Sandy S wrote:
> I know there's been a lot of talk on the ALL_TRUSTED rule, but I
> don't remember seeing this issue and couldn't find it in a search of
> the list archives.
>
> We've gotten several spams recently that made it through because they
> hit the ALL_TRUSTED rule. We have a standard setup and haven't had
> trouble with this rule before, so I ran one of the messages through
> spamassassin -D. The debug output showed:
[snip]
> debug: looking up A records for 'merlin.boreal.org'
> debug: A records for 'merlin.boreal.org': 216.70.16.15
> debug: received-header: 'from' 71.8.49.195 has reserved IP

This is definitely weird; 71.0.0.0/8 is NOT special in any way I know of.

> Notice that the IP the spams came from is marked as a "reserved IP"
> and apparently because of this it's being flagged as trusted. What
> is a reserved IP and how can I tell spamassassin that this IP isn't
> one?

I dug into the code, and finally found the culprit - hardcoded IANA "reserved" IP space lists. 71/8 through 79/8 are tagged this way.

To "fix" this, find the file Constants.pm, and change line 98:

- 7[1-9]| # 071-079/8: IANA Reserved
+ 7[3-9]| # 073-079/8: IANA Reserved

(For 2.6x, this information is in Dns.pm.)

According to http://www.iana.org/assignments/ipv4-address-space, 71/8 and 72/8 have been delegated to ARIN for allocation.

I understand some of why these are hardcoded like this, but this is VERY dangerous - just because it's reserved by IANA does NOT mean it can't be allocated to someone tomorrow!

I once had a number of these "reserved" /8 blocks listed in my firewall, and it caused some truly annoying trouble. Several months later, I was looking at the listing for some other reason, and noticed that one such block in question was no longer reserved. I removed *all* such entries immediately in order to prevent further such problems.

-kgd
--
Get your mouse off of there! You don't know where that email has been!
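
Review bot: the `+` line still hardcodes 73/8 through 79/8 as IANA reserved in `7[3-9]|`, so the same misclassification comes back as soon as any of those blocks is delegated, which is the risk the message itself describes. Suggest removing unallocated /8 ranges from this pattern rather than narrowing it, or at least extending the trailing comment to record when the range was last checked against http://www.iana.org/assignments/ipv4-address-space. The change is also located only by "line 98" of Constants.pm, which will not hold across versions (the message notes 2.6x keeps this in Dns.pm), so identifying the line by its `# 071-079/8: IANA Reserved` comment would be safer.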
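
The failure mode described in this message, as an added example that is not SpamAssassin's code: a first-octet pattern in the style of the quoted `7[1-9]|` line is audited against a registry snapshot to find /8 blocks that are hardcoded as reserved but already delegated. The reduced patterns, the snapshot dictionary and all function names are assumptions made for illustration.

```python
import re

# Reduced first-octet patterns in the style of the two lines quoted in the
# message (illustrative; not the full reserved list from Constants.pm).
OLD_RESERVED = re.compile(r"^(?:7[1-9])\.")
NEW_RESERVED = re.compile(r"^(?:7[3-9])\.")

# Constructed registry snapshot following the message: 71/8 and 72/8 are
# delegated to ARIN, 73/8 through 79/8 are still marked reserved.
SNAPSHOT = {71: "ARIN", 72: "ARIN", **{o: "RESERVED" for o in range(73, 80)}}


def is_hardcoded_reserved(pattern, ip):
    """True if the pattern would class this relay IP as reserved."""
    return pattern.match(ip) is not None


def stale_octets(pattern, snapshot):
    """First octets the pattern calls reserved but the snapshot shows delegated."""
    return sorted(o for o, status in snapshot.items()
                  if status != "RESERVED" and pattern.match(f"{o}.0.0.1"))


def misclassified_relays(pattern, snapshot, relay_ips):
    """Relay IPs matched as reserved although their /8 is delegated."""
    stale = set(stale_octets(pattern, snapshot))
    return [ip for ip in relay_ips
            if is_hardcoded_reserved(pattern, ip)
            and int(ip.split(".")[0]) in stale]


if __name__ == "__main__":
    # First two IPs appear in the quoted debug output; the third is constructed.
    relays = ["71.8.49.195", "216.70.16.15", "75.1.2.3"]
    print("old pattern, stale /8s:", stale_octets(OLD_RESERVED, SNAPSHOT))
    print("old pattern, misclassified:",
          misclassified_relays(OLD_RESERVED, SNAPSHOT, relays))
    print("new pattern, stale /8s:", stale_octets(NEW_RESERVED, SNAPSHOT))

    # Hypothetical later delegation of 75/8: the edited pattern goes stale
    # the same way, which is the risk the message warns about.
    later = {**SNAPSHOT, 75: "DELEGATED (hypothetical)"}
    print("new pattern after hypothetical delegation:",
          misclassified_relays(NEW_RESERVED, later, relays))
```

Run as a release check, a non-empty result from `stale_octets` means the hardcoded list has drifted from the registry and relays in those blocks would be treated as reserved.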