Hi there,

I think I understand the use of trusted networks and the firsttrusted option for RBL lookups, but I'm getting some unexpected behavior here. I'm guessing it is caused by SA inferring additional trusted networks?

My goal: to identify and heavily score mail coming in directly from dynamic / dialup / DSL / cable IPs. I don't care about mail that originated from dynamic IPs, nor do I care if a middle relay is dynamic. I only want to flag the message if and only if the IP we directly received the mail from is dynamic ...

I have adjusted the two existing dialup RBL lookups to use the -firsttrusted option, which should omit all the earlier Received lines and only use the IP added by our SMTP server, which is the only Received line I consider trusted. For the most part this works great, and I assume my desired goal is exactly why the -firsttrusted option was added.
My problem:

1) Mail that originates from a dialup customer using a Webmail interface will have the first Received line stamped with their dial-up IP address.

2) The mail is sent to our corporate help desk, so the mail is relayed from the Webmail to our corporate SMTP servers (different from our customer SMTP servers, but on the same network).

3) In the case of forwards or aliases, the corporate address sometimes forwards the mail to an email address that is handled back on our customer SMTP servers.

The relay chain shown here is in reverse order from the email header; the first hop is shown on top, the last (final) hop at the bottom ...
hop 1) Dynamic IP => Customer Webmail / SMTP server
-- SpamAssassin is not run here because the user was logged in.

  Received: from 242852hfc25.tampabay.rr.com (242852hfc25.tampabay.rr.com [24.45.51.25]) by mail.customerdomain.com (Horde) with HTTP for <[EMAIL PROTECTED]>; Wed, 29 Sep 2004 12:21:46 -0400

hop 2) Customer Webmail / SMTP server => Corporate Operations SMTP server

  Received: from smtp.corporate.com (webmail3.corporate.com [198.144.153.85]) by mercury.corporate.com (8.12.10/8.12.10) with ESMTP id i8TGR8wh015687 for <[EMAIL PROTECTED]>; Wed, 29 Sep 2004 12:27:08 -0400

hop 3) Corporate Operations SMTP server => Customer Webmail / SMTP server
-- SpamAssassin is run here, because this is a remote to local delivery with no authentication. SpamAssassin sees the -firsttrusted as dynamic and scores the message as if it came directly from a dynamic IP, even though it was relayed by a static IP SMTP server.

  Received: from mercury.corporate.com (198.144.153.25) by smtp1.corporate.com with SMTP; 29 Sep 2004 16:21:39 -0000
I believe the problem to be that 'trusted networks' is considered to be any IP on our same network, not our specific customer SMTP servers.

I guess my real question is: how can I prevent this case? This message was relayed through an official SMTP server on a static IP! I do not want to flag this as highly suspicious, because it isn't! The trusted networks -firsttrusted option is simply skipping past the Received line I wish to be checked against the RBLs, and using the Received line a hop down the chain instead. There is no 'untrusted' setting to which I can add specific IPs on our network that should not be trusted.

Am I missing something here, or am I out of luck trying to use these RBLs?

Thanks in advance,
Shane Metler
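Added example, not part of the post and not SpamAssassin's own code: a small Python model of how the trusted_networks setting decides which Received IP a -firsttrusted RBL lookup is run against, using the three Received lines from the message above. It assumes the simplified rule the post describes (skip relays that sit inside a trusted network, check the first one outside it); the DUL list is a constructed stand-in for the DNS lookup, and 198.144.153.10 is an assumed placeholder for a customer SMTP server address.

```python
# Added model of how trusted_networks picks the Received IP that a
# -firsttrusted RBL lookup sees; not SpamAssassin's own code.
import ipaddress
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# The post's three Received headers, nearest hop to our SMTP server first.
RECEIVED = [
    "from mercury.corporate.com (198.144.153.25) by smtp1.corporate.com "
    "with SMTP; 29 Sep 2004 16:21:39 -0000",
    "from smtp.corporate.com (webmail3.corporate.com [198.144.153.85]) "
    "by mercury.corporate.com (8.12.10/8.12.10) with ESMTP id i8TGR8wh015687; "
    "Wed, 29 Sep 2004 12:27:08 -0400",
    "from 242852hfc25.tampabay.rr.com (242852hfc25.tampabay.rr.com "
    "[24.45.51.25]) by mail.customerdomain.com (Horde) with HTTP; "
    "Wed, 29 Sep 2004 12:21:46 -0400",
]

# Constructed stand-in for the dial-up RBL answer; no DNS lookup is done.
DUL_LISTED = {"24.45.51.25"}

def relay_ip(received):
    """IP of the host that handed the message over (the 'from' side)."""
    from_part = received.split(" by ", 1)[0]
    m = IPV4.search(from_part)
    return m.group(0) if m else None

def last_external_ip(received_headers, trusted_networks):
    """Walk outward from our server, skip relays inside a trusted network,
    and return the first IP that is not trusted: the one the RBL sees."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None or any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # no IP, or a trusted relay: keep walking outward
        return ip
    return None

def dul_hit(received_headers, trusted_networks):
    """(checked_ip, flagged) for the dial-up RBL rule."""
    ip = last_external_ip(received_headers, trusted_networks)
    return ip, ip in DUL_LISTED

if __name__ == "__main__":
    # Whole corporate /24 trusted: the inferred-network case from the post.
    print(dul_hit(RECEIVED, ["198.144.153.0/24"]))   # ('24.45.51.25', True)
    # Only the customer SMTP server trusted (198.144.153.10 is an assumed
    # placeholder); mercury stays untrusted, so its static IP is checked.
    print(dul_hit(RECEIVED, ["198.144.153.10/32"]))  # ('198.144.153.25', False)
```

With the whole /24 trusted, the walk skips both corporate relays and lands on the customer's dynamic address; with only the customer SMTP servers trusted, the check stops at mercury's static IP.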