hi
i recently had a few false positives on my private PMG spam filter. Here is the spam info part of the header of such a false positive email:
Code:
X-SPAM-LEVEL: Spam detection results: 4
AWL -1.164 Adjusted score from AWL reputation of From: address
DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
HTML_MESSAGE 0.001 HTML included in message
KAM_EU 0.5 Prevalent use of .eu in spam/malware
RCVD_IN_BL_SPAMCOP_NET 1.246 Received via a relay in bl.spamcop.net
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust
RCVD_IN_SBL_CSS 3.558 Received via a relay in Spamhaus SBL-CSS
SPF_HELO_PASS -0.001 SPF: HELO matches SPF record
SPF_PASS -0.001 SPF: sender matches SPF record
T_KAM_HTML_FONT_INVALID 0.01 Test for Invalidly Named or Formatted Colors in HTML
x-spam-mail: yes
the sender is using office365 and the only ip in the header that i found was blacklisted with spamhaus was the ip of the sender's ISP which terminates his internet connection. the ip was mentioned in the mail header like this:
Code:
x-originating-ip: [51.154.8.96]
now since the sender is using a cheap private internet connection with dynamic IPs it is of course very likely that such IPs are blacklisted on any blacklists, since these are often "polluted" IPs and nobody cares to unlist them and nobody keeps them for long.
is there a way to tell PMG to only look at IPs of mailservers that the mail passed through and not the client's ip?
cheers
Pascal