http://bugzilla.spamassassin.org/show_bug.cgi?id=3406





------- Additional Comments From [EMAIL PROTECTED]  2004-10-25 12:42 -------
hmm.. somehow i lost my local.cf and every email that came into the company the
last couple days hit ALL_TRUSTED.  not good, because it's a heavyweight at -2.8.
An example header to show why ALL_TRUSTED fired..

X-Spam-Trusted: [ ip=64.217.128.220 
        rdns=adsl-64-217-128-220.dsl.wchtks.swbell.net helo=unknown 
        by=mailgw.nmgi.com ident= envfrom= intl=0 id= ]

note i do not trust 64.217.128.220, and it is not in my /16.  however
by=mailgw.nmgi.com resolves to 172.17.1.100 causing it to trigger as trusted. 
From point #3 in the man..

           o   if any addresses of the 'by' host is in a reserved network range, then it's trusted

So bad things happen when you use an internal DNS server as the primary
nameserver and you let SA infer trustworthiness.

The man also states, 

        "If neither "trusted_networks" or "internal_networks" is set, no addresses
        will be considered local; in other words, any relays past the machine where
        SpamAssassin is running will be considered external."

which makes things even more clouded.

there has to be a better way, as people who use internal DNS right now are
forced to add

clear_trusted_networks
trusted_networks        127.

to their local.cf in order to 'trust no one' (but the loopback of course). 
after i add that, i get 

X-Spam-Un-Trusted: [ ip=64.217.128.220 
        rdns=adsl-64-217-128-220.dsl.wchtks.swbell.net helo=unknown 
        by=mailgw.nmgi.com ident= envfrom= intl=0 id= ]

which is correct.  the man states that with DNS enabled, SA "infer your trusted
networks".   shouldn't this say 'unless trusted_networks are defined'?  because
 once i add a trusted_network, the problem goes away?

i can't believe more people have not experienced this... maybe they just haven't
realized there is a -2.8 on all their inbound emails and haven't realized their
accuracy has taken a hit from it???   or maybe people don't sit their mail
servers on internal networks and use internal DNS to resolve requests?  i find
that hard to believe.

sorry that was long and winded :)





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
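
An added example, not part of the original comment and not SpamAssassin's own code: a small audit that parses the X-Spam-Trusted value shown above and reports relays that would be trusted only through the 'by'-host inference, not through an explicit trusted_networks list. The resolver table, the function names and the use of Python's is_private as a stand-in for "reserved network range" are assumptions.

```python
import ipaddress
import re

# Constructed resolver table standing in for the internal DNS view described in
# the comment (by=mailgw.nmgi.com resolving to 172.17.1.100). No live DNS is used.
INTERNAL_DNS = {"mailgw.nmgi.com": ["172.17.1.100"]}

RELAY_RE = re.compile(r"\[\s*(.*?)\s*\]", re.S)

def parse_relays(header_value):
    """Split an X-Spam-Trusted / X-Spam-Un-Trusted value into one dict per relay."""
    relays = []
    for body in RELAY_RE.findall(header_value):
        fields = {}
        for token in body.split():
            key, _, value = token.partition("=")  # "ident=" yields an empty value
            fields[key] = value
        relays.append(fields)
    return relays

def inferred_trusted(relay, resolve):
    """Point #3 quoted above: trusted if any address of the 'by' host is reserved.
    Assumption: is_private approximates SpamAssassin's reserved ranges."""
    addrs = resolve(relay.get("by", ""))
    return any(ipaddress.ip_address(a).is_private for a in addrs)

def explicitly_trusted(relay, trusted_networks):
    """True if the relay's own IP falls inside an admin-listed network (CIDR form)."""
    ip = ipaddress.ip_address(relay["ip"])
    return any(ip in ipaddress.ip_network(n) for n in trusted_networks)

def audit(header_value, trusted_networks, resolve=lambda h: INTERNAL_DNS.get(h, [])):
    """Return (ip, by) for relays that inference trusts but the explicit list does not."""
    findings = []
    for relay in parse_relays(header_value):
        if inferred_trusted(relay, resolve) and not explicitly_trusted(relay, trusted_networks):
            findings.append((relay["ip"], relay["by"]))
    return findings

# Header value copied from the comment above.
SAMPLE = """[ ip=64.217.128.220
        rdns=adsl-64-217-128-220.dsl.wchtks.swbell.net helo=unknown
        by=mailgw.nmgi.com ident= envfrom= intl=0 id= ]"""

if __name__ == "__main__":
    # "127.0.0.0/8" is the CIDR form of the "trusted_networks 127." line above.
    for ip, by in audit(SAMPLE, ["127.0.0.0/8"]):
        print(f"{ip} is trusted only because by={by} resolves to a private address")
```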
