
I am sure this is a common occurrence: a user (who has an IP that is in a blacklist or two) is sending mail using his email provider's server (with SMTP authentication), then that server is forwarding the message to the recipient.

Here's a sanitized header of such a message.

Received: from email-com-hosting.com ([1.2.3.4])
        by mail.email2.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.84_2)
        (envelope-from <[email protected]>)
        id 1aaaaa-000000-aa
        for [email protected]; Fri, 30 Sep 2016 00:01:00 +0300
DKIM-Signature: some-valid-signature-added-by-1.2.3.4;
Received: from [5.6.7.8] (helo=[10.0.0.1])
        by email-com-hosting.com with esmtpa (Exim 4.76)
        (envelope-from <[email protected]>)
        id 1aaaaa-000000-ab
        for [email protected]; Fri, 30 Sep 2016 00:00:00 +0300

Server 1.2.3.4 is the actual server for email.com, the MX record points to it and everything. IP 5.6.7.8 is in a couple of blacklists.

Spamassassin marks this email as spam because 5.6.7.8 is in a blacklist.

How do I make it ignore all Received headers that have "esmtpa" (authenticated SMTP) and all headers below it? The idea is this:

  1. If the header is genuine and the user is actually authenticated, do not check if the IP is in a blacklist.
  2. If the header is spoofed, then it is useless anyway.
  3. If the user is not authenticated, then check his IP too.

For now I can add -lastexternal or -notfirsthop to all checks, but maybe there is a way to do this incorporating the presence/absence of "a" in the received header.

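A worked version of the three-step policy in the question, added here as an illustration; it is not code from the question or from SpamAssassin itself. It parses the sanitized Received: chain (mail addresses replaced with constructed placeholders), treats the RFC 3848 "with" keywords ESMTPA/ESMTPSA/LMTPA/LMTPSA as the marker that a relay authenticated its client, and stops collecting client IPs for blacklist lookup at the first such hop. The blacklist set and the dnsbl.example zone are constructed stand-ins for real lists.

```python
import re
import socket

# RFC 3848 "with" protocol keywords that indicate the relay authenticated its
# client (ESMTPA/ESMTPSA are what Exim writes as "esmtpa"/"esmtpsa").
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# The two sanitized Received: values from the question, newest hop first as
# they appear in the message. Mail addresses are constructed placeholders.
SAMPLE_RECEIVED = [
    "from email-com-hosting.com ([1.2.3.4]) by mail.email2.com with esmtps "
    "(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) "
    "(envelope-from <sender@example.com>) id 1aaaaa-000000-aa "
    "for rcpt@example.net; Fri, 30 Sep 2016 00:01:00 +0300",
    "from [5.6.7.8] (helo=[10.0.0.1]) by email-com-hosting.com with esmtpa "
    "(Exim 4.76) (envelope-from <sender@example.com>) id 1aaaaa-000000-ab "
    "for rcpt@example.net; Fri, 30 Sep 2016 00:00:00 +0300",
]


def parse_hop(received):
    """Return (client_ip, authenticated) for one Received: header value.

    The client address is the first IPv4 literal in the 'from' clause (before
    ' by '); in Exim and Postfix formats that is the peer address, and it comes
    before any helo=[...] literal the client announced."""
    from_clause = received.split(" by ", 1)[0]
    m = IPV4_RE.search(from_clause)
    client_ip = m.group(1) if m else None
    w = WITH_RE.search(received)
    authenticated = bool(w) and w.group(1).upper() in AUTH_PROTOCOLS
    return client_ip, authenticated


def ips_to_check(received_headers):
    """Walk the hops newest-first and collect the client IPs that should be
    looked up in a DNSBL. At the first hop whose relay authenticated its
    client (esmtpa), stop: that hop's client IP and every older hop are
    skipped (steps 1 and 2 of the question). A chain with no authenticated
    hop yields every client IP (step 3).

    Caveat: the marker is only as trustworthy as the relay that wrote it, so a
    production filter would honour it only on hops written by relays it trusts."""
    to_check = []
    for value in received_headers:
        client_ip, authenticated = parse_hop(value)
        if authenticated:
            break
        if client_ip is not None:
            to_check.append(client_ip)
    return to_check


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name a DNSBL lookup uses, e.g.
    5.6.7.8 in zone dnsbl.example -> 8.7.6.5.dnsbl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def first_listed(received_headers, lookup):
    """Return the first IP (newest hop first) for which lookup(ip) is true,
    or None when no checked hop is listed."""
    for ip in ips_to_check(received_headers):
        if lookup(ip):
            return ip
    return None


def dns_lookup(zone):
    """Real DNSBL lookup factory (needs network): an A record under the zone
    means 'listed'. Not exercised by the offline demo below."""
    def lookup(ip):
        try:
            socket.gethostbyname(dnsbl_query_name(ip, zone))
            return True
        except socket.gaierror:
            return False
    return lookup


if __name__ == "__main__":
    # Offline demo: a constructed blacklist containing the submitting client.
    listed = {"5.6.7.8"}
    print("checked:", ips_to_check(SAMPLE_RECEIVED))                   # ['1.2.3.4']
    print("hit:", first_listed(SAMPLE_RECEIVED, listed.__contains__))  # None
    # Same chain, but the MSA hop was not authenticated: 5.6.7.8 is checked.
    unauth = [SAMPLE_RECEIVED[0], SAMPLE_RECEIVED[1].replace("esmtpa", "esmtp")]
    print("hit:", first_listed(unauth, listed.__contains__))           # 5.6.7.8
```

With the question's chain, only 1.2.3.4 (the provider's MX) is looked up and the message is not flagged; strip the "a" from the second hop and 5.6.7.8 is looked up again. The `-lastexternal` suffix the question mentions approximates the same outcome from the other direction: it checks only the relay that handed the message to your trusted network, which here is 1.2.3.4, regardless of what the older hops say.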

0 Answers