SA has some heuristics in Received.pm to determine which Received: headers should be ignored. Those with IP addresses in RFC1918 domains are ignored, for example. We should also refrain from doing RBL checks on the IP address shown in Received: headers which show that the message was transmitted by _authenticated_ SMTP. According to RFC3848, this is shown by the use of 'by esmtpa' or 'by esmtpsa' in the Received: header.
I believe these issues may be fixed in the (as yet unreleased) SA 3.1.x tree. http://bugzilla.spamassassin.org/show_bug.cgi?id=2462 is the auth-SMTP fix.
Looks like a patch exists for 3.0.x too. Btw, we should also be dropping IPv6 addresses in reserved ranges, especially those with non-global scope.
> Looks like a patch exists for 3.0.x too. If you want this in FC4, please supply a unidiff patch for me. Make sure your patch wont cause problems for us because I wont test it before applying it.
Nah, FC4 is useless for mail for me anyway; I'll not bother updating my FC3 machines until FC5 comes out.
David I am now actively going through upstream 3.0.3 target bugs and looking for the most critical 3.1.0 stuff to backport. Working with the Debian spamassassin maintainer because we have the common goal of making a real 3.0.3 maintenance release. If you consider this issue to be serious enough to warrant a 3.0.3 backport, please open a new bug in upstream bugzilla, CC me and report in this bug the URL. In the upstream report include your backported 3.0.x patch for target inclusion in 3.0.3. http://people.redhat.com/wtogami/temp/spamassassin/ FC2 and FC3 packages of spamassassin-3.0.2 plus stuff already checked into 3.0 branch of SVN. If you want to rebuild for ppc check out the package from FC4.
Looks like it was applied to r112026 in b3_0, so it will be in 3.0.3. Already in rawhide.