Posted to commits@spamassassin.apache.org by jm...@apache.org on 2007/01/15 14:19:37 UTC

svn commit: r496308 - in /spamassassin/trunk/lib/Mail/SpamAssassin: Conf.pm Message/Metadata/Received.pm

Author: jm
Date: Mon Jan 15 05:19:37 2007
New Revision: 496308

URL: http://svn.apache.org/viewvc?view=rev&rev=496308
Log:
bug 5054: update documentation to match post-bug-5054 situation with trusted_networks inference algorithm; the Scott Flury algo is no more, due to differing results with/without -L

Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
    spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm?view=diff&rev=496308&r1=496307&r2=496308
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm Mon Jan 15 05:19:37 2007
@@ -609,6 +609,8 @@
 conceivably relay spam, but will not originate it, and will not forge header
 data. DNS blacklist checks will never query for hosts on these networks. 
 
+See C<http://wiki.apache.org/spamassassin/TrustPath> for more information.
+
 MXes for your domain(s) and internal relays should B<also> be specified using
 the C<internal_networks> setting. When there are 'trusted' hosts that
 are not MXes or internal relays for your domain(s) they should B<only> be
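Review bot: the added line "See C<http://wiki.apache.org/spamassassin/TrustPath> for more information." marks the URL up with C<>, which is POD's code-text construct; L<http://wiki.apache.org/spamassassin/TrustPath> is the link construct and lets POD formatters render it as a hyperlink. It would also help to say in the sentence what the wiki page covers (the trust path and how trusted_networks relates to internal_networks), since the reference sits between two paragraphs that each give configuration advice.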
@@ -638,27 +640,24 @@
 If C<trusted_networks> is not set and C<internal_networks> is, the value
 of C<internal_networks> will be used for this parameter.
 
-If you're running with DNS checks enabled, SpamAssassin includes code to
-infer your trusted networks on the fly, so this may not be necessary.
-(Thanks to Scott Banister and Andrew Flury for the inspiration for this
-algorithm.)  This inference works as follows:
+If neither C<trusted_networks> or C<internal_networks> is set, a basic
+inference algorithm is applied.  This works as follows:
 
 =over 4
 
 =item *
 
-if the 'from' IP address is on the same /16 network as the top Received
-line's 'by' host, it's trusted
+If the 'from' host has an IP address in a private (RFC 1918) network range,
+then it's trusted
 
 =item *
 
-if the address of the 'from' host is in a private network range,
-then it's trusted
+If there are authentication tokens in the received header, and
+the previous host was trusted, then this host is also trusted
 
 =item *
 
-if any addresses of the 'by' host is in a private network range,
-then it's trusted
+Otherwise this host, and all further hosts, are consider untrusted.
 
 =back
 
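Review bot: two grammar slips in the added documentation lines: "If neither C<trusted_networks> or C<internal_networks> is set" should read "neither ... nor", and "all further hosts, are consider untrusted" should read "are considered untrusted". Beyond that, the three items now form an ordered decision (the last one begins "Otherwise") but are still presented as unordered "=item *" bullets; a sentence saying the rules are applied in order to each Received header, starting from the top one, would make that explicit. In the second item, "the previous host" is ambiguous between the relay nearer the recipient and the one nearer the sender, and "authentication tokens" is not defined, so an administrator cannot tell from this text which relays end up trusted when neither setting is configured.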

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm?view=diff&rev=496308&r1=496307&r2=496308
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm Mon Jan 15 05:19:37 2007
@@ -136,34 +136,7 @@
       $self->make_relay_as_string($relay);
     }
 
-# OK, infer the trusted/untrusted handover, if we don't have real info.
-# Here's the algorithm used (taken from Dan's mail):
-# 
-# Talking with Scott Banister (this was his idea) and Andrew Flury at
-# IronPort, we came up with an alternate and easier algorithm that doesn't
-# involve trees and we think should be good enough most of the time
-# whenever trusted IP headers is not set.  It also has the nice property
-# of being very easy to implement, but it should, of course, be tested
-# out.
-# 
-# "first" = top Received line in the message
-# 
-# "public" = not a local or private IP address
-# 
-# "mypublicnet" = first public "by" address
-# 
-# 1. Trust all Received line where the "from" IP is in mypublicnet/16
-#    regardless of where they appear.  (The goal is to remove any relay
-#    steps that involve your network, relying on /16 is good enough since
-#    anything on your /16 is you or at worst involves your ISP.)
-# 
-# 2. Trust all Received lines that contain local (127) or private (10.1,
-#    etc.) IP addresses anywhere, whether "from" or "by".
-# 
-# 3. The first Received line that you don't trust is the one that
-#    contains the "by" of your trusted relay and the "from" of the first
-#    untrusted relay (which is used for bondedsender testing and so on).
-
+    # OK, infer the trusted/untrusted handover, if we don't have real info.
     if ($in_trusted) {
       unless ($did_user_specify_trust || $did_user_specify_internal) {
 	my $inferred_as_trusted = 0;
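Review bot: the replacement comment "# OK, infer the trusted/untrusted handover, if we don't have real info." no longer tells the reader which rules the block below implements, now that the full description of the old algorithm is removed. A two- or three-line summary of the new inference (private-range 'from' address is trusted; authenticated host after a trusted one is trusted; otherwise this and all further hosts are untrusted), or a pointer to the trusted_networks POD in Conf.pm, would keep the code and the documentation from drifting apart again, which is what this commit is correcting.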