On Wed, 17 Oct 2007, Alex Woick wrote:
Matthias Leisi schrieb am 17.10.2007 09:46:
Correct. But by setting (in your local.cf or equivalent)
| trusted_networks 204.9.177.18
you are telling SpamAssassin that this relay is not operated by a
spammer and that it should apply all black-/whitelist rules etc. to the
IP address one more hop away. Then, in the context of SpamAssassin, you
regain full control of connection-oriented rules.
That's not fully equivalent to having the actual "spamming connection"
to deal with, but as close as it gets -- if you need it "closer", you
should not use forwarding services.
Good point. I think I start to understand what trusted_network is for and how
it works. Currently, I have a provider whose MX receives mail for me and
forwards it to my local mail server. Spam detection improved much when I
added its IP address to trusted_networks some time ago.
Now, I occasionly get spam to my users.sourceforge.net account, just like Dan
Mahoney is getting spam to his Livejournal account. Sourceforge is also
listed with LOW at dnswl and acts as a forwarder to my own mail server.
Since I never get spam from users.sourceforge.net accounts directly but only
spam sent to my users.sourceforge.net account from random addresses, I
suppose the Sourceforge mail server is trusted in that way that spam doesn't
originate from it, and that's the purpose of trusted_network. Just like my
Provider forwarding mail to me sent from random originators, but never
produces spam itself.
Sure, but that means each person who is a member of one of these services
has to:
* Look up their forwarded email address
* Look up the SPF record for that domain
-or-
* Take a best guess as to the fact that the receiving MX will also be the
sending.
THEN
* Translate that into trusted networks statements, which are GLOBALLY
trusted (either per server or per used, but NOT per envelope-recipient) --
which is fine for Livejournal or Sourceforge, I guess, I'd imagine their
MXes are pretty dedicated, but I'm sure there's smaller cases.
But it might help to have some series of dynamic rule...whereby an address
is DNSWL'd with a special code that lists it as a known relay for certain
domains, and the trusted_networks logic extends automatically (if the
relaying domain matches).
Apologies if I've repeated anything already said.
-Dan
--
"there is no loyalty in the business, so we stay away from things that piss people
off"
-The Boss, November 12, 2002
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
