spamassassin-users December 2011 archive

Why not trust that header? And ALL_TRUSTED wrong?

From: Michael Monnerie <lists.michael.monnerie_at_nospam>
Date: Tue Dec 06 2011 - 16:48:10 GMT
To: SpamAssassin Users List <users@spamassassin.apache.org>

I get this message:

[21120] dbg: message: X-Envelope-From header found after 1 or more Received lines, cannot trust envelope-from

because my mail got these headers:
**************
Received: by mailsrv14.zmi.at (Postfix, from userid 65534) id A19381828D92;
        Sat, 26 Nov 2011 04:17:04 +0100 (CET)
Received: from protegate54.zmi.at (protegate54.zmi.at [212.69.164.56]) (using TLSv1
        with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "protegate5.zmi.at", Issuer "power4u.zmi.at" (not verified))
        by mailsrv14.zmi.at (Postfix) with ESMTPS id 3963B1828D91 for <afm@zmi.at>;
        Sat, 26 Nov 2011 04:17:04 +0100 (CET)
X-Envelope-From: support@bridgestone.com.sg
Received: from localhost (localhost [127.0.0.1])
        by protegate54.zmi.at (Postfix) with ESMTP id 20F7B31B623 for <afm@zmi.at>;
        Sat, 26 Nov 2011 04:17:04 +0100 (CET)
Received: from protegate54.zmi.at ([127.0.0.1])
        by localhost (protegate54.zmi.at [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id aB17X1qwKp0V for <afm@zmi.at>;
        Sat, 26 Nov 2011 04:17:04 +0100 (CET)
Received-SPF: none (bridgestone.com.sg: No applicable sender policy
        available) receiver=protegate54.zmi.at; identity=mailfrom;
        envelope-from="support@bridgestone.com.sg";
        helo=mailserver.bridgestone.com.sg; client-ip=203.125.59.147
X-Envelope-From: support@bridgestone.com.sg
Received: from mailserver.bridgestone.com.sg (mailserver.bridgestone.com.sg [203.125.59.147]) (using TLSv1
        with cipher AES128-SHA (128/128 bits)) (Client CN "mailserver", Issuer "mailserver" (not verified))
        by protegate54.zmi.at (Postfix) with ESMTPS id DD84531B622
        for <afm@zmi.at>; Sat, 26 Nov 2011 04:15:06 +0100 (CET)
Received: from User (70.34.196.21)
        by mailserver.bridgestone.com.sg (172.17.1.5) with Microsoft SMTP Server
        id 14.1.323.3; Sat, 26 Nov 2011 11:10:37 +0800
**************

When all headers above X-Envelope-From are from trusted sources, this header should also be trusted.

Another question about that spam:

[21120] dbg: rules: ran eval rule ALL_TRUSTED ======> got hit (1)

Why is it ALL_TRUSTED, when my settings are:

clear_trusted_networks
clear_internal_networks
clear_msa_networks
trusted_networks 212.69.162.192/28 212.69.164.48/28 195.202.151.128/28 195.202.170.128/29
internal_networks 212.69.162.192/28 212.69.164.48/28 195.202.151.128/28 195.202.170.128/29
msa_networks 212.69.162.192/28 212.69.164.48/28 195.202.151.128/28 195.202.170.128/29

See these messages:
[21120] dbg: received-header: found fetchmail marker outside trusted area, ignored
[21120] dbg: received-header: parsed as [ ip=212.69.164.56 rdns=protegate54.zmi.at helo=protegate54.zmi.at by=mailsrv14.zmi.at ident= envfrom= intl=0 id=3963B1828D91 auth= msa=0 ]
[21120] dbg: received-header: found MSA relay, remaining relays will be considered trusted: yes internal: yes
[21120] dbg: received-header: relay 212.69.164.56 trusted? yes internal? yes msa? yes
[21120] dbg: received-header: parsed as [ ip=127.0.0.1 rdns=localhost helo=localhost by=protegate54.zmi.at ident= envfrom= intl=0 id=20F7B31B623 auth= msa=0 ]
[21120] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[21120] dbg: received-header: parsed as [ ip=127.0.0.1 rdns= helo=protegate54.zmi.at by=localhost ident= envfrom= intl=0 id=aB17X1qwKp0V auth= msa=0 ]
[21120] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[21120] dbg: received-header: parsed as [ ip=203.125.59.147 rdns=mailserver.bridgestone.com.sg helo=mailserver.bridgestone.com.sg by=protegate54.zmi.at ident= envfrom= intl=0 id=DD84531B622 auth= msa=0 ]
[21120] dbg: received-header: relay 203.125.59.147 trusted? yes internal? yes msa? no
[21120] dbg: received-header: parsed as [ ip=70.34.196.21 rdns=User helo=User by=mailserver.bridgestone.com.sg ident= envfrom= intl=0 id=14.1.323.3 auth= msa=0 ]
[21120] dbg: received-header: relay 70.34.196.21 trusted? yes internal? yes msa? no
[21120] dbg: received-header: parsed as [ ip=70.34.196.21 rdns= helo= by= ident= envfrom= intl=0 id= auth= msa=0 ]
[21120] dbg: received-header: relay 70.34.196.21 trusted? yes internal? yes msa? no
[21120] dbg: metadata: X-Spam-Relays-Trusted: [ ip=212.69.164.56 rdns=protegate54.zmi.at helo=protegate54.zmi.at by=mailsrv14.zmi.at ident= envfrom= intl=1 id=3963B1828D91 auth= msa=1 ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=pr
[21120] dbg: metadata: X-Spam-Relays-Untrusted:
[21120] dbg: metadata: X-Spam-Relays-Internal: [ ip=212.69.164.56 rdns=protegate54.zmi.at helo=protegate54.zmi.at by=mailsrv14.zmi.at ident= envfrom= intl=1 id=3963B1828D91 auth= msa=1 ] [ ip=127.0.0.1 rdns=localhost helo=localhost by=p
[21120] dbg: metadata: X-Spam-Relays-External:

Did I do something wrong? I can't see how 203.125.59.147 or 70.34.196.21 should be trusted or internal IPs?

--
Best regards,
Michael Monnerie, Ing. BSc

it-management Internet Services: Protéger
http://proteger.at [pronounced: Prot-e-schee]
Tel: +43 660 / 415 6531
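
An added example, not part of the original post and not SpamAssassin's own code: a small checker that replays the `received-header: relay` debug lines from the message against the posted `trusted_networks` and reports relays marked trusted that lie outside it, noting whether they follow a relay flagged as MSA. The log lines and network lists are copied from the post; the function names (`parse_nets`, `audit`) are hypothetical.

```python
import ipaddress
import re

# Network lists copied from the post's trusted_networks / msa_networks lines.
TRUSTED = "212.69.162.192/28 212.69.164.48/28 195.202.151.128/28 195.202.170.128/29"
MSA = TRUSTED  # the post sets msa_networks to the same list

# Debug lines copied from the post ("parsed as" lines left out for brevity).
SAMPLE_LOG = """\
[21120] dbg: received-header: found MSA relay, remaining relays will be considered trusted: yes internal: yes
[21120] dbg: received-header: relay 212.69.164.56 trusted? yes internal? yes msa? yes
[21120] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[21120] dbg: received-header: relay 127.0.0.1 trusted? yes internal? yes msa? no
[21120] dbg: received-header: relay 203.125.59.147 trusted? yes internal? yes msa? no
[21120] dbg: received-header: relay 70.34.196.21 trusted? yes internal? yes msa? no
[21120] dbg: received-header: relay 70.34.196.21 trusted? yes internal? yes msa? no
"""

RELAY_RE = re.compile(
    r"received-header: relay (\S+) trusted\? (yes|no) internal\? (yes|no) msa\? (yes|no)")

def parse_nets(spec):
    """Turn a space-separated CIDR list (as in local.cf) into network objects."""
    return [ipaddress.ip_network(n) for n in spec.split()]

def audit(log, trusted_spec, msa_spec):
    """Return [(ip, reason)] for relays logged as trusted but outside trusted_networks."""
    trusted, msa = parse_nets(trusted_spec), parse_nets(msa_spec)
    findings, msa_relay = {}, None
    for line in log.splitlines():
        m = RELAY_RE.search(line)
        if not m or m.group(2) != "yes":
            continue  # not a relay verdict line, or relay was not trusted
        ip = ipaddress.ip_address(m.group(1))
        if m.group(4) == "yes" and any(ip in n for n in msa):
            msa_relay = str(ip)  # first hop matched msa_networks
        if ip.is_loopback or any(ip in n for n in trusted):
            continue  # local handoff or a configured network: expected
        reason = f"after MSA relay {msa_relay}" if msa_relay else "no MSA relay seen"
        findings.setdefault(str(ip), reason)  # report each address once
    return list(findings.items())

if __name__ == "__main__":
    for ip, reason in audit(SAMPLE_LOG, TRUSTED, MSA):
        print(f"{ip}: trusted although outside trusted_networks ({reason})")
```

On the posted log both external addresses are reported as following the MSA relay 212.69.164.56, which matches the debug line "found MSA relay, remaining relays will be considered trusted" and points at `msa_networks` as the setting to review.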