-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jay Levitt writes:
> Another example: Any spam whose other Received: lines are odd-format or
> otherwise ignored. F'rinstance, these:
>
> Received: from linux.home.jay.fm ([unix socket])
>         by linux.home.jay.fm (Cyrus v2.1.12-Mandrake-RPM-2.1.12-1mdk) with
>         LMTP; Sat, 07 Aug 2004 09:27:45 -0400
> X-Sieve: CMU Sieve 2.2
> Received: from ns.sign-on-africa1.net ([66.227.5.177])
>         by linux.home.jay.fm (8.12.10/8.12.10) with ESMTP id i77DRgh7017380
>         (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
>         for <[EMAIL PROTECTED]>; Sat, 7 Aug 2004 09:27:43 -0400
> Received: from mellamed by ns.sign-on-africa1.net with local (Exim 4.34)
>         id 1BtRkP-00070Y-Rx; Sat, 07 Aug 2004 10:00:34 -0400
> Received: from 80.88.138.202 ([80.88.138.202])
>         (SquirrelMail authenticated user [EMAIL PROTECTED])
>         by www.mellamed.com with HTTP;
>
> produce this output:
>
> debug: received-header: parsed as [ ip=66.227.5.177 rdns=
> helo=ns.sign-on-africa1.net by=linux.home.jay.fm ident= envfrom= intl=0
> id=i77DRgh7017380 ]
> debug: received-header: ignored SquirrelMail injection: from 80.88.138.202
> ([80.88.138.202]) (SquirrelMail authenticated user [EMAIL PROTECTED]) by
> www.mellamed.com with HTTP; Sat, 7 Aug 2004 10:00:33 -0400 (EDT)
> debug: looking up A records for 'linux.home.jay.fm'
> debug: A records for 'linux.home.jay.fm': 192.168.1.150
> debug: looking up A records for 'linux.home.jay.fm'
> debug: A records for 'linux.home.jay.fm': 192.168.1.150
> debug: received-header: 'by' linux.home.jay.fm has reserved IP 192.168.1.150
> debug: received-header: 'by' linux.home.jay.fm has no public IPs
> debug: received-header: relay 66.227.5.177 trusted? yes internal? no
> debug: metadata: X-Spam-Relays-Trusted: [ ip=66.227.5.177 rdns=
> helo=ns.sign-on-africa1.net by=linux.home.jay.fm ident= envfrom= intl=0
> id=i77DRgh7017380 ]
> debug: metadata: X-Spam-Relays-Untrusted:
> Sat, 7 Aug 2004 10:00:33 -0400 (EDT)
>
> My received: line is trusted. The second received: line is ignored
> because of "with local" (line 811 of Received.pm). The third is ignored
> because of Squirrelmail. And voila, an entire chain of untrusted hosts
> is declared trusted.

Your reading is wrong. The first header *should be* and is trusted.
However, the problem is that SpamAssassin attempts to see if it should
trust beyond that, performs an A lookup on the hostname
'linux.home.jay.fm':

  debug: looking up A records for 'linux.home.jay.fm'
  debug: A records for 'linux.home.jay.fm': 192.168.1.150
  debug: received-header: 'by' linux.home.jay.fm has reserved IP 192.168.1.150
  debug: received-header: 'by' linux.home.jay.fm has no public IPs

and because there are no public IPs, it infers that that host cannot be
an external relay. Therefore the *next* line should be trusted, as it
may be the external relay. So it keeps on looking -- ignores the "with
local" and "Squirrelmail" lines because they're not MTA handovers, as it
should -- and runs out of headers. Hence, ALL_TRUSTED.

The only MTA handover via SMTP in that message was a single,
direct-to-MX delivery. So going "one over" the true external host will
produce this result.

This issue -- going "one past" the real internal/external boundary -- is
often the case with split-DNS views, where the internal DNS view
presented to SpamAssassin isn't the same as external hosts see; that
lack of info means it cannot make a correct inference.

Documented way to deal with this, as I said in the bug: set
trusted_networks.

- --j.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFBGZS1QTcbUG5Y7woRAqOqAJwMCNyQsah6OGcWCT7XN1XzOT58jACgpBwi
Yeb6HLUDtz5kYm7rkzs+1G0=
=2RnK
-----END PGP SIGNATURE-----
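The trust inference the reply describes, as an added Python sketch that is not part of this thread and not SpamAssassin's own Perl code from Received.pm. It walks the Received: headers quoted above (joined onto one line each), skips the "with local", "with HTTP" (SquirrelMail) and unix-socket LMTP hops because they are not SMTP handovers, and then decides the trust boundary the way the reply explains: a relay stays trusted while its 'from' IP is reserved or its 'by' host resolves to no public address. The DNS tables are constructed stand-ins: the internal split-DNS view returns only 192.168.1.150 for the MX, as in the debug output, and the "external" view uses 203.0.113.25 as a constructed stand-in for the MX's real public address. The regex and the reserved-range list are simplifications assumed for the example, not the project's parser. The last case shows the documented remedy, an explicit trusted_networks setting, removing the guesswork.

```python
import ipaddress
import re

# Constructed sample input: the Received: headers quoted in the thread,
# most recent hop first, each folded header joined onto one line.
RECEIVED_HEADERS = [
    "from linux.home.jay.fm ([unix socket]) by linux.home.jay.fm "
    "(Cyrus v2.1.12-Mandrake-RPM-2.1.12-1mdk) with LMTP; Sat, 07 Aug 2004 09:27:45 -0400",
    "from ns.sign-on-africa1.net ([66.227.5.177]) by linux.home.jay.fm (8.12.10/8.12.10) "
    "with ESMTP id i77DRgh7017380 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA "
    "bits=168 verify=NO) for <[EMAIL PROTECTED]>; Sat, 7 Aug 2004 09:27:43 -0400",
    "from mellamed by ns.sign-on-africa1.net with local (Exim 4.34) "
    "id 1BtRkP-00070Y-Rx; Sat, 07 Aug 2004 10:00:34 -0400",
    "from 80.88.138.202 ([80.88.138.202]) (SquirrelMail authenticated user [EMAIL PROTECTED]) "
    "by www.mellamed.com with HTTP; Sat, 7 Aug 2004 10:00:33 -0400 (EDT)",
]

# Stand-ins for DNS so the example runs offline (both constructed). The internal
# split-DNS view returns only the MX's private address, as in the debug output;
# the external view uses a documentation address in place of the MX's real public one.
INTERNAL_DNS_VIEW = {"linux.home.jay.fm": ["192.168.1.150"]}
EXTERNAL_DNS_VIEW = {"linux.home.jay.fm": ["203.0.113.25"]}

# Only SMTP handovers count as relays; "with local", "with HTTP" (webmail
# injection) and LMTP over a unix socket are not MTA-to-MTA hops.
SMTP_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPS", "ESMTPA", "ESMTPSA"}

# Simplified "from HELO ([ip]) ... by HOST ... with PROTO" matcher (assumed, not SA's).
RELAY_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)",
    re.DOTALL,
)

# Ranges treated as reserved for the inference (RFC 1918, loopback, link-local);
# a hop coming from one of these can only be internal.
RESERVED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_relay(header):
    """Return {'ip','helo','by'} for an SMTP handover, or None if the header is ignored."""
    m = RELAY_RE.search(header)
    if m is None or m["with"].upper() not in SMTP_PROTOCOLS:
        return None
    return {"ip": m["ip"], "helo": m["helo"], "by": m["by"]}


def is_reserved(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESERVED_NETWORKS)


def has_public_ip(hostname, dns):
    """Does the receiving ('by') host resolve to at least one non-reserved address?"""
    return any(not is_reserved(a) for a in dns.get(hostname, []))


def infer_trust(headers, dns, trusted_networks=None):
    """Split the relay chain into (trusted, untrusted, all_trusted).

    Without trusted_networks the boundary is inferred as the thread describes:
    a relay is trusted while its 'from' IP is reserved or its 'by' host has no
    public address (so this handover cannot have been the external one), and
    once a relay is untrusted every older relay is too. With trusted_networks
    (CIDR strings) the decision is only whether the 'from' IP is inside them.
    """
    trusted, untrusted = [], []
    in_trusted = True
    for relay in filter(None, (parse_relay(h) for h in headers)):
        if in_trusted:
            if trusted_networks is not None:
                ip = ipaddress.ip_address(relay["ip"])
                in_trusted = any(ip in ipaddress.ip_network(n) for n in trusted_networks)
            else:
                in_trusted = is_reserved(relay["ip"]) or not has_public_ip(relay["by"], dns)
        (trusted if in_trusted else untrusted).append(relay)
    return trusted, untrusted, not untrusted


def demo():
    cases = {
        "inferred, internal DNS view": infer_trust(RECEIVED_HEADERS, INTERNAL_DNS_VIEW),
        "inferred, external DNS view": infer_trust(RECEIVED_HEADERS, EXTERNAL_DNS_VIEW),
        "trusted_networks 192.168.1.0/24": infer_trust(
            RECEIVED_HEADERS, INTERNAL_DNS_VIEW, trusted_networks=["192.168.1.0/24"]),
    }
    for name, (t, u, all_trusted) in cases.items():
        print(f"{name}: trusted={[r['ip'] for r in t]} untrusted={[r['ip'] for r in u]} "
              f"ALL_TRUSTED={'yes' if all_trusted else 'no'}")
    return cases


if __name__ == "__main__":
    demo()
```

With the internal DNS view the only SMTP hop (66.227.5.177, a direct-to-MX delivery) is trusted and the relay list runs out, which is exactly the ALL_TRUSTED outcome in the debug output; with either the external view or an explicit trusted_networks the same hop lands in the untrusted list.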
