3221 – make sure dynamic tests do right thing

Bug 3221 - make sure dynamic tests do right thing

Summary: make sure dynamic tests do right thing

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (Eval Tests) (show other bugs)
Version:	SVN Trunk (Latest Devel Version)
Hardware:	Other other

Importance:	P2 major
Target Milestone:	3.0.0
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:	2462 2537 2860
Blocks:	3208
	Show dependency tree

Reported:	2004-03-26 20:47 UTC by Daniel Quinlan
Modified:	2004-05-03 08:23 UTC (History)
CC List:	0 users

Attachment	Type	Modified	Status	Actions	Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Quinlan 2004-03-26 20:47:34 UTC

There seems to be some question about whether or not the dynamic/dial-up
tests are doing the right thing.

See bug 2860 and bug 2537.

Comment 1 Justin Mason 2004-05-03 16:23:24 UTC

no, it's safe.  Here's the overview:

1. in 2.6x, we had a problem in that dynablock rules were hitting if the admin
had set up SA to trust the sender's ISP's mailhost.  e.g. in this setup:

   sender_ip -> sender_mailhost -> recip_mx 

if recip_mx trusted sender_mailhost, then that'd produce a dynablock FP.  A lot
of people ran into this.   This is now fixed by the addition of
"internal_networks"; an admin can set trusted_networks to include *both*
recip_mx and sender_mailhost, but as long as internal_networks doesn't include
sender_mailhost, it'll work fine.  trusted_networks can still be used in the way
it was supposed to; to specify what nets are known not to originate spam, and
are trustworthy.  (first part of bug 2537)

2. there's an issue if the scanner is on sender_mailhost, and a local user
submits a mail from a Dynablock-listed IP.  But in this case, that should be
either (a) not scanned according to local policy, or (b) the Dynablock-listed
local nets should be in trusted_networks; in 3.0.0 that'll get them the
ALL_TRUSTED bonus score.  (another part of bug 2537, grr)

3, bug 2860: a milter has to add a Received header to the message so that SA can
look up the correct host.  that's always been the case, and this is not in any
way an SA bug.  Any milter that doesn't do this is pretty much doing the wrong
thing.  I've added a Wiki note about this, FWIW...

4. if a user authenticates from a *remote* ISP, and their IP on that ISP is
dynablock-listed, then delivers a mail to a local recipient, they will hit
RCVD_IN_DYNABLOCK. The correct response here is to have some way we can tell
authenticated traffic apart from unauth'd.  (The final part of bug 2537)   This
has been moved to a separate issue in bug 2462, which is still open.

So, it's all closed apart from issue 4; and that issue already has a bug open,
bug 2462.  I'd suggest that *this* bug ("make sure dynamic tests do the right
thing") can be closed, because yes, they're doing the right thing! ;)

As to whether we need to get a fix for bug 2462 into SpamAssassin 3.0.0, that's
a different issue, and doesn't need this bug to track it.