MailScanner setting score ALL_TRUSTED 0???!!!! - SA trust paths; doing it correctly?

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Thu Mar 10 15:25:04 GMT 2005


Jeff

If you don't specify any "internal_networks" entries but
"trusted_networks" is set then the value of this is used for the
"internal_networks" value.

The SA 3.0.2 docs say that "internal_networks" is used when checking
dial-up or dynamic IP address blocklists in order to detect spamming
where these hosts connect directly to your MX host. Normally
dial-up/dynamic-IP hosts should make their SMTP connection via a
"smarthost". If they instead make a direct connection to your MX host
then that is a good "signature" to identify a likely spam source.

What happens if you run a "smarthost" yourself with MS + SA on it and it
receives mail from dial-up, etc, clients? The answer is you simply do
not include the smarthost's IP in "internal_networks". However you
should include it in "trusted_networks". 

Note also that according to the SA docs, in a straightforward mail
gateway/network setup where the MTA writes RFC compliant "Received:"
headers, SA is clever enough to correctly autodetect your "trusted"
hosts. However as this is not a bulletproof algorithm, particularly at
sites using NAT, etc, it is recommended that you set these values
explicitly.
   
Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."  
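The trust-path rules discussed in this thread (trusted_networks vs. internal_networks, the fallback of internal_networks to trusted_networks, and why a smarthost that accepts dial-up clients belongs in the former but not the latter) are easier to reason about with a worked model. The following is an added example written for this archive page; it is not code from the thread, from MailScanner or from SpamAssassin. It implements the behaviour as Mail::SpamAssassin::Conf describes it for SA 3.0 (walk Received: headers newest-first, treat the first relay outside the trusted boundary and everything older as untrusted, and check the first relay outside the internal boundary against dial-up/dynamic lists), not SA's actual Perl code, and every hostname, address, header and preference line in it is constructed.

```python
# Added example (not from the list thread or from SpamAssassin): a simplified
# model of SA 3.0 trust paths as described in Mail::SpamAssassin::Conf.
#   - Received: headers are walked newest-first; relays stay trusted until the
#     first one outside trusted_networks, after which every older relay is
#     untrusted (its headers could have been forged by that hop).
#   - The same walk against internal_networks yields the "last external"
#     relay: the host that handed the message to your internal relays, whose
#     IP is what dial-up/dynamic blocklist rules (HELO_DYNAMIC_* etc.) check.
#   - If internal_networks is not set, trusted_networks is used instead.
# All hostnames, addresses, headers and preference lines are constructed.
import ipaddress
import re

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_prefs(text):
    """Collect trusted_networks / internal_networks values from lines in the
    spam.assassin.prefs.conf style (several values per line, several lines
    per key, '#' comments).  A key that never appears is left absent so the
    caller can apply SA's fallback rule.  Bare addresses mean /32."""
    nets = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key in ("trusted_networks", "internal_networks"):
            for value in rest.split():
                nets.setdefault(key, []).append(
                    ipaddress.ip_network(value, strict=False))
    return nets


def relay_ips(received_headers):
    """Connecting IP ([a.b.c.d]) of each Received: header, newest-first,
    i.e. in the order the headers appear from the top of the message."""
    ips = []
    for hdr in received_headers:
        m = _IP_IN_BRACKETS.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def _split_at_boundary(ips, networks):
    """Walk newest-first; once a relay falls outside `networks`, that relay
    and every older one are on the far side of the boundary."""
    inside, outside = [], []
    for ip in ips:
        if not outside and any(ipaddress.ip_address(ip) in n for n in networks):
            inside.append(ip)
        else:
            outside.append(ip)
    return inside, outside


def classify(received_headers, prefs_text):
    nets = parse_prefs(prefs_text)
    trusted = nets.get("trusted_networks", [])
    internal = nets.get("internal_networks", trusted)   # SA fallback rule
    ips = relay_ips(received_headers)
    _, untrusted = _split_at_boundary(ips, trusted)
    _, external = _split_at_boundary(ips, internal)
    return {
        "untrusted": untrusted,              # subject to ordinary DNSBL lookups
        "lastexternal": external[0] if external else None,  # dial-up checks
    }


# Constructed scenario: a dial-up client relays through the site's smarthost,
# which then hands the message to the MX running MailScanner + SA.
RECEIVED = [
    "Received: from smarthost.example.ac.uk (smarthost.example.ac.uk [192.0.2.20])"
    " by mx.example.ac.uk with ESMTP; Thu, 10 Mar 2005 14:00:00 +0000",
    "Received: from dialup-77.example.net (dialup-77.example.net [203.0.113.77])"
    " by smarthost.example.ac.uk with ESMTP; Thu, 10 Mar 2005 13:59:30 +0000",
]

# Smarthost 192.0.2.20 is trusted but deliberately *not* internal.
PREFS_SMARTHOST_EXCLUDED = """
trusted_networks 192.0.2.0/24 198.51.100.0/24   # campus blocks
internal_networks 192.0.2.10                   # the MX only
"""

# Same, but with the smarthost listed as internal as well.
PREFS_SMARTHOST_INTERNAL = """
trusted_networks 192.0.2.0/24 198.51.100.0/24
internal_networks 192.0.2.10 192.0.2.20
"""

# Only trusted_networks set: internal_networks falls back to it.
PREFS_TRUSTED_ONLY = "trusted_networks 192.0.2.0/24"

if __name__ == "__main__":
    for name, prefs in [("smarthost excluded", PREFS_SMARTHOST_EXCLUDED),
                        ("smarthost internal", PREFS_SMARTHOST_INTERNAL),
                        ("trusted only", PREFS_TRUSTED_ONLY)]:
        print(name, classify(RECEIVED, prefs))
```

Running it shows the point of the thread: with the smarthost excluded from internal_networks the "last external" relay is the smarthost itself (a static address that no dial-up list carries), whereas listing the smarthost as internal, or setting only trusted_networks, makes the dial-up client the last external relay and exposes its mail to the HELO_DYNAMIC_* penalty. In all three cases the dial-up client remains the only untrusted relay, so ordinary DNSBL lookups are unaffected by the choice.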

>-----Original Message-----
>From: MailScanner mailing list 
>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson
>Sent: 10 March 2005 14:14
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!! - 
>SA trust paths; doing it correctly?
>
>Gang,
>
>I have done roughly the same thing, per email with Matt and the
>discussion on the list.  The *only* IP addresses that I listed as trusted_networks
>are 127.0.0.1/32 and the IP of my own mail server.  I don't trust any
>other machine in my own class-B network, because we are a college with
>student machines that sometimes have spambots.
>
>I am unclear as to what the difference between trusted_networks and
>internal_networks is.  Do I need to specify internal_networks, if I
>don't trust anything except my own mail server?  Or will
>trusted_networks do it?
>
>Jeff Earickson
>Colby College
>
>On Thu, 10 Mar 2005, Quentin Campbell wrote:
>
>> Date: Thu, 10 Mar 2005 12:39:34 -0000
>> From: Quentin Campbell <Q.G.Campbell at NEWCASTLE.AC.UK>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!! - SA trust paths;
>>     doing it correctly?
>>
>> Julian
>>
>> I thought it might be appropriate to start a thread here that will help
>> clarify the issues arising from Matt Kettler's comments about
>> ALL_TRUSTED.
>>
>> I believe what I have done now correctly specifies and exploits the SA
>> "trust path" features.
>>
>> I have removed "score ALL_TRUSTED 0" from
>> /etc/MailScanner/spam.assassin.prefs.conf.
>>
>> This line is replaced by two sets of new SA preferences in that file:
>>
>> 1. A block of "trusted_networks ..." lines.
>>
>> These are simply the network IP blocks that I already define in the
>> "Spam Checks = %rules-dir%/Spam_Checks.rules" file and which have "no"
>> as the action. That is to say I don't want MS treating mail from these
>> sources as spam and I don't want SA to do DNSBL checks on them. I
>> "trust" them because they are all within our campus network.
>>
>> 2. A block of "internal_networks ..." lines.
>>
>> There is an "internal_networks ..." record for the IP address of each of
>> the 8 mail relays that host our 50+ mail domains. Note that these
>> addresses are also included in the trusted_networks address blocks
>> specified above.
>>
>> It is important (as I understand it) that I exclude from the
>> "internal_networks ..." records the one mail relay we allow our
>> external/peripatetic users to specify as their SMTP host in POP, etc,
>> mailers. If I include the IP address of this host in the list then any
>> connections to it from hosts listed in the DYNABLOCK RBL would have a
>> HELO_DYNAMIC_* score added to their SA total scores.
>>
>> Note that you might already be seeing contributions from HELO_DYNAMIC_*
>> SA rules because in the absence of _both_ "trusted_networks" and
>> "internal_networks" definitions, SA will try to infer what are the
>> "trusted" hosts in your network. However it is not always possible to do
>> this automatically. If SA gets its guesses wrong this can lead to an
>> increase in both FNs and FPs. Hence it is safer to do it explicitly as
>> above.
>>
>> I hope I have understood things correctly. If not would someone who
>> understands this part of SA better let me know immediately - I am
>> running with the above setup in "spam.assassin.prefs.conf" now!!
>>
>>
>> Quentin
>> ---
>> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>>                           University of Newcastle,
>>                           Newcastle upon Tyne,
>> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>> ------------------------------------------------------------------------
>> "Any opinion expressed above is mine. The University can get its own."
>>
>>> -----Original Message-----
>>> From: MailScanner mailing list
>>> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>> Sent: 09 March 2005 17:45
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: Re: MailScanner setting score ALL_TRUSTED 0???!!!!
>>>
>>> Matt Kettler wrote:
>>>
>>>> At 03:32 AM 3/9/2005, Julian Field wrote:
>>>>
>>>>>> Are you completely out of your mind Julian?
>>>>>
>>>>> Someone remind me to add that to the list of "ways of getting Jules to
>>>>> ignore your email"
>>>>> :-)
>>>>
>>>>
>>>> Sorry Julian.. I just saw it and my jaw hit the floor. I know you're a
>>>> smart guy
>>>
>>> You're too kind :)
>>>
>>>> so I assumed you must have been overcome by temporary insanity... :)
>>>
>>> Wibble.... what's my name again? Where am I?
>>>
>>>> Martin wrote:
>>>>
>>>>> Matt's probably the guy for this (given his comments on the SA list),
>>>>> but something like in the SA docs...bit of a mouthful, but covers it
>>>>> nicely.
>>>>
>>>>
>>>>
>>>> Martin... the bit you suggested is about internal_networks, and not
>>>> trusted_networks.. While SA defaults to considering nothing but localhost
>>>> to be internal, it DOES default to trying to guess at trusted_networks.
>>>> That's the crux of the problem... It guesses poorly in some cases.
>>>>
>>>> "If you're running with DNS checks enabled, SpamAssassin includes code to
>>>> infer your trusted networks on the fly, so this may not be necessary.
>>>> (Thanks to Scott Banister and Andrew Flury for the inspiration for this
>>>> algorithm.) This inference works as follows: "
>>>>
>>>> And the inference algorithm works poorly if you have a NATed mailserver.
>>>> SA's algorithm winds up trusting all reserved IP's (ie: any NATed host),
>>>> plus the one non-reserved IP that delivered to a reserved IP. This works
>>>> great for NAT networks with a normally addressed MX. It works poorly for a
>>>> network where everything is NATed. Unfortunately, no algorithm can tell
>>>> which of the two cases is going on, and trusting too few hosts is just as
>>>> bad as trusting too many, so there's not much that can be done better on an
>>>> automatic basis.
>>>>
>>>> Julian: Might I suggest this comment:
>>>>
>>>> If you have problems where ALL_TRUSTED is matching external email,
>>>> including spam, then SpamAssassin has become confused about which hosts are
>>>> a part of your trusted_networks. The most common cause of this is having a
>>>> gateway mail exchanger that has a reserved IP and gets NATed by your
>>>> firewall. Fortunately the problem is easy to fix by manually declaring a
>>>> trusted_networks setting. See man Mail::SpamAssassin::Conf for details.
>>>> Once manually set, SA won't try to guess.
>>>>
>>>> If that does not fix your problem, the other possibility is you have an MTA
>>>> that generates malformed Received: headers. If you've modified your
>>>> Received: header format, please put it back to the standard format.
>>>> SpamAssassin is quite tolerant of deviations from the RFC 2822 format, but
>>>> there are some combinations it can't handle. If the malformed headers are
>>>> being made by some form of network appliance that you can't fix, report a
>>>> bug to your vendor, and as a short-term fix set the score of ALL_TRUSTED to
>>>> 0. However, realize that other problems may occur as a result of the
>>>> mis-parsed headers and the root cause does need fixing.
>>>
>>> That text sounds very good. I'll get it into the file I distribute.
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>> Professional Support Services at www.MailScanner.biz
>>> MailScanner thanks transtec Computers for their support
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> ------------------------ MailScanner list ------------------------
>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>> 'leave mailscanner' in the body of the email.
>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>
