Posted to users@spamassassin.apache.org by Irina <ir...@nas.net> on 2006/01/12 17:21:37 UTC

AWL and trusted_networks

Hello all,

We are getting much more spam lately than we used to.  I am looking at SA and
seeing a few things that either don't work properly or have not been set up
(my fault I have to admit).  I will start from a simple question.

At some point we had a problem with AWL giving a positive score to our users
forcing messages to be marked as spam.  I disabled it.  Later on I enabled
trusted_networks which works ok (it gives a minus score when I am sending a
message).

Here is my question.  If trusted_networks are set right, will it ever
give/add a positive score to AWL?

Thank you for your help in advance.

Irina Kalachnikova
Systems Programmer
NetAccess Systems Inc.
irina@nas.net
===========================






Re: AWL and trusted_networks

Posted by Matt Kettler <mk...@evi-inc.com>.
Irina wrote:
> Matt,
> 
> Thank you for your reply.  To everybody else who got on this topic and
> helped Robert :-)))
> 
> 
> Does the score
>     score ALL_TRUSTED -1.360
> work only with
>     trusted_networks <IP_addresses>
> ?
> 

No.. SA always uses trust detection. If you don't declare a trusted_networks, SA
will try to guess what the right setting is. Sometimes it guesses wrong,
particularly if you have NATed mailservers.

Hence my comment about on/enable being a misnomer. Trust path detection is
always on and can't be disabled. It is used by about a dozen different parts of
SA. (RBLs, SPF, AWL, RelayCountry, HABEAS, HELO_DYNAMIC, MSGID_FROM_MTA,
FAKE_HELO_*, FORGED_*_RCVD, and ALL_TRUSTED are some of the things that make use
of trust at some point.)


> 
> As I mentioned I had the problem with AWL and turned it off.  I now tend to
> enable it, but am afraid it has old scores in it.
> -  Is there any way to display what it has?

Grab the tarball off the website, in the tools directory it has a
"check_whitelist" utility that can dump the AWL for you.

> -  Do you think I should zero out everything in AWL and start from scratch?

Probably.

> How do I do that?

Assuming you aren't using SQL for it:

rm ~/.spamassassin/auto-whitelist*

RE: AWL and trusted_networks

Posted by Robert Bartlett <ro...@digitalphx.com>.
I read the link Matt provided, it has this statement in the document that
looks to pertain to "starting from scratch", if you decide to do that:

"Now, with that said, it IS possible for the AWL to be polluted and cause
problems. Generally this is the result of past misconfiguration or scoring
problems that have since been fixed, but the AWL retains the old average and
causes score problems, pushing things onto the wrong side of the spam/ham
threshold line.

If you have this problem, you can use spamassassin
--remove-addr-from-whitelist to remove any prior knowledge about a given
address from the AWL database. If you consult the main spamassassin manpage,
there are other commands to force an AWL entry towards the black or white,
but use these somewhat cautiously."

Robert




Re: AWL and trusted_networks

Posted by Irina <ir...@nas.net>.
Matt,

Thank you for your reply.  To everybody else who got on this topic and
helped Robert :-)))


Does the score
    score ALL_TRUSTED -1.360
work only with
    trusted_networks <IP_addresses>
?


As I mentioned I had the problem with AWL and turned it off.  I now tend to
enable it, but am afraid it has old scores in it.
-  Is there any way to display what it has?
-  Do you think I should zero out everything in AWL and start from scratch?
How do I do that?


Thank you for the help.  I appreciate it very much.
Irina
======================





Re: AWL and trusted_networks

Posted by Matt Kettler <mk...@evi-inc.com>.
Irina wrote:
> Hello all,
> 
> We are getting much more spam lately than we used to.  I am looking at SA and
> seeing a few things that either don't work properly or have not been set up
> (my fault I have to admit).  I will start from a simple question.
> 
> At some point we had a problem with AWL giving a positive score to our users
> forcing messages to be marked as spam.  I disabled it.  Later on I enabled
> trusted_networks which works ok (it gives a minus score when I am sending a
> message).
> 
> Here is my question.  If trusted_networks are set right, will it ever
> give/add a positive score to AWL?

Yes, it will give positive scores sometimes. But those scores shouldn't be
significant.

Please read:
http://wiki.apache.org/spamassassin/AwlWrongWay


Basically, adding positive scores to nonspam and negative scores to spam is
normal for the AWL. It's only a problem when things get pushed too far one way
or another (as you saw).

A poorly defined trusted_networks can cause the AWL to not be able to tell the
difference between someone actually sending mail and someone else spoofing them.
That can cause errant AWL learning of spoofed spam/viruses/etc as being sent by
the real person.

I suspect that you might have had this happen at your site, and setting
trusted_networks correctly should prevent that from re-occurring.

Re: AWL and trusted_networks

Posted by Matt Kettler <mk...@evi-inc.com>.
Robert Bartlett wrote:
> Turned on/enabled, sorry for wrong choice of words.
> 
> Actually I got this advice from this very same list, no one seemed to respond
> to the advice given in a bad way so I went ahead and did it.

Yeah, I try to keep on top of the people that suggest that, but I often miss a
few. Way too many admins out there that just do a "quick fix" for the symptoms
without looking for the real problem.


> Knowing what
> you told me now what would be the proper setup for my server? It's just a
> single server that runs SA for hosted domains. Do I just add the IP address
> of the local server and that's all?

Put simply: add the IPs of all mailservers you control that add Received:
headers. If you've got some kind of NAT going on, use the IP that your SA box
will get if it does a lookup on the hostname that appears in the "by" part of a
Received: header.

For example: My mail comes in to xanadu.evi-inc.com, which has an outside IP of
208.39.141.94. However, that box is behind a static-NAT, and the SA box will
resolve xanadu as "192.168.x.y" due to split-dns. I need to trust the 192.168
address, not the 208.39. address.
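
Added example, not part of the original thread: a Python check for the NAT case described above, listing which of your own relays (taken from the "by" part of Received: headers) resolve, from the SpamAssassin host, to an address that trusted_networks does not cover. The hostnames, addresses, sample headers and the simplified trusted_networks parser are constructed assumptions.

```python
import ipaddress
import re

def parse_trusted_networks(value):
    """Simplified IPv4 parser for a trusted_networks value; accepts the
    short forms seen in this thread, e.g. 216.145.96/20 or 127/8."""
    nets = []
    for item in value.split():
        addr, _, bits = item.partition("/")
        octets = [o for o in addr.split(".") if o]
        # Assumption of this sketch: with no mask, the octet count implies it.
        bits = bits or str(8 * len(octets))
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False))
    return nets

def by_hosts(raw_headers):
    """Hostname in the 'by' part of each Received: header, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return re.findall(r"^Received:.*?\bby\s+([A-Za-z0-9.-]+)", unfolded, re.M | re.I)

def uncovered(raw_headers, own_domain, resolve, trusted_value):
    """Own relays whose address, as resolved on the SpamAssassin host,
    is not covered by trusted_networks. Returns {hostname: ip}."""
    nets = parse_trusted_networks(trusted_value)
    missing = {}
    for host in by_hosts(raw_headers):
        if not host.lower().endswith("." + own_domain):
            continue                          # someone else's server
        ip = ipaddress.ip_address(resolve(host))
        if not any(ip in net for net in nets):
            missing[host] = str(ip)
    return missing

# Constructed sample: Received: headers of one delivered message.
SAMPLE = (
    "Received: from mail.sender.test (mail.sender.test [198.51.100.7])\n"
    "\tby mx1.example.com with ESMTP; Thu, 12 Jan 2006 11:59:58 -0500\n"
    "Received: from laptop (laptop [10.0.0.4])\n"
    "\tby mail.sender.test with ESMTP; Thu, 12 Jan 2006 11:59:50 -0500\n"
)
# Constructed split-DNS view from the SpamAssassin host; on a real host pass
# socket.gethostbyname instead. The outside address of mx1 is 203.0.113.5.
SA_VIEW = {"mx1.example.com": "192.168.10.5"}

if __name__ == "__main__":
    # Outside address listed: the relay SA actually sees is left untrusted.
    print(uncovered(SAMPLE, "example.com", SA_VIEW.__getitem__, "203.0.113.5 127/8"))
    # Inside address listed: nothing is missing.
    print(uncovered(SAMPLE, "example.com", SA_VIEW.__getitem__, "192.168.10.5 127/8"))
```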


RE: AWL and trusted_networks

Posted by Robert Bartlett <ro...@digitalphx.com>.
SA 3.0.1

Robert 




Re: AWL and trusted_networks

Posted by Loren Wilton <lw...@earthlink.net>.
> Turned on/enabled, sorry for wrong choice of words.
>
> Actually I got this advice from this very same list, no one seemed to respond
> to the advice given in a bad way so I went ahead and did it. Knowing what

Which version of SA are you on?  I seem to recall there were some 3.0x
teething problems with certain rather odd configurations and trusted
networks just wouldn't resolve correctly in those cases.  In those VERY FEW
cases, setting the score to zero was about the only available option - but it
was a workaround and the problem was still there.

In general though the blanket statement -- which admittedly has been made in
this list multiple times -- of zeroing the score is just plain the wrong
answer.  Bowie and Matt have much better advice on what to do.

        Loren


RE: AWL and trusted_networks

Posted by Robert Bartlett <ro...@digitalphx.com>.
Turned on/enabled, sorry for wrong choice of words.

Actually I got this advice from this very same list, no one seemed to respond
to the advice given in a bad way so I went ahead and did it. Knowing what
you told me now what would be the proper setup for my server? It's just a
single server that runs SA for hosted domains. Do I just add the IP address
of the local server and that's all?

Thanks
Robert



Re: AWL and trusted_networks

Posted by Matt Kettler <mk...@evi-inc.com>.
Robert Bartlett wrote:
> I had the same problem when I turned on trusted_networks.

Turned on? Please elaborate.. There is no "off" for trusted_networks. SA always
parses trust, no matter what you do.

> I was told to put this in my local.cf for SA:
> 
> score ALL_TRUSTED       0
> 
> It seemed to resolve the problem

ACCCK.. Please don't listen to whoever told you to do that!!!!

In general it's a VERY bad idea to set ALL_TRUSTED to 0. All you're doing is
covering up the most noticeable symptom of a more serious problem (broken trust).

If your trusted_networks is declared manually, and correctly, you should never
see ALL_TRUSTED fire off for external mail.

If you still see ALL_TRUSTED matching external mail, you've got serious problems
that need fixing.

Re: AWL and trusted_networks

Posted by Irina <ir...@nas.net>.
Robert,

Thank you for your reply.

I think I am trying to achieve the opposite.  I do want to use AWL.  But I
don't want it to give any positive score if sent from our IP addresses.  It
has worked well, but I had to disable it due to... it was giving a positive
score to some of our senders.

I already have
    trusted_networks 216.145.96/20
set in local.cf.

I now want to enable AWL.  But my question is if it will give a positive
score for IPs from trusted_networks.

Thank you
Irina
=============================






RE: AWL and trusted_networks

Posted by Robert Bartlett <ro...@digitalphx.com>.
I had the same problem when I turned on trusted_networks. I was told to put
this in my local.cf for SA:

score ALL_TRUSTED       0

It seemed to resolve the problem

Robert 
