Russ Ringer wrote:
> On Thu, 8 Dec 2005 23:16:13 -0800, you wrote:
> 
> 
>>>Even with TRUSTED_NETWORKS set, the RCVD_IN_SORBS_DUL rule is
>>>triggered. I don't see how this is correct, when the IP address that
>>>triggered it was not the last hop. This rule should only be triggered
>>>when "sent directly from dynamic IP address"
>>
>>If someone hasn't suggested it already, post your trusted_* config lines
>>along with the headers for a message that you think hit wrong, and we can
>>probably help you figure out what is going wrong.  The first guess would be
>>that you don't have trusted_networks set quite *right*, even though you have
>>it set to *something*.
>>
>>       Loren
> 
> 
> 
> TRUSTED_NETWORKS 10.0.0/24 198.135.234.36

Russ, actually it looks like in SA 3.0.x and SA 3.1.0 the trusted_networks
setting doesn't matter that much.

For some reason the trust-path based code for DUL RBLs from 2.6x was reverted
back out and SA 3.0.x and higher use the classic "not first hop" algorithm from
SA 2.5x with some minor twists:

        1) get a list of all external IPs in the Received: path
        2) strip off any private IPs anywhere
        3) remove the first hop from that list.
        4) check these IPs.

In your example, SA 3.0.0 or higher will FP. SA 2.6x will not FP on this, since
it uses a trust-path based algorithm.

Really, as I see it, both algorithms are broken.

See http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4728
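
The four steps listed in the message, next to a trust-path style check, as an added example that is not part of the original post and not SpamAssassin's own code. The relay chain and the DUL set are constructed, "first hop" is assumed to mean the originating hop, and `trust_path_candidates` is an assumed simplification of what "trust-path based" means.

```python
import ipaddress

# Constructed relay chain, oldest hop first (reverse of Received: header order).
# All addresses are constructed except 198.135.234.36, which is the trusted
# relay from the trusted_networks line quoted in the message.
RELAYS = [
    "192.0.2.10",      # originating client on a dynamic address
    "10.1.2.3",        # private hop inside the sender's network
    "203.0.113.77",    # sender's mail server, also on a dynamic address
    "198.51.100.5",    # sender's ISP smarthost (static)
    "198.135.234.36",  # recipient's trusted relay
]
# 10.0.0/24 from the quoted config, written out in full for ipaddress.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "198.135.234.36/32")]
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DUL = {"192.0.2.10", "203.0.113.77"}  # constructed stand-in for the DNSBL


def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def not_first_hop_candidates(relays):
    """The four steps from the message (described for SA 3.0.x / 3.1.0)."""
    external = [ip for ip in relays if not in_any(ip, TRUSTED)]   # step 1
    public = [ip for ip in external if not in_any(ip, PRIVATE)]   # step 2
    return public[1:]  # step 3: drop the originating hop (assumed meaning)


def trust_path_candidates(relays):
    """Assumed simplification of the trust-path approach: walk back from the
    newest hop and check only the first relay outside trusted_networks."""
    for ip in reversed(relays):
        if not in_any(ip, TRUSTED):
            return [ip]
    return []


def dul_hits(candidates):
    """Step 4: look each candidate up in the (constructed) DUL list."""
    return [ip for ip in candidates if ip in DUL]


if __name__ == "__main__":
    print("not-first-hop:", dul_hits(not_first_hop_candidates(RELAYS)))
    print("trust-path:   ", dul_hits(trust_path_candidates(RELAYS)))
```

The dynamic address in the middle of the chain is neither the first hop nor the relay that delivered to the trusted network, so only the not-first-hop selection flags it.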
