Jay Levitt wrote:
Andy Jezierski wrote:This is happening to me too - in fact, as far as I can tell, ALL spam hits ALL_TRUSTED.  I don't have any trusted networks defined either; my machine is on a private 192.168/16 IP inside a NAT firewall, and its external and internal DNS records differ accordingly, if that affects how SA auto-detects trusted networks.  However, none of the messages I've checked had a 192.168 Received: line in them.  I uploaded config, sample message, and debug output to bug 3636.
OK, I think I may have figured this out:  ALL_TRUSTED is being scored as if it really means "all trusted", when what it really means is "none known for certain to be untrusted".  One example: any spam that didn't come through a relay (e.g. direct-to-MX spam) is getting marked all trusted, because there's only one relay, that's me, and it's trusted.  Oy!

Another example: Any spam whose other Received: lines are odd-format or otherwise ignored.  F'rinstance, these:

Received: from linux.home.jay.fm ([unix socket])
	by linux.home.jay.fm (Cyrus v2.1.12-Mandrake-RPM-2.1.12-1mdk) with LMTP; Sat, 07 Aug 2004 09:27:45 -0400
X-Sieve: CMU Sieve 2.2
Received: from ns.sign-on-africa1.net ([66.227.5.177])
	by linux.home.jay.fm (8.12.10/8.12.10) with ESMTP id i77DRgh7017380
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <[EMAIL PROTECTED]>; Sat, 7 Aug 2004 09:27:43 -0400
Received: from mellamed by ns.sign-on-africa1.net with local (Exim 4.34)
	id 1BtRkP-00070Y-Rx; Sat, 07 Aug 2004 10:00:34 -0400
Received: from 80.88.138.202 ([80.88.138.202])
        (SquirrelMail authenticated user [EMAIL PROTECTED])
        by www.mellamed.com with HTTP;
        Sat, 7 Aug 2004 10:00:33 -0400 (EDT)

produce this output:

debug: received-header: parsed as [ ip=66.227.5.177 rdns= helo=ns.sign-on-africa1.net by=linux.home.jay.fm ident= envfrom= intl=0 id=i77DRgh7017380 ]
debug: received-header: ignored SquirrelMail injection: from 80.88.138.202 ([80.88.138.202]) (SquirrelMail authenticated user [EMAIL PROTECTED]) by www.mellamed.com with HTTP; Sat, 7 Aug 2004 10:00:33 -0400 (EDT)
debug: looking up A records for 'linux.home.jay.fm'
debug: A records for 'linux.home.jay.fm': 192.168.1.150
debug: looking up A records for 'linux.home.jay.fm'
debug: A records for 'linux.home.jay.fm': 192.168.1.150
debug: received-header: 'by' linux.home.jay.fm has reserved IP 192.168.1.150
debug: received-header: 'by' linux.home.jay.fm has no public IPs
debug: received-header: relay 66.227.5.177 trusted? yes internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=66.227.5.177 rdns= helo=ns.sign-on-africa1.net by=linux.home.jay.fm ident= envfrom= intl=0 id=i77DRgh7017380 ]
debug: metadata: X-Spam-Relays-Untrusted: 

My received: line is trusted.  The second received: line is ignored because of "with local" (line 811 of Received.pm).  The third is ignored because of SquirrelMail.  And voila, an entire chain of untrusted hosts is declared trusted.

This seems too broken to fix for 3.0, honestly... I've set ALL_TRUSTED's score to 0.

Jay Levitt
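
The failure mode described in this message, as an added example that is not part of the original post and is not SpamAssassin's code: a toy Python model of the trusted/untrusted split, run over the three Received: headers and the A record quoted above. The function names are hypothetical, and `all_trusted_strict` is an assumption about what a literal "all trusted" would require.

```python
import ipaddress
import re

# Received: headers from the post, newest first, folded lines joined.
HEADERS = [
    "from ns.sign-on-africa1.net ([66.227.5.177]) by linux.home.jay.fm "
    "(8.12.10/8.12.10) with ESMTP id i77DRgh7017380",
    "from mellamed by ns.sign-on-africa1.net with local (Exim 4.34) "
    "id 1BtRkP-00070Y-Rx",
    "from 80.88.138.202 ([80.88.138.202]) (SquirrelMail authenticated user "
    "[EMAIL PROTECTED]) by www.mellamed.com with HTTP",
]
A_RECORDS = {"linux.home.jay.fm": ["192.168.1.150"]}  # from the debug output
RELAY = re.compile(r"from \S+ \(\[(?P<ip>[\d.]+)\]\).*? by (?P<by>\S+)"
                   r"(?: \([^)]*\))? with (?P<proto>\w+)")


def split_relays(headers, a_records):
    """Toy model of the logged behaviour: skip 'local' and HTTP hops, and
    trust a relay whose 'by' host resolves only to reserved addresses."""
    trusted, untrusted, ignored = [], [], []
    for header in headers:
        m = RELAY.search(header)
        if not m or m["proto"] in ("local", "HTTP"):
            ignored.append(header)
            continue
        addrs = a_records.get(m["by"], [])
        reserved = bool(addrs) and all(
            ipaddress.ip_address(a).is_private for a in addrs)
        # Trust cannot resume once an untrusted hop has been seen.
        (trusted if reserved and not untrusted else untrusted).append(m["ip"])
    return trusted, untrusted, ignored


def all_trusted_as_scored(trusted, untrusted, ignored):
    """The meaning the post observes: no relay is known to be untrusted."""
    return not untrusted


def all_trusted_strict(trusted, untrusted, ignored, trusted_networks):
    """Hypothetical literal reading: every header parsed, and every relay
    inside a network the admin explicitly listed."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return (not ignored and not untrusted and bool(trusted) and all(
        any(ipaddress.ip_address(ip) in n for n in nets) for ip in trusted))
```

Passing only the first header models the direct-to-MX case from the message: the looser check still fires, while the strict one stays false until the relay's network is listed explicitly.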
