Posted to users@spamassassin.apache.org by Andy Jezierski <aj...@stepan.com> on 2004/07/26 17:38:42 UTC

SA 3.0 ALL_TRUSTED rule




I've been noticing that the ALL_TRUSTED rule is being triggered on quite a
few messages that are not coming from trusted networks.  I've never had any
entries specified for trusted networks, has something changed in SA3?
Couldn't find anything in the docs.  Anyone have any ideas?  Here's a
sample of some of the headers from one of the messages:

Received:  from viper.stepan.com ([198.180.157.5])
        by nf-nt2.stepan.com (Lotus Domino Release 6.0.3)
        with ESMTP id 2004072303040447-34608; Fri, 23 Jul 2004 03:04:04 -0500
Received:  from mail.idiglobal.com (mail.idiglobal.com [209.90.73.118])
        by viper.stepan.com (8.13.0/8.13.0) with ESMTP id i6N83ndb028461
        for <aj...@email2.stepan.com>; Fri, 23 Jul 2004 03:03:54 -0500 (CDT)
Received:  from User (firewall.idiglobal.com [208.187.219.15])
        by mail.idiglobal.com (8.11.3/8.11.6) with SMTP id i6N7Ohr05002;
        Fri, 23 Jul 2004 01:24:43 -0600
$MessageID:  <20...@mail.idiglobal.com>
ReplyTo:  dfufkm@beijing.com
From:  Manual de Seguridad Urbana<df...@beijing.com>
Subject:  [SPAM] (13.00/6.20) Manual de Seguridad Urbana
JFNMYPQXSU
PostedDate:  07/23/2004 04:33:52 AM
MIME_Version:  1.0
DeliveryPriority:  N
X_MSMail_Priority:  Normal
$Mailer:  Microsoft Outlook Express 6.00.2600.0000
X_MimeOLE:  Produced By Microsoft MimeOLE V6.00.2600.0000
X_Virus_Scanned:  clamd / ClamAV version 0.74, clamav-milter version 0.74a
on viper.stepan.com
X_Virus_Status:  Clean
X_Spam_Flag:  YES
X_Scanned_By:  milter-spamc/0.20.282 ( [198.180.157.5]); Fri, 23 Jul 2004
03:04:04 -0500
X_Spam_Status:  YES, hits=13.00 required=6.20
X_Spam_Level:  xxxxxxxxxxxxx
X_Spam_Report:  Content analysis details:   (13.0 points, 6.2 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SUBJ_HAS_SPACES        Subject contains lots of white space
-0.8 ALL_TRUSTED            Did not pass through any untrusted hosts
 1.3 SUBJ_HAS_UNIQ_ID       Subject contains a unique ID
 1.8 MISSING_HEADERS        Missing To: header
 0.6 OACYS_SINGLE           BODY: A single consonant surrounded by whitespace,
                            minus some of the obvious FP's
 0.1 LG_4C_2V_3C            BODY: Gibberish found?
 1.3 MAILTO_TO_REMOVE       URI: Includes a 'remove' email address
 0.0 MAILTO_WITH_SUBJ       URI: Includes a link to send a mail with a subject
 1.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.3 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.1 HTML_BACKHAIR_1        BODY: HTML tags used to obfuscate words
 0.0 LINES_OF_YELLING_2     BODY: 2 WHOLE LINES OF YELLING DETECTED
 0.2 HTML_50_60             BODY: Message is 50% to 60% HTML
 2.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100
                            [cf: 100]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 LINES_OF_YELLING       BODY: A WHOLE LINE OF YELLING DETECTED
 0.4 MAILTO_SUBJ_REMOVE     RAW: mailto URI includes removal text
 0.6 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.8 SARE_TOCC_NONE         No To header found in email
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.3 UPPERCASE_25_50        message body is 25-50% uppercase
 1.3 FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook
X_Greylist:  Delayed for 00:29:38 by milter-greylist-1.5.3
(viper.stepan.com [198.180.157.5]); Fri, 23 Jul 2004 03:04:04 -0500 (CDT)


Thanks

Andy



Re: SA 3.0 ALL_TRUSTED rule

Posted by Jay Levitt <ja...@shopwatch.org>.
Jay Levitt wrote:

> Andy Jezierski wrote:
>
> This is happening to me too - in fact, as far as I can tell, ALL spam
> hits ALL_TRUSTED.  I don't have any trusted networks defined either; my
> machine is on a private 192.168/16 IP inside a NAT firewall, and its
> external and internal DNS records differ accordingly, if that affects
> how SA auto-detects trusted networks.  However, none of the messages
> I've checked had a 192.168 Received: line in them.  I uploaded config,
> sample message, and debug output to bug 3636.

OK, I think I may have figured this out:  ALL_TRUSTED is being scored as 
if it really means "all trusted", when what it really means is "none 
known for certain to be untrusted".  One example: any spam that didn't 
come through a relay (e.g. direct-to-MX spam) is getting marked all 
trusted, because there's only one relay, that's me, and it's trusted.  Oy!

Another example: Any spam whose other Received: lines are odd-format or 
otherwise ignored.  F'rinstance, these:

Received: from linux.home.jay.fm ([unix socket])
	by linux.home.jay.fm (Cyrus v2.1.12-Mandrake-RPM-2.1.12-1mdk) with LMTP; Sat, 07 Aug 2004 09:27:45 -0400
X-Sieve: CMU Sieve 2.2
Received: from ns.sign-on-africa1.net ([66.227.5.177])
	by linux.home.jay.fm (8.12.10/8.12.10) with ESMTP id i77DRgh7017380
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <ja...@jay.fm>; Sat, 7 Aug 2004 09:27:43 -0400
Received: from mellamed by ns.sign-on-africa1.net with local (Exim 4.34)
	id 1BtRkP-00070Y-Rx; Sat, 07 Aug 2004 10:00:34 -0400
Received: from 80.88.138.202 ([80.88.138.202])
        (SquirrelMail authenticated user barukh@mellamed.com)
        by www.mellamed.com with HTTP;

produce this output:

debug: received-header: parsed as [ ip=66.227.5.177 rdns= helo=ns.sign-on-africa1.net by=linux.home.jay.fm ident= envfrom= intl=0 id=i77DRgh7017380 ]
debug: received-header: ignored SquirrelMail injection: from 80.88.138.202 ([80.88.138.202]) (SquirrelMail authenticated user barukh@mellamed.com) by www.mellamed.com with HTTP; Sat, 7 Aug 2004 10:00:33 -0400 (EDT) 
debug: looking up A records for 'linux.home.jay.fm'
debug: A records for 'linux.home.jay.fm': 192.168.1.150
debug: looking up A records for 'linux.home.jay.fm'
debug: A records for 'linux.home.jay.fm': 192.168.1.150
debug: received-header: 'by' linux.home.jay.fm has reserved IP 192.168.1.150
debug: received-header: 'by' linux.home.jay.fm has no public IPs
debug: received-header: relay 66.227.5.177 trusted? yes internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=66.227.5.177 rdns= helo=ns.sign-on-africa1.net by=linux.home.jay.fm ident= envfrom= intl=0 id=i77DRgh7017380 ]
debug: metadata: X-Spam-Relays-Untrusted: 
        Sat, 7 Aug 2004 10:00:33 -0400 (EDT)

My received: line is trusted.  The second received: line is ignored 
because of "with local" (line 811 of Received.pm).  The third is ignored 
because of Squirrelmail.  And voila, an entire chain of untrusted hosts 
is declared trusted.

This seems too broken to fix for 3.0, honestly... I've set ALL_TRUSTED's 
score to 0.

Jay Levitt
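As an added illustration of the relay walk Jay describes above (this is example code written for this page, not SpamAssassin's own code and not from anyone in the thread): a small Python model that parses a Received: chain top-down, skips the hop types Jay lists (an Exim "with local" hop, a SquirrelMail/HTTP injection, and a hop carrying no bracketed peer IP such as the Cyrus LMTP unix-socket line), and then splits the remaining relays into trusted and untrusted. The inference used when no trusted_networks is configured is a deliberately simplified stand-in and an assumption of this example, not the actual logic in SA 3.0's Received.pm. Jay's own chain is embedded as JAY_RECEIVED; the DIRECT_TO_MX and TWO_HOP chains, and the example.net/example.org hosts and 203.0.113.x/198.51.100.x addresses in them, are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: the Received: chain quoted in the post above,
# most recent hop first, each header unfolded onto one line.
JAY_RECEIVED = [
    "from linux.home.jay.fm ([unix socket]) by linux.home.jay.fm "
    "(Cyrus v2.1.12-Mandrake-RPM-2.1.12-1mdk) with LMTP; Sat, 07 Aug 2004 09:27:45 -0400",
    "from ns.sign-on-africa1.net ([66.227.5.177]) by linux.home.jay.fm (8.12.10/8.12.10) "
    "with ESMTP id i77DRgh7017380 for <ja...@jay.fm>; Sat, 7 Aug 2004 09:27:43 -0400",
    "from mellamed by ns.sign-on-africa1.net with local (Exim 4.34) "
    "id 1BtRkP-00070Y-Rx; Sat, 07 Aug 2004 10:00:34 -0400",
    "from 80.88.138.202 ([80.88.138.202]) (SquirrelMail authenticated user "
    "barukh@mellamed.com) by www.mellamed.com with HTTP;",
]

# Constructed: direct-to-MX spam. The spammer's box spoke SMTP straight to
# our MX, so the only Received: line is the one our own MX wrote. Hosts and
# addresses are documentation examples, not real machines.
DIRECT_TO_MX = [
    "from spamhost.example (unknown [203.0.113.55]) by mx.example.net (Postfix) "
    "with ESMTP id 4F2A1; Sat, 7 Aug 2004 10:11:12 -0400",
]

# Constructed: an ordinary two-hop path through an external relay, for contrast.
TWO_HOP = [
    "from relay.example.org (relay.example.org [198.51.100.7]) by mx.example.net "
    "(Postfix) with ESMTP id 4F2A2; Sat, 7 Aug 2004 10:11:12 -0400",
    "from client.example.org (client.example.org [203.0.113.55]) by relay.example.org "
    "(Postfix) with ESMTP id 9C3B1; Sat, 7 Aug 2004 10:11:10 -0400",
]

PEER_IP = re.compile(r"^from\s+(\S+)\s*\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(line):
    """Return (relay, note); relay is None when the hop is skipped.

    The skip rules reproduce the cases named in the post: an Exim 'with local'
    hop, a SquirrelMail/HTTP injection, and any line with no bracketed peer
    IP at all (the Cyrus LMTP unix-socket hop)."""
    if re.search(r"\bwith\s+local\b", line):
        return None, "ignored: 'with local' hop"
    if "SquirrelMail" in line or re.search(r"\bwith\s+HTTP\b", line):
        return None, "ignored: webmail injection"
    m = PEER_IP.match(line)
    if not m:
        return None, "ignored: no peer IP in brackets"
    by = BY_HOST.search(line)
    relay = {"helo": m.group(1), "ip": m.group(2), "by": by.group(1) if by else "?"}
    return relay, "parsed " + relay["ip"]


def classify_relays(received, trusted_networks=None):
    """Walk the chain top-down and split it into (trusted, untrusted, notes).

    With trusted_networks given (same meaning as the SA directive), a relay is
    trusted iff its peer IP lies in one of them. Without it, a deliberately
    simplified stand-in for SA 3.0's inference is used (an assumption made for
    this example, not SA's code): the topmost parsed relay is trusted because
    it is our own MX talking to the outside, and later relays stay trusted
    only while every peer IP seen so far is RFC 1918 (internal NAT hops)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in (trusted_networks or [])]
    trusted, untrusted, notes = [], [], []
    inferring = True  # still inside the inferred trust boundary
    for line in received:
        relay, note = parse_received(line)
        notes.append(note)
        if relay is None:
            continue
        ip = ipaddress.ip_address(relay["ip"])
        if nets:
            is_trusted = any(ip in n for n in nets)
        else:
            is_trusted = inferring
            inferring = inferring and any(ip in n for n in RFC1918)
        (trusted if is_trusted else untrusted).append(relay["ip"])
    return trusted, untrusted, notes


def all_trusted_fires(received, trusted_networks=None):
    """ALL_TRUSTED ("did not pass through any untrusted hosts") fires exactly
    when the untrusted list is empty: ignored hops and single-hop deliveries
    both leave it empty, which is the failure mode described in the post."""
    _, untrusted, _ = classify_relays(received, trusted_networks)
    return not untrusted


if __name__ == "__main__":
    cases = [("jay", JAY_RECEIVED, None),
             ("direct-to-mx", DIRECT_TO_MX, None),
             ("two-hop", TWO_HOP, None),
             ("jay + trusted_networks", JAY_RECEIVED, ["192.168.0.0/16"])]
    for name, chain, nets in cases:
        t, u, notes = classify_relays(chain, nets)
        print(f"{name}: trusted={t} untrusted={u} ALL_TRUSTED={all_trusted_fires(chain, nets)}")
        for n in notes:
            print("   ", n)
```

Running it prints the four cases. Jay's chain and the direct-to-MX case both end with an empty untrusted list, so ALL_TRUSTED fires; the two-hop case does not. Jay's chain stops firing as soon as trusted_networks is set explicitly, which is the other way out besides zeroing the score: an explicit "trusted_networks 192.168.0.0/16" in local.cf (the standard SA directive, assuming the usual config location) turns the inferred boundary into a declared one, and the external relay at 66.227.5.177 then lands on the untrusted side.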

Re: SA 3.0 ALL_TRUSTED rule

Posted by Jay Levitt <ja...@shopwatch.org>.
Andy Jezierski wrote:

> Daniel Quinlan <qu...@pathname.com> wrote on 07/26/2004 12:41:42 PM:
>
>> Andy Jezierski <aj...@stepan.com> writes:
>>
>>> I've been noticing that the ALL_TRUSTED rule is being triggered on
>>> quite a few messages that are not coming from trusted networks. I've
>>> never had any entries specified for trusted networks, has something
>>> changed in SA3? Couldn't find anything in the docs. Anyone have any
>>> ideas? Here's a sample of some of the headers from one of the messages:
>
> Done.  Bug 3636

This is happening to me too - in fact, as far as I can tell, ALL spam 
hits ALL_TRUSTED.  I don't have any trusted networks defined either; my 
machine is on a private 192.168/16 IP inside a NAT firewall, and its 
external and internal DNS records differ accordingly, if that affects 
how SA auto-detects trusted networks.  However, none of the messages 
I've checked had a 192.168 Received: line in them.  I uploaded config, 
sample message, and debug output to bug 3636.

Jay Levitt

Re: SA 3.0 ALL_TRUSTED rule

Posted by Andy Jezierski <aj...@stepan.com>.



Daniel Quinlan <qu...@pathname.com> wrote on 07/26/2004 12:41:42 PM:

> Andy Jezierski <aj...@stepan.com> writes:
>
> > I've been noticing that the ALL_TRUSTED rule is being triggered on quite a
> > few messages that are not coming from trusted networks.  I've never had any
> > entries specified for trusted networks, has something changed in SA3?
> > Couldn't find anything in the docs.  Anyone have any ideas?  Here's a
> > sample of some of the headers from one of the messages:
>
> Hello, can you please file a bug in bugzilla.spamassassin.org?  Attach
> an example message and your configuration (especially if you have set
> trusted networks manually).  Don't use cut-and-paste for the example
> message since that destroys whitespace and generally mangles things.
>
> Daniel
>
> --
> Daniel Quinlan
> http://www.pathname.com/~quinlan/

Done.  Bug 3636

Andy



Re: SA 3.0 ALL_TRUSTED rule

Posted by Daniel Quinlan <qu...@pathname.com>.
Andy Jezierski <aj...@stepan.com> writes:

> I've been noticing that the ALL_TRUSTED rule is being triggered on quite a
> few messages that are not coming from trusted networks.  I've never had any
> entries specified for trusted networks, has something changed in SA3?
> Couldn't find anything in the docs.  Anyone have any ideas?  Here's a
> sample of some of the headers from one of the messages:

Hello, can you please file a bug in bugzilla.spamassassin.org?  Attach
an example message and your configuration (especially if you have set
trusted networks manually).  Don't use cut-and-paste for the example
message since that destroys whitespace and generally mangles things.

Daniel 

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/