Posted to commits@spamassassin.apache.org by jm...@apache.org on 2007/01/15 14:19:37 UTC
svn commit: r496308 - in /spamassassin/trunk/lib/Mail/SpamAssassin: Conf.pm
Message/Metadata/Received.pm
Author: jm
Date: Mon Jan 15 05:19:37 2007
New Revision: 496308
URL: http://svn.apache.org/viewvc?view=rev&rev=496308
Log:
bug 5054: update documentation to match post-bug-5054 situation with trusted_networks inference algorithm; the Scott Flury algo is no more, due to differing results with/without -L
Modified:
spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm?view=diff&rev=496308&r1=496307&r2=496308
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm Mon Jan 15 05:19:37 2007
@@ -609,6 +609,8 @@
conceivably relay spam, but will not originate it, and will not forge header
data. DNS blacklist checks will never query for hosts on these networks.
+See C<http://wiki.apache.org/spamassassin/TrustPath> for more information.
+
MXes for your domain(s) and internal relays should B<also> be specified using
the C<internal_networks> setting. When there are 'trusted' hosts that
are not MXes or internal relays for your domain(s) they should B<only> be
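Review bot: the added "See C<http://wiki.apache.org/spamassassin/TrustPath>" line marks the URL up as code text, so POD renderers will not turn it into a link. L<http://wiki.apache.org/spamassassin/TrustPath> would give a clickable reference in HTML output and still read fine in plain perldoc.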
@@ -638,27 +640,24 @@
If C<trusted_networks> is not set and C<internal_networks> is, the value
of C<internal_networks> will be used for this parameter.
-If you're running with DNS checks enabled, SpamAssassin includes code to
-infer your trusted networks on the fly, so this may not be necessary.
-(Thanks to Scott Banister and Andrew Flury for the inspiration for this
-algorithm.) This inference works as follows:
+If neither C<trusted_networks> or C<internal_networks> is set, a basic
+inference algorithm is applied. This works as follows:
=over 4
=item *
-if the 'from' IP address is on the same /16 network as the top Received
-line's 'by' host, it's trusted
+If the 'from' host has an IP address in a private (RFC 1918) network range,
+then it's trusted
=item *
-if the address of the 'from' host is in a private network range,
-then it's trusted
+If there are authentication tokens in the received header, and
+the previous host was trusted, then this host is also trusted
=item *
-if any addresses of the 'by' host is in a private network range,
-then it's trusted
+Otherwise this host, and all further hosts, are consider untrusted.
=back
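Review bot: the new POD text has two grammar slips. "If neither C<trusted_networks> or C<internal_networks> is set" should use "nor", and the last item's "are consider untrusted" should be "are considered untrusted". The list also never states the order in which Received headers are walked, yet the third item's "all further hosts" and the second item's "the previous host" depend on it. One sentence before =over saying where evaluation starts would make the rules unambiguous for anyone relying on the inferred trust boundary.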
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm?view=diff&rev=496308&r1=496307&r2=496308
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm Mon Jan 15 05:19:37 2007
@@ -136,34 +136,7 @@
$self->make_relay_as_string($relay);
}
-# OK, infer the trusted/untrusted handover, if we don't have real info.
-# Here's the algorithm used (taken from Dan's mail):
-#
-# Talking with Scott Banister (this was his idea) and Andrew Flury at
-# IronPort, we came up with an alternate and easier algorithm that doesn't
-# involve trees and we think should be good enough most of the time
-# whenever trusted IP headers is not set. It also has the nice property
-# of being very easy to implement, but it should, of course, be tested
-# out.
-#
-# "first" = top Received line in the message
-#
-# "public" = not a local or private IP address
-#
-# "mypublicnet" = first public "by" address
-#
-# 1. Trust all Received line where the "from" IP is in mypublicnet/16
-# regardless of where they appear. (The goal is to remove any relay
-# steps that involve your network, relying on /16 is good enough since
-# anything on your /16 is you or at worst involves your ISP.)
-#
-# 2. Trust all Received lines that contain local (127) or private (10.1,
-# etc.) IP addresses anywhere, whether "from" or "by".
-#
-# 3. The first Received line that you don't trust is the one that
-# contains the "by" of your trusted relay and the "from" of the first
-# untrusted relay (which is used for bondedsender testing and so on).
-
+ # OK, infer the trusted/untrusted handover, if we don't have real info.
if ($in_trusted) {
unless ($did_user_specify_trust || $did_user_specify_internal) {
my $inferred_as_trusted = 0;
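Review bot: with the old algorithm description deleted, the only comment left above "if ($in_trusted)" is "OK, infer the trusted/untrusted handover, if we don't have real info", which no longer says what rules the inference applies. Since the Conf.pm hunk documents the replacement rules (private-range 'from' address, authentication tokens with a trusted previous host, otherwise untrusted from there on), a two or three line summary here, or a pointer to the trusted_networks POD, would keep the code and the documentation from drifting apart again.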