* Dominik Ruf <[EMAIL PROTECTED]> [2003-10-10 04:59]:
> Just before upgrading to the new 2.60 Release, I read through
> the documentation to see what has changed. But some things are
> not clear to me. Maybe someone's able to bring some light to me?

As no one answered this yet, I've now taken some hours searching
the source code to find my answers. I'm posting them here and
hopefully they're useful for someone else, too. Additionally,
I'd propose to update the documentation about these things a
little bit, but more about this later at the end.

[Documentation about trusted_networks]
> | If you're running with DNS checks enabled, SpamAssassin includes code to
> | infer your trusted networks on the fly, so this may not be necessary.
> | (Thanks to Scott Banister and Andrew Flury for the inspiration for this
> | algorithm.) This inference works as follows:
> |
> |  * if the 'from' IP address is on the same /16 network as the top
> |    Received line's 'by' host, it's trusted
> 
> Does this mean that if my MX has address 217.160.190.191 the
> whole 217.160.0.0/16 network is automatically "trusted" and
> therefore no DNSBL checks will be run for it?

Yes, with the exception that if one sets the trusted_network
option, there'll be no "auto-inference" of trusted networks at all.

After reading Dns.pm and EvalTests.pm I found the answer in
Received.pm:

my $trusted = $self->{conf}->{trusted_networks};
[...]
my $did_user_specify_trust = ($trusted->get_num_nets() > 0);

Then, the whole code about auto-inference is surrounded by this
if-statement:

if ($in_trusted && !$did_user_specify_trust) { ...

> This is really not what I want: This network contains other
> dedicated servers operated by other customers of my ISP and
> even if they've a working abuse-department there will be
> open proxies/relays in it from time to time.
> Is it possible to turn this "feature" of auto-inference of
> the trusted_networks off? And if so, how could it be done?
> Would the clear_trusted_networks option work to get rid of it?

I think clear_trusted_networks doesn't prevent auto-inference,
but as stated above auto-inference is ONLY done if the trusted_networks
option is not set or doesn't eval to at least one IP or network
address.

> |  * if the address of the 'from' host is in a reserved network
> |    range, then it's trusted
> |  * if any addresses of the 'by' host is in a reserved network
> |    range, then it's trusted
> 
> How's "reserved" defined in this context? The reserved
> netblocks from RFC 1918? Or anything else?

Yes, the blocks from RFC 1918 but also many more somewhat
"reserved" networks. The detailed answer could be found in
Dns.pm, where $IP_IN_RESERVED_RANGE is defined. There are
quite nice comments and references to RFCs etc. which explain
why these networks are "reserved" - especially RFC 3330.

Back to changing the documentation about trusted_networks,
I'd propose the following little change:

Old:
If you're running with DNS checks enabled, SpamAssassin includes
code to infer your trusted networks on the fly, [...]

New:
If you're running with DNS checks enabled and haven't set
the trusted_networks option, SpamAssassin includes code to
infer your trusted networks on the fly, [...]

I'd also prepare a diff, but I'm not familiar with the
procedures within the SA project yet, e.g. I don't know
if it should be against the stable version or the CVS version
etc. (But I've read http://eu.spamassassin.org/hacking.html
now :-)

Dominik
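
An added example, not part of the original post and not SpamAssassin code: a Python model of the trust decision for a single Received hop as the message describes it, showing how a neighbour on the MX's /16 stops being trusted once trusted_networks is set. The function names, the IPv4-only handling and the short RESERVED list are assumptions; the real list is $IP_IN_RESERVED_RANGE in Dns.pm.

```python
import ipaddress

# Illustrative subset of reserved ranges (RFC 1918 plus a few RFC 3330 blocks).
# Assumption: this is NOT the contents of SpamAssassin's $IP_IN_RESERVED_RANGE.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
)]


def in_any(ip, nets):
    return any(ip in net for net in nets)


def same_slash16(a, b):
    # Compare the enclosing /16 of two IPv4 addresses.
    net = lambda x: ipaddress.ip_network(f"{x}/16", strict=False)
    return net(a) == net(b)


def hop_is_trusted(from_ip, by_ips, trusted_networks=()):
    """Return (trusted, reason) for one Received hop (hypothetical model)."""
    src = ipaddress.ip_address(from_ip)
    by = [ipaddress.ip_address(b) for b in by_ips]
    user_nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    # Mirrors $did_user_specify_trust: any configured net disables inference.
    if user_nets:
        return (in_any(src, user_nets), "explicit trusted_networks")
    if any(same_slash16(src, b) for b in by):
        return (True, "inferred: same /16 as 'by' host")
    if in_any(src, RESERVED):
        return (True, "inferred: 'from' in reserved range")
    if any(in_any(b, RESERVED) for b in by):
        return (True, "inferred: 'by' in reserved range")
    return (False, "not trusted")


if __name__ == "__main__":
    mx = "217.160.190.191"      # MX address from the message
    neighbour = "217.160.5.5"   # constructed: another host in the same /16
    print(hop_is_trusted(neighbour, [mx]))          # inference active
    print(hop_is_trusted(neighbour, [mx], [mx]))    # trusted_networks set
```
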

