Hello,
half year ago I discussed issue with mail submitted from local clients,
without authentication, being marked as spam, because some rules hit.
thread archive here:
https://marc.info/?l=spamassassin-users&m=153563489524609&w=2
Summary of the issue:
- clients are listed in trusted_hosts (local IP addresses)
as advised in https://wiki.apache.org/spamassassin/DynablockIssues
- clients aren't using smtp auth (historical reasons)
The results:
mail that hits ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
is considered locally submitted.
- mailservers should put their Received: headers to mail thus not hit
__DOS_SINGLE_EXT_RELAY
This leads me to testing rule:
meta TRUSTED_SUBMISSION ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY
describe TRUSTED_SUBMISSION mail submitted by trusted client
score TRUSTED_SUBMISSION -3
For now, I am testing this rule.
I hope that later this rule could be incpororated into multiple rules as
John Hardin mentioned:
https://marc.info/?l=spamassassin-users&m=153575741730705&w=2
For example, MIMEOLE_DIRECT_TO_MX, DOS_OE_TO_MX, DOS_OUTLOOK_TO_MX,
XPRIO_SHORT_SUBJ, ...?
Btw, sorry John for not answering your last question:
https://marc.info/?l=spamassassin-users&m=153633826515464&w=2
For now, I believe that using (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
is just what I need to prevent all rules from firing:
I think you mean !ALL_TRUSTED, right?
yes, mail with (ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY) is trusted
submission, while (!ALL_TRUSTED && __DOS_SINGLE_EXT_RELAY)
is direct-to-MX
I believe that mail who hit bost ALL_TRUSTED and __DOS_SINGLE_EXT_RELAY
should be exempted from hitting __DOS_DIRECT_TO_MX, currently:
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID &&
!__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !ALL_TRUSTED && !__DOS_HAS_LIST_ID &&
!__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
- this would make exemption to all those rules.
(note that it's apparently possible to skip !__DOS_RELAYED_EXT from the rule
above because it seems complementary to __DOS_SINGLE_EXT_RELAY)
and looking at it now, these rules use __DOS_DIRECT_TO_MX:
meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS &&
__LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX &&
!DOS_OE_TO_MX_IMAGE
meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX &&
__ANY_IMAGE_ATTACH
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX
&& !T_DOS_OUTLOOK_TO_MX_IMAGE
meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) &&
!ALL_TRUSTED && !__HAS_HREF
meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX
&& __ANY_IMAGE_ATTACH
meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
- I don't think adding && !ALL_TRUSTED should cause an issue here
__DOS_SINGLE_EXT_RELAY is currently only used in rules
DOS_FIX_MY_URI - adding !ALL_TRUSTED shouldn't break anything
HDR_ORDER_FTSDMCXX_DIRECT - !ALL_TRUSTED was added already
HDRS_LCASE
T_MANY_HDRS_LCASE
- there use !__DOS_SINGLE_EXT_RELAY, no change thus.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
