Bug 7359 - RCVD_IN_BRBL_LASTEXT block local IP
Summary: RCVD_IN_BRBL_LASTEXT block local IP
Status: RESOLVED INVALID
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: 3.4.0
Hardware: PC All
: P2 normal
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-14 15:51 UTC by Michaël
Modified: 2018-02-03 01:57 UTC (History)
4 users (show)


Attachment Type Modified Status Actions Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michaël 2016-10-14 15:51:02 UTC 
We have email send by local exchange to an other local server (Zimbra) protected by SpamAssassin
But these mails are tag as SPAM
When we check header, we can see that rules RCVD_IN_BRBL_LASTEXT is matched
On Wiki (http://wiki.apache.org/spamassassin/Rules/RCVD_IN_BRBL_LASTEXT) we can read that this correspond to a blacklist on Barracuda for the last relay IP but allow IP in the relay list are local (private IP: 127.0.0.1, 192.168.10.x and 192.168.20.x)
We have check local IP and domain name on Barracuda, no blacklist found.
Comment 1 AXB 2016-10-14 16:15:04 UTC 
please provide debug data for such a message and sample to test against or take this to the SA user's mailing list.
Comment 2 Michaël 2016-10-17 07:06:02 UTC 
Yes we can show you all header from an email.
But how can we send you these information not in "public" mode ?
We don't want to publish information about client and server used
Comment 3 RW 2016-10-17 12:54:54 UTC 
(In reply to Michaël from comment #2)
> Yes we can show you all header from an email.
> But how can we send you these information not in "public" mode ?
> We don't want to publish information about client and server used

So can obfuscate server names and rDNS provided you leave it clear what's going on. It's the IP addresses that matter; and you previously wrote that they are all from the private ranges.
Comment 4 Bill Cole 2016-10-17 15:56:58 UTC 
(In reply to Michaël from comment #0)
> We have email send by local exchange to an other local server (Zimbra)
> protected by SpamAssassin
> But these mails are tag as SPAM

This is almost certainly a configuration error, not a SpamAssassin bug.

> When we check header, we can see that rules RCVD_IN_BRBL_LASTEXT is matched
> On Wiki (http://wiki.apache.org/spamassassin/Rules/RCVD_IN_BRBL_LASTEXT) 

As the name suggests, that rule checks the last "external" Received header. The parsing of Received to decide whether a they are internal or external and whether a they can be trusted as accurate is governed by 3 configuration options that you MUST set correctly to get correct characterization of Received headers by SpamAssassin: 

internal_networks
trusted_networks
msa_networks

To be certain of what address SpamAssassin is checking you need to check a misidentified message using the SpamAssassin configuration which misidentified it, with the option '-D metadata,received-header' so that you get SpamAssassin's debug messages regarding its classification of Received headers.

The most likely problem is that the IP address of your Exchange server needs to be included in *all three* of those network lists. If it is not, SpamAssassin may detect the submission of mail to the Exchange server as an 'external' transport step and check the address from that Received header against the BRBL and other DNSBLs.
Comment 5 Giovanni Bechis 2018-02-03 00:18:33 UTC 
I think this is a configuration problem and no email has been attached to test the possible bug.
Time to close this bz ?
Comment 6 Bill Cole 2018-02-03 01:57:41 UTC 
The Reporter never followed up with adequate data to even demonstrate that the problem existed. This is and always has been OBVIOUSLY a local configuration problem, grounded in a failure to correctly define the 3 *_networks parameters that are REQUIRED to enable SA to determine the correct Received header to parse for DNSBL checks. 

This is, AT MOST, an issue to be resolved by a more careful reading of the documentation and/or consultation with more expert SA users, e.g. the spamassassin-users mailing list. 

Simply put: 

"I don't know how to follow detailed documentation"  IS NOT A BUG