Posted to users@spamassassin.apache.org by Vicki Brown <vl...@cfcl.com> on 2005/03/20 20:27:49 UTC

All_TRUSTED (not)

At 10:45 -0800 03/20/2005, Jeff Chan wrote:
>The trust path needs to be set correctly for things to
>work properly.

If the "trust path" is not "set correctly" by default, then the rule should
not be enabled by default. That's just wrong.



It's nice to know it's not just me getting bitten by this

http://readlist.com/lists/incubator.apache.org/spamassassin-users/1/9592.html
Subject:	 disabling ALL_TRUSTED
Group:	Spamassassin-users
From:	Arvinn Løkkebakken
Date:	07 Feb 2005

How do I disable the ALL_TRUSTED test?

It's hitting spam more and more often by misinterpreting Received:
headers, i.e. claiming the mail passed through trusted hosts when it didn't.
That makes it a very dangerous setting since it may trigger
auto-learning spam as ham. It already has several times on my server.


http://bugzilla.spamassassin.org/show_bug.cgi?id=3636
ALL_TRUSTED rule is being triggered on E-Mail that is from a mail server
outside of my network.  Trusted networks are not specified in my config.
* marked WONTFIX


http://www.paulstimesink.com/
pwestbro | 16 March, 2005 14:43

I have started seeing spam messages getting through my filter. It looks like
it is being caused because the spammers are sending mail from computers that
have not been listed as untrusted relays. So as spammers are taking over more
and more zombie PCs, the ALL_TRUSTED rule is being triggered.


http://www.mailarchives.org/list/spam-assassin/msg/2004/12778
From: Matt Kettler [mailto:mkettler_sa@<protected>]
Sent: Thu 11/4/2004 7:55 AM
To: Jason Haar; SpamAssassin Users
Subject: Re: Should ALL_TRUSTED be doing this?



At 04:20 PM 11/4/2004 +1300, Jason Haar wrote:

> I've been getting a fair amount of missed spam with SA-3.01 that looks like
> it would have been caught if it wasn't for ALL_TRUSTED.

No, it should not.

You have one of two problems:

1) SA is confused about trust. This typically happens if your outer-most
mailserver is address translated and has a reserved non-routable IP address
assigned. SA generally assumes the first non-reserved IP is your outside
MX, but this isn't true for a lot of networks that NAT their mailservers.

To fix: set trusted_networks manually in your local.cf. Include just your
mailservers in this. ie if I had two servers, one external MX numbered
192.168.1.8 and a SA scanning box at 192.168.20.8 I could do this:
         trusted_networks 192.168.1.8/32
         trusted_networks 192.168.20.8/32

2) The other case is SA can't parse your Received: headers. If you run a
message through spamassassin -D you'll see debug lines complaining about it:
         debug: received-header: unknown format:

To fix: short term, force the score of ALL_TRUSTED to 0.
         score ALL_TRUSTED 0

If it's a received line starting with by, then it's this bug:
         http://bugzilla.spamassassin.org/show_bug.cgi?id=3600
Otherwise, create a new bug in the bugzilla, and attach a sample.






-- 
Vicki Brown          ZZZ         
Journeyman Sourceror:  zz  |\     _,,,---,,_     Code, Docs, Process,  
Scripts & Philtres      zz /,`.-'`'    -.  ;-;;,_   Perl, WWW, Mac OS X
http://cfcl.com/vlb       |,4-  ) )-,_. ,\ ( `'-'   SF Bay Area, CA  USA 
_______________________  '---''(_/--'  `-'\_)  ___________________________

Re: All_TRUSTED (not)

Posted by Vicki Brown <vl...@cfcl.com>.
At 19:07 -0500 03/20/2005, David Brodbeck wrote:

>I actually have the opposite opinion -- because the trust path guessing
>fails in a fair number of cases, I think it might be better to just have
>SpamAssassin refuse to run if people don't set it.

That's not an opposite opinion. That's precisely my opinion.

Re: All_TRUSTED (not)

Posted by David Brodbeck <gu...@gull.us>.
Vicki Brown wrote:
> At 10:45 -0800 03/20/2005, Jeff Chan wrote:
> 
>>The trust path needs to be set correctly for things to
>>work properly.
> 
> 
> If the "trust path" is not "set correctly" by default, then the rule should
> not be enabled by default. That's just wrong.

A lot of stuff depends on it.

I actually have the opposite opinion -- because the trust path guessing 
fails in a fair number of cases, I think it might be better to just have 
SpamAssassin refuse to run if people don't set it.

However, considering it's an extremely easy setting to fix, you might be 
better off just setting trusted_networks properly instead of 
complaining. ;)  It probably took you longer to type your message than 
it would to just set the variable.

Re: All_TRUSTED (not)

Posted by Matt Kettler <mk...@evi-inc.com>.
Vicki Brown wrote:

>At 10:45 -0800 03/20/2005, Jeff Chan wrote:
>  
>
>>The trust path needs to be set correctly for things to
>>work properly.
>>    
>>
>
>If the "trust path" is not "set correctly" by default, then the rule should
>not be enabled by default. That's just wrong.
>

Vicki, the problem is that if the trust path is not "set correctly" a
LARGE number of rules in SA would have to be disabled. Not just
"ALL_TRUSTED". SA very heavily depends on the trust path to figure out
what host delivered mail to your network.

Realistically, ALL_TRUSTED misfiring here is in some ways a warning sign
that you have serious problems.

Other problems include:
       DUL and dynamic style RBLs false-firing on properly relayed messages
       DUL/dynamic RBLs not firing on direct-delivered spam
       whitelist_from_rcvd not firing when it should
       whitelist_from_rcvd matching spam messages with faked headers.
       ditto for RCVD_IN_BSP_TRUSTED
       ditto for HELO_DYNAMIC_*
       FAKE_HELO_MAIL_COM_DOM not matching when it should (FP unlikely)

Shall I go on?
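
The NAT case Matt Kettler describes in the message quoted in the first post, and the trust-path dependence he describes in the reply above, as an added example that is not part of the thread and is not SpamAssassin's own code. It is a simplified Python model built only from the thread's description (reserved addresses are treated as local, and the first non-reserved address is assumed to be the MX); the header lines, hostnames and the 203.0.113.77 address are constructed.

```python
import ipaddress
import re

# RFC 1918 and loopback ranges, standing in for "reserved non-routable" addresses.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample, newest header first: a NATed MX (192.168.1.8) hands the
# message to the scanner; 203.0.113.77 is the outside host that delivered it.
SAMPLE_RECEIVED = [
    "from mx.example.internal (mx.example.internal [192.168.1.8]) "
    "by scan.example.internal with ESMTP; Sun, 20 Mar 2005 12:00:02 -0800",
    "from dsl-77.example.net (dsl-77.example.net [203.0.113.77]) "
    "by mx.example.internal with SMTP; Sun, 20 Mar 2005 12:00:01 -0800",
]

def relay_ips(received):
    """Pull the bracketed connecting address out of each Received: header."""
    ips = []
    for header in received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if m is None:  # the "unknown format" case: refuse to guess
            raise ValueError("unparseable Received header: " + header)
        ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def split_trust_path(received, trusted_networks=None):
    """Return (trusted, untrusted) relays, walking from newest to oldest."""
    ips = relay_ips(received)
    nets = None
    if trusted_networks is not None:
        nets = [ipaddress.ip_network(n) for n in trusted_networks]
    count = 0
    for ip in ips:
        if nets is not None:
            if not any(ip in n for n in nets):
                break          # explicit list: first unlisted relay ends the path
        elif not any(ip in n for n in RESERVED):
            count += 1         # guess: first public address is taken for the MX
            break
        count += 1
    return ips[:count], ips[count:]

def all_trusted(received, trusted_networks=None):
    """Model of the ALL_TRUSTED condition: no untrusted relay on the path."""
    return not split_trust_path(received, trusted_networks)[1]
```

With no trusted_networks the model trusts both relays, so the ALL_TRUSTED condition holds for mail delivered by an outside host; with the two /32 entries from the thread, 203.0.113.77 is left untrusted.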

Re: All_TRUSTED (not)

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Vicki

the 'solution' is to set the trusted_networks and/or internal_networks 
options properly. See 
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#network_test_options 
for more details.

This really needs to be documented in big flashing lights, pref with 
something that shouts in the logs as well, and has a big brother that 
knocks on your door, phones you etc etc until you set the thing. :-)

Either that or behaves properly in the first place, which will happen in 
3.1 I believe.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Vicki Brown wrote:
> At 10:45 -0800 03/20/2005, Jeff Chan wrote:
> 
>>The trust path needs to be set correctly for things to
>>work properly.
> 
> 
> If the "trust path" is not "set correctly" by default, then the rule should
> not be enabled by default. That's just wrong.
