Posted to users@spamassassin.apache.org by Lars Ippich <la...@speicherplatz4you.de> on 2007/10/18 02:19:26 UTC

trusted_networks and RCVD_IN_DNSWL_*

Hi list,

I run into the same problem the administrator in the thread
"RCVD_IN_DNSWL_LOW" has: Having mails being forwarded and having the SA
rules applied to the wrong mail server causing imprecise filter results.

Now I added IPs to trusted_networks and that causes another problem: The
trusted_network IPs are in the DNSWL and therefore get a positive bonus
from SA. I did not find a solution to disable this test in postfix for
specific IPs and that would probably cause other problems anyway, so I
thought it might be the easiest way to just disable the DNSWL rule in SA
for the case the IP of the scanned mail is in trusted_networks.

Is this possible or has somebody another way to solve it?

Lars Ippich


Re: trusted_networks and RCVD_IN_DNSWL_*

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > For this, SA 3.2.* has its own rules for DNSWL, which you throw away
> > with your custom rule, since they are identically named. The built-in
> > rule for SA 3.2.* is:
> > 
> > header  RCVD_IN_DNSWL_LOW       eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
> > describe RCVD_IN_DNSWL_LOW      Sender listed at http://www.dnswl.org/, low trust
> > tflags RCVD_IN_DNSWL_LOW        nice net

On 18.10.07 19:56, Lars Ippich wrote:
> I am using 3.0.3 (from my distribution and therefore cannot update
> without compiling myself). I guess the rule is missing in this version.

If you are using Debian Sarge (it contains 3.0.3), install 3.1.7 from
volatile archive. (see volatile.debian.org)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Silvester Stallone: Father of the RISC concept.

Re: trusted_networks and RCVD_IN_DNSWL_*

Posted by Lars Ippich <la...@speicherplatz4you.de>.
Alex,

> For this, SA 3.2.* has its own rules for DNSWL, which you throw away
> with your custom rule, since they are identically named. The built-in
> rule for SA 3.2.* is:
> 
> header  RCVD_IN_DNSWL_LOW       eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
> describe RCVD_IN_DNSWL_LOW      Sender listed at http://www.dnswl.org/, low trust
> tflags RCVD_IN_DNSWL_LOW        nice net

I am using 3.0.3 (from my distribution and therefore cannot update
without compiling myself). I guess the rule is missing in this version.

Even though I do not want to query the rbl for every mail, but rather
use my pre-downloaded files from dnswl, I think it might be the easiest
way just to add the above rule to my config.

Anyway: If somebody else knows another solution, please let me know.

Thanks
Lars

Re: trusted_networks and RCVD_IN_DNSWL_*

Posted by Alex Woick <al...@wombaz.de>.
Lars Ippich wrote on 18.10.2007 09:32:

>> header   RCVD_IN_DNSWL_LOW    X-DNS-Whitelist =~ /^low/
>> score    RCVD_IN_DNSWL_LOW    -1
>> describe RCVD_IN_DNSWL_LOW    Sender listed at http://www.dnswl.org/, low trust
[...]
>> # web.de
>> trusted_networks        217.72.192.

> 2) Postfix adds the X-DNS-Whitelist header for this server.

With this setup, the header reflects the DNSWL status of the system that 
sends the mail to your system. That would be web.de, for example, if 
web.de delivers to you. This ignores trusted_networks. SA has to check 
the system that sends to web.de - one step further in the received: chain.

For this, SA 3.2.* has its own rules for DNSWL, which you throw away 
with your custom rule, since they are identically named. The built-in 
rule for SA 3.2.* is:

header  RCVD_IN_DNSWL_LOW       eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
describe RCVD_IN_DNSWL_LOW      Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW        nice net

With this rule, not the directly sending system is checked for DNSWL, 
but the sender that sends the mail to the first trusted system in the 
trusted-path. That would be the system that sent the mail to web.de. The 
X-DNS-Whitelist header from Postfix is not needed.

How to correct the situation:
Simply remove your customized RCVD_IN_DNSWL_* rules and let SA use its 
built-in rules. Your trusted_networks entry is correct.

Bye
Alex
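
An added illustration of the difference described in the message above (not code from the thread or from SpamAssassin): a simplified model of which relay an MTA-side header describes and which relay a "firsttrusted" lookup checks. The Received lines and host names are constructed; the list.dnswl.org query name and the last-octet trust levels are assumptions taken from DNSWL's published conventions, not from this page.

```python
import ipaddress
import re

# Constructed sample, newest header first. 217.72.192.10 is an invented host in
# the web.de range from the thread; 198.51.100.23 is a documentation address.
RECEIVED = [
    "from forwarder.example (forwarder.example [217.72.192.10]) by mx.local.example (Postfix)",
    "from pc (unknown [198.51.100.23]) by forwarder.example",
]
TRUSTED = [ipaddress.ip_network("217.72.192.0/24")]  # trusted_networks 217.72.192.
LEVELS = ["none", "low", "med", "hi"]  # last octet 0..3 of a DNSWL answer

def relay_ips(received):
    """Bracketed client IP of each Received line, in header order."""
    ips = []
    for line in received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if m:
            ips.append(m.group(1))
    return ips

def connecting_ip(received):
    """What an MTA-side lookup (the X-DNS-Whitelist header) describes."""
    ips = relay_ips(received)
    return ips[0] if ips else None

def first_untrusted(received, trusted):
    """Relay that handed the mail to the outermost trusted host, or None."""
    for ip in relay_ips(received):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in trusted):
            return ip
    return None  # whole chain is trusted: nothing to look up

def dnswl_query_name(ip):
    """DNS name queried for an IPv4 address: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + ".list.dnswl.org"

def trust_level(answer):
    """Map a 127.0.x.y answer to its level; y == 1 is what the LOW rule matches."""
    m = re.fullmatch(r"127\.0\.\d+\.([0-3])", answer)
    return LEVELS[int(m.group(1))] if m else None

if __name__ == "__main__":
    print("MTA header describes:", connecting_ip(RECEIVED))
    target = first_untrusted(RECEIVED, TRUSTED)
    print("firsttrusted lookup :", target, "->", dnswl_query_name(target))
```

With the custom header rules, the bonus is earned by the forwarder's own listing; with the boundary lookup it is earned, or not, by the host that handed the mail to the forwarder.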

Re: trusted_networks and RCVD_IN_DNSWL_*

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 18.10.07 17:32, Lars Ippich wrote:
> >> Now I added IPs to trusted_networks and that causes another problem: The
> >> trusted_network IPs are in the DNSWL and therefore get a positive bonus
> >> from SA.

I guess that's the meaning of trusted_networks setting (or at least one of
its meanings)

> > Hm, somehow I can't follow what you're trying to do. Can you post the
> > relevant parts of your configuration?
> 
> Sure:
> 
> > header   RCVD_IN_DNSWL        X-DNS-Whitelist =~ /^none/
> > score    RCVD_IN_DNSWL        -0.1
> > describe RCVD_IN_DNSWL        Sender listed at http://www.dnswl.org/, no trust
> > 
> > header   RCVD_IN_DNSWL_LOW    X-DNS-Whitelist =~ /^low/
> > score    RCVD_IN_DNSWL_LOW    -1
> > describe RCVD_IN_DNSWL_LOW    Sender listed at http://www.dnswl.org/, low trust
> > 
> > header   RCVD_IN_DNSWL_MED    X-DNS-Whitelist =~ /^med/
> > score    RCVD_IN_DNSWL_MED    -4
> > describe RCVD_IN_DNSWL_MED    Sender listed at http://www.dnswl.org/, medium trust
> > 
> > header   RCVD_IN_DNSWL_HI     X-DNS-Whitelist =~ /^hi/
> > score    RCVD_IN_DNSWL_HI     -8
> > describe RCVD_IN_DNSWL_HI     Sender listed at http://www.dnswl.org/, high trust
> > 
> > header   RCVD_IN_DNSWL_NO     X-DNS-Whitelist =~ /^No$/
> > score    RCVD_IN_DNSWL_NO     0.1
> > describe RCVD_IN_DNSWL_NO     Sender *not* listed at http://www.dnswl.org/

Here you replaced RCVD_IN_DNSWL* rules.

> > # web.de
> > trusted_networks        217.72.192.
> 
> What now happens is the following:
> 
> 1) I get a mail (from a server within the trusted_networks range).
> 2) Postfix adds the X-DNS-Whitelist header for this server.
> 3) SpamAssassin gets the mail and checks it.
> 3a) SpamAssassin notes that the mail has been handled by a server from
> the trusted_networks range before.

I don't think SA checks that, unless your scores do not apply.
Your scores above make SA not to check for trusted hosts.

> 3b) Therefore SpamAssassin applies all tests to the server one more hop
> away.

Not all. Blacklist checks are done on the internal network boundary.

> 3c) SpamAssassin does not know that the X-DNS-Whitelist entry does not
> belong to the server within the trusted_networks range and therefore
> applies a bonus score on the mail.

It's a problem of your scores, not a problem of SA. Originally SA does the check
itself on the trusted_networks boundary and does not check headers added by
postfix.

> 4) The mail does not get ranked as spam due to the bonus spam.
> 5) I get spam.
> 
> If it is not possible to make something like an if statement preventing
> this from happening, I would be happy about some information on how to
> integrate dnswl.org into SpamAssassin.

I am not completely sure how DNSWL tests are meant. It seems that all
whitelist rules apply only for hosts you added to trusted_networks.
(Someone please correct me if I'm wrong)

However, the trusted_networks setting is described:

<CITE>
A trusted host could conceivably relay spam, but will not originate it, and
will not forge header data. 
</CITE>

Therefore, it's expected that the trusted host only relayed spam for you.
I always warn users and colleagues that EVERY MAIL FORWARDING DEGRADES SPAM
FILTERING CAPABILITIES. And it's not just because of these options.
If someone forwards mail, (s)he should take care of spam before forwarding,
not after it.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: trusted_networks and RCVD_IN_DNSWL_*

Posted by Lars Ippich <la...@speicherplatz4you.de>.
Matthias,

>> Now I added IPs to trusted_networks and that causes another problem: The
>> trusted_network IPs are in the DNSWL and therefore get a positive bonus
>> from SA.
> 
> Hm, somehow I can't follow what you're trying to do. Can you post the
> relevant parts of your configuration?

Sure:

> header   RCVD_IN_DNSWL        X-DNS-Whitelist =~ /^none/
> score    RCVD_IN_DNSWL        -0.1
> describe RCVD_IN_DNSWL        Sender listed at http://www.dnswl.org/, no trust
> 
> header   RCVD_IN_DNSWL_LOW    X-DNS-Whitelist =~ /^low/
> score    RCVD_IN_DNSWL_LOW    -1
> describe RCVD_IN_DNSWL_LOW    Sender listed at http://www.dnswl.org/, low trust
> 
> header   RCVD_IN_DNSWL_MED    X-DNS-Whitelist =~ /^med/
> score    RCVD_IN_DNSWL_MED    -4
> describe RCVD_IN_DNSWL_MED    Sender listed at http://www.dnswl.org/, medium trust
> 
> header   RCVD_IN_DNSWL_HI     X-DNS-Whitelist =~ /^hi/
> score    RCVD_IN_DNSWL_HI     -8
> describe RCVD_IN_DNSWL_HI     Sender listed at http://www.dnswl.org/, high trust
> 
> header   RCVD_IN_DNSWL_NO     X-DNS-Whitelist =~ /^No$/
> score    RCVD_IN_DNSWL_NO     0.1
> describe RCVD_IN_DNSWL_NO     Sender *not* listed at http://www.dnswl.org/
> 
> # web.de
> trusted_networks        217.72.192.

What now happens is the following:

1) I get a mail (from a server within the trusted_networks range).
2) Postfix adds the X-DNS-Whitelist header for this server.
3) SpamAssassin gets the mail and checks it.
3a) SpamAssassin notes that the mail has been handled by a server from
the trusted_networks range before.
3b) Therefore SpamAssassin applies all tests to the server one more hop
away.
3c) SpamAssassin does not know that the X-DNS-Whitelist entry does not
belong to the server within the trusted_networks range and therefore
applies a bonus score on the mail.
4) The mail does not get ranked as spam due to the bonus spam.
5) I get spam.

If it is not possible to make something like an if statement preventing
this from happening, I would be happy about some information on how to
integrate dnswl.org into SpamAssassin.

Thanks,
Lars


Re: trusted_networks and RCVD_IN_DNSWL_*

Posted by Matthias Leisi <ma...@leisi.net>.
> Now I added IPs to trusted_networks and that causes another problem: The
> trusted_network IPs are in the DNSWL and therefore get a positive bonus
> from SA.

Hm, somehow I can't follow what you're trying to do. Can you post the
relevant parts of your configuration?

> I did not find a solution to disable this test in postfix for
> specific IPs and that would probably cause other problems anyway, so I

Yes, you can use dnswl.org data in your MTA (Postfix, Sendmail, whatever)
as well as in SpamAssassin, but they are independent of each other.

> thought it might be the easiest way to just disable the DNSWL rule in SA
> for the case the IP of the scanned mail is in trusted_networks.
>
> Is this possible or has somebody another way to solve it?

I suspect that something with your trusted_networks is not the way it is
thought to be ;)

-- Matthias