                               reject_rbl_client zen.spamhaus.org,
                               reject_unknown_sender_domain,
                               reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unauth_destination,
                               reject_unlisted_recipient


I wonder if I couldn't take some load off of policyd-weight by moving it to
the end of the list..

-Chris

P.S.  The IRC server's .com web site mentioned on the website seems to be down,
but the .net is up.
On Jul 1, 2011 3:36 AM, "Robert Felber" <robtone at ek-muc.de> wrote:
> On Thu, Jun 30, 2011 at 03:29:21PM -0700, Christopher Hunt wrote:
>> Gurus,
>>  I'm having a lot of trouble resolving an issue with the
>> FROM/MX_MATCHES_NOT_HELO(DOMAIN) score.  It is legitimate, desired
>> email sent from a vendor through a hosting farm. Here are the headers
>> from this message which is getting rejected:
>>
>> NOT_IN_SBL_XBL_SPAMHAUS=-1.5
>> IN_SORBS_NET=2.35
>
> It's also on a BL. The private address in the A records and the BL
> listing trigger more caution.
>
> The example.inetu.net server doesn't appear to be responsible for the sender
> domain, which is a normal thing - but in consideration of the BL and the fishy
> sign of private records in public names it could also be an owned SMTP.
>
>
>> BOGUS_MX=4.45
>> CL_IP_EQ_HELO_IP=-2 (check from: .example. - helo: .example2.inetu. -
>> helo-domain: .inetu.)
>> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=21.39
>> CLIENT_NOT_MX/A_FROM_DOMAIN=3.85
>> CLIENT/24_NOT_MX/A_FROM_DOMAIN=3.85;
>> <client=x.x.x.58>
>> <helo=example2.inetu.net>
>> <from=katherine at example.com> <to=ron at mycompany.example>;
>> rate: 32.39
>>
>> The ONLY fishy thing I can see is that one of the A records for
>> example.com (the sender's domain) resolves to an RFC1918 Private IP
>> address. Could that really be causing this very high score? My
>> $REJECTLEVEL = 11.5;
>>
>> I'm using the defaults here:
>> [root at mail01-01 ~]# grep from_match_regex_verified_helo
>> /etc/policyd-weight.conf
>> [root at mail01-01 ~]# /usr/sbin/policyd-weight defaults | grep
>> from_match_regex_verified_helo
>>    @from_match_regex_verified_helo   = (1,         -2    );
>>
>> #from man policyd-weight.conf
>> @bogus_mx_score (2.1, 0)
>> If the sender domain has neither MX nor A records or these
>> records resolve to a bogus IP-Address (for instance private
>> networks) then this check assigns the full score of
>> bogus_mx_score. If there is no MX but an A record of the sender
>> domain then it receives a penalty only if DNSBL-listed.
>> Log Entries:
>> BOGUS_MX
>> The sender A and MX records are bogus or empty.
>> BAD_MX
>> The sender domain has an empty or bogus MX record and the
>> client is DNSBL listed.
>> Related RFCs:
>> [1918] Address Allocation for Private Internets
>> [2821] Simple Mail Transfer Protocol (Sect 3.6 and Sect 5)
>>
>>
>> [root at mail01-04 ~]# dig example.com
>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> example.com
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18021
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>> ;; QUESTION SECTION:
>> ;example.com.                        IN      A
>> ;; ANSWER SECTION:
>> example.com.         1       IN      A       192.168.29.2
>> example.com.         1       IN      A       x.x.x.97
>> ;; Query time: 65 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Wed Jun 22 15:33:54 2011
>> ;; MSG SIZE  rcvd: 64
>>
>> [root at mail01-04 ~]# dig mx example.com
>>
>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> mx example.com
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23820
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 11
>>
>> ;; QUESTION SECTION:
>> ;example.com.                        IN      MX
>>
>> ;; ANSWER SECTION:
>> example.com.         1       IN      MX      25 example.com.inbound25.mxlogicmx.net.
>> example.com.         1       IN      MX      35 example.com.inbound35.mxlogicmx.net.
>> example.com.         1       IN      MX      15 example.com.inbound15.mxlogicmx.net.
>> example.com.         1       IN      MX      15 example.com.inbound15.mxlogic.net.
>> example.com.         1       IN      MX      25 example.com.inbound25.mxlogic.net.
>> example.com.         1       IN      MX      35 example.com.inbound35.mxlogic.net.
>>
>> ;; ADDITIONAL SECTION:
>> example.com.inbound35.mxlogicmx.net. 14197 IN A 208.65.145.11
>> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.144.13
>> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.145.12
>> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.145.13
>> example.com.inbound15.mxlogicmx.net. 14197 IN A 208.65.144.12
>> example.com.inbound15.mxlogic.net. 14197 IN A 208.65.144.12
>> example.com.inbound15.mxlogicmx.net. 14197 IN A 208.65.144.13
>> example.com.inbound25.mxlogic.net. 14197 IN A 208.65.145.11
>> example.com.inbound25.mxlogicmx.net. 14197 IN A 208.65.145.11
>> example.com.inbound15.mxlogicmx.net. 14197 IN A 208.65.145.12
>> example.com.inbound35.mxlogic.net. 14197 IN A 208.65.145.11
>>
>> Thanks,
>> -Chris
>> _______________________________________________
>> Policyd-weight-users Mailingliste
>> JPBerlin - Politischer Provider
>> Policyd-weight-users at listen.jpberlin.de
>> https://listen.jpberlin.de/mailman/listinfo/policyd-weight-users
>
> --
> Robert Felber, PGP: D1B2F2E5 http://www.selling-it.de
>
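On the ordering question, here is an illustrative rearrangement of the same restriction list. It is added here and is not a recommendation quoted from the thread or from the policyd-weight project; it relies only on the documented Postfix behaviour that the list is evaluated left to right and the first restriction returning OK or REJECT ends evaluation, so the policy daemon is consulted only for mail that survives the cheaper Postfix-native checks. It also spells the DNSBL zone out in full, since a name like `zen.spamhaus` without `.org` is not a zone that will ever answer a query.

```ini
# Added example: restrictions reordered so that the relay guard, local
# syntax/recipient checks and the single-lookup RBL test run before the
# policy daemon. Restriction names are the ones used in the thread.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:12525
```

Two caveats follow from the same evaluation rule. A policyd-weight whitelist entry cannot rescue a client that an earlier reject_* test has already turned away, so an exception for a vendor that fails, say, reject_unknown_reverse_client_hostname has to be made in Postfix itself (for example with a check_client_access table placed before that test) rather than only in policyd-weight. And moving reject_unauth_destination up does nothing for load, but it keeps the relay guard from depending on anything evaluated after it.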
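As an added example that is not part of the thread or of policyd-weight's own Perl code, the script below re-creates the bogus_mx_score logic the quoted man page describes, run offline against a resolver table constructed from the dig output above. It lets an administrator see which record trips BOGUS_MX before deciding whether a whitelist entry is the right fix. The function names (check_bogus_mx, is_bogus), the extra domains (clean.example, intranet.example, lonely.example) and the rule that a single bogus address earns the full score are assumptions drawn from what the thread shows, not from policyd-weight's source.

```python
"""Offline re-creation of the bogus_mx_score check quoted in the thread.

Added example, not policyd-weight's own code. The resolver table is
constructed from the dig output in the message; example.com's masked
public A record (x.x.x.97 on the page) is left out because its value is
not known, and the private record alone is what matters for this check.
"""
import ipaddress
from typing import Dict, List, Tuple

Records = Dict[Tuple[str, str], List[str]]

# Constructed stand-in for DNS. clean.example, intranet.example and
# lonely.example are invented domains used to exercise the other branches.
SAMPLE_RECORDS: Records = {
    ("example.com", "A"): ["192.168.29.2"],
    ("example.com", "MX"): ["15 example.com.inbound15.mxlogic.net",
                            "25 example.com.inbound25.mxlogic.net"],
    ("example.com.inbound15.mxlogic.net", "A"): ["208.65.144.13", "208.65.145.12"],
    ("example.com.inbound25.mxlogic.net", "A"): ["208.65.145.11"],
    ("clean.example", "MX"): ["10 example.com.inbound25.mxlogic.net"],
    ("intranet.example", "A"): ["10.0.0.5"],
    ("lonely.example", "A"): ["208.65.144.12"],
}


def lookup(name: str, rtype: str, records: Records) -> List[str]:
    """Resolve name/rtype from the constructed table (trailing dot tolerated)."""
    return records.get((name.rstrip(".").lower(), rtype), [])


def is_bogus(ip: str) -> bool:
    """True for an address no public mail host should resolve to: RFC 1918
    and other non-global space (loopback, link-local, documentation ranges,
    shared address space, class E), multicast, or not an IP address at all."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_private or addr.is_multicast or not addr.is_global


def check_bogus_mx(domain: str, records: Records = SAMPLE_RECORDS,
                   client_dnsbl_listed: bool = False,
                   bogus_mx_score: Tuple[float, float] = (2.1, 0)):
    """Classify a sender domain the way the quoted man page describes.

    Returns (label, score, offending_ips). Assumptions beyond the man page
    text: the domain's own A records are examined even when MX records exist
    (the thread shows valid mxlogic MX hosts, yet BOGUS_MX fired on the
    192.168.29.2 A record), and one bogus address earns the full score.
    The default (2.1, 0) is the man page default quoted in the thread.
    """
    mx_hosts = [entry.split()[-1] for entry in lookup(domain, "MX", records)]
    addresses = {domain: lookup(domain, "A", records)}
    for host in mx_hosts:
        addresses[host] = lookup(host, "A", records)
    all_ips = [ip for ips in addresses.values() for ip in ips]
    offending = sorted(ip for ip in all_ips if is_bogus(ip))

    if not all_ips or offending:
        # "neither MX nor A records, or these records resolve to a bogus IP"
        return "BOGUS_MX", bogus_mx_score[0], offending
    if not mx_hosts and client_dnsbl_listed:
        # "no MX but an A record": penalised only when the client is DNSBL listed
        return "BAD_MX", bogus_mx_score[0], offending
    return "OK", bogus_mx_score[1], offending


if __name__ == "__main__":
    for name in ("example.com", "clean.example", "intranet.example", "lonely.example"):
        print(name, check_bogus_mx(name))
```

Running it shows example.com flagged solely because of 192.168.29.2, which is the point worth taking back to the sender: a whitelist entry hides the symptom on one receiving site, whereas removing the RFC 1918 address from the domain's public A records fixes the score everywhere the vendor sends mail.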

