Bug 5373

Created attachment 3879 [details]
Add trusted_host option

The code we use that overwrites existing SA methods to add trusted_host

Unfortunately Mail::SpamAssassin::Message::Metadata::parse_received_headers
doesn't really provide a way to easily hook in a new trust system, so I had to
reproduce the whole function with really just a small change, these lines:

    # trusted_networks matches?
    if ($in_trusted && $did_user_specify_trust && !$self->is_trusted($relay,
$trusted))
    {
      $in_trusted = 0;		# we're in deep water now
    }

It would be nice to actually change parse_received_headers so there are more
"hook" places people could get into if they want to change the overall
algorithm in the future as well...

Created attachment 3880 [details]
Code to determine if RDNS name is a dialup/dsl

We use this code on our systems to determine if a machine is a dialup/dsl host
(eg more dodgy and subject to more checks like greylisting, enumeration
detection, etc). Empirically, it seems to be pretty accurate these days
assuming that the machine has any rdns at all. If not, we assume it's on the
dodgy list.

I'm pretty keen on this. aiming at 3.3.0

btw (In reply to comment #0)
> The trusted_networks allows you to define the IP addresses of networks you
> trust. Consider this situation:
> 
> spam-zombie -> zoneedit-mail-forwarding -> fastmail.fm-customer
> 
> So fastmail.fm runs SpamAssassin. We set our known internal networks as
> trusted_networks. This means the relay analysis algorithm will use the
> zoneedit-mail-forwarding IP as the -lastexternal IP for some RBL tests such as:
> 
> header RCVD_IN_XBL eval:check_rbl('sblxbl-lastexternal', 'sbl-xbl.spamhaus.org.'
> 
> This isn't very useful, we really want to scan further back to test against the
> source IP. Now the way to do this is to add all the known forwarding systems to
> your trusted_networks.

hmm, hold on.  "trusted" != "internal" -- I think you're conflating
trusted_networks and internal_networks here.

I haven't looked at the code, but this is something I've had in mind for a
while.  I wanted to pluginize most of Received.pm first though.  I could see
this ending up in a 3.2.x release sometime in the summer though.

The SRS support part needs to end up in the SPF plugin though, it's not
something we should screw about with while determining trusted/internal though.


(In reply to comment #4)
> hmm, hold on.  "trusted" != "internal" -- I think you're conflating
> trusted_networks and internal_networks here.

Maybe, maybe not.  In his described case they'll be the same anyway.  It really
has nothing to do with adding support for using rDNS to extend trust though.

BTW... I meant I could see this implemented in Received.pm during 3.2,
pluginizing would be 3.3.

I don't think it's in time to get into 3.2.0; at this stage we should consider
that release in feature-freeze mode, IMO.  3.3.0, I'm fine with.

Yeah, not now, but maybe a small patch to 3.2.x later...

(In reply to comment #5)
> I could see this ending up in a 3.2.x release sometime in the summer though.

I was about to say "no", but then I realised that it doesn't affect _existing_
behaviour -- it's a new feature driven entirely by a new config keyword.  so
maybe ;)

Sorry, I'm pulling in this quote from
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5374 because I think it's
more related to this and should respond here:

> FWIW, I think extending trusted_networks towards the sender further than
> internal_networks is pointless 99.99% of the time (your local DNS cache absorbs
> any penalty of a few extra DNS lookups in systems busy enough for the penalty to
> be an issue).  I recommend that people don't do it.  The only place I see
> differing trusted/internal configs is on the MSA side where you can't determine
> auth from the headers (or POPAuth).  With msa_networks now implemented it's not
> even necessary in this case anymore.

In hindsight, I think I'm agreeing with this. I think I was confused about the
use of -lastexternal, and now I'm not convinced that my patch here actually adds
anything useful to DNSBL checks.

So I went back and checked some more to see what it was helping on, and really
it seemed to be 2 cases:
1. Forwarder hosts that for some reason were on an RBL. By extended trust into
them, their IPs aren't checked, and thus when some persons forwarding service
ends up being RBL listed for some reason, suddenly a lot of their email was
being marked as spam
2. SPF checks for forwarding services that don't use SRS because I have some
other code that overrides Mail::SpamAssassin::Plugin::SPF::_get_relay to check
each relay for ->{trust_type}.

Apart from that though, I'm not sure any of this is actually a help, and I may
have been leading things up the garden path. Still, things that reduce false
positives and overall accuracy for users is always a good thing.

Rob

moving most remaining 3.3.0 bugs to 3.3.1 milestone

reassigning, too

moving all open 3.3.1 bugs to 3.3.2

Moving back off of Security, which got changed by accident during the mass Target Milestone move.

I'd also like to see *_networks work with rdns names. Obviously this isn't happening with 3.3.. target undefined until someone wants to tackle it.