Posted to users@spamassassin.apache.org by Matthew Newton <mc...@leicester.ac.uk> on 2005/03/04 16:23:45 UTC
ALL_TRUSTED rule hit, but haven't set any trusted networks
Hi,
Sorry if this has been mentioned before. I seem to remember that it
might have been, but I can't find it.
Just had a spam arrive that was given a -3.3 score for "ALL_TRUSTED".
Funny thing is that my local.cf contains the following:
# we trust our local network
# removed: sa never used for internal originating spam.
clear_trusted_networks
#trusted_networks 143.210.
#internal_networks 143.210.
because I commented the lines out a couple of months or more ago. SA is
only run (using exiscan) for messages coming in to our network from
external hosts, so it should never fire on this rule as far as I can
see.
Is this bug related?
http://bugzilla.spamassassin.org/show_bug.cgi?id=3949
Message headers are below. You may notice that there is one received
header missing in the chain as we have an internal old broken sendmail
system that doesn't add the headers sometimes, but that will be fixed in
a few months when it's switched off!
Any ideas? I think the best plan now is to just set the score of
ALL_TRUSTED to 0?
Thanks
Matthew
Return-path: <in...@apexmail.com>
Delivery-date: Fri, 04 Mar 2005 14:25:28 +0000
Received: from mailsend.le.ac.uk ([143.210.16.127] helo=athena.le.ac.uk)
by falcon.le.ac.uk with esmtp (Exim 3.35 #1 (Debian))
id 1D7Dk8-00011I-00; Fri, 04 Mar 2005 14:25:28 +0000
Received: from [143.210.8.56] (helo=harrier.le.ac.uk)
by athena.le.ac.uk with esmtp (Exim 4.44)
id 1D7Dk7-000459-IV
for irix-admin@leicester.ac.uk; Fri, 04 Mar 2005 14:25:28 +0000
Received: from [71.8.202.198] (helo=asiancityweb.com)
by apollo.le.ac.uk with esmtp (Exim 4.44)
id 1D7Dk3-0001hO-Vg
for adm@leicester.ac.uk; Fri, 04 Mar 2005 14:25:26 +0000
Message-ID: <84...@asiancityweb.com>
From: "Ines Hodge" <in...@apexmail.com>
To: adm@leicester.ac.uk
Subject: I'll Give it some time.
Date: Fri, 04 Mar 2005 06:24
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=windows-1252
X-Spam-Score: (/) 0.0
X-Spam-Report: This e-mail has been scored by SpamAssassin 3.0.2
Pts Rule name Description
---- ---------------------- ---------------------------------------
0.2 INVALID_DATE Invalid Date: header (not RFC 2822)
-3.3 ALL_TRUSTED Did not pass through any untrusted hosts
2.7 MSGID_OUTLOOK_INVALID Message-Id is fake (in Outlook Express +format)
0.0 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 +chars
--
Matthew Newton <mc...@le.ac.uk>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by Matthew Newton <mc...@leicester.ac.uk>.
On Fri, Mar 04, 2005 at 11:07:46AM -0600, Sandy S wrote:
> This looks like another "reserved IP" issue, as discussed in this thread:
> http://thread.gmane.org/gmane.mail.spam.spamassassin.general/62078
>
> If you look at the original received header, it shows an IP address of
> 71.8.202.198, which spamassassin sees as a reserved, and thus trusted, IP.
> The above-referenced thread includes a fix for this issue.
Aah, thanks. Although I suppose in this situation if I set
{trusted,internal}_networks then SA shouldn't have to guess it, and
therefore won't use these supposedly un-used IPs?
Matthew (getting increasingly confused about the whole issue!)
--
Matthew Newton <mc...@le.ac.uk>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Sandy S wrote:
> This looks like another "reserved IP" issue, as discussed in this thread:
> http://thread.gmane.org/gmane.mail.spam.spamassassin.general/62078
>
> If you look at the original received header, it shows an IP address of
> 71.8.202.198, which spamassassin sees as a reserved, and thus trusted, IP.
> The above-referenced thread includes a fix for this issue.
I don't believe that little bug (caused by assignment of that netblock,
which is fixed in 3.1) will affect this case (since 71.8.202.198 is a
remote sender's address). At least it doesn't if I run the message
through my setup after adding
trusted_networks 143.210.8.56
internal_networks 143.210.8.56
to my setup.
Daryl
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by Sandy S <sa...@boreal.org>.
----- Original Message -----
From: "Daryl C. W. O'Shea" <sp...@dostech.ca>
To: "Matt Kettler" <mk...@comcast.net>
Cc: "Matthew Newton" <mc...@leicester.ac.uk>; <us...@spamassassin.apache.org>
Sent: Friday, March 04, 2005 10:57 AM
Subject: Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
> Matt Kettler wrote:
> > At 10:23 AM 3/4/2005, Matthew Newton wrote:
> >
> >> Just had a spam arrive that was given a -3.3 score for "ALL_TRUSTED".
> >> Funny thing is that my local.cf contains the following:
> >>
> >> # we trust our local network
> >> # removed: sa never used for internal originating spam.
> >> clear_trusted_networks
> >> #trusted_networks 143.210.
> >> #internal_networks 143.210.
> >>
> >> because I commented the lines out a couple of months or more ago. SA is
> >> only run (using exiscan) for messages coming in to our network from
> >> external hosts, so it should never fire on this rule as far as I can
> >> see.
> >
> >
> > If no networks are declared trusted, SA will attempt to auto-detect.
> >
> > You can't, and don't want, to have no trusted hosts at all. That
> > condition would break lots of things, including whitelist_from_rcvd.
>
> Just to clarify on what Matt said, you need and want (really, you do) to
> trust the actual mail server itself. SA sees the message after the
> local server's header is added, so you need to add the IP of that
> machine (that appears in the header).
>
> Whatever you do, don't 'fix' it by setting ALL_TRUSTED to 0.
> ALL_TRUSTED isn't the only thing that relies on a properly configured
> trust path. DNSBLs won't work correctly (both to and against your
> advantage) either.
>
>
> Daryl
>
This looks like another "reserved IP" issue, as discussed in this thread:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/62078
If you look at the original received header, it shows an IP address of
71.8.202.198, which spamassassin sees as a reserved, and thus trusted, IP.
The above-referenced thread includes a fix for this issue.
Sandy
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by Matthew Newton <mc...@leicester.ac.uk>.
On Fri, Mar 04, 2005 at 12:23:10PM -0500, Daryl C. W. O'Shea wrote:
> Matthew Newton wrote:
> >OK, thanks. I still have problems exactly understanding the difference
> >between trusted_networks and internal_networks is, though. My
> >understanding is that trusted_networks is our entire ip address range,
> >all hosts (143.210.0.0/16), and internal_networks is mail servers that
> >we run? There are lots of mail servers, some of which I don't know
> >about, and all machines can potentially send mail by connecting to our
> >servers, so should I set this to 143.210. as well? (still remembering,
> >of course, that SA is not scoring internal messages or those on the way
> >out).
>
> Correct (trusted vs. internal).
>
> Since, in your setup, SA only sees external mail, you don't need to
> worry about adding your other (possibly unknown) mail servers to
> internal networks. Same goes for trusted hosts. The only thing you
> need to worry about is your IP(s) that incoming external mail passes
> through. Add them to trusted & internal networks.
Great! That works, thanks!
Matthew
--
Matthew Newton <mc...@le.ac.uk>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Matthew Newton wrote:
> OK, thanks. I still have problems exactly understanding the difference
> between trusted_networks and internal_networks is, though. My
> understanding is that trusted_networks is our entire ip address range,
> all hosts (143.210.0.0/16), and internal_networks is mail servers that
> we run? There are lots of mail servers, some of which I don't know
> about, and all machines can potentially send mail by connecting to our
> servers, so should I set this to 143.210. as well? (still remembering,
> of course, that SA is not scoring internal messages or those on the way
> out).
Correct (trusted vs. internal).
Since, in your setup, SA only sees external mail, you don't need to
worry about adding your other (possibly unknown) mail servers to
internal networks. Same goes for trusted hosts. The only thing you
need to worry about is your IP(s) that incoming external mail passes
through. Add them to trusted & internal networks.
Daryl
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by Matt Kettler <mk...@evi-inc.com>.
At 12:04 PM 3/4/2005, Matthew Newton wrote:
>OK, thanks. I still have problems exactly understanding the difference
>between trusted_networks and internal_networks is, though. My
>understanding is that trusted_networks is our entire ip address range,
>all hosts (143.210.0.0/16), and internal_networks is mail servers that
>we run?
From what the docs say, that's correct.
Trusted = trusted to not forge headers, and not originate spam, but might
relay spam (ie: as an MX). Trusted IPs are also exempted from DNSBL checks.
Internal = a mail relay. Used in whitelist_from_rcvd checks, and in
checking DUL's and other "direct-to-mx" type spam RBLs.
If you only set one of the two, the other will copy its value and the two
will be the same.
I think this clip from the manpage summarizes it well:
"MXes for your domain(s) and internal relays should also be specified using
the internal_networks setting. When there are 'trusted' hosts that are not
MXes or internal relays for your domain(s) they should only be specified in
trusted_networks. "
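Added example (not part of any poster's message and not SpamAssassin's own code): a simplified Python model of the trust path discussed in this thread, walking the Received headers of the quoted spam newest-first against a trusted_networks list. It assumes SA scanned on athena.le.ac.uk (so falcon's header is not yet present) and does not model SA's auto-detection; the function names and the 71.0.0.0/8 entry are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two Received headers from the quoted spam that the
# scanning host would see, newest first (assumption: scan runs on athena).
RECEIVED = [
    "from [143.210.8.56] (helo=harrier.le.ac.uk) by athena.le.ac.uk with esmtp (Exim 4.44)",
    "from [71.8.202.198] (helo=asiancityweb.com) by apollo.le.ac.uk with esmtp (Exim 4.44)",
]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_net(spec):
    """Accept CIDR, a single address, or a trailing-dot prefix such as '143.210.'."""
    if spec.endswith("."):
        octets = spec.rstrip(".").split(".")
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)


def split_trust_path(received, trusted_specs):
    """Walk relays newest-first; trust ends at the first relay outside the list."""
    nets = [parse_net(s) for s in trusted_specs]
    trusted, untrusted = [], []
    for header in received:
        m = IP_RE.search(header)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        # Once one relay is untrusted, every older header is untrusted too,
        # because the sender could have forged anything below that point.
        if not untrusted and ip is not None and any(ip in n for n in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip) if ip is not None else "unknown")
    return trusted, untrusted


def evaluate(received, trusted_specs):
    trusted, untrusted = split_trust_path(received, trusted_specs)
    return {
        "trusted": trusted,
        "untrusted": untrusted,
        "all_trusted": not untrusted,   # "Did not pass through any untrusted hosts"
        "dnsbl_candidates": untrusted,  # trusted relays are exempt from DNSBL checks
    }


if __name__ == "__main__":
    for specs in (["143.210.8.56"], ["143.210."], ["143.210.", "71.0.0.0/8"]):
        print(specs, evaluate(RECEIVED, specs))
```

With only the inbound relay trusted, 71.8.202.198 remains untrusted and stays a DNSBL candidate; the third, over-broad list shows how trusting the sender's netblock makes the whole path look trusted.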
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by Matthew Newton <mc...@leicester.ac.uk>.
On Fri, Mar 04, 2005 at 11:57:37AM -0500, Daryl C. W. O'Shea wrote:
> Matt Kettler wrote:
> >At 10:23 AM 3/4/2005, Matthew Newton wrote:
> >
> >>Just had a spam arrive that was given a -3.3 score for "ALL_TRUSTED".
> >>Funny thing is that my local.cf contains the following:
> >>
> >> # we trust our local network
> >> # removed: sa never used for internal originating spam.
> >> clear_trusted_networks
> >> #trusted_networks 143.210.
> >> #internal_networks 143.210.
> >>
> >If no networks are declared trusted, SA will attempt to auto-detect.
> >
> >You can't, and don't want, to have no trusted hosts at all. That
> >condition would break lots of things, including whitelist_from_rcvd.
>
> Just to clarify on what Matt said, you need and want (really, you do) to
> trust the actual mail server itself. SA sees the message after the
> local server's header is added, so you need to add the IP of that
> machine (that appears in the header).
>
> Whatever you do, don't 'fix' it by setting ALL_TRUSTED to 0.
> ALL_TRUSTED isn't the only thing that relies on a properly configured
> trust path. DNSBLs won't work correctly (both to and against your
> advantage) either.
OK, thanks. I still have problems exactly understanding the difference
between trusted_networks and internal_networks is, though. My
understanding is that trusted_networks is our entire ip address range,
all hosts (143.210.0.0/16), and internal_networks is mail servers that
we run? There are lots of mail servers, some of which I don't know
about, and all machines can potentially send mail by connecting to our
servers, so should I set this to 143.210. as well? (still remembering,
of course, that SA is not scoring internal messages or those on the way
out).
Thanks
--
Matthew Newton <mc...@le.ac.uk>
UNIX and e-mail Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Matt Kettler wrote:
> At 10:23 AM 3/4/2005, Matthew Newton wrote:
>
>> Just had a spam arrive that was given a -3.3 score for "ALL_TRUSTED".
>> Funny thing is that my local.cf contains the following:
>>
>> # we trust our local network
>> # removed: sa never used for internal originating spam.
>> clear_trusted_networks
>> #trusted_networks 143.210.
>> #internal_networks 143.210.
>>
>> because I commented the lines out a couple of months or more ago. SA is
>> only run (using exiscan) for messages coming in to our network from
>> external hosts, so it should never fire on this rule as far as I can
>> see.
>
>
> If no networks are declared trusted, SA will attempt to auto-detect.
>
> You can't, and don't want, to have no trusted hosts at all. That
> condition would break lots of things, including whitelist_from_rcvd.
Just to clarify on what Matt said, you need and want (really, you do) to
trust the actual mail server itself. SA sees the message after the
local server's header is added, so you need to add the IP of that
machine (that appears in the header).
Whatever you do, don't 'fix' it by setting ALL_TRUSTED to 0.
ALL_TRUSTED isn't the only thing that relies on a properly configured
trust path. DNSBLs won't work correctly (both to and against your
advantage) either.
Daryl
Re: ALL_TRUSTED rule hit, but haven't set any trusted networks
Posted by Matt Kettler <mk...@comcast.net>.
At 10:23 AM 3/4/2005, Matthew Newton wrote:
>Just had a spam arrive that was given a -3.3 score for "ALL_TRUSTED".
>Funny thing is that my local.cf contains the following:
>
> # we trust our local network
> # removed: sa never used for internal originating spam.
> clear_trusted_networks
> #trusted_networks 143.210.
> #internal_networks 143.210.
>
>because I commented the lines out a couple of months or more ago. SA is
>only run (using exiscan) for messages coming in to our network from
>external hosts, so it should never fire on this rule as far as I can
>see.
If no networks are declared trusted, SA will attempt to auto-detect.
You can't, and don't want, to have no trusted hosts at all. That condition
would break lots of things, including whitelist_from_rcvd.