MailScanner setting score ALL_TRUSTED 0???!!!! - SA trust paths; doing it correctly?

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Thu Mar 10 12:39:34 GMT 2005


Julian

I thought it might be appropriate to start a thread here that will help
clarify the issues arising from Matt Kettler's comments about
ALL_TRUSTED. 

I believe what I have done now correctly specifies and exploits the SA
"trust path" features.

I have removed "score ALL_TRUSTED 0" from
/etc/MailScanner/spam.assassin.prefs.conf.

This line is replaced by two sets of new SA preferences in that file:

1. A block of "trusted_networks ..." lines. 

These are simply the network IP blocks that I already define in the
"Spam Checks = %rules-dir%/Spam_Checks.rules" file and which have "no"
as the action. That is to say I don't want MS treating mail from these
sources as spam and I don't want SA to do DNSBL checks on them. I
"trust" them because they are all within our campus network.

2. A block of "internal_networks ..." lines.

There is an "internal_networks ..." record for the IP address of each of
the 8 mail relays that host our 50+ mail domains. Note that these
addresses are also included in the trusted_networks address blocks
specified above.

It is important (as I understand it) that I exclude from the
"internal_networks ..." records the one mail relay we allow our
external/peripatetic users to specify as their SMTP host in POP, etc,
mailers. If I include the IP address of this host in the list then any
connections to it from hosts listed in the DYNABLOCK RBL would have a
HELO_DYNAMIC_* score added to their SA total scores.

Note that you might already be seeing contributions from HELO_DYNAMIC_*
SA rules because in the absence of _both_ "trusted_networks" and
"internal_networks" definitions, SA will try to infer what are the
"trusted" hosts in your network. However it is not always possible to do
this automatically. If SA gets its guesses wrong this can lead to an
increase in both FNs and FPs. Hence it is safer to do it explicitly as
above.  

I hope I have understood things correctly. If not would someone who
understands this part of SA better let me know immediately - I am
running with the above setup in "spam.assassin.prefs.conf" now!!


Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>Sent: 09 March 2005 17:45
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!!
>
>Matt Kettler wrote:
>
>> At 03:32 AM 3/9/2005, Julian Field wrote:
>>
>>> > Are you completely out of your mind Julian?
>>>
>>> Someone remind me to add that to the list of "ways of getting Jules to
>>> ignore your email"
>>> :-)
>>
>> Sorry Julian.. I just saw it and my jaw hit the floor. I know you're a
>> smart guy
>
>You're too kind :)
>
>> so I assumed you must have been overcome by temporary insanity... :)
>
>Wibble.... what's my name again? Where am I?
>
>> Martin wrote:
>>
>>> Matt's probably the guy for this (given his comments on the SA list),
>>> but something like in the SA docs...bit of mouthful, but covers it
>>> nicely.
>>
>> Martin... the bit you suggested is about internal_networks, and not
>> trusted_networks.. While SA defaults to considering nothing but localhost
>> to be internal, it DOES default to trying to guess at trusted_networks.
>> That's the crux of the problem... It guesses poorly in some cases.
>>
>> "If you're running with DNS checks enabled, SpamAssassin includes code to
>> infer your trusted networks on the fly, so this may not be necessary.
>> (Thanks to Scott Banister and Andrew Flury for the inspiration for this
>> algorithm.) This inference works as follows: "
>>
>> And the inference algorithm works poorly if you have a NATed mailserver.
>> SA's algorithm winds up trusting all reserved IPs (ie: any NATed host),
>> plus the one non-reserved IP that delivered to a reserved IP. This works
>> great for NAT networks with a normally addressed MX. It works poorly for a
>> network where everything is NATed. Unfortunately, no algorithm can tell
>> which of the two cases is going on, and trusting too few hosts is just as
>> bad as trusting too many, so there's not much that can be done better on an
>> automatic basis.
>>
>> Julian: Might I suggest this comment:
>>
>> If you have problems where ALL_TRUSTED is matching external email,
>> including spam, then SpamAssassin has become confused about which hosts are
>> a part of your trusted_networks. The most common cause of this is having a
>> gateway mail exchanger that has a reserved IP and gets NATed by your
>> firewall. Fortunately the problem is easy to fix by manually declaring a
>> trusted_networks setting. See man Mail::SpamAssassin::Conf for details.
>> Once manually set, SA won't try to guess.
>>
>> If that does not fix your problem, the other possibility is you have an MTA
>> that generates malformed Received: headers. If you've modified your
>> Received: header format, please put it back to the standard format.
>> SpamAssassin is quite tolerant of deviations from the RFC 2822 format, but
>> there are some combinations it can't handle. If the malformed headers are
>> being made by some form of network appliance that you can't fix, report a
>> bug to your vendor, and as a short-term fix set the score of ALL_TRUSTED to
>> 0. However, realize that other problems may occur as a result of the
>> mis-parsed headers and the root cause does need fixing.
>
>That text sounds very good. I'll get it into the file I distribute.
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>

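The two mechanisms discussed in this thread, the explicit trusted_networks / internal_networks walk from Quentin's post and the on-the-fly trust inference Matt describes failing behind NAT, are modelled below in a small Python example. This is added illustration, not SpamAssassin code or anything from the list: the Received: header shape, all hostnames and addresses (the 128.240.0.0/16 "campus" range, the relays, the roaming-user submission host, the dynamic client) are constructed, and the "reserved IP" rule is a deliberate simplification of the inference Matt quotes rather than SA's real algorithm.

```python
"""Simplified model of SpamAssassin's trust-path walk (added example, not SA code).

All hosts, addresses and the Received: format are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed config in the spirit of the post: the campus range is trusted, the
# real mail relays are internal, and the relay that roaming users submit through
# is deliberately left OUT of internal_networks.
CAMPUS = "128.240.0.0/16"                  # placeholder campus range
RELAYS = ["128.240.10.1", "128.240.10.2"]  # placeholder internal relays
ROAMING_RELAY = "128.240.20.5"             # placeholder roaming-user SMTP host
TRUSTED_NETWORKS = [CAMPUS, "10.0.0.0/8"]
INTERNAL_NETWORKS = [r + "/32" for r in RELAYS]

# RFC 1918 space, used as "reserved" in the inference model below.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed header shape: "from <helo> ([<ip>]) by <host> ([<ip>])"
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)\s+\(\[([0-9.]+)\]\)")


@dataclass
class Hop:
    helo: str
    sender: ipaddress.IPv4Address    # host that connected
    receiver: ipaddress.IPv4Address  # host that accepted the message


def parse_received(headers: List[str]) -> List[Hop]:
    """Headers are given top-down, i.e. most recent hop first, as in a message."""
    hops = []
    for h in headers:
        m = RECEIVED_RE.search(h)
        if not m:
            raise ValueError("unparseable Received header: " + h)
        hops.append(Hop(m.group(1), ipaddress.ip_address(m.group(2)),
                        ipaddress.ip_address(m.group(4))))
    return hops


def in_networks(ip: ipaddress.IPv4Address, nets: List[str]) -> bool:
    return any(ip in ipaddress.ip_network(n) for n in nets)


def first_untrusted(hops: List[Hop], trusted: List[str]) -> Optional[ipaddress.IPv4Address]:
    """Walk back from the MX while senders are trusted. The first sender outside
    trusted_networks is where network tests (DNSBLs) are aimed; None means every
    relay was trusted, which is when ALL_TRUSTED fires."""
    for hop in hops:
        if not in_networks(hop.sender, trusted):
            return hop.sender
    return None


def boundary_sender(hops: List[Hop], internal: List[str]) -> Optional[Hop]:
    """First hop whose sender is outside internal_networks: the host that handed
    the message to your infrastructure, whose HELO is the one that gets judged."""
    for hop in hops:
        if not in_networks(hop.sender, internal):
            return hop
    return None


def infer_trusted(hops: List[Hop]) -> Set[ipaddress.IPv4Address]:
    """Model of the inference Matt describes: trust every reserved sender, plus
    the one public sender that delivered to a reserved receiver, then stop."""
    trusted = set()
    for hop in hops:
        if in_networks(hop.sender, RFC1918):
            trusted.add(hop.sender)
        else:
            if in_networks(hop.receiver, RFC1918):
                trusted.add(hop.sender)
            break
    return trusted


# Scenario 1 (constructed): a roaming user on a dynamic ISP address submits via
# the roaming relay, which forwards to an internal relay.
ROAMING_CHAIN = [
    "from roam.campus.example ([128.240.20.5]) by relay1.campus.example ([128.240.10.1])",
    "from dsl-1-2-3-4.isp.example ([198.51.100.23]) by roam.campus.example ([128.240.20.5])",
]


def roaming_boundary_helo(include_roaming_relay_in_internal: bool) -> str:
    """Which HELO ends up at the internal boundary, with or without the roaming
    relay in internal_networks. Including it pushes the boundary out to the
    dynamic client, which is the HELO_DYNAMIC_* exposure Quentin describes."""
    internal = INTERNAL_NETWORKS + (
        [ROAMING_RELAY + "/32"] if include_roaming_relay_in_internal else [])
    return boundary_sender(parse_received(ROAMING_CHAIN), internal).helo


# Scenario 2 (constructed): an outside sender delivers straight to the campus MX.
def all_trusted_with_inference(mx_ip: str) -> bool:
    """True when the inferred trust set swallows the outside sender, i.e. when
    ALL_TRUSTED would match on external mail. Happens when the MX itself sits on
    a NATed reserved address, as Matt describes."""
    chain = [f"from mail.outside.example ([203.0.113.7]) by mx.campus.example ([{mx_ip}])"]
    hops = parse_received(chain)
    inferred = [str(ip) + "/32" for ip in infer_trusted(hops)]
    return first_untrusted(hops, inferred) is None


if __name__ == "__main__":
    print("boundary HELO, roaming relay excluded:", roaming_boundary_helo(False))
    print("boundary HELO, roaming relay included:", roaming_boundary_helo(True))
    print("ALL_TRUSTED with NATed MX (inferred):", all_trusted_with_inference("10.0.0.5"))
    print("ALL_TRUSTED with public MX (inferred):", all_trusted_with_inference("128.240.10.1"))
    print("first untrusted hop with explicit trusted_networks:",
          first_untrusted(parse_received(ROAMING_CHAIN), TRUSTED_NETWORKS))
```

The second scenario is the whole point of declaring trusted_networks by hand: with the explicit campus list the outside sender is the first untrusted hop whether or not the MX is NATed, whereas the inference model trusts it as soon as the MX address is reserved.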