spamassassin-users mailing list archives

From Kris Deugau <kdeu...@vianet.ca>
Subject Re: how to parse back through forwarding headers to find the true source IP
Date Thu, 08 Dec 2016 17:18:52 GMT
> On 12/8/2016 10:54 AM, Marcus Schopen wrote:
>> Hi,
>>
>> some of my users forward external mails to my host. In some cases those
>> forwarding hosts don't filter spam. How do I parse back through
>> forwarding headers to find the true source IP and run dnsrbl checks on
>> that IP. I don't want to reject those mails in case of spam, so that the
>> forwarding host will become a backscatter, but just marking them. I
>> tried to set the forwarding host IPs to trusted_networks, which helps
>> with wrong dnswl.org checks, but RBL checks are disabled then. Any ideas
>> how to handle that?

Not sure what you mean by "RBL checks are disabled then";  do you mean
that none of them fire when expected?

*Some* DNSBL rules will fire differently in this case depending on
whether they were defined with -lastexternal or -firsttrusted, but most
should work fine and do what you want.

I do this here for customers who have domain mail hosted with a third
party, with mail forwarded to their ISP account with us.

Kevin A. McGrail wrote:
> I would answer that you can't.  Unless they forward you the source or
> the original email as an attachment, many times that information is lost.

That depends on whether this is automated forwarding at the mail system
level, or by-hand forwarding in any mail client.

Automated forwarding should just be another SMTP hop, and adding the
third-party host to trusted_networks should work just fine[1].

Mail that was forwarded by hand, yeah, you're usually stuck unless you
can teach your users how to properly forward as attachment.  Inline
forwards rarely include *any* origin IP info, or any headers at all
other than From, To, CC, Subject, and Date.

-kgd

[1] Unless the third party mail host is one who routes forwarded mail
for a single domain through outbound IPs across half a dozen /8 ranges
(yes, really, I have observed this personally).  In which case you can
either give up on getting correct origin IP information, or play
trusted_networks whack-an-IP until the results are "good enough".
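
Added example (not part of the original message and not SpamAssassin's own code): a simplified Python model of the Received-header walk that applies to the automated-forwarding case above. The header layout, host names, addresses and the dnsbl.example zone are constructed, and the model does not distinguish internal_networks from trusted_networks.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: 198.51.100.25 is the third-party forwarder,
# 203.0.113.77 is the host that handed the mail to the forwarder.
RAW = """\
Received: from fwd.thirdparty.example (fwd.thirdparty.example [198.51.100.25])
\tby mx.isp.example with ESMTP id A1; Thu, 08 Dec 2016 17:00:03 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.77])
\tby fwd.thirdparty.example with ESMTP id B2; Thu, 08 Dec 2016 17:00:01 +0000
Received: from client.sender.example (client [10.1.2.3])
\tby mail.sender.example with ESMTP id C3; Thu, 08 Dec 2016 17:00:00 +0000
From: a@sender.example
To: user@customer.example
Subject: constructed test

body
"""

# Relay address as "(rdns [a.b.c.d])"; other Received layouts are not handled.
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def relay_ips(raw):
    """Connecting-relay IPs from the Received headers, newest hop first."""
    msg = message_from_string(raw)
    found = (RELAY_IP.search(h) for h in msg.get_all("Received", []))
    return [ipaddress.ip_address(m.group(1)) for m in found if m]

def first_untrusted_relay(raw, trusted):
    """Walk back from our own MX; stop at the first relay not in `trusted`.

    Headers below that point were written by hosts we do not trust and may
    be forged, so the walk never goes further.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in relay_ips(raw):
        if not any(ip in net for net in nets):
            return ip
    return None

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: reversed octets + zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

if __name__ == "__main__":
    for trusted in ([], ["198.51.100.0/24"]):
        ip = first_untrusted_relay(RAW, trusted)
        print(trusted, "->", ip, dnsbl_name(ip, "dnsbl.example"))
```

With an empty trusted list the lookup targets the forwarder itself; a forwarder that sends from an outbound IP missing from the list, as in footnote [1], produces the same result.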
