Re: trusted_networks and RCVD_IN_DNSWL_*

From: Matus UHLAR - fantomas <uhlar(at)fantomas.sk>
Date: Fri Oct 19 2007 - 04:03:05 EDT


On 18.10.07 17:32, Lars Ippich wrote:
> >> Now I added IPs to trusted_networks and that causes another problem: The
> >> trusted_network IPs are in the DNSWL and therefore get a positive bonus
> >> from SA.

I guess that's the meaning of the trusted_networks setting (or at least one of its meanings).

> > Hm, somehow I can't follow what you're trying to do. Can you post the
> > relevant parts of your configuration?
>
> Sure:
>
> > header RCVD_IN_DNSWL X-DNS-Whitelist =~ /^none/
> > score RCVD_IN_DNSWL -0.1
> > describe RCVD_IN_DNSWL Sender listed at http://www.dnswl.org/, no trust
> >
> > header RCVD_IN_DNSWL_LOW X-DNS-Whitelist =~ /^low/
> > score RCVD_IN_DNSWL_LOW -1
> > describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
> >
> > header RCVD_IN_DNSWL_MED X-DNS-Whitelist =~ /^med/
> > score RCVD_IN_DNSWL_MED -4
> > describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
> >
> > header RCVD_IN_DNSWL_HI X-DNS-Whitelist =~ /^hi/
> > score RCVD_IN_DNSWL_HI -8
> > describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
> >
> > header RCVD_IN_DNSWL_NO X-DNS-Whitelist =~ /^No$/
> > score RCVD_IN_DNSWL_NO 0.1
> > describe RCVD_IN_DNSWL_NO Sender *not* listed at http://www.dnswl.org/

Here you replaced RCVD_IN_DNSWL* rules.

> > # web.de
> > trusted_networks 217.72.192.
>
> What now happens is the following:
>
> 1) I get a mail (from a server within the trusted_networks range).
> 2) Postfix adds the X-DNS-Whitelist header for this server.
> 3) SpamAssassin gets the mail and checks it.
> 3a) SpamAssassin notes that the mail has been handled by a server from
> the trusted_networks range before.

I don't think SA checks that, unless your scores do not apply. Your scores above make SA not check for trusted hosts.

> 3b) Therefore SpamAssassin applies all tests to the server one more hop
> away.

Not all. Blacklist checks are done on the internal network boundary.

> 3c) SpamAssassin does not know that the X-DNS-Whitelist entry does not
> belong to the server within the trusted_networks range and therefore
> applies a bonus score on the mail.

It's a problem of your scores, not a problem of SA. Originally SA does the check itself on the trusted_networks boundary and does not check headers added by Postfix.

> 4) The mail does not get ranked as spam due to the bonus spam.
> 5) I get spam.
>
> If it is not possible to make something like an if statement preventing
> this from happening, I would be happy about some information on how to
> integrate dnswl.org into SpamAssassin.

I am not completely sure how DNSWL tests are meant. It seems that all whitelist rules apply only for hosts you added to trusted_networks. (Someone please correct me if I'm wrong)

However, the trusted_networks setting is described:

<CITE>
A trusted host could conceivably relay spam, but will not originate it, and will not forge header data.
</CITE>

Therefore, it's expected that the trusted host only relayed spam for you. I always warn users and colleagues that EVERY MAIL FORWARDING DEGRADES SPAM FILTERING CAPABILITIES. And it's not just because of these options. If someone forwards mail, (s)he should take care of spam before forwarding, not after it.

-- 
Matus UHLAR - fantomas, 
uhlar(at)fantomas.sk ; 
http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
Received on Fri Oct 19 04:03:49 2007
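
The mismatch discussed in this message, as an added example that is not part of the original thread and is not SpamAssassin's own code: a simplified Python model showing that a whitelist header stamped by the MTA describes the connecting client, while the relay that matters is the first hop outside the trusted range. The function names and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed values: documentation ranges stand in for real networks.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # plays the trusted_networks entry

# Constructed message: a trusted forwarder relays mail that originated elsewhere,
# and the local MTA has stamped its whitelist verdict for the connecting client.
SAMPLE = (
    "X-DNS-Whitelist: med\n"
    "Received: from forwarder.example (forwarder.example [192.0.2.10])\n"
    "\tby mx.local.example with ESMTP; Fri, 19 Oct 2007 10:00:02 +0200\n"
    "Received: from origin.example (origin.example [198.51.100.77])\n"
    "\tby forwarder.example with ESMTP; Fri, 19 Oct 2007 10:00:01 +0200\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw):
    """Client IPs taken from the Received headers, newest hop first."""
    ips = []
    for value in message_from_string(raw).get_all("Received", []):
        match = RELAY_IP.search(value)
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except (AttributeError, ValueError):
            continue  # no bracketed IPv4 literal, or not a valid address
    return ips

def is_trusted(ip):
    return any(ip in net for net in TRUSTED)

def boundary_relay(raw):
    """First hop outside TRUSTED: the relay that handed the mail to a trusted host."""
    return next((ip for ip in relay_ips(raw) if not is_trusted(ip)), None)

def header_describes_boundary(raw):
    """True only when the MTA's connecting client is itself the boundary relay."""
    ips = relay_ips(raw)
    return bool(ips) and ips[0] == boundary_relay(raw)

if __name__ == "__main__":
    print("connecting client:", relay_ips(SAMPLE)[0])
    print("boundary relay:   ", boundary_relay(SAMPLE))
    print("header describes boundary relay:", header_describes_boundary(SAMPLE))
```

When `header_describes_boundary` is false, a rule that scores the MTA-added header is rewarding the trusted forwarder rather than the host that handed it the mail.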

This archive was generated by hypermail 2.1.8 : Sat Jul 05 2008 - 21:55:57 EDT
