Chris wrote:
> Before I put my foot in my mouth to my ISP, I'd like to make sure I'm right. 
> From the headers below, what does Embarq/Synacor consider to be ALL_TRUSTED?
>   
The default trust-path auto-guesser assumes that your MX has a public IP
address, not a private address. It *WILL* break if your MTAs have
private IPs and are static NAT-mapped to public IPs.

My guess is that the scanning machine resolves smtp.embarq.synacor.com 
as a private address, causing SA to assume that mxintern.schlund.de is
the MX for the local network, even though it is not.

Based on that assumption, what SA saw was simply a transfer between two
different local private networks attached to the same publicly addressed
MX that is a part of the local net.

This really underscores why it is critical for folks who have NATed
mailservers to explicitly declare a trusted_networks.

More details can be found at:

http://wiki.apache.org/spamassassin/TrustPath



>
> Received: from localhost (localhost.localdomain [127.0.0.1])
>         by smtp.embarq.synacor.com (Postfix) with ESMTP id 3ECA115F5EC
>         for <[EMAIL PROTECTED]>; Tue, 12 Jun 2007 21:32:15 -0400 (EDT)
>  X-Virus-Scanned: amavisd-new at
>  X-Spam-Score: -4.399
>  X-Spam-Level: 
>  X-Spam-Status: No, score=-4.399 tagged_above=-10 required=10
>         tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
>  Received: from smtp.embarq.synacor.com ([127.0.0.1])
>         by localhost (smtp10.embarq.synacor.com [127.0.0.1]) (amavisd-new, 
> port 10024)
>         with ESMTP id J-Y1RUpHW7XQ for <[EMAIL PROTECTED]>;
>         Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
>  Received: from mxintern.schlund.de (mxintern.schlund.de [212.227.126.201])
>         by smtp.embarq.synacor.com (Postfix) with ESMTP id A323615F5A2
>         for <[EMAIL PROTECTED]>; Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
>  Received: from [172.19.16.7] (helo=home.kundenserver.de)
>         by mxintern.kundenserver.de with esmtp (Exim 4.50)
>         id 1HyHiW-0000y9-Mu
>         for [EMAIL PROTECTED]; Wed, 13 Jun 2007 03:32:12 +0200
>  Received: from abuse by home.kundenserver.de with local (Exim 3.36 #1)
>         id 1HyHiW-0004Kl-00
>         for [EMAIL PROTECTED]; Wed, 13 Jun 2007 03:32:12 +0200
>  From: Abuse Department <[EMAIL PROTECTED]>
>  To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>  Subject: Re: Fwd: 74.208.53.91 URGENT: Phish Site http://74.208
>  In-Reply-To: <[EMAIL PROTECTED]>
>  Message-Id: <[EMAIL PROTECTED]>
>  Date: Wed, 13 Jun 2007 03:32:12 +0200
>  X-Virus-Scanned: Symantec AntiVirus Scan Engine
>  X-UI-Msg-Verification: db928a8b4f3b2a34c9e716dce16c42bc
>  Content-Type: 
>  X-UID: 3636
>  X-Length: 4690
>
>   
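
Added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of the three inference rules listed in the SpamAssassin 3.x `trusted_networks` documentation, run over the two relay hops the scanner saw in the headers quoted above. The resolver results (10.0.0.25 for the NATed case, 192.0.2.25 as a public placeholder) and the 10.0.0.0/8 setting are constructed assumptions; the page does not say what smtp.embarq.synacor.com actually resolves to.

```python
import ipaddress

# Reserved ranges for this model: loopback plus the RFC 1918 private blocks.
RESERVED = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reserved(ip):
    return any(ipaddress.ip_address(ip) in net for net in RESERVED)

def same_slash16(a, b):
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/16", strict=False)

def trusted_hops(hops, by_addrs, trusted_networks=None):
    """Trust flag per hop, newest first; trust ends at the first untrusted relay."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks or []]
    # The /16 rule compares against the by-host of the top Received line.
    top_by = by_addrs.get(hops[0][1], [])
    flags, chain_ok = [], True
    for from_ip, by_host in hops:
        if not chain_ok:
            ok = False
        elif trusted_networks is not None:      # explicit setting: no guessing
            ok = any(ipaddress.ip_address(from_ip) in n for n in nets)
        else:                                   # auto-guess, three documented rules
            ok = (any(same_slash16(from_ip, b) for b in top_by)
                  or reserved(from_ip)
                  or any(reserved(b) for b in by_addrs.get(by_host, [])))
        flags.append(ok)
        chain_ok = ok
    return flags

def all_trusted(hops, by_addrs, trusted_networks=None):
    return all(trusted_hops(hops, by_addrs, trusted_networks))

# Hops seen by the scanner, from the quoted headers: (from IP, by host).
HOPS = [("212.227.126.201", "smtp.embarq.synacor.com"),
        ("172.19.16.7", "mxintern.kundenserver.de")]
# Constructed resolver answers, not taken from the page.
NAT_DNS = {"smtp.embarq.synacor.com": ["10.0.0.25"]}
PUBLIC_DNS = {"smtp.embarq.synacor.com": ["192.0.2.25"]}

if __name__ == "__main__":
    print("auto-guess, MX resolves private:", all_trusted(HOPS, NAT_DNS))
    print("auto-guess, MX resolves public: ", all_trusted(HOPS, PUBLIC_DNS))
    # Models a local.cf line "trusted_networks 10.0.0.0/8" (assumed range).
    print("explicit trusted_networks:      ",
          all_trusted(HOPS, NAT_DNS, ["10.0.0.0/8"]))
```

Only the first case reports every hop as trusted, which is the condition under which ALL_TRUSTED fires on mail that arrived from an outside relay.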
