MailScanner setting score ALL_TRUSTED 0???!!!!

Matt Kettler mkettler at EVI-INC.COM
Wed Mar 9 16:50:24 GMT 2005

At 03:32 AM 3/9/2005, Julian Field wrote:
> > Are you completely out of your mind Julian?
>Someone remind me to add that to the list of "ways of getting Jules to
>ignore your email"

Sorry Julian.. I just saw it and my jaw hit the floor. I know you're a
smart guy so I assumed you must have been overcome by temporary insanity... :)

Martin wrote:
>Matt's probably they guy for this (given his comments on the SA list),
>but something like in the SA docs...bit of mouthful, but covers it nicely.

Martin... the bit you suggested is about internal_networks, and not
trusted_networks.. While SA defaults to considering nothing but localhost
to be internal, it DOES default to trying to guess at trusted_networks.
That's the crux of the problem... It guesses poorly in some cases.

"If you're running with DNS checks enabled, SpamAssassin includes code to
infer your trusted networks on the fly, so this may not be necessary.
(Thanks to Scott Banister and Andrew Flury for the inspiration for this
algorithm.) This inference works as follows: "

And the inference algorithm works poorly if you have a NATed mailserver.
SA's algorithm winds up trusting all reserved IP's (ie: any NATed host),
plus the one non-reserved IP that delivered to a reserved IP. This works
great for NAT networks with a normally addressed MX. It works poorly for a
network where everything is NATed. Unfortunately, no algorithm can tell
which of the two cases is going on, and trusting too few hosts is just as
bad as trusting too many, so there's not much that can be done better on an
automatic basis.

Julian: Might I suggest this comment:

If you have problems where ALL_TRUSTED is matching external email,
including spam, then SpamAssassin has become confused about which hosts are
a part of your trusted_networks. The most common cause of this is having a
gateway mail exchanger that has a reserved IP and gets NATed by your
firewall. Fortunately the problem is easy to fix by manually declaring a
trusted_networks setting. See man Mail::SpamAssassin::Conf for details.
Once manually set, SA won't try to guess.

If that does not fix your problem, the other possibility is you have an MTA
that generates malformed Received: headers. If you've modified your
Received: header format, please put it back to the standard format.
SpamAssassin is quite tolerant of deviations from the RFC 2822 format, but
there are some combinations it can't handle. If the malformed headers are
being made by some form of network appliance that you can't fix, report a
bug to your vendor, and as a short-term fix set the score of ALL_TRUSTED to
0. However, realize that other problems may occur as a result of the
mis-parsed headers and the root cause does need fixing.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list