On Thu, 2004-11-04 at 14:14, Dave Goodrich wrote:
> Sean Doherty wrote:
> > On Wed, 2004-11-03 at 21:40, Dave Goodrich wrote:
> >
> >>Good afternoon,
> >>
> >>I just finished testing an upgrade of SA to 3.01 and my scores fell
> >>through the floor. Read the docs, tried to use the Wiki, followed
> >>everyone else's upgrade on the list. Not sure just what went wrong.
> >
> >
> >>X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on avhost.tls.net
> >>X-Spam-Status: No, score=0.6 required=5.0 tests=ALL_TRUSTED,DRUGS_ERECTILE,
> >> FROM_NO_LOWER,INVALID_DATE,MISSING_SUBJECT,RM_hm_EmtyMsgid
> >> autolearn=disabled version=3.0.1
> >
> >
> > You need to specify trusted_networks in local.cf, otherwise
> > you're going to continue to hit the ALL_TRUSTED rule which can
> > *decrease* your score by up to -3.3. If you don't specify
> > trusted_networks then SpamAssassin infers what your trusted
> > networks are - and the inference algorithm may not always get
> > the correct result. For instance if your mail relay/server is
> > on a private network and NATed thru a firewall, then the
> > algorithm may infer incorrectly that the connecting mail server
> > is trusted. i.e. the algorithm assumes that since you're a
> > private address, then the next hop server must belong to you
> > since your MX must be public. However it does not take NAT
> > into account. Setting trusted_networks appropriately will solve
> > this issue (I don't think SA 2.64 has the ALL_TRUSTED rule - or
> > at least it scores low).
> I will look into that, I didn't set it as I want no network to be
> trusted. I'll reread what I can find on that.
Just set trusted_network 127.0.0.1
> >
> > Since you hit ALL_TRUSTED certain other DNS based tests are not
> > run.
> Eh? Where do I find this out?
Check out trusted_network section of Mail::SpamAssassin::Conf
i.e no RBL tests on trusted networks.
> I don't want any networks trusted, infered or otherwise. So I left
> trusted_networks and internal_networks both blank.
My understanding is that if unset trusted_networks will be infered.
Setting it to the loopback address and/or the host IP address will
prevent this.
> > Also skip_rbl_checks will do just that.
> Umm I don't follow you there, are you saying skip_rbl_checks will skip
> SURBL? Because if it does, I'll need to go back to 2.64.
No. Just pointing out that no RBL tests will not be run.
Also, Matt Kettler pointed out in this thread that reason for the
ALL_TRUSTED firing may not be entirely related invalid inference
of trust, but because the Received headers had unknown format in
the debug output.
- Sean
