Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2007/06/13 03:58:11 UTC

Embarq/Synacor's SA Setup

Before I put my foot in my mouth to my ISP, I'd like to make sure I'm right. 
From the headers below, what does Embarq/Synacor consider to be ALL_TRUSTED?


Received: from localhost (localhost.localdomain [127.0.0.1])
        by smtp.embarq.synacor.com (Postfix) with ESMTP id 3ECA115F5EC
        for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:15 -0400 (EDT)
 X-Virus-Scanned: amavisd-new at
 X-Spam-Score: -4.399
 X-Spam-Level: 
 X-Spam-Status: No, score=-4.399 tagged_above=-10 required=10
        tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
 Received: from smtp.embarq.synacor.com ([127.0.0.1])
        by localhost (smtp10.embarq.synacor.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id J-Y1RUpHW7XQ for <cp...@embarqmail.com>;
        Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
 Received: from mxintern.schlund.de (mxintern.schlund.de [212.227.126.201])
        by smtp.embarq.synacor.com (Postfix) with ESMTP id A323615F5A2
        for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
 Received: from [172.19.16.7] (helo=home.kundenserver.de)
        by mxintern.kundenserver.de with esmtp (Exim 4.50)
        id 1HyHiW-0000y9-Mu
        for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
 Received: from abuse by home.kundenserver.de with local (Exim 3.36 #1)
        id 1HyHiW-0004Kl-00
        for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
 From: Abuse Department <ab...@oneandone.net>
 To: "cpollock@embarqmail.com" <cp...@embarqmail.com>
 Subject: Re: Fwd: 74.208.53.91 URGENT: Phish Site http://74.208
 In-Reply-To: <47...@cpollock>
 Message-Id: <E1...@home.kundenserver.de>
 Date: Wed, 13 Jun 2007 03:32:12 +0200
 X-Virus-Scanned: Symantec AntiVirus Scan Engine
 X-UI-Msg-Verification: db928a8b4f3b2a34c9e716dce16c42bc
 Content-Type: 
 X-UID: 3636
 X-Length: 4690

-- 
Chris
KeyID 0xE372A7DA98E6705C

Re: Embarq/Synacor's SA Setup

Posted by Matt Kettler <mk...@verizon.net>.
Chris wrote:
> Before I put my foot in my mouth to my ISP, I'd like to make sure I'm right. 
> From the headers below, what does Embarq/Synacor consider to be ALL_TRUSTED?
>   
The default trust-path auto-guesser assumes that your MX has a public IP
address, not a private address. It *WILL* break if your MTAs have
private IPs and are static NAT-mapped to public IPs.

My guess is that the scanning machine resolves smtp.embarq.synacor.com 
as a private address, causing SA to assume that mxintern.schlund.de is
the MX for the local network, even though it is not.

Based on that assumption, what SA saw was simply a transfer between two
different local private networks attached to the same publicly addressed
MX that is a part of the local net.

This really underscores why it is critical for folks who have NATed
mailservers to explicitly declare a trusted_networks.

More details can be found at:

http://wiki.apache.org/spamassassin/TrustPath



>
> Received: from localhost (localhost.localdomain [127.0.0.1])
>         by smtp.embarq.synacor.com (Postfix) with ESMTP id 3ECA115F5EC
>         for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:15 -0400 (EDT)
>  X-Virus-Scanned: amavisd-new at
>  X-Spam-Score: -4.399
>  X-Spam-Level: 
>  X-Spam-Status: No, score=-4.399 tagged_above=-10 required=10
>         tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
>  Received: from smtp.embarq.synacor.com ([127.0.0.1])
>         by localhost (smtp10.embarq.synacor.com [127.0.0.1]) (amavisd-new, port 10024)
>         with ESMTP id J-Y1RUpHW7XQ for <cp...@embarqmail.com>;
>         Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
>  Received: from mxintern.schlund.de (mxintern.schlund.de [212.227.126.201])
>         by smtp.embarq.synacor.com (Postfix) with ESMTP id A323615F5A2
>         for <cp...@embarqmail.com>; Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
>  Received: from [172.19.16.7] (helo=home.kundenserver.de)
>         by mxintern.kundenserver.de with esmtp (Exim 4.50)
>         id 1HyHiW-0000y9-Mu
>         for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
>  Received: from abuse by home.kundenserver.de with local (Exim 3.36 #1)
>         id 1HyHiW-0004Kl-00
>         for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
>  From: Abuse Department <ab...@oneandone.net>
>  To: "cpollock@embarqmail.com" <cp...@embarqmail.com>
>  Subject: Re: Fwd: 74.208.53.91 URGENT: Phish Site http://74.208
>  In-Reply-To: <47...@cpollock>
>  Message-Id: <E1...@home.kundenserver.de>
>  Date: Wed, 13 Jun 2007 03:32:12 +0200
>  X-Virus-Scanned: Symantec AntiVirus Scan Engine
>  X-UI-Msg-Verification: db928a8b4f3b2a34c9e716dce16c42bc
>  Content-Type: 
>  X-UID: 3636
>  X-Length: 4690
>
>
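
A simplified model of the trust-path guess described in the reply above, added here as an example (it is not SpamAssassin's code and not from the thread). It walks the Received hops from the quoted headers and shows how an MX that resolves to a private address makes every hop trusted, and how an explicit trusted_networks stops that. The DNS answers and the 10.0.0.0/24 range are constructed assumptions, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 ranges plus loopback: what this sketch treats as "not public".
PRIVATE = [ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# (from_ip, by_host) for each Received header quoted in the thread, newest
# first. The last header ("with local", no IP) is not a network hop.
HOPS = [
    ("127.0.0.1", "smtp.embarq.synacor.com"),
    ("127.0.0.1", "localhost"),
    ("212.227.126.201", "smtp.embarq.synacor.com"),
    ("172.19.16.7", "mxintern.kundenserver.de"),
]

def in_any(ip, nets):
    return any(ip_address(ip) in n for n in nets)

def trusted_flags(hops, resolve, trusted_networks=None):
    """Return one bool per hop; trust ends at the first untrusted hop."""
    flags, boundary_passed = [], False
    for from_ip, by_host in hops:
        if boundary_passed:
            ok = False
        elif trusted_networks is not None:
            # Explicit setting: only listed ranges (and loopback) are trusted.
            nets = [ip_network(n) for n in trusted_networks]
            ok = in_any(from_ip, nets + [ip_network("127.0.0.0/8")])
        else:
            # Guessing: a private 'from', or a 'by' host that resolves only
            # to private addresses, is taken to be inside the local network.
            by_ips = resolve.get(by_host, [])
            ok = in_any(from_ip, PRIVATE) or (
                bool(by_ips) and all(in_any(ip, PRIVATE) for ip in by_ips))
        boundary_passed = boundary_passed or not ok
        flags.append(ok)
    return flags

def all_trusted(hops, resolve, trusted_networks=None):
    return all(trusted_flags(hops, resolve, trusted_networks))

# Constructed DNS answers: the scanner sees its own MX as a NATed address,
# versus seeing it at a public address.
NAT_DNS = {"smtp.embarq.synacor.com": ["10.0.0.10"]}
PUBLIC_DNS = {"smtp.embarq.synacor.com": ["198.51.100.10"]}
```

With `NAT_DNS` and no explicit setting, the hop from 212.227.126.201 is counted as local and every relay is trusted, which is the condition under which ALL_TRUSTED fires in the headers above.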