Yeah I do manage the MTA, but I do still want to pass those emails to SpamAssassin for checking - I just don't want SA to run the DNSBL tests against those whitelisted IPs, but I do still want SA to run all its other tests against the email, as it might still be spam anyway. All I could do at the MTA level is tell the MTA not to pass the email over to SA at all, which is not what I want.
Another example might be: say I wanted to add the server of my ISP to trusted_networks. The server doesn't generate spam itself, but it could possibly still have spam passing through it to me from elsewhere. This fits within the description of the correct usage of trusted_networks at http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html: "A trusted host could conceivably relay spam, but will not originate it, and will not forge header data." And at the same time, I want to exclude that server from the DNSBL tests, including the nerd.dk ones I run. Having the server added to trusted_networks means that most of the DNSBL tests won't be run against the server's IP, but the -lastexternal tests still will be. I wish there were some way of completely whitelisting an IP (at SA level) from all DNSBL tests, regardless of -lastexternal etc. I wonder if such functionality will be possible with SA 3.20? As a side note, I think a number of other SA rules could also fire on ham in the above scenario - e.g. there are some rules in SA that look for a HELO name with no dots in it within X-Spam-Relays-Untrusted, such as the __HELO_NO_DOMAIN rule. If I were to (for example) add my ISP's server to trusted_networks, and another customer of that ISP sent an email to me through the ISP's server, most likely this rule (__HELO_NO_DOMAIN) would fire if that other user's computer used a single-word machine name with no dots in it - know what I mean? And that would cause an FP. Likewise with many of the rules in 20_fake_helo_tests.cf which also search for certain strings within X-Spam-Relays-Untrusted, and could conceivably hit on ham emails passed from an end-user to his own server which I might have added to trusted_networks. Right? Wouldn't it be better, therefore, to have those rules in 20_fake_helo_tests.cf (and also the __HELO_NO_DOMAIN rule) use X-Spam-Relays-External instead of X-Spam-Relays-Untrusted?
- Jeremy

"Matt Hampton" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Jeremy Fairbrass wrote:
>> I want to block all emails that come from an IP in China (where the IP is
>> the one connecting to me), *BUT* I want to exclude a particular server in
>> China that is used by a friend who I trust, for example. How could I do
>> that?
>
> Do you manage the MTA? If you do this would be an ideal case for using
> the zz.countries.nerd.dk as a RBL and then whitelist the server at MTA
> level.
>
>> Well, I guess I could make a meta rule that combines my
>> zz.countries.nerd.dk rules with something else that prevents those rules
>> from working if the trusted IP is found within the Received header or
>> something - but that would be fiddly, and would be a nuisance if I had a
>> whole bunch of IPs that I wanted to whitelist. It would obviously be much
>> easier if I could simply trust/exclude from testing all the IPs listed in
>> trusted_networks.
>
> matt
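The "meta rule" approach Jeremy describes as fiddly, written out as an added SpamAssassin local.cf fragment. This is example configuration, not from the thread or from the SpamAssassin project: the rule names, the placeholder IP 203.0.113.5 (a constructed address standing in for the friend's server), and the assumption that zz.countries.nerd.dk encodes China's ISO 3166 numeric code 156 as 127.0.0.156 are all mine. It keys the exemption off X-Spam-Relays-External, the pseudo-header SA builds from the Received: chain, so that the DNSBL lookup still runs against every other last-external relay while the one whitelisted IP never contributes to the score.

```spamassassin
# Added example configuration (not from the original thread).
# Look up the last external relay (the IP that connected to us) in the
# nerd.dk combined country zone. The set name ends in -lastexternal so only
# that relay is queried, never hops further back in the Received: chain.
header   __RCVD_IN_NERD_ZZ  eval:check_rbl('nerdzz-lastexternal', 'zz.countries.nerd.dk.')
tflags   __RCVD_IN_NERD_ZZ  net

# Sub-test on the returned address. zz.countries.nerd.dk answers with
# 127.0.<code div 256>.<code mod 256>; China is ISO 3166 numeric 156, so the
# expected answer is assumed here to be 127.0.0.156.
header   __RCVD_IN_NERD_CN  eval:check_rbl_sub('nerdzz-lastexternal', '127.0.0.156')
tflags   __RCVD_IN_NERD_CN  net

# Match when the last external relay is the one IP we want to exempt.
# The first entry in X-Spam-Relays-External is the last external relay, and
# the pseudo-header is generated by SA itself rather than taken from the
# message, so a sender cannot satisfy this test by adding a header.
# 203.0.113.5 is a constructed placeholder for the friend's server; add one
# such subrule per exempted IP, or widen the regex to cover a range.
header   __RELAY_IS_FRIEND  X-Spam-Relays-External =~ /^\[ ip=203\.0\.113\.5 /

# Only the meta rule carries a score, so the country hit is ignored for the
# exempted relay while every other test on the message still runs normally.
meta     RCVD_IN_CN_NOT_EXEMPT  (__RCVD_IN_NERD_CN && !__RELAY_IS_FRIEND)
describe RCVD_IN_CN_NOT_EXEMPT  Connecting relay is in China and not individually exempted
score    RCVD_IN_CN_NOT_EXEMPT  5.0
```

To check the rule set against a saved message, run it through `spamassassin -D -t < message.eml` and look at the X-Spam-Relays-External value in the debug output to confirm that the exempted IP appears as the first relay; if the friend's mail first passes through another host before reaching you, that host, not the friend's server, is the last external relay and the regex must name that IP instead.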