Mailing List Archive

ALL_TRUSTED always shown in X-Spam-Status header
hi-

i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:

>grep -riF 'internal_networks' /etc/spamassassin/*
/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32

here is a set of sample headers, slightly sanitized:

http://dpaste.com/33J7SF5

how can i troubleshoot why this is happening?

thanks!
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Sat, 10 Nov 2018, listsb wrote:

> hi-
>
> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>
>> grep -riF 'internal_networks' /etc/spamassassin/*
> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>
> here is a set of sample headers, slightly sanitized:
>
> http://dpaste.com/33J7SF5
>
> how can i troubleshoot why this is happening?
>
> thanks!

internal_networks != trusted_networks.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you trust the government, you obviously failed history class.
-- Don Freeman
-----------------------------------------------------------------------
Tomorrow: Veterans Day
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Nov 10, 2018, at 21.01, John Hardin <jhardin@impsec.org> wrote:
>
> On Sat, 10 Nov 2018, listsb wrote:
>
>> hi-
>>
>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>
>>> grep -riF 'internal_networks' /etc/spamassassin/*
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>
>> here is a set of sample headers, slightly sanitized:
>>
>> http://dpaste.com/33J7SF5
>>
>> how can i troubleshoot why this is happening?
>>
>> thanks!
>
> internal_networks != trusted_networks.

i'm not sure i understand. from the documentation here:

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

it says:

"If trusted_networks is not set and internal_networks is, the value of internal_networks will be used for this parameter"

additionally, how would absence of either setting result in ALL_TRUSTED getting matched?

what am i misunderstanding?
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On 10.11.18 20:04, listsb wrote:
>i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>
>>grep -riF 'internal_networks' /etc/spamassassin/*
>/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>
>here is a set of sample headers, slightly sanitized:
>
>http://dpaste.com/33J7SF5
>
>how can i troubleshoot why this is happening?

show us an example of such mail. With complete headers.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
> On Nov 11, 2018, at 09.01, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>
> On 10.11.18 20:04, listsb wrote:
>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>
>>> grep -riF 'internal_networks' /etc/spamassassin/*
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>
>> here is a set of sample headers, slightly sanitized:
>>
>> http://dpaste.com/33J7SF5
>>
>> how can i troubleshoot why this is happening?
>
> show us an example of such mail. With complete headers.

sure - http://dpaste.com/3MHN5HD.txt
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Sun, 11 Nov 2018 10:35:18 -0500
listsb wrote:

> > On Nov 11, 2018, at 09.01, Matus UHLAR - fantomas
> > <uhlar@fantomas.sk> wrote:
> >
> > On 10.11.18 20:04, listsb wrote:
> >> i've just noticed that every mail received seems to be hitting the
> >> ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message

> > show us an example of such mail. With complete headers.
>
> sure - http://dpaste.com/3MHN5HD.txt

When I ran it through SA with your internal network I didn't get
ALL_TRUSTED. I suspect that there's some other config being used, maybe
in amavisd-new.
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
> hi-
>
> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>
> >grep -riF 'internal_networks' /etc/spamassassin/*
> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>
> here is a set of sample headers, slightly sanitized:
>
> http://dpaste.com/33J7SF5
>
> how can i troubleshoot why this is happening?

Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
makes it always hit ALL_TRUSTED.

https://gitlab.com/amavis/amavis/issues/6
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
>On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>
>> >grep -riF 'internal_networks' /etc/spamassassin/*
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>
>> here is a set of sample headers, slightly sanitized:
>>
>> http://dpaste.com/33J7SF5
>>
>> how can i troubleshoot why this is happening?

On 11.11.18 19:23, Henrik K wrote:
>Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
>makes it always hit ALL_TRUSTED.
>
>https://gitlab.com/amavis/amavis/issues/6

is it the right issue? This one mentions DKIM not signing.

Can it be the patch that causes everything hitting ALL_TRUSTED?

You have also commented you need to investigate the patch, have you already?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
Amavisd does not use spamassassin *networks settings

Orignation bug is not spamassassin problem

Benny

On 11. november 2018 18.24.05 Henrik K <hege@hege.li> wrote:

> On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
>> hi-
>>
>> i've just noticed that every mail received seems to be hitting the
>> ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come
>> from. i have the following:
>>
>> >grep -riF 'internal_networks' /etc/spamassassin/*
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>
>> here is a set of sample headers, slightly sanitized:
>>
>> http://dpaste.com/33J7SF5
>>
>> how can i troubleshoot why this is happening?
>
> Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
> makes it always hit ALL_TRUSTED.
>
> https://gitlab.com/amavis/amavis/issues/6
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Sun, Nov 11, 2018 at 06:43:27PM +0100, Matus UHLAR - fantomas wrote:
> >On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
> >>i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
> >>
> >>>grep -riF 'internal_networks' /etc/spamassassin/*
> >>/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
> >>/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
> >>
> >>here is a set of sample headers, slightly sanitized:
> >>
> >>http://dpaste.com/33J7SF5
> >>
> >>how can i troubleshoot why this is happening?
>
> On 11.11.18 19:23, Henrik K wrote:
> >Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
> >makes it always hit ALL_TRUSTED.
> >
> >https://gitlab.com/amavis/amavis/issues/6
>
> is it the right issue? This one mentions DKIM not signing.
>
> Can it be the patch that causes everything hitting ALL_TRUSTED?
>
> You have also commented you need to investigate the patch, have you already?

Yes

https://lists.amavis.org/pipermail/amavis-users/2018-November/005539.html
https://lists.amavis.org/pipermail/amavis-users/2018-November/005540.html

It's trivial to see from logs. Incoming external mail is always marked
AcceptedInternal / LOCAL.

Passed CLEAN {AcceptedInternal,Quarantined}, LOCAL

Amavisd-new passes originating flag to SpamAssassin internally with some
suppl_attr magic.. that's why it's even harder to diagnose, if you don't
know that it happens in the background..
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
> On Nov 11, 2018, at 12.05, RW <rwmaillists@googlemail.com> wrote:
>
> On Sun, 11 Nov 2018 10:35:18 -0500
> listsb wrote:
>
>>> On Nov 11, 2018, at 09.01, Matus UHLAR - fantomas
>>> <uhlar@fantomas.sk> wrote:
>>>
>>> On 10.11.18 20:04, listsb wrote:
>>>> i've just noticed that every mail received seems to be hitting the
>>>> ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message
>
>>> show us an example of such mail. With complete headers.
>>
>> sure - http://dpaste.com/3MHN5HD.txt
>
> When I ran it through SA with your internal network I didn't get
> ALL_TRUSTED. I suspect that there's some other config being used, maybe
> in amavisd-new.

thanks, that's helpful. you're right, i don't get ALL_TRUSTED either when running through just spamassassin directly - i am indeed using amavis.
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
> On Nov 11, 2018, at 12.23, Henrik K <hege@hege.li> wrote:
>
> On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
>> hi-
>>
>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>
>>> grep -riF 'internal_networks' /etc/spamassassin/*
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>
>> here is a set of sample headers, slightly sanitized:
>>
>> http://dpaste.com/33J7SF5
>>
>> how can i troubleshoot why this is happening?
>
> Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
> makes it always hit ALL_TRUSTED.
>
> https://gitlab.com/amavis/amavis/issues/6

i'm currently using 2.9.0.
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
>> On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
>>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>>
>>>> grep -riF 'internal_networks' /etc/spamassassin/*
>>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>>
>>> here is a set of sample headers, slightly sanitized:
>>>
>>> http://dpaste.com/33J7SF5
>>>
>>> how can i troubleshoot why this is happening?

>> On Nov 11, 2018, at 12.23, Henrik K <hege@hege.li> wrote:
>> Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
>> makes it always hit ALL_TRUSTED.
>>
>> https://gitlab.com/amavis/amavis/issues/6

On 11.11.18 13:08, listsb wrote:
>i'm currently using 2.9.0.

in such case, according to previous message, it's important to check amavis
settings.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Nov 11, 2018, at 13.18, Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
>
>>> On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
>>>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>>>
>>>>> grep -riF 'internal_networks' /etc/spamassassin/*
>>>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>>>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>>>
>>>> here is a set of sample headers, slightly sanitized:
>>>>
>>>> http://dpaste.com/33J7SF5
>>>>
>>>> how can i troubleshoot why this is happening?
>
>>> On Nov 11, 2018, at 12.23, Henrik K <hege@hege.li> wrote:
>>> Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
>>> makes it always hit ALL_TRUSTED.
>>>
>>> https://gitlab.com/amavis/amavis/issues/6
>
> On 11.11.18 13:08, listsb wrote:
>> i'm currently using 2.9.0.
>
> in such case, according to previous message, it's important to check amavis
> settings.

thanks, agreed. is continuation of this discussion ok here? or should i take to the amavis list?
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
>> >On Sat, Nov 10, 2018 at 08:04:42PM -0500, listsb wrote:
>> >>i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>> >>
>> >>>grep -riF 'internal_networks' /etc/spamassassin/*
>> >>/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>> >>/etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>> >>
>> >>here is a set of sample headers, slightly sanitized:
>> >>
>> >>http://dpaste.com/33J7SF5
>> >>
>> >>how can i troubleshoot why this is happening?
>>
>> On 11.11.18 19:23, Henrik K wrote:
>> >Are you perhaps using amavisd-new 2.11.x ? It has originating bug that
>> >makes it always hit ALL_TRUSTED.
>> >
>> >https://gitlab.com/amavis/amavis/issues/6

>On Sun, Nov 11, 2018 at 06:43:27PM +0100, Matus UHLAR - fantomas wrote:
>> is it the right issue? This one mentions DKIM not signing.
>>
>> Can it be the patch that causes everything hitting ALL_TRUSTED?
>>
>> You have also commented you need to investigate the patch, have you already?

On 11.11.18 20:00, Henrik K wrote:
>Yes
>
>https://lists.amavis.org/pipermail/amavis-users/2018-November/005539.html
>https://lists.amavis.org/pipermail/amavis-users/2018-November/005540.html
>
>It's trivial to see from logs. Incoming external mail is always marked
>AcceptedInternal / LOCAL.

current problem is not mentioned there, only here in this list (which is not
even amavis list).

>Passed CLEAN {AcceptedInternal,Quarantined}, LOCAL
>
>Amavisd-new passes originating flag to SpamAssassin internally with some
>suppl_attr magic.. that's why it's even harder to diagnose, if you don't
>know that it happens in the background..

I believe this only applies when originating flag is set.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
listsb skrev den 2018-11-11 19:20:

> thanks, agreed. is continuation of this discussion ok here? or
> should i take to the amavis list?

its important that networks ip ranges is equal in all software used

its not done automatic

ALL_TRUSTED is not a amavis problem to solve

so keep it here, until solved
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Sat, 10 Nov 2018, listsb wrote:

> On Nov 10, 2018, at 21.01, John Hardin <jhardin@impsec.org> wrote:
>>
>> On Sat, 10 Nov 2018, listsb wrote:
>>
>>> i've just noticed that every mail received seems to be hitting the ALL_TRUSTED test [ALL_TRUSTED=-1], regardless of where the message has come from. i have the following:
>>>
>>>> grep -riF 'internal_networks' /etc/spamassassin/*
>>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.50/32
>>> /etc/spamassassin/99_local-config.cf:internal_networks 198.19.20.212/32
>>>
>>> here is a set of sample headers, slightly sanitized:
>>>
>>> http://dpaste.com/33J7SF5
>>>
>>> how can i troubleshoot why this is happening?
>>>
>>> thanks!
>>
>> internal_networks != trusted_networks.
>
> i'm not sure i understand. from the documentation here:
>
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
>
> it says:
>
> "If trusted_networks is not set and internal_networks is, the value of internal_networks will be used for this parameter"

Ah, apologies - I wasn't aware of that behavior. I presume you are not
explicitly setting any trusted networks, so while it's conceptually
correct, I withdraw my comment as unhelpful in this case...

> additionally, how would absence of either setting result in ALL_TRUSTED getting matched?

I *think* there's some defaults included (perhaps the local network?) -
I've never focused on that detail before, I've always just set it up for
my environment.

> what am i misunderstanding?

Is there some possibility that you're stripping external Received headers?
(grasping at straws here)


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Britain used to be the most powerful empire in the world.
Now they're terrified of pocketknives.
How the mighty have fallen. -- Matt Walsh
-----------------------------------------------------------------------
Today: Veterans Day
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Sun, 11 Nov 2018, John Hardin wrote:

> On Sat, 10 Nov 2018, listsb wrote:
>
>> what am i misunderstanding?
>
> Is there some possibility that you're stripping external Received headers?
> (grasping at straws here)

Heh. Ignore that. I have *got* to learn to catch up *before* replying to
stuff... :)


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Britain used to be the most powerful empire in the world.
Now they're terrified of pocketknives.
How the mighty have fallen. -- Matt Walsh
-----------------------------------------------------------------------
Today: Veterans Day
Re: ALL_TRUSTED always shown in X-Spam-Status header [ In reply to ]
On Nov 11, 2018, at 13.35, Benny Pedersen <me@junc.eu> wrote:
>
> listsb skrev den 2018-11-11 19:20:
>
>> thanks, agreed. is continuation of this discussion ok here? or
>> should i take to the amavis list?
>
> its important that networks ip ranges is equal in all software used
>
> its not done automatic
>
> ALL_TRUSTED is not a amavis problem to solve
>
> so keep it here, until solved

slightly resurrecting this, for posterity. i've recently upgraded, amavis to 2.11.0 and spamassassin to 3.4.2. since then, this behavior has stopped and i no longer see ALL_TRUSTED in scoring details.

i probably won't pursue the root cause, but wanted to at least close the topic from my perspective. thanks everyone for the assistance.