Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2007/04/29 16:33:57 UTC

[Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail

On Saturday 28 April 2007 11:22 pm, Matt Kettler wrote:
> From the looks of it, you need to adjust your trusted_networks.
>
> Right now it looks like it is mis-judging the network boundaries, and
> tagging all mail with the DUL lists.
>
> http://wiki.apache.org/spamassassin/TrustPath
>
Matt, here are the markups from your reply, mine first then Embarq's/Synacor's:

X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on 
cpollock.localdomain
 X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00=-6.4
        autolearn=disabled version=3.1.8

Old-X-Spam-Status: No, score=-2.545 tagged_above=-10 required=6.6
        tests=[ALL_TRUSTED=-1.8, AWL=-0.054, BAYES_00=-2.599,
        DNS_FROM_RFC_ABUSE=0.2, DNS_FROM_RFC_POST=1.708]

Yet your reply is marked as [possible spam].

Here are my trust paths in my local.cf:

trusted_networks 127/8 192.168/16 207.217.121/24 209.86.93/24 208.47.184/24 71.48.160.0/20
internal_networks 71.48.160.0/20

Looking at my post to the mailing list here are the markups:

This one I'll have to guess is Synacor's

X-Virus-Scanned: amavisd-new at
 Old-X-Spam-Score: -2.599
 Old-X-Spam-Level: 
 Old-X-Spam-Status: No, score=-2.599 tagged_above=-10 required=6.6
        tests=[BAYES_00=-2.599]

Then there is this one:

X-ASF-Spam-Status: No, hits=0.0 required=10.0
        tests=
 Old-X-Spam-Check-By: apache.org

Then there is this one:

Message-Id: <20...@embarqmail.com>
 X-Virus-Checked: Checked by ClamAV on apache.org
 X-Old-Spam-Flag: YES
 X-Old-Spam-Status: Yes, score=9.068 tagged_above=-10 required=6.6
        tests=[AWL=1.576, BAYES_99=3.5, RCVD_IN_NJABL_DUL=1.946,
        RCVD_IN_SORBS_DUL=2.046]

Now I'm confused as to which Old-X-Spam markup is from Embarq/Synacor and 
which is from Apache.org. The last one 'looks' like the markups that have 
been showing up from Embarq/Synacor on my cronjob output posts:

X-Spam-Remote: Host localhost.localdomain
 X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on 
cpollock.localdomain
 X-Spam-Status: No, score=-4.0 required=5.0 tests=ALL_TRUSTED=-1.8,AWL=4.209,
        BAYES_00=-6.4 autolearn=disabled version=3.1.8

The one above is the markup from my box on a cronjob output, the one below is 
the same cronjob output but marked up by Embarq/Synacor:

Old-X-Spam-Flag: YES
 Old-X-Spam-Score: 7.384
 Old-X-Spam-Level: *******
 Old-X-Spam-Status: Yes, score=7.384 tagged_above=-10 required=6.6
        tests=[AWL=3.256, BAYES_50=0.001, FORGED_RCVD_HELO=0.135,
        RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046]

My question then is what good would it do me to adjust my trusted_networks 
setting, if in fact I have it incorrect. The [possible spam] markups are 
being made by Embarq/Synacor not me.

BTW Matt, here is how your reply to me scored, on my box and by 
Embarq/Synacor:

X-Spam-Remote: Host localhost.localdomain
 X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on 
cpollock.localdomain
 X-Spam-Status: No, score=-4.0 required=5.0 tests=ALL_TRUSTED=-1.8,AWL=4.209,
        BAYES_00=-6.4 autolearn=disabled version=3.1.8

Old-X-Spam-Flag: YES
 Old-X-Spam-Score: 7.384
 Old-X-Spam-Level: *******
 Old-X-Spam-Status: Yes, score=7.384 tagged_above=-10 required=6.6
        tests=[AWL=3.256, BAYES_50=0.001, FORGED_RCVD_HELO=0.135,
        RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046]

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C

Re: [Possible SPAM] Re: [Possible SPAM] Possibly [OT] - Embarq Mail

Posted by Matt Kettler <mk...@verizon.net>.
Chris wrote:
>
> My question then is what good would it do me to adjust my trusted_networks 
> setting, if in fact I have it incorrect. The [possible spam] markups are 
> being made by Embarq/Synacor not me.


Ahh, I get it.. Well, whoever is tagging that has a broken
trusted_networks. They're winding up with Verizon's mailserver being
considered internal, and thus SA is seeing the message as if my home PC
was direct-delivering to your network.

Having the _DUL tests fire off on properly relayed mail is a sure-fire
sign that SA's trust-path is over-trusting.

My guess is they've got their inbound mailservers static NATed, and SA
by default assumes (guesses) that all private-range IPs are internal,
plus the first non-private. This guess breaks down when the inbound MX
is private-IP'ed due to static NATing, and here SA winds up thinking
Verizon's smarthost is part of the local network when it isn't.
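
Added example, not part of either post and not SpamAssassin's own code: a simplified Python model of the boundary guess described in the reply above, showing why a statically NATed inbound MX makes the DUL tests land on the sender's home PC and how an explicit internal_networks list moves the boundary back. All addresses, the DUL range and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 and loopback ranges: the "private-range" addresses in this model.
PRIVATE = [ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def in_any(ip, nets):
    return any(ip_address(ip) in net for net in nets)

def guessed_internal(chain):
    """Hops the guess treats as internal: all private, plus the first non-private."""
    count = 0
    for ip in chain:  # chain is ordered from the scanner outward
        count += 1
        if not in_any(ip, PRIVATE):
            break
    return count

def configured_internal(chain, internal_networks):
    """Leading hops covered by an explicit internal_networks list."""
    nets = [ip_network(n) for n in internal_networks]
    count = 0
    for ip in chain:
        if not in_any(ip, nets):
            break
        count += 1
    return count

def dul_checked_relay(chain, n_internal):
    """Modelled here: DUL tests look at the first relay outside the boundary."""
    return chain[n_internal] if n_internal < len(chain) else None

# Constructed sample data (documentation address ranges, not from the thread).
DUL = [ip_network("203.0.113.0/24")]          # stand-in dial-up/dynamic list
HOME_PC, SMARTHOST = "203.0.113.77", "198.51.100.25"
PUBLIC_MX_CHAIN = ["192.0.2.10", SMARTHOST, HOME_PC]   # MX has a public IP
NATED_MX_CHAIN = ["10.0.0.5", SMARTHOST, HOME_PC]      # MX behind static NAT

def dul_fires(chain, n_internal):
    relay = dul_checked_relay(chain, n_internal)
    return relay is not None and in_any(relay, DUL)

if __name__ == "__main__":
    for name, chain in (("public MX", PUBLIC_MX_CHAIN), ("NATed MX", NATED_MX_CHAIN)):
        n = guessed_internal(chain)
        print(name, "guess ->", dul_checked_relay(chain, n), "DUL hit:", dul_fires(chain, n))
    n = configured_internal(NATED_MX_CHAIN, ["10.0.0.0/8"])
    print("NATed MX, explicit ->", dul_checked_relay(NATED_MX_CHAIN, n), dul_fires(NATED_MX_CHAIN, n))
```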