Jo Rhett wrote:
> On Apr 29, 2008, at 7:40 PM, Matt Kettler wrote:
>>> I'm not repeating for the 5th time that there are no trusted
>>> mailservers. Only this host.
>> That's a contradiction, because "this host" is a mailserver. Clearly
>> you have a trusted mailserver.
>> However, in the interest of moving the discussion forward, you have
>> exactly one trusted mailserver, your MX, which is perfectly valid.
>
> Yes. I'm sorry but this is obvious. I don't know how to pick the
> words exactly as you want them, but most people understood what I
> meant 5 or 6 replies ago ;-)
>
>> The question lies in why does the AWL seem to be confusing forged
>> email with your own email. That's generally quite critically
>> dependent on the trust path.
>
> No, that's not the question at all. (more below)
>
>> Have you tried running one of the forged messages, and an actual
>> legitimate message through SA manually with the -D flag to see what
>> the trusted and untrusted hosts are, as SA sees it?
>
> Yes. Many times. That's not the point of this thread.

I still think it is.

If your AWL is applying the same history data to forged email as
unforged email, either there's a *major* bug in the AWL code, or your
trust path is broken. Period.

The AWL is designed to be able to distinguish forged mail from non-forged
mail. If that's not working, that's a major problem.

> The point of this thread is the obvious ease of forging e-mail from
> recipient to (same) recipient. It's one situation where the AWL
> wouldn't work very well.

Actually, it's very difficult to forge in a way that will confuse the
AWL, if your trust path and the AWL code are working properly. After all,
it looks at the combination of email address and first untrusted IP.

Forged email will not be from the same IP as legitimate email, unless
your trust path is broken and SA always sees all mail as entering your
network from the same IP.

> It would be fairly easy to forge, and worthwhile enough for botnets to
> just do this (which they are, in force, for the last month)
>
> I personally see no value in applying AWL to messages from self to self.

I agree, but I see no value in applying the exception. I'd rather try to
fix the more general problem of your AWL not distinguishing message
sources properly.

> I may be wrong, and I'm open to arguments against this, but I am
> suggesting that the AWL module should skip over self->self messages.
> It seems too easy to forge, and no gain in doing so.

You're overlooking how the AWL works. It's actually really hard to forge.

However, I will agree with you there's limited value in self-to-self AWL
records, but there's also no harm in them if the AWL is working properly.
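The mechanism Matt describes in the message above (the AWL keys its history on the sender address plus the first untrusted relay's IP, so a forged self-to-self message and a real one land on different keys unless a broken trust path makes every message appear to enter from one internal IP), modelled in Python as an added example. This is not part of the original thread and not SpamAssassin's code: the Received: walk is simplified (IPv4 only, no trusted-host inference), all host names, addresses, headers and scores are constructed, the two-octet (/16) key is how I understand the AWL to work, and the 0.5 pull factor is SA's default auto_whitelist_factor as I recall it; treat all of those as assumptions.

```python
"""Model of an address+IP keyed auto-whitelist, as the thread describes
SpamAssassin's AWL. Added example, not SpamAssassin code; everything
below is constructed for illustration."""
import ipaddress
import re

# Constructed headers, most recent hop first, as they appear in a message.
# Legitimate self-to-self mail: alice's laptop -> submission server
# (10.0.0.5) -> internal gateway (10.0.0.1) -> the host running SA.
LEGIT = """\
Received: from gw.example.org ([10.0.0.1]) by filter.example.org
Received: from msa.example.org ([10.0.0.5]) by gw.example.org
Received: from laptop.home ([203.0.113.7]) by msa.example.org
From: alice@example.org
To: alice@example.org
"""
# Forged self-to-self mail: a bot connects straight to the gateway.
FORGED = """\
Received: from gw.example.org ([10.0.0.1]) by filter.example.org
Received: from [198.51.100.42] by gw.example.org
From: alice@example.org
To: alice@example.org
"""

TRUSTED_OK = ["10.0.0.0/8"]  # gateway and MSA are ours: trust path works
TRUSTED_BROKEN = []          # gateway untrusted: all mail "enters" from 10.0.0.1
AWL_FACTOR = 0.5             # assumed: SA's default auto_whitelist_factor


def received_ips(headers):
    """Sender IP of each Received: line, most recent hop first."""
    ips = []
    for line in headers.splitlines():
        if line.startswith("Received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            if m:
                ips.append(m.group(1))
    return ips


def first_untrusted_ip(headers, trusted_networks):
    """Walk the chain outward from our host; the first hop whose sending
    IP is not in trusted_networks is the originating relay as far as the
    headers can be believed (anything beyond it may be forged)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in received_ips(headers):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None  # every hop trusted: mail originated inside our boundary


def awl_key(headers, trusted_networks):
    """sender|first two octets of the originating IP: the history key."""
    sender = re.search(r"^From:\s*(\S+)", headers, re.M).group(1).lower()
    ip = first_untrusted_ip(headers, trusted_networks)
    prefix = "none" if ip is None else ".".join(ip.split(".")[:2])
    return f"{sender}|ip={prefix}"


def awl_adjust(history, key, score):
    """Pull score toward the key's historical mean by AWL_FACTOR, then
    record the message. A key with no history gets no adjustment."""
    count, total = history.get(key, (0, 0.0))
    adjusted = score if count == 0 else score + (total / count - score) * AWL_FACTOR
    history[key] = (count + 1, total + score)
    return adjusted


def simulate(trusted_networks):
    """Ten legitimate messages scoring -5, then one forgery scoring +8.
    Returns (legit_key, forged_key, forgery score after the AWL)."""
    history = {}
    legit_key = awl_key(LEGIT, trusted_networks)
    for _ in range(10):
        awl_adjust(history, legit_key, -5.0)
    forged_key = awl_key(FORGED, trusted_networks)
    return legit_key, forged_key, awl_adjust(history, forged_key, 8.0)


if __name__ == "__main__":
    for label, nets in (("working trust path", TRUSTED_OK),
                        ("broken trust path", TRUSTED_BROKEN)):
        print(label, simulate(nets))
```

With the gateway trusted, the forgery is keyed on 198.51 and inherits none of alice's -5 history, so it keeps its +8. With the gateway left out of trusted_networks, both messages key on 10.0 and the forgery is pulled down to 1.5 by history it never earned, which is the failure the thread is arguing about: the fix is the trust path, not an exception for self-to-self mail. Running the real messages through spamassassin -D, as suggested above, shows which relay SA actually treats as the first untrusted one.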