checking all IPs in the email header


QuantumMechanic

Hi,

I have two problems that hopefully have one solution, if one exists.

1. Emails onto my network go through a firewall - this adds a hop onto the email and consequently the headers are modified and a DNSBL check on the connection IP is not triggered since it is an internal IP address.

2. Email from an ISP account are checked, but not against spamcop, I can forward these emails to my sendmail server for my collection, DNSBL checking would occur but the ip would just be the IP of the ISP's mailserver.

In short I want to check all the IPs in the headers against a DNSBL, or the penultimate hop's IP address for blacklisting.

Link to comment
Share on other sites

I'm not quite seeing where/how this relates to the use of the SpamCopDNSBL ... not quite sure why a "firewall" would be "adding a hop" either .... moving to the Lounge for now ... the other choice would have been Geek/Tech Things > Software Issues .. however, nothing has been identified in the query ....

Link to comment
Share on other sites

I'm not quite seeing where/how this relates to the use of the SpamCopDNSBL ... not quite sure why a "firewall" would be "adding a hop" either .... moving to the Lounge for now ... the other choice would have been Geek/Tech Things > Software Issues .. however, nothing has been identified in the query ....

Wow wazoo you really are a pedantic prick. Granted it is a generic question that relates to all DNSBL - and that includes the mighty SCBL.

A firewall would add a hop if it was an email proxy, which is kind of beside the point if you took the time to read the posting.

Link to comment
Share on other sites

A firewall would add a hop if it was an email proxy, which is kind of beside the point if you took the time to read the posting.

I am not a server admin, but I do remember that an admin did say that his 'firewall' was on a separate machine and that all his trojanned machines used it to send spam, but he didn't care because it wasn't used for sending email.

In another thread, someone has an outbound machine which doesn't accept inbound and so has no MX records.

I am not quite sure what you want to do. Whatever computer is the 'first' one to receive email is the one that should be using DNSBLs unless you are intending to accept all email and either tag or drop it. If you are collecting all 'questionable' email, then I would think using something like spamassassin where various bls can be used as part of the criteria would be the answer (and that's usually on another hop).

I don't understand why /all/ the IPs in the headers have to be checked. Only the last sending one is necessary. To check all the IPs is why people use spamcop.

I didn't answer before because I am not really technically fluent, but since no one else has chimed in, that's my layman understanding of what server admins do with incoming email to filter it for spam. Perhaps others are confused also. Maybe if you rephrased your question, you would get more useful answers?

Miss Betsy

Link to comment
Share on other sites

Yes the first computer (or border computer) to encounter the spam should check the IP, however in an email proxy situation, the email connection is passed to the sendmail MTA by the firewall but the originating IP is changed - the connection traffic is in realtime from the spammer to the sendmail server, so a DNSBL block would work logically if I could just get sendmail to look at the headers in a different way.

Yes I would like for my ISP to install DNSBL on my ISP email account, however they do not add enough BL's. Consequently I get buckets of spam that is untagged and I want to stop this - having given up requesting that they add more DNSBL's to their MTA I would like to block/drop/identify/timeout (whatever etc) the spam with my sendmail server - since the originating IP will be the innocent ISP I want to get my sendmail to check the hop before in the headers against some DNSBL.

Checking the previous hop's IP and checking all the IP's in the headers are not very different - In short, I am willing to accept a crude hack that could be refined to my needs. I simply do not know what that hack is.....

I could use spamassassin and other milters - but I find that DNSBL are really effective - I just can't seem to use it in these two particular situations. I have searched the net a fair bit before posting and have not found anything that pertains to this problem. I realise that these two problems could be solved via different means - however I think the solution that solves both of them is to obtain a hack for sendmail for its use of DNSBL. I hope that provides more details for you.

Link to comment
Share on other sites

Checking the previous hop's IP and checking all the IP's in the headers are not very different - In short, I am willing to accept a crude hack that could be refined to my needs. I simply do not know what that hack is.....

I could use spamassassin and other milters - but I find that DNSBL are really effective - I just can't seem to use it in these two particular situations. I have searched the net a fair bit before posting and have not found anything that pertains to this problem. I realise that these two problems could be solved via different means - however I think the solution that solves both of them is to obtain a hack for sendmail for its use of DNSBL. I hope that provides more details for you.

I hope so too. The way I understand what you want to do is to be able to check the 2nd IP address as it comes to you (the 2nd being the source IP; the first being your ISP's email proxy/firewall).

Not knowing anything about sendmail, I can't offer any suggestions, but maybe someone else will.

spamassassin does use bls; also the spamcop email service has choices of bls to use. If there isn't a hack, those are alternatives.

Miss Betsy

Link to comment
Share on other sites

Wow wazoo you really are a pedantic prick. Granted it is a generic question that relates to all DNSBL - and that includes the mighty SCBL.

For starters, you posted into a Forum section with the Title and description of;

SpamCop Blocklist Help

A forum to help those who use or have had their e-mail blocked based on use of the SpamCopDNSBL by the receiving ISP.

As stated, I fail to see where/how your post fits into that model. You even take the next step of actually stating "Email from an ISP account are checked, but not against spamcop, ....."

Condition #1 not met: SpamCopDNSBL not used

Condition #2 not met: No mention of e-mail being "blocked by the SpamCopDNSBL"

The wrong Forum section for your post, end of discussion.

As this is the Lounge, I'll guess your initial name-calling exercise will slide (however, note that this mention is also a warning) .. yet, looking back at your posting history, I see that you are in a continuing mode of conflict with answers provided to your posts with insufficient data provided, based on previous responses in previous Topics/Discussions .... time to adjust your posting strategy, it appears .... maybe take a look at the [How-to] Post a Question (and prevent stupid/rude answers) entry ..????

A firewall would add a hop if it was an email proxy, which is kind of beside the point if you took the time to read the posting.

As noted, "nothing defined in the first post" .. it "was read" in the process of trying to decide just where to re-locate it. Technically, a "firewall" and an "email proxy" are not the same thing .... asking a "technical" question while using sloppy terms and definitions can get folks hurt.

Now I see that you are asking if/how other software can be modified to work around your configuration issues .... there again, as I stated in my first response ... this type of query would have pointed to moving your Topic to the Geek/Tech Things > Software Issues Forum section .... but your first post had "nothing defined" (and now we see that some terms used were mis-defined)

Your specific question about making some modification to SpamAssassin would seem better asked at a SpamAssassin support site ... flip side might be asking about help with your "email proxy" .... perhaps stopping it from adding its own header line ...??? (noting that this might have impacts somewhere else ... but then again, the "email proxy" is still an unidentified entity)

Your Subject Line and initial suggested mode of checking "all" IP addresses in an e-mail header seems like a tremendous waste of resources .. normally, the prime concern is the IP address of the sending/connection system, then the addressed-to data .... even going back to the bang-path days, the previous traversal points of the attempted e-mail are generally not of concern during the SMTP delivery attempt ....

Link to comment
Share on other sites

Your Subject Line and initial suggested mode of checking "all" IP addresses in an e-mail header seems like a tremendous waste of resources .. normally, the prime concern is the IP address of the sending/connection system, then the addressed-to data .... even going back to the bang-path days, the previous traversal points of the attempted e-mail are generally not of concern during the SMTP delivery attempt ....

Oddly enough Wazoo, to take a sharp turn, that's the way the SpamCop email system does BL checks to decide whether an email should go to the 'Held' folder. Every IP address in the header is looked up against every DNSBL that the user has specified until either there are no more IP addresses or until there is a hit.

Of course this method means the SpamCop email system cannot use DNSBLs that list, e.g., dynamic or dialup IPs because every normal header would give a hit at the original source.

As to efficiency, it uses lots of caching I expect.

Link to comment
Share on other sites
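The two approaches discussed in this thread (testing only the hop that handed the mail to a relay you trust, and walking every header address until a hit), as an added example that is not from any poster here and is not sendmail or SpamCop code. The zone `dnsbl.example`, the sample headers, the addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from email import message_from_string

ZONE = "dnsbl.example"  # placeholder zone; substitute the DNSBL you use
# Constructed sample: the top line was written by the local sendmail box.
SAMPLE = """\
Received: from proxy.internal.example (proxy.internal.example [10.0.0.5])
\tby mail.internal.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mx.isp.example (mx.isp.example [198.51.100.25])
\tby proxy.internal.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from unknown (HELO pc) ([203.0.113.77])
\tby mx.isp.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Bracketed IPv4 addresses from Received headers, newest hop first."""
    found = []
    for hdr in message_from_string(raw).get_all("Received", []):
        for m in IP_RE.findall(hdr):
            try:
                found.append(ipaddress.IPv4Address(m))
            except ValueError:
                pass  # out-of-range octets, e.g. in a forged line
    return found

def dnsbl_name(ip, zone=ZONE):
    return ".".join(reversed(str(ip).split("."))) + "." + zone  # octets reversed

def dns_listed(name):
    """Live lookup: a listed address resolves into 127.0.0.0/8."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except OSError:
        return False

def first_listed(raw, trusted, resolve=dns_listed, all_hops=False):
    # Drop the leading relays we trust, then test the hop that fed them.
    # all_hops=True also tests older lines, which the sender can forge.
    nets = [ipaddress.ip_network(n) for n in trusted]
    hops = received_ips(raw)
    while hops and any(hops[0] in n for n in nets):
        hops.pop(0)
    for ip in (hops if all_hops else hops[:1]):
        if resolve(dnsbl_name(ip)):
            return str(ip)
    return None
```

With only `10.0.0.0/8` trusted, the tested address is the ISP's mail server; adding the ISP's range to `trusted` moves the check one hop further back, which is the forwarded-mail case from the first post.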

Oddly enough Wazoo, to take a sharp turn, that's the way the SpamCop email system does BL checks to decide whether an email should go to the 'Held' folder. Every IP address in the header is looked up against every DNSBL that the user has specified until either there are no more IP addresses or until there is a hit.

OK ... I don't have a SpamCop.net e-mail account, so no user experience (short of troubleshooting other users' accounts) ... no inside information .. only that picked up from dialog that has transpired here, the newsgroups, and e-mail correspondence with staff ... research that included tracking out data seen in/from provided Tracking URLs usually is focused on other things, but now that you've mentioned it, the listing of IP addresses at the bottom (usually looked at for the reason for Tagging/Moving an e-mail) should have been the clue I didn't connect to what you're saying ....

On the other hand, in my opinion, you're seconding the "it's a software thing" ......

Link to comment
Share on other sites

Of course this method means the SpamCop email system cannot use DNSBLs that list, e.g., dynamic or dialup IPs because every normal header would give a hit at the original source.

And the SpamCop email system does not reject any email either, simply directing it to an Inbox or Held Mail folder depending on the outcome of the testing.

Link to comment
Share on other sites

Can spamassassin do the bl check on the second ip?

Probably not. However, from later answers, it looks as though the spamcop email service does.

Unfortunately since no one has suggested a workaround for you, ISTM, that to do what you want to do is not possible unless you are an experienced programmer. I am surprised that no one has suggested any alternatives because you can't be the only person who has this problem.

As Wazoo said, a spamassassin user forum might be able to tell you what the capabilities of spamassassin are. For that matter, a sendmail user forum might be a better place to ask your question.

Miss Betsy

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
