Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread Matt Kettler
mouss wrote:
 John T. Yocum wrote:
 
 Hello,

 I've recently noticed that a lot of spam is getting through SpamAssassin,
 and it's getting the ALL_TRUSTED test listed on it. The issue with that
 is, I only have one IP trusted, and that's my own mail server.

 snip from local.cf
 # Trusted Networks
 trusted_networks 69.25.118.171
 /snip

 As you can see in the below set of headers the message came from
 218.222.75.209. Yet, it's trusted.

 Return-Path: [EMAIL PROTECTED]
 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id
 j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700
 
 
 My understanding (but I may be wrong) is that ALL_TRUSTED means all
 received headers are trusted, which seems the case. It doesn't mean the
 origin client is trusted.
 

You are incorrect, mouss. It does in fact mean that all hosts involved are
trusted hosts. Well, it actually means there are no untrusted hosts, but unless
there's an unparseable header it's the same thing.

Suggestions:

1) add a /32 to the end of your trusted networks statement. The docs SAY it will
work without a netmask, but my experience with 2.6x is that it did not work, so
I always specify a mask.

2) The other cause is when SA fails to be able to parse the Received: headers.
That header looks normal to me, but try running the message through spamassassin
-D and see what SA has to say about the Received: path in its debug output.


Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
Thanks. I tried adding the /32 to the end, but that didn't have an effect.
I did run the headers through spamassassin -D and got the following.

debug: received-header: unknown format: from U075209.ppp.dion.ne.jp
(U075209.ppp.dion.ne.jp
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Thus, it was tagged as ALL_TRUSTED.

What is really odd is that this only happens to direct delivered mail; any
message relayed via another host doesn't get the ALL_TRUSTED flag.

Thanks,
John


Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
Thanks for the info.

I fixed that Received line, by removing the line wrap, and it was no
longer ALL_TRUSTED.

Now that I know what the issue is, I just need to figure out why the
header is getting munged.

Thanks,
John

 John T. Yocum wrote:
 Thanks. I tried adding the /32 to the end, but that didn't have an
 effect.
 I did run the headers through spamassassin -D and got the following.

 debug: received-header: unknown format: from U075209.ppp.dion.ne.jp
 (U075209.ppp.dion.ne.jp
 debug: metadata: X-Spam-Relays-Trusted:
 debug: metadata: X-Spam-Relays-Untrusted:

 Thus, it was tagged as ALL_TRUSTED.

 What is really odd, is this only happens to direct delivered mail, any
 message relayed via another host, doesn't get the ALL_TRUSTED flag.


 Well, that much makes sense. SA can't parse the Received: headers your server
 generates, but it can parse ones generated by outside servers. Thus, outside
 mail with another relay will show up as having been through an untrusted host.

 The problem you need to track down is why can't SA parse your Received: headers.

 Based on the debug output you got it could be an issue with line-wrap formatting.

 At casual glance, the headers you quoted look correct, but it's impossible to
 tell if they're really correct because they've been copy-pasted into an email
 message which adds line wraps.

 To check that, you need to look at a set of pristine message headers, not a
 copy-paste of them, in a hex editor. (The process of copy-pasting can change
 linewrap formats, replace tabs with spaces, and other sundry things that would
 matter here).

 One thing I can tell you is that there MUST NOT be a linewrap between the end of
 the RDNS hostname and the [ for the IP address.

 This quotation should be only 3 lines long:

 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700


 But I'm assuming the extra linewrap after .jp was added by your mail client.
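
Added example, not part of the original thread and not SpamAssassin's code: a simplified Python model of the failure discussed above, where an unparseable Received: header leaves both relay lists empty and a "no untrusted relays" test fires, next to a stricter fail-closed variant. The regex, function names and sample messages are hypothetical; the munged sample assumes the wrap before `[` arrives without leading whitespace, which matches the truncated header in the debug output.

```python
import ipaddress
import re

# Simplified sendmail-style pattern "from HELO (rdns [ip]) by host".
# Hypothetical stand-in; SpamAssassin's own parser knows many more formats.
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)\s+by\s+(\S+)")

def received_headers(raw):
    """Unfold Received: values; only lines starting with space/tab continue a header."""
    headers, current = [], None
    for line in raw.splitlines():
        if line == "":
            break                                  # end of the header block
        if line[0] in " \t":
            if current is not None:
                current += " " + line.strip()
            continue
        if current is not None:
            headers.append(current)
        current = line[9:].strip() if line.lower().startswith("received:") else None
    if current is not None:
        headers.append(current)
    return headers

def classify(raw, trusted_networks):
    """Split relays into (trusted, untrusted, unparseable), newest header first."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted, unparseable, chain_broken = [], [], [], False
    for value in received_headers(raw):
        m = RECEIVED_RE.match(value)
        if not m:
            unparseable.append(value)
            continue
        ip = ipaddress.ip_address(m.group(3))
        if not chain_broken and any(ip in n for n in nets):
            trusted.append(str(ip))
        else:
            chain_broken = True                    # everything older is untrusted too
            untrusted.append(str(ip))
    return trusted, untrusted, unparseable

def all_trusted_as_described(raw, nets):
    """The thread's description: fires when there are no untrusted relays."""
    return not classify(raw, nets)[1]

def all_trusted_fail_closed(raw, nets):
    """Stricter variant: needs a trusted relay and no unparseable header."""
    trusted, untrusted, unparseable = classify(raw, nets)
    return bool(trusted) and not untrusted and not unparseable

# Constructed samples based on the header quoted in the thread.
TAIL = ("\tby kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331;\n"
        "\tSun, 24 Jul 2005 13:36:40 -0700\nSubject: constructed sample\n\nbody\n")
GOOD = "Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209])\n" + TAIL
# Assumption: the wrap lands before "[" with no leading whitespace (not a valid fold).
MUNGED = "Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp\n[218.222.75.209])\n" + TAIL
NETS = ["69.25.118.171/32"]

if __name__ == "__main__":
    for msg in (GOOD, MUNGED):
        print(classify(msg, NETS), all_trusted_as_described(msg, NETS))
```

A non-empty third list from `classify` corresponds to the "unknown format" debug line and is worth alerting on, since it means the trust decision was made on an empty relay path.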




Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
I decided to run spamd in debug mode, and log what it was seeing. This is
what I found for a direct delivered message.

debug: received-header: unknown format: from fluidhostingc.com (unknown)
by kangaroo.publicmx.com;

Searched around on Google, and saw a reference that at least in
spamass-milter 0.2, the milter fakes the received header to appease SA.
However, that method doesn't work so well.

--John


Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
Fixed the problem. Looks like the howto I followed for setting up
spamass-milter was wrong. After redoing my sendmail config for it, all is
well.

Thanks for all the help everyone.

--John


Re: ALL_TRUSTED appearing on spam

2005-07-24 Thread Ronny Nussbaum
On 7/24/05, John T. Yocum [EMAIL PROTECTED] wrote:
 Hello,
 
 I've recently noticed that a lot of spam is getting through SpamAssassin,
 and it's getting the ALL_TRUSTED test listed on it. The issue with that
 is, I only have one IP trusted, and that's my own mail server.
 
 snip from local.cf
 # Trusted Networks
 trusted_networks 69.25.118.171
 /snip
 
 As you can see in the below set of headers the message came from
 218.222.75.209. Yet, it's trusted.
 
 Return-Path: [EMAIL PROTECTED]
 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
 by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331
 for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700
 From: Fortifies T. Noon [EMAIL PROTECTED]
 To: Fawyland [EMAIL PROTECTED]
 Subject: Petite 18yo Teen Stripping
 Date: Mon, 25 Jul 2005 11:38:57 -0700
 Message-ID: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: text/plain
 Content-Transfer-Encoding: 7bit
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook, Build 10.0.4024
 Importance: Normal
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
 X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE:
 6.20.0.1; VDF: 6.20.0.46; host: U075209.ppp.dion.ne.jp)
 X-Spam-Status: No, score=0.0 required=3.0 tests=ALL_TRUSTED,BIZ_TLD,CUM_SHOT,
 HOT_NASTY autolearn=disabled version=3.0.4
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
 kangaroo.publicmx.com
 
 
 I have tried sending a test message from another host to the mail server,
 and everything seems fine. As headers show below.
 
 
 Return-Path: [EMAIL PROTECTED]
 Received: from mail1.fluidhosting.com (mail1.fluidhosting.com [204.14.90.61])
 by kangaroo.publicmx.com (8.13.4/8.13.4) with SMTP id j6OLZSOU019710
 for [EMAIL PROTECTED]; Sun, 24 Jul 2005 14:35:28 -0700
 Received: (qmail 43718 invoked by uid 399); 24 Jul 2005 21:35:24 -
 Received: from localhost (HELO ?192.168.102.220?)
 ([EMAIL PROTECTED]@127.0.0.1)
 by localhost with SMTP; 24 Jul 2005 21:35:24 -
 Message-ID: [EMAIL PROTECTED]
 Date: Sun, 24 Jul 2005 14:35:21 -0700
 From: John T. Yocum REMOVEDfluidhosting.com
 User-Agent: Mozilla Thunderbird 1.0.6-1.4.1.centos4 (X11/20050721)
 X-Accept-Language: en-us, en
 MIME-Version: 1.0
 To: [EMAIL PROTECTED]
 Subject: test
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 X-Spam-Status: No, score=-0.0 required=4.0 tests=SPF_HELO_PASS,SPF_PASS
 autolearn=disabled version=3.0.4
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
 kangaroo.publicmx.com
 
 
 My current setup is, SpamAssassin 3.0.4 integrated with Sendmail using
 SpamAssasin-Milter 0.3.
 
 Any ideas why other hosts are getting trusted would be greatly appreciated.
 
 Thanks,
 John
 

John, there's another setting, called internal networks, that you're
supposed to put in the local.cf file as well.

See this:
http://wiki.apache.org/spamassassin/TrustPath?highlight=%28all_trusted%29

-RoNNY


Re: ALL_TRUSTED appearing on spam

2005-07-24 Thread mouss

John T. Yocum wrote:

Hello,

I've recently noticed that a lot of spam is getting through SpamAssassin,
and it's getting the ALL_TRUSTED test listed on it. The issue with that
is, I only have one IP trusted, and that's my own mail server.

snip from local.cf
# Trusted Networks
trusted_networks 69.25.118.171
/snip

As you can see in the below set of headers the message came from
218.222.75.209. Yet, it's trusted.

Return-Path: [EMAIL PROTECTED]
Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
[218.222.75.209])
 by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331
 for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700


My understanding (but I may be wrong) is that ALL_TRUSTED means all 
received headers are trusted, which seems the case. It doesn't mean the 
origin client is trusted.


Re: ALL_TRUSTED appearing on spam

2005-07-24 Thread John T. Yocum
OK. I added the internal_networks setting listing my only MX (It's not
trusted, as it's used by many other users, and isn't under my control.)

snip
# Trusted Networks
trusted_networks    69.25.118.171

# Internal Networks
internal_networks   207.234.226.49
/snip

OK. So the trusted_networks line specifies my mail server IP. (Machine
running SA.) And internal_networks has my third-party operated MX.

Now, regardless of what I set trusted_networks to, SA sets ALL_TRUSTED to
direct delivered spam, or mail.

I think this is part of its design though. My mail host is a webmail box,
thus nobody relays through it, except itself. Thus, it shouldn't trust any
hosts other than itself.

Now, it doesn't set ALL_TRUSTED from spam, or any e-mail which is relayed
via another host. It's only for direct delivered mail.

Thanks,
John
