ALL_TRUSTED problems

Matt Kettler mkettler at
Wed Feb 1 22:27:35 GMT 2006

dnsadmin wrote:

> I read the whole thread dated 03/08- 03/10/2005. I still don't see the
> resolution. I am not NAT'd. I am not gatewayed. I am cleared by my ISP
> to answer direct DNS PTR. I love Sprint, by the way! Nor do I see why
> this was all of a sudden a factor on my server, when I can't say that it
> has been in the past. Could I have missed it?
> It is possible, since I have Dynamic DNS customers on a Verizon network,
> and the IP neighborhood was close on this nasty spam, that SA was making
> an educated guess?

No. SA doesn't use that kind of smarts.

SA more-or-less does the following things when guessing the trust path, starting
with the most recent Received: header.
If the relay in the "by" clause resolves to an RFC 1918 reserved IP address,
trust the node and check the next.

If it's not private, trust the host and all others are untrusted.

Thus, SA should, by default, trust all servers with private IPs, and the first
one with a non-trusted IP.

Unless of course there is a trusted_networks declared, in which case SA trusts that.

Did you ever get your parsing problem resolved?? This thread is so huge I can't
even keep track of it.

If not, you need to find out why that isn't working first.

The fact that "score ALL_TRUSTED 0" doesn't work implies that your config files
are NOT being parsed by spamassassin.

That is a truly major problem with your system if it's still going on. That's
horribly bad. Stop worrying about how ALL_TRUSTED works, and worry about why you
can't get SA to honor your configuration.
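
The trust-path guess described in the message above, as an added Python sketch (not part of the original post and not SpamAssassin's own code). The `RESOLVER` table, the sample headers and the handling of an explicit `trusted_networks` list are constructed assumptions that simplify the behaviour the post describes.

```python
import ipaddress
import re

# RFC 1918 private ranges, the "reserved IP" case in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for DNS lookups so the example runs offline.
RESOLVER = {
    "mail.internal.example": "192.168.1.10",
    "mx.example.org": "203.0.113.25",
    "relay.isp.example": "198.51.100.7",
}

# Constructed Received: header values, most recent first.
SAMPLE = [
    "from mx.example.org by mail.internal.example with ESMTP",
    "from relay.isp.example by mx.example.org with ESMTP",
    "from unknown (HELO pc) by relay.isp.example with SMTP",
]

def guess_trust(received, trusted_networks=None):
    """Return [(by_host, trusted)] for headers ordered most recent first."""
    nets = [ipaddress.ip_network(n) for n in (trusted_networks or [])]
    result, past_boundary = [], False
    for header in received:
        match = re.search(r"\bby\s+(\S+)", header)
        host = match.group(1) if match else None
        ip = RESOLVER.get(host)
        if past_boundary or ip is None:
            trusted = False            # beyond the boundary, or unresolvable
        elif nets:
            # Assumption: an explicit trusted_networks list replaces the guess.
            trusted = any(ipaddress.ip_address(ip) in n for n in nets)
        else:
            # Private "by" host: trusted, keep walking. First public
            # "by" host: trusted as well, but nothing after it is.
            trusted = True
            if not any(ipaddress.ip_address(ip) in n for n in RFC1918):
                past_boundary = True
        if not trusted:
            past_boundary = True
        result.append((host, trusted))
    return result

def all_trusted(received, trusted_networks=None):
    """True when every relay is trusted, the condition ALL_TRUSTED reports."""
    return all(t for _, t in guess_trust(received, trusted_networks))
```

Under the guess, a message whose only Received: header was written by a public-address server has every relay trusted, which is the case `all_trusted(SAMPLE[1:2])` exercises.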

