MailScanner setting score ALL_TRUSTED 0???!!!! - SA trust paths; doing it correctly?

Jeff A. Earickson jaearick at COLBY.EDU
Thu Mar 10 14:13:48 GMT 2005


Gang,

I have done roughly the same thing, per email with Matt and the discussion
on the list.  The *only* IP addresses that I listed as trusted_networks
are 127.0.0.1/32 and the IP of my own mail server.  I don't trust any
other machine in my own class-B network, because we are a college with
student machines that sometimes have spambots.

I am unclear as to what the difference between trusted_networks and
internal_networks is.  Do I need to specify internal_networks, if I
don't trust anything except my own mail server?  Or will trusted_networks
do it?

Jeff Earickson
Colby College

On Thu, 10 Mar 2005, Quentin Campbell wrote:

> Date: Thu, 10 Mar 2005 12:39:34 -0000
> From: Quentin Campbell <Q.G.Campbell at NEWCASTLE.AC.UK>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!! - SA trust paths;
>     doing it correctly?
>
> Julian
>
> I thought it might be appropriate to start a thread here that will help
> clarify the issues arising from Matt Kettler's comments about
> ALL_TRUSTED.
>
> I believe what I have done now correctly specifies and exploits the SA
> "trust path" features.
>
> I have removed "score ALL_TRUSTED 0" from
> /etc/MailScanner/spam.assassin.prefs.conf.
>
> This line is replaced by two sets of new SA preferences in that file:
>
> 1. A block of "trusted_networks ..." lines.
>
> These are simply the network IP blocks that I already define in the
> "Spam Checks = %rules-dir%/Spam_Checks.rules" file and which have "no"
> as the action. That is to say I don't want MS treating mail from these
> sources as spam and I don't want SA to do DNSBL checks on them. I
> "trust" them because they are all within our campus network.
>
> 2. A block of "internal_networks ..." lines.
>
> There is an "internal_networks ..." record for the IP address of each of
> the 8 mail relays that host our 50+ mail domains. Note that these
> addresses are also included in the trusted_networks address blocks
> specified above.
>
> It is important (as I understand it) that I exclude from the
> "internal_networks ..." records the one mail relay we allow our
> external/peripatetic users to specify as their SMTP host in POP, etc,
> mailers. If I include the IP address of this host in the list then any
> connections to it from hosts listed in the DYNABLOCK RBL would have a
> HELO_DYNAMIC_* score added to their SA total scores.
>
> Note that you might already be seeing contributions from HELO_DYNAMIC_*
> SA rules because in the absence of _both_ "trusted_networks" and
> "internal_networks" definitions, SA will try to infer what are the
> "trusted" hosts in your network. However it is not always possible to do
> this automatically. If SA gets its guesses wrong this can lead to an
> increase in both FNs and FPs. Hence it is safer to do it explicitly as
> above.
>
> I hope I have understood things correctly. If not would someone who
> understands this part of SA better let me know immediately - I am
> running with the above setup in "spam.assassin.prefs.conf" now!!
>
>
> Quentin
> ---
> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                           University of Newcastle,
>                           Newcastle upon Tyne,
> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
> ------------------------------------------------------------------------
> "Any opinion expressed above is mine. The University can get its own."
>
>> -----Original Message-----
>> From: MailScanner mailing list
>> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>> Sent: 09 March 2005 17:45
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!!
>>
>> Matt Kettler wrote:
>>
>>> At 03:32 AM 3/9/2005, Julian Field wrote:
>>>
>>>>> Are you completely out of your mind Julian?
>>>>
>>>> Someone remind me to add that to the list of "ways of
>> getting Jules to
>>>> ignore your email"
>>>> :-)
>>>
>>>
>>> Sorry Julian.. I just saw it and my jaw hit the floor. I
>> know you're a
>>> smart guy
>>
>> You're too kind :)
>>
>>> so I assumed you must have been overcome by temporary insanity... :)
>>
>> Wibble.... what's my name again? Where am I?
>>
>>> Martin wrote:
>>>
>>>> Matt's probably the guy for this (given his comments on
>> the SA list),
>>>> but something like in the SA docs...bit of mouthful, but covers it
>>>> nicely.
>>>
>>>
>>>
>>> Martin... the bit you suggested is about internal_networks, and not
>>> trusted_networks.. While SA defaults to considering nothing
>> but localhost
>>> to be internal, it DOES default to trying to guess at
>> trusted_networks.
>>> That's the crux of the problem... It guesses poorly in some cases.
>>>
>>> "If you're running with DNS checks enabled, SpamAssassin
>> includes code to
>>> infer your trusted networks on the fly, so this may not be necessary.
>>> (Thanks to Scott Banister and Andrew Flury for the
>> inspiration for this
>>> algorithm.) This inference works as follows: "
>>>
>>> And the inference algorithm works poorly if you have a NATed
>> mailserver.
>>> SA's algorithm winds up trusting all reserved IP's (ie: any
>> NATed host),
>>> plus the one non-reserved IP that delivered to a reserved
>> IP. This works
>>> great for NAT networks with a normally addressed MX. It works poorly
>>> for a
>>> network where everything is NATed. Unfortunately, no
>> algorithm can tell
>>> which of the two cases is going on, and trusting too few
>> hosts is just as
>>> bad as trusting too many, so there's not much that can be done better
>>> on an
>>> automatic basis.
>>>
>>> Julian: Might I suggest this comment:
>>>
>>> If you have problems where ALL_TRUSTED is matching external email,
>>> including spam, then SpamAssassin has become confused about which
>>> hosts are
>>> a part of your trusted_networks. The most common cause of this is
>>> having a
>>> gateway mail exchanger that has a reserved IP and gets NATed by your
>>> firewall. Fortunately the problem is easy to fix by manually
>> declaring a
>>> trusted_networks setting. See man Mail::SpamAssassin::Conf
>> for details.
>>> Once manually set, SA won't try to guess.
>>>
>>> If that does not fix your problem, the other possibility is you have
>>> an MTA
>>> that generates malformed Received: headers. If you've modified your
>>> Received: header format, please put it back to the standard format.
>>> SpamAssassin is quite tolerant of deviations from the RFC
>> 2822 format,
>>> but
>>> there are some combinations it can't handle. If the
>> malformed headers are
>>> being made by some form of network appliance that you can't
>> fix, report a
>>> bug to your vendor, and as a short-term fix set the score of
>>> ALL_TRUSTED to
>>> 0. However, realize that other problems may occur as a result of the
>>> mis-parsed headers and the root cause does need fixing.
>>
>> That text sounds very good. I'll get it into the file I distribute.
>>
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>> Professional Support Services at www.MailScanner.biz
>> MailScanner thanks transtec Computers for their support
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>

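As an added illustration (not code from the thread or from SpamAssassin), a small Python model of the trust-path walk the thread is arguing about: trusted_networks decides whether ALL_TRUSTED fires, and internal_networks decides which hop is the "last external" relay whose HELO the HELO_DYNAMIC_* rules inspect. The addresses, hostnames and the dynamic-HELO pattern are all constructed; the real SpamAssassin Received: parser is considerably more involved.

```python
# Added example, not code from the thread or from SpamAssassin: a simplified
# model of SA's trust-path walk over Received: hops. All IPs/hostnames below
# are constructed, and DYNAMIC_HELO is a toy stand-in for HELO_DYNAMIC_*.
import ipaddress
import re

DYNAMIC_HELO = re.compile(r"(\d+[-.]){3}\d+|\b(dhcp|dsl|dyn|ppp)\b", re.I)

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_nets(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)

def walk_trust_path(hops, trusted, internal):
    """hops: [(helo, connecting_ip), ...] in Received: order, newest first.
    Trust runs from the top down and stops at the first hop whose connecting
    IP is outside trusted_networks (ALL_TRUSTED fires only if it never stops).
    The last external relay is the first hop whose connecting IP is outside
    internal_networks; its HELO is what HELO_DYNAMIC_* style rules look at."""
    untrusted = []
    for helo, ip in hops:
        if untrusted or not in_nets(ip, trusted):
            untrusted.append((helo, ip))
    last_ext = next((helo for helo, ip in hops if not in_nets(ip, internal)), None)
    return {
        "ALL_TRUSTED": not untrusted,
        "last_external": last_ext,
        "HELO_DYNAMIC": bool(last_ext and DYNAMIC_HELO.search(last_ext)),
    }

# Constructed topology: 192.0.2.0/24 is the campus, .10 the scanning MX,
# .20 the relay that roaming users submit through, 203.0.113.0/24 the Internet.
CAMPUS_TRUST = nets("127.0.0.1/32", "192.0.2.0/24")   # whole campus trusted
NARROW_TRUST = nets("127.0.0.1/32", "192.0.2.10/32")  # only the MX itself
MX_ONLY      = nets("192.0.2.10/32")
MX_AND_RELAY = nets("192.0.2.10/32", "192.0.2.20/32")

STUDENT_BOT = [("dhcp-192-0-2-150.campus.example", "192.0.2.150")]
ROAMING_USER = [("relay.campus.example", "192.0.2.20"),
                ("dsl-203-0-113-77.isp.example", "203.0.113.77")]

if __name__ == "__main__":
    # A spambot on a student machine gets the ALL_TRUSTED bonus only if the
    # whole campus block is trusted; trusting just the MX stops that.
    print(walk_trust_path(STUDENT_BOT, CAMPUS_TRUST, MX_ONLY))
    print(walk_trust_path(STUDENT_BOT, NARROW_TRUST, MX_ONLY))
    # Listing the roaming-user relay as internal makes the user's dynamic
    # host the last external relay, so its HELO trips HELO_DYNAMIC.
    print(walk_trust_path(ROAMING_USER, CAMPUS_TRUST, MX_AND_RELAY))
    print(walk_trust_path(ROAMING_USER, CAMPUS_TRUST, MX_ONLY))
```

The first pair of runs shows Jeff's narrow trusted_networks choice removing the ALL_TRUSTED bonus from student-machine mail; the second pair shows Quentin's reason for keeping the roaming-user relay out of internal_networks.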