MailScanner setting score ALL_TRUSTED 0???!!!!

Jeff A. Earickson jaearick at COLBY.EDU
Wed Mar 9 21:24:45 GMT 2005


Gang,

Wait a minute here...  Once this thread started up, I said "Ok,
this is bad, I'll comment it out in my spam.assassin.prefs.conf".  I
searched my syslogs and didn't find any previous reference to ALL_TRUSTED,
so I figured this was ok.  Later I grep again, and find spam getting
its score lowered because of this change:

Mar  9 15:32:44 basalt <22>MailScanner[23467]: Message j29KWXqK021827 from
72.9.241.18 (aw-confimer at ebay.com) to colby.edu is spam, SpamAssassin
(score=7.07, required 5, ALL_TRUSTED -3.30, BAYES_50 0.00, DCC_CHECK 2.17, ...

This IP sure isn't anything I trust.  Referring to Matt Kettler's message
about the two reasons for bogus trust, I wondered what my issue is.
I run sendmail 8.13.3, so it should be RFC compliant.  I don't know
what the network guy has done with NATing on our edge routers.  But our
domain (137.146.0.0/16) only has one (real) MX and one machine I
trust -- our mail server at 137.146.210.56.  I wouldn't expect NATing
with a resolvable IP number, right?

If the defaults for SA internal_networks and trusted_networks are "none",
then I don't really understand my problem here.  How did 72.9.241.18
get trusted by SA?

What I *did* do in my spam.assassin.prefs.conf was:

score ALL_TRUSTED 0 0 -0.01 -0.01
trusted_networks 127.0.0.1
trusted_networks 137.146.210.56

i.e., only give a slight change to the score because of trust and then
specify the IP numbers I will trust.  Maybe the trusted_networks and
internal_networks parameters of SA need to be spelled out in MailScanner's
files someplace?  (Yuck).

I'm starting to think that "score ALL_TRUSTED 0" wasn't such a bad idea
after all.

Jeff Earickson
Colby College
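As an added check written for this note (not MailScanner's or SpamAssassin's own code): a small Python script that parses the MailScanner syslog line quoted above and flags any message where ALL_TRUSTED fired although the connecting relay is outside the trusted_networks entries listed in the post. The log regex is an assumption about the log format; the trusted_networks list is copied from the post.

```python
import ipaddress
import re

# MailScanner syslog line as quoted in the post above, joined onto one line
# (syslog writes it as one line; the trailing "..." is the post's truncation).
SAMPLE_LOG = (
    "Mar  9 15:32:44 basalt <22>MailScanner[23467]: Message j29KWXqK021827 from "
    "72.9.241.18 (aw-confimer at ebay.com) to colby.edu is spam, SpamAssassin "
    "(score=7.07, required 5, ALL_TRUSTED -3.30, BAYES_50 0.00, DCC_CHECK 2.17, ..."
)

# The trusted_networks entries from the post (SpamAssassin takes ip[/mask];
# ipaddress.ip_network() treats a bare address as a /32).
TRUSTED_NETWORKS = ["127.0.0.1", "137.146.210.56"]

# Assumed pattern for MailScanner's "is spam, SpamAssassin (...)" log format.
LINE_RE = re.compile(
    r"Message (?P<msgid>\S+) from (?P<ip>\d+(?:\.\d+){3}) .*?"
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), required (?P<req>-?[\d.]+), "
    r"(?P<rules>[^)]*)"
)

def parse_line(line):
    """Extract message id, relay IP, scores and the per-rule score breakdown."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rules = {}
    for item in m.group("rules").split(","):
        name, _, value = item.strip().rpartition(" ")
        try:
            rules[name] = float(value)  # the "..." truncation marker is skipped here
        except ValueError:
            continue
    return {"msgid": m.group("msgid"), "ip": m.group("ip"),
            "score": float(m.group("score")), "required": float(m.group("req")),
            "rules": rules}

def is_trusted(ip, networks):
    """True if ip falls inside any configured trusted_networks entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def suspicious_all_trusted(line, networks=TRUSTED_NETWORKS):
    """ALL_TRUSTED fired although the connecting relay is not one we trust:
    the trust-path misconfiguration symptom discussed in this thread."""
    rec = parse_line(line)
    if rec is None or "ALL_TRUSTED" not in rec["rules"]:
        return False
    return not is_trusted(rec["ip"], networks)
```

Run it over a day's MailScanner log and any line it flags is a relay SpamAssassin treated as trusted without being in trusted_networks, which is the symptom to chase rather than zeroing the rule.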

On Wed, 9 Mar 2005, Martin Hepworth wrote:

> Date: Wed, 9 Mar 2005 10:04:00 +0000
> From: Martin Hepworth <martinh at SOLID-STATE-LOGIC.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!!
>
> Julian
>
> Matt's probably the guy for this (given his comments on the SA list),
> but something like in the SA docs...bit of a mouthful, but covers it nicely.
>
> internal_networks ip.add.re.ss[/mask] ... (default: none)
>    What networks or hosts are 'internal' in your setup. Internal means
> that relay hosts on these networks are considered to be MXes for your
> domain(s), or internal relays. This uses the same format as
> trusted_networks, above.
>
>    This value is used when checking 'dial-up' or dynamic IP address
> blocklists, in order to detect direct-to-MX spamming. Trusted relays
> that accept mail directly from dial-up connections should not be listed
> in internal_networks. List them only in trusted_networks.
>
>    If trusted_networks is set and internal_networks is not, the value
> of trusted_networks will be used for this parameter.
>
>    If neither trusted_networks or internal_networks is set, no
> addresses will be considered local; in other words, any relays past the
> machine where SpamAssassin is running will be considered external.
>
>
> and point them at..
> http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#network_test_options
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Julian Field wrote:
>> As someone who understands the trusted path system in SpamAssassin
>> better than I do, any chance you could give me some wording for the
>> comments?
>>
>> Martin Hepworth wrote:
>>
>>> Julian
>>>
>>> maybe a big comment in the spam.assassin.prefs.conf and updates to the
>>> doccy about this would be helpful.
>>>
>>> Julian Field wrote:
>>>
>>>> Matt Kettler wrote:
>>>>
>>>>> At 12:45 PM 1/14/2005, Julian Field wrote:
>>>>>
>>>>>> - Added zero score for ALL_TRUSTED rule in SpamAssassin as it is
>>>>>> known to
>>>>>>   cause problems.
>>>>>
>>>>> Ok, I know I'm responding very late to a version update, but I just
>>>>> now got around to look at performing an upgrade. In doing so I read
>>>>> the changelogs and my jaw hit the floor.
>>>>>
>>>>> All I have to ask is:
>>>>>
>>>>> Are you completely out of your mind Julian?
>>>>
>>>> Someone remind me to add that to the list of "ways of getting Jules to
>>>> ignore your email"
>>>> :-)
>>>>
>>>> I added it in response to a conversation on the SA list some time ago.
>>>> You know *far* more than I do about SpamAssassin, so I will remove the
>>>> rule again.
>>>>
>>>> Thanks for the message.
>>>>
>>>>> Setting ALL_TRUSTED to zero doesn't fix the problem, it covers up one
>>>>> of the early warning signs that your system is misconfigured! This is
>>>>> like taking painkillers for a case of gangrene, the pain is your
>>>>> warning sign to get help before the infection kills you.
>>>>>
>>>>>
>>>>> The fundamental cause of ALL_TRUSTED misfiring is SA's trust path code
>>>>> being confused by one of two things:
>>>>>
>>>>>         1) non RFC compliant Received: headers by the local MTA. All
>>>>> MTAs supported by MailScanner default to using RFC compliant formats,
>>>>> but some people modify them to be invalid.
>>>>>
>>>>>         2) A network with a NATed gateway MX.
>>>>>
>>>>> Case 1) needs to be fixed by un-breaking your MTA configuration.
>>>>> Case 2) needs to be fixed by setting a correct trusted_networks value
>>>>> in your local.cf.
>>>>>
>>>>> Setting the score to zero prevents the "ALL_TRUSTED" problem from
>>>>> showing up, but you're actually inhibiting the warning signs of a much
>>>>> more severe problem that needs critical attention!
>>>>>
>>>>> If SA's trust path is incorrectly configured you can have MANY other
>>>>> problems, ALL_TRUSTED mis-firing is just the first sign. The broken
>>>>> trust path will cause FPs in the bonded sender tests in messages with
>>>>> forged headers, FNs AND FPs in whitelist_from_rcvd, FPs in any dialup
>>>>> RBL. Just to name a few of the problems that crop up from this.
>>>>>
>>>>> The implications of a broken trust path are very severe. This is not a
>>>>> problem that should be covered up one symptom at a time. It needs to be
>>>>> fixed at the cause, or it's only going to get worse as SA makes more
>>>>> and more use of the trust path code.
>>>>>
>>>>> ------------------------ MailScanner list ------------------------
>>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>> 'leave mailscanner' in the body of the email.
>>>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>
>>>> --
>>>> Julian Field
>>>> www.MailScanner.info
>>>> MailScanner thanks transtec Computers for their support
>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>>
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>
>>> **********************************************************************
>>>
>>> This email and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to whom they
>>> are addressed. If you have received this email in error please notify
>>> the system manager.
>>>
>>> This footnote confirms that this email message has been swept
>>> for the presence of computer viruses and is believed to be clean.
>>>
>>> **********************************************************************
>>>
>>
>
