Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2007/06/13 03:58:11 UTC
Embarq/Synacor's SA Setup
Before I put my foot in my mouth to my ISP, I'd like to make sure I'm right.
From the headers below, what does Embarq/Synacor consider to be ALL_TRUSTED?
Received: from localhost (localhost.localdomain [127.0.0.1])
by smtp.embarq.synacor.com (Postfix) with ESMTP id 3ECA115F5EC
for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-10 required=10
tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
Received: from smtp.embarq.synacor.com ([127.0.0.1])
by localhost (smtp10.embarq.synacor.com [127.0.0.1]) (amavisd-new,
port 10024)
with ESMTP id J-Y1RUpHW7XQ for <cp...@embarqmail.com>;
Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
Received: from mxintern.schlund.de (mxintern.schlund.de [212.227.126.201])
by smtp.embarq.synacor.com (Postfix) with ESMTP id A323615F5A2
for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
Received: from [172.19.16.7] (helo=home.kundenserver.de)
by mxintern.kundenserver.de with esmtp (Exim 4.50)
id 1HyHiW-0000y9-Mu
for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
Received: from abuse by home.kundenserver.de with local (Exim 3.36 #1)
id 1HyHiW-0004Kl-00
for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
From: Abuse Department <ab...@oneandone.net>
To: "cpollock@embarqmail.com" <cp...@embarqmail.com>
Subject: Re: Fwd: 74.208.53.91 URGENT: Phish Site http://74.208
In-Reply-To: <47...@cpollock>
Message-Id: <E1...@home.kundenserver.de>
Date: Wed, 13 Jun 2007 03:32:12 +0200
X-Virus-Scanned: Symantec AntiVirus Scan Engine
X-UI-Msg-Verification: db928a8b4f3b2a34c9e716dce16c42bc
Content-Type:
X-UID: 3636
X-Length: 4690
--
Chris
KeyID 0xE372A7DA98E6705C
Re: Embarq/Synacor's SA Setup
Posted by Matt Kettler <mk...@verizon.net>.
Chris wrote:
> Before I put my foot in my mouth to my ISP, I'd like to make sure I'm right.
> From the headers below, what does Embarq/Synacor consider to be ALL_TRUSTED?
>
The default trust-path auto-guesser assumes that your MX has a public IP
address, not a private address. It *WILL* break if your MTAs have
private IPs and are static NAT-mapped to public IPs.
My guess is that the scanning machine resolves smtp.embarq.synacor.com
as a private address, causing SA to assume that mxintern.schlund.de is
the MX for the local network, even though it is not.
Based on that assumption, what SA saw was simply a transfer between two
different local private networks attached to the same publicly addressed
MX that is a part of the local net.
This really underscores why it is critical for folks who have NATed
mailservers to explicitly declare a trusted_networks.
More details can be found at:
http://wiki.apache.org/spamassassin/TrustPath
>
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by smtp.embarq.synacor.com (Postfix) with ESMTP id 3ECA115F5EC
> for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:15 -0400 (EDT)
> X-Virus-Scanned: amavisd-new at
> X-Spam-Score: -4.399
> X-Spam-Level:
> X-Spam-Status: No, score=-4.399 tagged_above=-10 required=10
> tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
> Received: from smtp.embarq.synacor.com ([127.0.0.1])
> by localhost (smtp10.embarq.synacor.com [127.0.0.1]) (amavisd-new,
> port 10024)
> with ESMTP id J-Y1RUpHW7XQ for <cp...@embarqmail.com>;
> Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
> Received: from mxintern.schlund.de (mxintern.schlund.de [212.227.126.201])
> by smtp.embarq.synacor.com (Postfix) with ESMTP id A323615F5A2
> for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
> Received: from [172.19.16.7] (helo=home.kundenserver.de)
> by mxintern.kundenserver.de with esmtp (Exim 4.50)
> id 1HyHiW-0000y9-Mu
> for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
> Received: from abuse by home.kundenserver.de with local (Exim 3.36 #1)
> id 1HyHiW-0004Kl-00
> for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
> From: Abuse Department <ab...@oneandone.net>
> To: "cpollock@embarqmail.com" <cp...@embarqmail.com>
> Subject: Re: Fwd: 74.208.53.91 URGENT: Phish Site http://74.208
> In-Reply-To: <47...@cpollock>
> Message-Id: <E1...@home.kundenserver.de>
> Date: Wed, 13 Jun 2007 03:32:12 +0200
> X-Virus-Scanned: Symantec AntiVirus Scan Engine
> X-UI-Msg-Verification: db928a8b4f3b2a34c9e716dce16c42bc
> Content-Type:
> X-UID: 3636
> X-Length: 4690
>
>
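The failure mode described in the reply, and the effect of declaring trusted_networks, can be traced with a small model. This is an added example, not part of either post and not SpamAssassin's own code: a simplified trust-path walk over the two IP-bearing relays in the quoted headers. The resolver tables and the 10.0.0.0/24 trusted network are constructed placeholders, since the page does not give those addresses.

```python
import ipaddress

# RFC 1918 and loopback ranges: what the model treats as "not on the public internet".
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def trust_path(relays, resolve, trusted_networks=None):
    """One bool per relay (newest first): is the handing-off host trusted?
    relays are (from_ip, by_host) pairs; resolve maps by_host -> list of IPs
    as seen from the scanner; trusted_networks=None means auto-guess."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks or []]
    result, in_trusted = [], True
    for from_ip, by_host in relays:
        if in_trusted:
            if trusted_networks is not None:
                # Explicit configuration: only the declared networks count.
                ok = in_nets(from_ip, nets)
            else:
                # Simplified guess: a private 'from' address, or a 'by' host with
                # only private addresses, is taken to be inside the local net.
                by_ips = resolve(by_host)
                by_private = bool(by_ips) and all(in_nets(ip, PRIVATE) for ip in by_ips)
                ok = in_nets(from_ip, PRIVATE) or by_private
            in_trusted = ok  # once trust is lost, every older relay is untrusted
        result.append(in_trusted)
    return result

# The two IP-bearing relays from the quoted headers, newest first.
RELAYS = [("212.227.126.201", "smtp.embarq.synacor.com"),
          ("172.19.16.7", "mxintern.kundenserver.de")]

# Constructed resolver views (assumptions); 198.51.100.x stands in for public addresses.
NAT_VIEW = {"smtp.embarq.synacor.com": ["10.0.0.10"],
            "mxintern.kundenserver.de": ["198.51.100.7"]}
PUBLIC_VIEW = dict(NAT_VIEW, **{"smtp.embarq.synacor.com": ["198.51.100.25"]})

def demo():
    guess_nat = trust_path(RELAYS, lambda h: NAT_VIEW.get(h, []))
    guess_public = trust_path(RELAYS, lambda h: PUBLIC_VIEW.get(h, []))
    explicit = trust_path(RELAYS, lambda h: NAT_VIEW.get(h, []),
                          trusted_networks=["127.0.0.0/8", "10.0.0.0/24"])
    return guess_nat, guess_public, explicit

if __name__ == "__main__":
    for name, flags in zip(("auto-guess, NAT", "auto-guess, public", "explicit"), demo()):
        print(f"{name:20} trusted={flags} ALL_TRUSTED={all(flags)}")
```

Only the auto-guess run with the privately resolving receiving host marks every relay trusted, which is the condition under which ALL_TRUSTED appears in the headers above.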