Posted to users@spamassassin.apache.org by Art Greenberg <ar...@eclipse.net> on 2013/09/18 01:56:56 UTC

Trying to understand "lastexternal", "firsttrusted", etc.

I am running SA on my private mail server. Mail comes in directly for one 
domain (using no-ip.com to get around a port block), and via fetchmail for 
several others. I have listed the MXes at no-ip.com and the ISP machines 
that fetchmail goes to as "trusted", and my (static) domain IP as 
"internal".

Using a single test email that is known to be spam, portions of the 
SA debug output look like this:

Sep 17 19:24:51.580 [939] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
Sep 17 19:24:51.581 [939] dbg: dns: IPs found: full-external: 216.178.94.75, 127.0.0.1, 216.178.66.140, 67.234.193.117, 10.11.48.81 
untrusted: 67.234.193.117 originating:
Sep 17 19:24:51.581 [939] dbg: dns: only inspecting the following IPs: 67.234.193.117
...
Sep 17 19:24:51.584 [939] dbg: dns: checking RBL bl.mailspike.net., set mspike-lastexternal
Sep 17 19:24:51.584 [939] dbg: dns: IPs found: full-external: 216.178.94.75, 127.0.0.1, 216.178.66.140, 67.234.193.117, 10.11.48.81 
untrusted: 67.234.193.117 originating:
Sep 17 19:24:51.584 [939] dbg: dns: no untrusted IPs to check
...
Sep 17 19:24:51.584 [939] dbg: dns: checking RBL bb.barracudacentral.org., set brbl-lastexternal
Sep 17 19:24:51.584 [939] dbg: dns: IPs found: full-external: 216.178.94.75, 127.0.0.1, 216.178.66.140, 67.234.193.117, 10.11.48.81 
untrusted: 67.234.193.117 originating:
Sep 17 19:24:51.585 [939] dbg: dns: no untrusted IPs to check
...
Sep 17 19:24:51.585 [939] dbg: dns: checking RBL sa-trusted.bondedsender.org., set ssc-firsttrusted
Sep 17 19:24:51.585 [939] dbg: dns: IPs found: full-external: 216.178.94.75, 127.0.0.1, 216.178.66.140, 67.234.193.117, 10.11.48.81 
untrusted: 67.234.193.117 originating:
Sep 17 19:24:51.585 [939] dbg: dns: only inspecting the following IPs: 67.234.193.117
...
Sep 17 19:24:51.586 [939] dbg: dns: checking RBL zen.spamhaus.org., set zen
Sep 17 19:24:51.586 [939] dbg: dns: IPs found: full-external: 216.178.94.75, 127.0.0.1, 216.178.66.140, 67.234.193.117, 10.11.48.81 
untrusted: 67.234.193.117 originating:
Sep 17 19:24:51.586 [939] dbg: dns: only inspecting the following IPs: 67.234.193.117
...
X-Spam-RelaysUntrusted: [ ip=67.234.193.117 rdns= helo=pa-67-234-193-117.dhcp.embarqhsd.net 
by=spamfilter.netcarrier.com ident= envfrom= intl=0 id=20130916184440875 auth= msa=0 ]
[ ip=10.11.48.81 rdns=media5.latf1.colo.j2noc.com helo=media5.latf1.colo.j2noc.com
by=latf1.efax.com ident= envfrom= intl=0 id=E10BMM841XX auth= msa=0 ]

(netcarrier.com is one of the ISPs that I use fetchmail on.)

I have read the wiki and the docs, but I still don't understand what 
exactly is happening.

The "lastexternal" tests do list an untrusted IP, yet that IP is deemed 
not appropriate to test. But the "firsttrusted" and other tests do test 
that IP.

Please, someone help me understand this.

Thanks.


--
Art Greenberg
artg@eclipse.net


Re: Trying to understand "lastexternal", "firsttrusted", etc.

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Tue, 17 Sep 2013 19:56:56 -0400 (EDT)
>Art Greenberg wrote:
>> I am running SA on my private mail server. Mail comes in directly for
>> one domain (using no-ip.com to get around a port block), and via
>> fetchmail for several others. I have listed the MXes at no-ip.com and
>> the ISP machines that fetchmail goes to as "trusted", and my (static)
>> domain IP as "internal".
>>
>>   ...
>>
>> The "lastexternal" tests do list an untrusted IP, yet that IP is
>> deemed not appropriate to test. But the "firsttrusted" and other
>> tests do test that IP.

On 18.09.13 12:04, RW wrote:
>You need to put the ISP into your internal network for last-external
>tests to work.

Not the ISP, but the MX servers or your e-mail service provider.
That means the IPs of the machine(s) you directly receive the mail through.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average. 

Re: Trying to understand "lastexternal", "firsttrusted", etc.

Posted by RW <rw...@googlemail.com>.
On Tue, 17 Sep 2013 19:56:56 -0400 (EDT)
Art Greenberg wrote:

> I am running SA on my private mail server. Mail comes in directly for
> one domain (using no-ip.com to get around a port block), and via
> fetchmail for several others. I have listed the MXes at no-ip.com and
> the ISP machines that fetchmail goes to as "trusted", and my (static)
> domain IP as "internal".
> 
>   ...
>
> The "lastexternal" tests do list an untrusted IP, yet that IP is
> deemed not appropriate to test. But the "firsttrusted" and other
> tests do test that IP.

You need to put the ISP into your internal network for last-external
tests to work. 

Ideally the internal network should extend unbroken to all MX servers. If
you have external-trusted servers beyond the internal network, it's not
possible to identify the MX handover; the trusted network may contain
submission servers.
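
A simplified model of the behaviour seen in the debug output and of the advice above, added here as an example; it is not part of the thread and not SpamAssassin's own code. It assumes the three hops ahead of 67.234.193.117 in the full-external list are the poster's trusted-but-not-internal relays, that a trusted hop is never looked up for a blocklist rule, and it uses 192.0.2.10 as a placeholder for the poster's static IP.

```python
import ipaddress

# Relay IPs, newest hop first, copied from the "full-external" debug line above.
RELAYS = ["216.178.94.75", "127.0.0.1", "216.178.66.140",
          "67.234.193.117", "10.11.48.81"]
# Assumption: the hops ahead of 67.234.193.117 are the poster's "trusted" relays.
TRUSTED = ["216.178.94.75", "127.0.0.1", "216.178.66.140"]
OWN_IP = "192.0.2.10"  # constructed placeholder for the poster's static IP


def _inside(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def _leading(relays, nets):
    """Number of hops, counted from the newest, forming an unbroken run inside nets."""
    count = 0
    for ip in relays:
        if not _inside(ip, nets):
            break
        count += 1
    return count


def _public(ips):
    """Drop loopback and private addresses, as the debug 'untrusted' list does."""
    return [ip for ip in ips
            if not (ipaddress.ip_address(ip).is_private
                    or ipaddress.ip_address(ip).is_loopback)]


def rbl_targets(relays, trusted, internal):
    """Return the IPs a '-lastexternal' and a '-firsttrusted' rule would query."""
    trusted = list(trusted) + list(internal)      # internal hosts are also trusted
    external = _public(relays[_leading(relays, internal):])
    untrusted = _public(relays[_leading(relays, trusted):])
    # The hop that handed the mail to the internal network; a trusted hop is
    # not looked up on a blocklist (assumption consistent with the debug output).
    last_external = [ip for ip in external[:1] if not _inside(ip, trusted)]
    return {"lastexternal": last_external, "firsttrusted": untrusted[:1]}


as_posted = rbl_targets(RELAYS, TRUSTED, [OWN_IP])             # relays only "trusted"
as_advised = rbl_targets(RELAYS, TRUSTED, [OWN_IP] + TRUSTED)  # relays also "internal"
print(as_posted)
print(as_advised)
```

With the relays only trusted, the last-external hop is itself a trusted relay, so nothing is queried; once they are also internal, the last-external hop becomes 67.234.193.117.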