RCVD_IN_BSP_TRUSTED

Matt Kettler mkettler at evi-inc.com
Mon Oct 23 23:04:33 IST 2006


Jim Coates wrote:

> Matt,
> 
> I tried running the IPs from the email header (every one I could find)
> through the sa-trusted.bondedsender.org test and none of them triggered it
> using "dig".   What is interesting is that I tried our own mail server IP
> (which I know is listed with Bonded Sender) and it didn't trigger it either.
> 
> However, in my searching, I found a few things:
> 
> 1) We are allowing SpamAssassin to "guess" the trusted path (rather than
> specifying it)
> 
In general, I would suggest not using the trust-path guesser unless all your
mail comes to your network through a mailserver with a public IP address
(literally one that has an interface with a public IP, not one static-NAT mapped to one).

> and
> 
> 2) All of the emails I looked at were actually retrieved from a common mail
> server at our ISP via fetchmail to our private mail server.  i.e., all of
> those were delivered to a backup mail server, then fetched via fetchmail to
> our primary box.
> 
> I don't know if this is part of what's confusing the rule or not.  

No, it would not confuse the rule, but it could be confusing the trust-path
guesser or the Received: parser.

By default, if SA sees private IPs in the Received: headers, it will assume all
the hosts with private IPs, plus the first host in a "by" clause with a public IP,
are part of your network. In this case, that shouldn't be too bad: SA will
assume your ISP's server is yours, but it shouldn't break much to do that unless
you think your ISP might start forging Received: headers.

The IP SA should be checking against BSP is that of the host delivering mail to
the host you fetched from.

That said, it's highly strange that the rule would fire if none of the IPs in the
headers is listed upon manual search (unless one of the IPs was listed and got
dropped after it got hacked and abused).

Do any of the IPs look like they "belong" (i.e., aren't part of some random
home-user IP block, and might belong to some large legitimate company)?


> 
> I did some searching on some forums that claim the best use of the
> RCVD_IN_BSP_TRUSTED rule is to score it at 0 to keep it from doing anything.

If you search the forums and web you'll find plenty of folks making the
knee-jerk suggestion of zeroing out the score of almost any misbehaving rule.
Don't trust them. There's a lot of folks out there jumping to hack-fix problems
without understanding them, and advising everyone else to do the same. 9 times
out of 10 their suggestions are a bad idea because they're covering up a bigger
problem.


As far as the rule itself goes, I've never had it match anyone who isn't listed
in BSP. That said, there's not many folks listed in BSP, so zeroing the rule
won't have a huge impact.


I'd still suggest keeping it non-zero so you can monitor the problem, but make
it like -0.001.

For me the sites that do match it are legitimate commercial mass-mailers: ebay,
foolsubs.com (Motley Fool investment newsletter), hallmark.com, classmates.com,
and ediets.com make up the bulk of my matches.


What version of SA are you running?
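The following is an added worked example, not part of Matt's reply and not SpamAssassin's own code. It models the trust-path guess exactly as the reply describes it (every host with a private IP is assumed to be yours, plus the first "by" host that has a public IP), works out which "from" IP a Received-based DNS list rule such as RCVD_IN_BSP_TRUSTED would then look up, and contrasts that with specifying the trusted networks by hand. The Received: lines, hostnames, IPs and the hostname-to-IP table are all constructed for the example (they mirror Jim's fetchmail path: sender, ISP backup box, private primary box), and the "private" ranges used are an assumption of the model (RFC 1918 plus loopback), not a statement of what any SA version does internally.

```python
"""Added example (not SpamAssassin code): a model of the Received: trust-path
guess described in the reply above, and of what changes when the trusted
networks are specified instead of guessed.

Guess rule, as described: every host with a private IP is treated as part of
your network, plus the first "by" host that has a public IP.  The IP that a
Received-based DNS list rule checks is the first untrusted "from" host when
the Received: headers are read newest-first.

All hostnames, IPs and Received: lines below are constructed for the example.
"""
import ipaddress
import re

FROM_RE = re.compile(r"\bfrom\s+(?P<host>\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(?P<host>\S+)", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
# Tokens that end the "by" clause; what follows them is not the relay itself.
CLAUSE_END_RE = re.compile(r"\s(?:with|id|for|via)\s|;")
# Ranges the model treats as "private" (assumption: RFC 1918 plus loopback).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Received: lines, newest first, as SA sees them.
RECEIVED = [
    "from mail.isp.example [198.51.100.10] by mx.internal.example with POP3 "
    "(fetchmail-6.3.8) for <jim@localhost> (single-drop)",
    "from mail-out.bigcorp.example (mail-out.bigcorp.example [203.0.113.5]) "
    "by mail.isp.example (Postfix) with ESMTP id 4F3A2B1C "
    "for <jim@example.org>; Mon, 23 Oct 2006 10:00:00 +0100",
    "from app-node-7.bigcorp.internal ([10.20.30.40]) "
    "by mail-out.bigcorp.example with ESMTP id abc123; "
    "Mon, 23 Oct 2006 09:59:58 +0100",
]
# MTAs rarely write their own IP into the "by" clause, so the model needs a
# (constructed) hostname -> IP table for the receiving hosts.
KNOWN_HOSTS = {
    "mx.internal.example": "192.168.1.20",
    "mail.isp.example": "198.51.100.10",
    "mail-out.bigcorp.example": "203.0.113.5",
}


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def _first_ip(text):
    m = IP_RE.search(text)
    return m.group(1) if m else None


def parse_received(header, known_hosts):
    """Return (from_host, from_ip, by_host, by_ip) for one Received: line,
    or None if the line has no from/by pair."""
    fm = FROM_RE.search(header)
    bm = BY_RE.search(header, fm.end()) if fm else None
    if not fm or not bm:
        return None
    # The delivering host's IP sits between the "from" host and the "by" clause.
    from_ip = _first_ip(header[fm.end("host"):bm.start()])
    tail = header[bm.end("host"):]
    end = CLAUSE_END_RE.search(tail)
    by_ip = (_first_ip(tail[:end.start()] if end else tail)
             or known_hosts.get(bm.group("host")))
    return fm.group("host"), from_ip, bm.group("host"), by_ip


def parse_all(headers, known_hosts):
    hops = [parse_received(h, known_hosts) for h in headers]
    return [h for h in hops if h is not None]


def guess_trusted(hops):
    """The default guess: private IPs on either side of every hop, plus the
    first public 'by' host.  A remote sender's own private addresses
    (10.20.30.40 here) land in the set too."""
    trusted = set()
    first_public_by = None
    for _, from_ip, _, by_ip in hops:
        for ip in (from_ip, by_ip):
            if ip and is_private(ip):
                trusted.add(ip)
        if first_public_by is None and by_ip and not is_private(by_ip):
            first_public_by = by_ip
    if first_public_by:
        trusted.add(first_public_by)
    return trusted


def last_external(hops, trusted):
    """The IP a Received-based DNS list rule would look up: the delivering
    host of the first (newest) hop that is not inside the trusted set."""
    for _, from_ip, _, _ in hops:
        if from_ip and from_ip not in trusted:
            return from_ip
    return None


def trusted_from_networks(hops, networks):
    """The explicit alternative: trust exactly the configured networks."""
    nets = [ipaddress.ip_network(n) for n in networks]
    ips = {ip for _, f, _, b in hops for ip in (f, b) if ip}
    return {ip for ip in ips if any(ipaddress.ip_address(ip) in n for n in nets)}


if __name__ == "__main__":
    hops = parse_all(RECEIVED, KNOWN_HOSTS)
    guessed = guess_trusted(hops)
    print("guessed trusted:", sorted(guessed), "-> checks", last_external(hops, guessed))
    # Listing only the LAN makes the ISP's box the "external" host:
    lan_only = trusted_from_networks(hops, ["192.168.1.0/24"])
    print("LAN only -> checks", last_external(hops, lan_only))
    # Adding the ISP server you fetch from gives the real delivering host:
    lan_and_isp = trusted_from_networks(hops, ["192.168.1.0/24", "198.51.100.10/32"])
    print("LAN + ISP -> checks", last_external(hops, lan_and_isp))
```

With the guess, the model lands on 203.0.113.5 (the host that delivered to the ISP's box), which is the IP Matt says should be checked. Specifying only the private LAN as trusted makes the ISP's server the "external" host instead, so in a fetchmail setup the server you fetch from has to be listed along with your own network for the lookup to hit the real sender.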



More information about the MailScanner mailing list