Matt Kettler wrote:
> Bowie Bailey wrote:
> > I was just looking through the default scores and I noticed that
> > ALL_TRUSTED is only scored at -1.8. I thought it had a much lower
> > score than that. Am I completely off track, or did something
> > change in one of the recent versions?
>
> It got hacked back because trust-path misconfiguration is VERY
> common.

So we reduce the effectiveness of a properly configured system in order to prevent problems on a misconfigured system? Sounds a bit backwards to me. Also, since the trust path issues that cause ALL_TRUSTED to FP also cause other problems for various network tests, does it really make sense to hide the main symptom of the problem?

> ie: SA will by default FP ALL_TRUSTED on all direct-delivered spam
> with no extra received: headers if your MX server is NATed or
> otherwise has a reserved IP address..
>
> This is because by default SA will trust the first public IP,
> assuming that to be your MX, and all the privates to be internal
> relays.
>
> Unfortunately, as the world of IT goes now, static-mapped NAT for
> mailservers is just as common as direct-public IPed mailservers. The
> static-mapping allows you to conserve IP space when making multiple
> DMZs.. You only lose 3 public IPs total for
> network/broadcast/gateway, instead of 3 per DMZ (network, broadcast,
> gateway). Everything is mapped to useable IPs in the private nets,
> so the IPs lost in each DMZ for net/bcast/gate are all private IPs
> with no public mappings.

Right, I understand all of that. I'm usually one of the first people on the list to point this out to those who complain about ALL_TRUSTED false positives.

I guess I need to go fix the score on all my servers now. I should have noticed this a while back, but I don't usually pay too much attention to the scoring unless something goes wrong.

--
Bowie
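The trust-path guess described in the quoted text, as an added example that is not part of the original messages and is not SpamAssassin's own code: a simplified Python model showing why direct-delivered mail to a NATed MX ends up with no untrusted relay, and how an explicitly configured trust list (the idea behind SpamAssassin's trusted_networks setting) changes the result. The function names and all addresses are constructed for illustration.

```python
import ipaddress

# Reserved ranges this model treats as "private" (RFC 1918 plus loopback).
# Listed explicitly because ipaddress.is_private also covers the
# documentation ranges used below as stand-ins for public addresses.
RESERVED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def split_trust(hosts, trusted_networks=None):
    """hosts: IPs the message passed through, receiving MX first,
    sending client last. Returns (trusted, untrusted)."""
    trusted = []
    mx_assumed = False
    for i, ip in enumerate(hosts):
        if trusted_networks is not None:
            ok = in_any(ip, trusted_networks)   # explicit trust path
        elif in_any(ip, RESERVED):
            ok = True                           # guessed: internal relay
        elif not mx_assumed:
            ok = True                           # guessed: first public IP is the MX
            mx_assumed = True
        else:
            ok = False
        if not ok:
            return trusted, list(hosts[i:])     # everything further out is untrusted
        trusted.append(ip)
    return trusted, []

def all_trusted(hosts, trusted_networks=None):
    """True when no untrusted relay is left, i.e. ALL_TRUSTED would fire."""
    return not split_trust(hosts, trusted_networks)[1]

# Constructed sample paths (documentation addresses stand in for public IPs).
PUBLIC_MX_DIRECT = ["198.51.100.25", "203.0.113.66"]           # public MX, direct sender
NAT_MX_DIRECT = ["10.1.1.25", "203.0.113.66"]                  # NATed MX, direct sender
NAT_MX_RELAYED = ["10.1.1.25", "203.0.113.66", "192.0.2.10"]   # NATed MX, one extra hop

if __name__ == "__main__":
    print("public MX, guessed:  ", all_trusted(PUBLIC_MX_DIRECT))
    print("NATed MX, guessed:   ", all_trusted(NAT_MX_DIRECT))
    print("NATed MX, relayed:   ", all_trusted(NAT_MX_RELAYED))
    print("NATed MX, configured:", all_trusted(NAT_MX_DIRECT, ["10.1.1.25/32"]))
```

Only the direct-delivered case on the NATed MX comes out fully trusted under the guess; listing the MX's private address explicitly makes the sender untrusted again.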