Re: ALL_TRUSTED score

[Matt Kettler <mk...@comcast.net>]

Bowie Bailey wrote:
> I was just looking through the default scores and I noticed that
> ALL_TRUSTED is only scored at -1.8.  I thought it had a much lower
> score than that.  Am I completely off track, or did something change
> in one of the recent versions?
>   

It got hacked back because trust-path misconfiguration is VERY common.

ie: SA will by default FP ALL_TRUSTED on all direct-delivered spam with
no extra received: headers if your MX server is NATed or otherwise has a
reserved IP address..

This is because by default SA will trust the first public IP, assuming
that to be your MX, and all the privates to be internal relays.

Unfortunately, as the world of IT goes now, static-mapped NAT for
mailservers is just as common as direct-public IPed mailservers. The
static-mapping allows you to conserve IP space when making multiple
DMZs.. You only loose 3 public IPs total for network/broadcast/gateway,
instead of 3 per DMZ (network, broadcast, gateway). Everything is mapped
to useable IPs in the private nets, so the IPs lost in each DMZ for
net/bcast/gate are all private IPs with no public mappings.