Posted to users@spamassassin.apache.org by Denny Jones via users <us...@spamassassin.apache.org> on 2023/06/24 02:12:50 UTC

ALL_TRUSTED is Always in Headers

Hello,
Spamassassin Version: 3.4.2
Amavisd-new Version: 2.7.1

ALL_TRUSTED is always in every header:
Here's an example header:

Return-Path: <36...@bounce.info.adobe.com>
Delivered-To: <email hidden>
Received: from localhost (localhost [127.0.0.1])
	by mailserver.com (Postfix) with ESMTP id 06D399209E6
	for <email hidden>; Fri, 23 Jun 2023 10:08:08 -0500 (CDT)
X-Virus-Scanned: Debian amavisd-new at mailserver.com
X-Spam-Flag: NO
X-Spam-Score: -0.875
X-Spam-Level:
X-Spam-Status: No, score=-0.875 tagged_above=-9999 required=4
	tests=[ALL_TRUSTED=-9, BAYES_95=8.514, DKIM_INVALID=0.1,
	DKIM_SIGNED=-0.5, HTML_MESSAGE=0.001, T_KAM_HTML_FONT_INVALID=0.01,
	T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01]
	autolearn=no autolearn_force=no
Authentication-Results: mailserver.com (amavisd-new); dkim=neutral
	reason="invalid (public key: DNS error: unknown error or no error)"
	header.d=info.adobe.com header.b=KUYoKm+s; dkim=neutral
	reason="invalid (public key: DNS error: unknown error or no error)"
	header.d=mktdns.com header.b=SUJjLr4c
Received: from mailserver.com ([127.0.0.1])
	by localhost (mailserver.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id PopBB_RLVu-O for <email hidden>;
	Fri, 23 Jun 2023 10:08:07 -0500 (CDT)
Received: from bounce.info.adobe.com (bounce.info.adobe.com [192.28.155.24])
	by mailserver.com (Postfix) with ESMTPS id 08D9E920938
	for <email hidden>; Fri, 23 Jun 2023 10:08:05 -0500 (CDT)
X-MSFBL: gcw/tJ06N/ARaZfFESKqq9ndwWIWXdvw23qQPDyFCao=|eyJnIjoiYmctYWJkLTg
	2OSIsImIiOiJkdnAtMTkyLTI4LTE1NS0yNCIsInIiOiJkam9uZXMtc3Vkb2xAZ3J
	hcGhpY3NpaS5jb20iLCJ1IjoiMzYwLUtDSS04MDQ6MDo5NDAzNTo1MDExMTc6MjY
	wODcwNzoxNzAxMzk6OToxMDQ5ODQzOjc2Nzk2NzUifQ==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1687532842;
	s=m1; d=info.adobe.com; i=@info.adobe.com;
	h=Content-Type:MIME-Version:Subject:To:From:Date;
	bh=fzTniaB97fKkL/zccN8peKm3+Ehw95QNLNCFE3Dyizs=;
	b=KUYoKm+smMdihivUZBbhRpHEEKCUWD2KefgMJ1MAI3wVKkWs7tXsddwuMW9vmB4J
	ShxSX3h0aCL+Ajubk7jr8ZCH9i0Q5i5LirY9VHKK2qluGIS92PBEJ2u7zN644yJJaGt
	3pBL4X5ds9aA8oI5uUuroh18GuxhtryCjIKN5Uak=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1687532842;
	s=m1; d=mktdns.com; i=@mktdns.com;
	h=Content-Type:MIME-Version:Subject:To:From:Date;
	bh=fzTniaB97fKkL/zccN8peKm3+Ehw95QNLNCFE3Dyizs=;
	b=SUJjLr4czOUnuQmZoHnOHvFQwGXjm4WTafWxYuh6DiLScW7G5Vy/8Zv/2dfd0H/D
	27cwkR37G+rTEgEvUySeP+KLmPlgaFQgEyX6e3FpDri6HH1yhcURu/HOl2/MqT2OWBI
	M1wk3DZIeyXmzphtSIMckW0pIGQu3dSO5nf2uI90=
Date: Fri, 23 Jun 2023 10:07:22 -0500 (CDT)
From: Adobe Creative Cloud for Business <de...@info.adobe.com>
Reply-To: demand@info.adobe.com
To: <email hidden>
Message-ID: <2077373210.283929485.1687532842319@abmktmail-batch1i.mark







I have both internal_networks and trusted_networks set correctly.


I don't know where to look to stop this from happening.


I've tried adding clear_internal_networks and clear_trusted_networks


You probably noticed I bumped up the ALL_TRUSTED score but even if I use the default value (-1) it still fires on every message.


Any clues as to where to start sleuthing this?


Re: ALL_TRUSTED is Always in Headers

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2023-06-23 at 22:12:50 UTC-0400 (Sat, 24 Jun 2023 02:12:50 +0000 
(UTC))
Denny Jones via users <lh...@aol.com>
is rumored to have said:

> Hello,
> Spamassassin Version: 3.4.2
> Amavisd-new Version: 2.7.1
>
> ALL_TRUSTED is always in every header:
> Here's an example header:
>
[snip]
> I have both internal_networks and trusted_networks set correctly.

I have a sneaking suspicion that this is not actually true. Unless you 
consider Adobe's servers trusted, which you absolutely should not. It is 
not unknown to have a typo cause this sort of problem.

If I run  those headers with a dummy body thru SA4, I do not get 
ALL_TRUSTED and I do get MSPIKE and DNSWL hits indicating the 
192.28.155.24 address of Adobe's machine as the relevant (i.e. last 
external) relay.

> I don't know where to look to stop this from happening.

Review your configuration files. Make sure that Amavis is not using some 
alternative configuration with insane *_network settings.

> I've tried adding clear_internal_networks and clear_trusted_networks
>
>
> You probably noticed I bumped up the ALL_TRUSTED score but even if I use 
> the default value (-1) it still fires on every message.

It will fire unless the score is zero.

But don't do that. If SA cannot properly determine external relays, it 
is crippled.

> Any clues as to where to start sleuthing this?

Start with a command-line check using the "spamassassin" script. If it 
doesn't show the same hits as the run via Amavis, find the evil Amavis 
config file.

If spamassassin has the same problem, you can run with the debug option 
(-D) and a suitable set of channels. The output from "-D all" is 
voluminous, but it will show you what config files were loaded, how the 
Received headers were parsed, and all (or nearly all) of the many things 
SA does internally. See 
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DebugChannels 
for details.



-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
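
The point above, that 192.28.155.24 should be the last external relay and that a typo in a *_networks setting can hide it, as an added Python sketch (not SpamAssassin's code and not part of the thread). It is a simplified model of the trust walk over the Received headers from the original post; the network values are constructed, since the poster's settings are not shown.

```python
import ipaddress
import re

# Received headers from the original post, newest (top) to oldest (bottom).
RECEIVED = [
    "from localhost (localhost [127.0.0.1]) by mailserver.com (Postfix) with ESMTP id 06D399209E6",
    "from mailserver.com ([127.0.0.1]) by localhost (mailserver.com [127.0.0.1]) (amavisd-new, port 10024)",
    "from bounce.info.adobe.com (bounce.info.adobe.com [192.28.155.24]) by mailserver.com (Postfix) with ESMTPS id 08D9E920938",
]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # treated as always trusted in this model


def relay_ip(received):
    """Return the connecting client's IP: the first [a.b.c.d] in the 'from' part."""
    from_part = received.split(" by ", 1)[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
    return ipaddress.ip_address(m.group(1)) if m else None


def classify(received_headers, trusted_networks):
    """Walk newest to oldest; trust ends at the first relay outside trusted_networks."""
    nets = [LOOPBACK] + [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted, untrusted, unparseable = [], [], 0
    in_trusted = True
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None:
            unparseable += 1
            continue
        if in_trusted and any(ip in n for n in nets):
            trusted.append(str(ip))
        else:
            in_trusted = False
            untrusted.append(str(ip))
    return {
        "trusted": trusted,
        "last_external": untrusted[0] if untrusted else None,
        # Fires only when at least one relay is trusted and none is untrusted or unparseable.
        "ALL_TRUSTED": bool(trusted) and not untrusted and not unparseable,
    }


# Constructed settings; 203.0.113.10 stands in for the server's own address.
correct = classify(RECEIVED, ["203.0.113.10/32"])
too_wide = classify(RECEIVED, ["192.0.0.0/8"])  # over-broad entry, e.g. from a typo
# Hypothetical input: a header set that contains no external hop at all.
no_external_hop = classify(RECEIVED[:2], ["203.0.113.10/32"])
```

With the narrow setting the model reports 192.28.155.24 as the last external relay and ALL_TRUSTED does not fire; the over-broad network and the header set without an external hop both make it fire.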

Re: ALL_TRUSTED is Always in Headers

Posted by Denny Jones via users <us...@spamassassin.apache.org>.
Following up...

Bill - thanks for your input. Yes, the internal_networks and trusted_network settings are correct. I have 3 mail servers with those settings properly implemented and the other 2 work fine. This particular server is on an old Ubuntu version (14.04) and I will be upgrading it soon so please save the chastisements. I'm stuck with it for now.

ALL - running the emails through Spamassassin via the command line does NOT fire the ALL_TRUSTED flag so I am left to believe the issue is with Amavis. I am not using milter. Ubuntu says Amavis is already at the latest version so I guess I would have to manually upgrade. I'm hesitant to do this as it could break the whole server.

I read where the bug on milter that this could potentially cause it in amavisd-new. There was a patch available? I have no idea of how to find that and then no idea of how to install it.

For the time being, I just set the ALL_TRUSTED to 0. This is not desirable I know but until I find a fix this is all I know to do.

If you men have any more ideas I'll try them.

Thanks for now!



 
-----Original Message-----
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: users@spamassassin.apache.org
Sent: Mon, Jun 26, 2023 5:21 am
Subject: Re: ALL_TRUSTED is Always in Headers

>>On 24.06.23 02:12, Denny Jones via users wrote:
>>>Spamassassin Version: 3.4.2
>>>Amavisd-new Version: 2.7.1
>>>
>>>ALL_TRUSTED is always in every header:
>>>Here's an example header:

>On 6/25/2023 9:23 AM, Matus UHLAR - fantomas wrote:
>>do you use amavisd-milter?
>>
>>There's a bug in older versions of amavis described here:
>>https://gitlab.com/amavis/amavis/-/issues/61
>>with patch here:
>>https://gitlab.com/amavis/amavis/-/merge_requests/81/diffs

On 25.06.23 19:21, Jared Hall wrote:
>No, that affects amavis internal handlers.  SpamAssassin is getting 
>called and it is being presented with the proper headers.

nevertheless, this problem caused SpamAssassin rules hitting ALL_TRUSTED 
when amavis was called via AM.PDP socket (via milter), see:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958462

OP provided headers have amavis syntax, so if OP uses amavisd-milter, there 
is his problem.

>1) As per Bill Cole, I'd double-check your internal_networks and 
>trusted_networks setting.  Usually, this is just the IP address of the 
>server.  Check if any values exist in any other config files; 
>something like "grep -r trusted_networks" and "grep -r 
>trusted_networks" from the /etc/spamassassin folder.

yes, checking setting of trusted_networks is not a bad idea.

>2) SA 3.4.2 is about 5 years old.  There have been issues with 
>LASTEXTERNAL, EnvelopeFrom, and AskDNS that have been fixed since 
>then.  I would upgrade SA to 3.4.6.

SA 3.4.2 is still in debian 10, and upgrading SA will hardly solve this 
problem, if it lies outside of SA.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Re: ALL_TRUSTED is Always in Headers

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On 24.06.23 02:12, Denny Jones via users wrote:
>>>Spamassassin Version: 3.4.2
>>>Amavisd-new Version: 2.7.1
>>>
>>>ALL_TRUSTED is always in every header:
>>>Here's an example header:

>On 6/25/2023 9:23 AM, Matus UHLAR - fantomas wrote:
>>do you use amavisd-milter?
>>
>>There's a bug in older versions of amavis described here:
>>https://gitlab.com/amavis/amavis/-/issues/61
>>with patch here:
>>https://gitlab.com/amavis/amavis/-/merge_requests/81/diffs

On 25.06.23 19:21, Jared Hall wrote:
>No, that affects amavis internal handlers.  SpamAssassin is getting 
>called and it is being presented with the proper headers.

nevertheless, this problem caused SpamAssassin rules hitting ALL_TRUSTED 
when amavis was called via AM.PDP socket (via milter), see:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958462

OP provided headers have amavis syntax, so if OP uses amavisd-milter, there 
is his problem.

>1) As per Bill Cole, I'd double-check your internal_networks and 
>trusted_networks setting.  Usually, this is just the IP address of the 
>server.  Check if any values exist in any other config files; 
>something like "grep -r trusted_networks" and "grep -r 
>trusted_networks" from the /etc/spamassassin folder.

yes, checking setting of trusted_networks is not a bad idea.

>2) SA 3.4.2 is about 5 years old.  There have been issues with 
>LASTEXTERNAL, EnvelopeFrom, and AskDNS that have been fixed since 
>then.  I would upgrade SA to 3.4.6.

SA 3.4.2 is still in debian 10, and upgrading SA will hardly solve this 
problem, if it lies outside of SA.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Re: ALL_TRUSTED is Always in Headers

Posted by Jared Hall <ja...@jaredsec.com>.
On 6/25/2023 9:23 AM, Matus UHLAR - fantomas wrote:
> On 24.06.23 02:12, Denny Jones via users wrote:
>> Spamassassin Version: 3.4.2
>> Amavisd-new Version: 2.7.1
>>
>> ALL_TRUSTED is always in every header:
>> Here's an example header:
>
> do you use amavisd-milter?
>
> There's a bug in older versions of amavis described here:
> https://gitlab.com/amavis/amavis/-/issues/61
> with patch here:
> https://gitlab.com/amavis/amavis/-/merge_requests/81/diffs
>

No, that affects amavis internal handlers.  SpamAssassin is getting 
called and it is being presented with the proper headers.

>
>> You probably noticed I bumped up the ALL_TRUSTED score but even if 
>> I use the default value (-1) it still fires on every message.
>>
>>
>> Any clues as to where to start sleuthing this?
>>
>

1) As per Bill Cole, I'd double-check your internal_networks and 
trusted_networks setting.  Usually, this is just the IP address of the 
server.  Check if any values exist in any other config files; something 
like "grep -r trusted_networks" and "grep -r trusted_networks" from the 
/etc/spamassassin folder.

2) SA 3.4.2 is about 5 years old.  There have been issues with 
LASTEXTERNAL, EnvelopeFrom, and AskDNS that have been fixed since then.  
I would upgrade SA to 3.4.6.


-- Jared Hall




Re: ALL_TRUSTED is Always in Headers

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 24.06.23 02:12, Denny Jones via users wrote:
>Spamassassin Version: 3.4.2
>Amavisd-new Version: 2.7.1
>
>ALL_TRUSTED is always in every header:
>Here's an example header:

do you use amavisd-milter?

There's a bug in older versions of amavis described here:
https://gitlab.com/amavis/amavis/-/issues/61
with patch here:
https://gitlab.com/amavis/amavis/-/merge_requests/81/diffs



>Return-Path: <36...@bounce.info.adobe.com>
>Delivered-To: <email hidden>
>Received: from localhost (localhost [127.0.0.1])
>	by mailserver.com (Postfix) with ESMTP id 06D399209E6
>	for <email hidden>; Fri, 23 Jun 2023 10:08:08 -0500 (CDT)
>X-Virus-Scanned: Debian amavisd-new at mailserver.com
>X-Spam-Flag: NO
>X-Spam-Score: -0.875
>X-Spam-Level:
>X-Spam-Status: No, score=-0.875 tagged_above=-9999 required=4
>	tests=[ALL_TRUSTED=-9, BAYES_95=8.514, DKIM_INVALID=0.1,
>	DKIM_SIGNED=-0.5, HTML_MESSAGE=0.001, T_KAM_HTML_FONT_INVALID=0.01,
>	T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01]
>	autolearn=no autolearn_force=no
>Authentication-Results: mailserver.com (amavisd-new); dkim=neutral
>	reason="invalid (public key: DNS error: unknown error or no error)"
>	header.d=info.adobe.com header.b=KUYoKm+s; dkim=neutral
>	reason="invalid (public key: DNS error: unknown error or no error)"
>	header.d=mktdns.com header.b=SUJjLr4c
>Received: from mailserver.com ([127.0.0.1])
>	by localhost (mailserver.com [127.0.0.1]) (amavisd-new, port 10024)
>	with ESMTP id PopBB_RLVu-O for <email hidden>;
>	Fri, 23 Jun 2023 10:08:07 -0500 (CDT)
>Received: from bounce.info.adobe.com (bounce.info.adobe.com [192.28.155.24])
>	by mailserver.com (Postfix) with ESMTPS id 08D9E920938
>	for <email hidden>; Fri, 23 Jun 2023 10:08:05 -0500 (CDT)
>X-MSFBL: gcw/tJ06N/ARaZfFESKqq9ndwWIWXdvw23qQPDyFCao=|eyJnIjoiYmctYWJkLTg
>	2OSIsImIiOiJkdnAtMTkyLTI4LTE1NS0yNCIsInIiOiJkam9uZXMtc3Vkb2xAZ3J
>	hcGhpY3NpaS5jb20iLCJ1IjoiMzYwLUtDSS04MDQ6MDo5NDAzNTo1MDExMTc6MjY
>	wODcwNzoxNzAxMzk6OToxMDQ5ODQzOjc2Nzk2NzUifQ==
>DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1687532842;
>	s=m1; d=info.adobe.com; i=@info.adobe.com;
>	h=Content-Type:MIME-Version:Subject:To:From:Date;
>	bh=fzTniaB97fKkL/zccN8peKm3+Ehw95QNLNCFE3Dyizs=;
>	b=KUYoKm+smMdihivUZBbhRpHEEKCUWD2KefgMJ1MAI3wVKkWs7tXsddwuMW9vmB4J
>	ShxSX3h0aCL+Ajubk7jr8ZCH9i0Q5i5LirY9VHKK2qluGIS92PBEJ2u7zN644yJJaGt
>	3pBL4X5ds9aA8oI5uUuroh18GuxhtryCjIKN5Uak=
>DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1687532842;
>	s=m1; d=mktdns.com; i=@mktdns.com;
>	h=Content-Type:MIME-Version:Subject:To:From:Date;
>	bh=fzTniaB97fKkL/zccN8peKm3+Ehw95QNLNCFE3Dyizs=;
>	b=SUJjLr4czOUnuQmZoHnOHvFQwGXjm4WTafWxYuh6DiLScW7G5Vy/8Zv/2dfd0H/D
>	27cwkR37G+rTEgEvUySeP+KLmPlgaFQgEyX6e3FpDri6HH1yhcURu/HOl2/MqT2OWBI
>	M1wk3DZIeyXmzphtSIMckW0pIGQu3dSO5nf2uI90=
>Date: Fri, 23 Jun 2023 10:07:22 -0500 (CDT)
>From: Adobe Creative Cloud for Business <de...@info.adobe.com>
>Reply-To: demand@info.adobe.com
>To: <email hidden>
>Message-ID: <2077373210.283929485.1687532842319@abmktmail-batch1i.mark
>
>I have both internal_networks and trusted_networks set correctly.
>
>
>I don't know where to look to stop this from happening.
>
>
>I've tried adding clear_internal_networks and clear_trusted_networks
>
>
>You probably noticed I bumped up the ALL_TRUSTED score but even if I use the default value (-1) it still fires on every message.
>
>
>Any clues as to where to start sleuthing this?
>

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.