Posted to users@spamassassin.apache.org by giga328 <gi...@hotmail.com> on 2008/02/24 02:34:41 UTC

ALL_TRUSTED and DOS_OE_TO_MX

I'm testing SpamAssassin and I'm getting false positives. Both tests
ALL_TRUSTED and DOS_OE_TO_MX are firing for emails sent by Outlook Express
for local clients, and it seems like I have something wrong in *_networks.
Here is my setup:
All my servers' and my clients' IPs are in trusted_networks.
The first server is receiving email from the Internet (acting as MX) and it is in
trusted_networks and in internal_networks. This server is not the problematic
one.
The second server is receiving email from my clients and it is in
trusted_networks and in msa_networks.
The third server is the spamd server (and it is in trusted_networks).
The client is Outlook Express sending ham.
Any idea where my problem is?

Regards,
Giga

-- 
View this message in context: http://www.nabble.com/ALL_TRUSTED-and-DOS_OE_TO_MX-tp15659736p15659736.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: ALL_TRUSTED and DOS_OE_TO_MX

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 24/02/2008 10:06 AM, giga328 wrote:
> The client in the example is Outlook Express at 89.110.202.24, also in trusted
> networks.

> Relevant configuration lines are:
> trusted_networks 212.62.32.0/19
> trusted_networks 89.110.192.0/18

Not that this is the cause of your problem, but I'm wondering why
89.110.192.0/18 is included in trusted_networks.

Assuming there's a good reason for it to be included, why is it not
included in internal_networks too?  Doing so would resolve your issue
(except for any clients that have their own relay, i.e. have their
clients send to their own MSA and then smart host it to your MSA), but
read on anyway.

> trusted_networks 213.137.96.0/19
> trusted_networks 82.208.192.0/18
> trusted_networks 10.0.0.0/8
> internal_networks 212.62.57.32/30
> msa_networks 212.62.57.116/30
> msa_networks 212.62.57.156/30
> msa_networks 212.62.57.36/30
> 
> The MTA acting as MX is mtain1.isp.ptt.rs 212.62.57.32 and I put it in trusted
> and internal networks (if relevant).
> The MTA receiving email from clients is mtaout1.isp.ptt.rs 212.62.57.36 and I
> put it in trusted and msa networks.

With msa_networks, you can actually include your MSA as internal for
better results.

The problem in your case, though, is something I've felt uneasy about
for a long time: the way SA identifies trusted/internal/msa relays...
it's one hop late in doing so (it bases it on the from, not the by).

So if (and I'll admit I don't think this occurred to me before) you're
running SA on outgoing mail on your MSA right after you receive it (it's
not relayed to an intermediate machine), SA can't detect the MSA and the
whole msa_networks thing doesn't work.

To make things work with the way SA works now you need a header
structure something like this:

Received: from msa.example.com (msa.example.com [1.2.3.4])
	by out-mta.example.com with ESMTP id m1O2Vcnu010976;
	Sat, 23 Feb 2008 21:31:39 -0500
Received: from client (client.example.net [4.3.2.1])
	by msa.example.com with ESMTP id m1O2Vcnu010976;
	Sat, 23 Feb 2008 21:31:39 -0500

That is, you need an extra Received header so that "(msa.example.com
[1.2.3.4])" is shown to SA.  There are two ways to get the extra header...
relay the mail, or forge it in what you feed to SA.  You could even
forge something like this (which would keep the headers sane and not
require you to actually relay the mail somewhere):

Received: from msa.example.com (msa.example.com [1.2.3.4])
	by msa.example.com with ESMTP id m1O2Vcnu010976;
	Sat, 23 Feb 2008 21:31:39 -0500
Received: from client (client.example.net [4.3.2.1])
	by msa.example.com with ESMTP id m1O2Vcnu010976;
	Sat, 23 Feb 2008 21:31:39 -0500

That is, just forge a header for a relay from the msa to itself.  In
your case swap msa for mtaout1 in both headers.

> SpamAssassin is implemented using spamd running on a machine which is also
> in trusted networks (if it is relevant for anything).

Just for reference, unless that machine's IP shows up in Received
headers (it relays or sends mail itself), it's not required.  Including
it won't hurt anything though.

Daryl
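The one-hop-late behaviour Daryl describes, as an added example that is not SpamAssassin's code nor anything posted in this thread: a small Python model that keys each Received hop on its from-IP, uses the trusted/internal/msa networks from the thread's configuration, and compares Giga's single captured header with the same header placed behind a constructed mtaout1-to-mtaout1 self-relay header. How SA propagates MSA status is simplified here (assumption: hops behind a detected MSA count as trusted and internal).

```python
"""Model of how SpamAssassin flags trusted/internal/MSA per Received hop.

Added example, not SpamAssassin's own code.  Assumption: each hop is keyed
on its *from* IP (the connecting host), never the *by* host, so an MSA that
scans mail right after accepting it is never seen as an MSA.
"""
import ipaddress
import re

# Networks copied from the configuration posted in the thread.
TRUSTED = ["212.62.32.0/19", "89.110.192.0/18", "213.137.96.0/19",
           "82.208.192.0/18", "10.0.0.0/8"]
INTERNAL = ["212.62.57.32/30"]
MSA = ["212.62.57.116/30", "212.62.57.156/30", "212.62.57.36/30"]

# "from <helo> (<rdns> [<ip>]) by <host>", tolerating a folded "by" line.
HOP_RE = re.compile(r"from\s+\S+\s+\([^\[]*\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def classify(received_headers):
    """Walk headers newest-first (the order they appear in the message) and
    flag each hop.  Once a hop's from-IP is outside trusted_networks, trust
    ends; hops behind a detected MSA are treated as trusted and internal."""
    hops, trusted_chain, behind_msa = [], True, False
    for header in received_headers:
        m = HOP_RE.search(header)
        ip, by = m["ip"], m["by"]
        trusted = trusted_chain and (behind_msa or in_any(ip, TRUSTED))
        trusted_chain = trusted
        msa = trusted and in_any(ip, MSA)
        internal = trusted and (behind_msa or in_any(ip, INTERNAL))
        hops.append({"from": ip, "by": by, "trusted": trusted,
                     "internal": internal, "msa": msa})
        behind_msa = behind_msa or msa
    return hops

def msa_detected(hops):
    return any(h["msa"] for h in hops)

# Constructed headers: Giga's single hop as captured, and a self-relay
# header (mtaout1 -> mtaout1) of the kind suggested above to put in front.
CLIENT_HOP = ("from gigatpc ([89.110.202.24]) by mtaout1.isp.ptt.rs "
              "with ESMTP; Sun, 24 Feb 2008 15:11:09 +0100 (CET)")
SELF_RELAY = ("from mtaout1.isp.ptt.rs (mtaout1.isp.ptt.rs [212.62.57.36])\n"
              "\tby mtaout1.isp.ptt.rs with ESMTP id m1O2Vcnu010976")
```

With only CLIENT_HOP the MSA address 212.62.57.36 appears after "by" and never as a from-IP, so msa_detected() stays False and the client hop is trusted but not internal; with SELF_RELAY in front the MSA is seen and the client hop becomes internal.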


Re: ALL_TRUSTED and DOS_OE_TO_MX

Posted by giga328 <gi...@hotmail.com>.

Daryl C. W. O'Shea wrote:
> Please post the full received headers of the problem message and your
> trusted/internal/msa networks config.  If you're paranoid about publicly
> posting them you can send them to me directly.
>
> Daryl

Hi Daryl,

The email system will not use NAT, so IP addresses are not secret and somebody
can see almost everything from the headers, so there is no reason not to post all
the requested data.

Relevant configuration lines are:
trusted_networks 212.62.32.0/19
trusted_networks 89.110.192.0/18
trusted_networks 213.137.96.0/19
trusted_networks 82.208.192.0/18
trusted_networks 10.0.0.0/8
internal_networks 212.62.57.32/30
msa_networks 212.62.57.116/30
msa_networks 212.62.57.156/30
msa_networks 212.62.57.36/30

The MTA acting as MX is mtain1.isp.ptt.rs 212.62.57.32 and I put it in trusted
and internal networks (if relevant).
The MTA receiving email from clients is mtaout1.isp.ptt.rs 212.62.57.36 and I
put it in trusted and msa networks.
SpamAssassin is implemented using spamd running on a machine which is also
in trusted networks (if it is relevant for anything).
The client in the example is Outlook Express at 89.110.202.24, also in trusted
networks.

Here are the headers and body of a sample email captured as direct communication
between spamc and spamd:
CHECK SPAMC/1.2
Content-length: 1324

Received: from gigatpc ([89.110.202.24]) by mtaout1.isp.ptt.rs with ESMTP;
Sun, 24 Feb 2008 15:11:09 +0100 (CET)
Message-ID: <00...@saga.co.yu>
From: "Joshua Gigic" <jo...@ptt.yu>
To: <gi...@saga.co.yu>
Subject: ovo je email 2
Date: Sun, 24 Feb 2008 15:13:05 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_000A_01C876F7.C1872B80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

------=_NextPart_000_000A_01C876F7.C1872B80
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

dva su dela

------=_NextPart_000_000A_01C876F7.C1872B80
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.6000.16608" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV>dva su dela</DIV>
<DIV>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_000A_01C876F7.C1872B80--

This is just a sample email, not representing ham or spam, which is not so
relevant because SpamAssassin fires DOS_OE_TO_MX on every email.
Log line from spamd:
Feb 24 15:11:10 localhost spamd[23664]: spamd: result: . 1 -
ALL_TRUSTED=-1.44,AWL=-0.294,DOS_OE_TO_MX=2.75,HTML_MESSAGE=0.001
scantime=0.8,size=1324,user=(unknown),uid=1783,required_score=5.0,rhost=mtaout1.isp.ptt.rs,raddr=212.62.57.36,rport=30948,mid=<00...@saga.co.yu>,autolearn=no,shortcircuit=no
SpamAssassin has only one non-standard patch, for logging all scores, but the same
thing is happening with SpamAssassin without any patches, so the problem must be
in my configuration.

Regards,
Giga



Re: ALL_TRUSTED and DOS_OE_TO_MX

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 23/02/2008 8:34 PM, giga328 wrote:
> I'm testing SpamAssassin and I'm getting false positives. Both tests
> ALL_TRUSTED and DOS_OE_TO_MX are firing for emails sent by Outlook Express
> for local clients, and it seems like I have something wrong in *_networks.
> Here is my setup:
> All my servers' and my clients' IPs are in trusted_networks.
> The first server is receiving email from the Internet (acting as MX) and it is in
> trusted_networks and in internal_networks. This server is not the problematic
> one.
> The second server is receiving email from my clients and it is in
> trusted_networks and in msa_networks.
> The third server is the spamd server (and it is in trusted_networks).
> The client is Outlook Express sending ham.
> Any idea where my problem is?

Please post the full received headers of the problem message and your
trusted/internal/msa networks config.  If you're paranoid about publicly
posting them you can send them to me directly.

Daryl


Re: ALL_TRUSTED and DOS_OE_TO_MX

Posted by giga328 <gi...@hotmail.com>.


Matus UHLAR - fantomas wrote:
> We've had a similar problem. It was caused by our clients who did not use SMTP
> authentication and sent mail to our clients, so they were really sending
> mail from Outlook Express to the destination server (we use the same servers
> for primary MX as for outgoing SMTP).
> 

Hi Matus,

I know that there is no SMTP AUTH, but this project is split in two phases:
the first is to replace old equipment with new, and the second is to ask
users to start using SMTP AUTH within some timeframe.
Fortunately there are separate SMTP servers for MX and for clients, and I
would like to configure SpamAssassin to trust users relayed by
mtaout1.isp.ptt.rs from my example.

Regards,
Giga




Re: ALL_TRUSTED and DOS_OE_TO_MX

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 23.02.08 17:34, giga328 wrote:
> I'm testing SpamAssassin and I'm getting false positives. Both tests
> ALL_TRUSTED and DOS_OE_TO_MX are firing for emails sent by Outlook Express
> for local clients, and it seems like I have something wrong in *_networks.
> Here is my setup:
> All my servers' and my clients' IPs are in trusted_networks.

Only dynamic IP addresses should be in trusted_networks. Maybe even those
would not need to be, if your clients used SMTP authentication...

> The first server is receiving email from the Internet (acting as MX) and it is in
> trusted_networks and in internal_networks. This server is not the problematic
> one.
> The second server is receiving email from my clients and it is in
> trusted_networks and in msa_networks.
> The third server is the spamd server (and it is in trusted_networks).
> The client is Outlook Express sending ham.
> Any idea where my problem is?

We've had a similar problem. It was caused by our clients who did not use SMTP
authentication and sent mail to our clients, so they were really sending
mail from Outlook Express to the destination server (we use the same servers
for primary MX as for outgoing SMTP).


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Where do you want to go to die?" [Microsoft]