axllent / spamassassin

A SpamAssassin docker container running on Alpine Linux
MIT License

Spamassassin ALL_TRUSTED #6

Open otbutz opened 1 week ago

otbutz commented 1 week ago

docker-compose.yml:

services:
  mailpit:
    container_name: mailpit
    image: axllent/mailpit
    restart: unless-stopped
    volumes:
      - ./mailpit-data:/data
    ports:
      - 80:8025
      - 25:1025
    environment:
      MP_ENABLE_SPAMASSASSIN: spamassassin:783
      MP_SMTP_AUTH_ACCEPT_ANY: 1
      MP_SMTP_AUTH_ALLOW_INSECURE: 1
      TZ: Europe/Berlin
    depends_on:
      - spamassassin
  spamassassin:
    container_name: spamassassin
    image: axllent/spamassassin
    restart: unless-stopped

Sending a test mail to Mailpit results in an overly optimistic spam result:

(screenshot of the Mailpit spam score omitted)

axllent commented 1 week ago

If I am understanding you correctly, are you suggesting the ALL_TRUSTED rule be ignored in spamassassin?

otbutz commented 1 week ago

I can only argue based on my use case, which is testing HTML mail rendering and avoiding potential deliverability issues. In this scenario, nothing ever leaves my local network, which seems to be what this rule gives me points for.

The problem is that I want to mimic the score that the receiving mail server will calculate. At this point, the mail isn't coming from a trusted host, at least from the recipient's point of view.

axllent commented 1 week ago

I completely understand your point, I am just not sure what to do about it. You cannot really disable the ALL_TRUSTED test, or rather, disabling it (setting its score to 0 in Spamassassin) automatically disables a whole whack of other tests:

spamassassin  | Nov  5 03:56:29.134 [10] info: rules: meta test TO_NO_BRKTS_NORDNS_HTML has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.134 [10] info: rules: meta test HDR_ORDER_FTSDMCXX_NORDNS has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.134 [10] info: rules: meta test FROM_GOV_SPOOF has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.135 [10] info: rules: meta test FROM_BANK_NOAUTH has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test __NOT_SPOOFED has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test PHP_SCRIPT has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test GOOG_REDIR_NORDNS has dependency 'RDNS_NONE' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test __PDS_SHORT_URL has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test TO_EQ_FM_HTML_ONLY has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test XPRIO_SHORT_SUBJ has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test __TO_NO_BRKTS_NORDNS_HTML has dependency 'RDNS_NONE' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test TO_NO_BRKTS_HTML_ONLY has dependency 'RDNS_NONE' with a zero score
spamassassin  | Nov  5 03:56:29.136 [10] info: rules: meta test URI_WP_HACKED has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test TO_EQ_FM_DOM_SPF_FAIL has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test __DOS_DIRECT_TO_MX_UNTRUSTED has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test T_MIME_MALF has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test RCVD_DOTEDU_SHORT has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test BTC_ORG has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test UC_GIBBERISH_OBFU has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.137 [10] info: rules: meta test FSL_HELO_BARE_IP_1 has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.138 [10] info: rules: meta test PHP_ORIG_SCRIPT has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.138 [10] info: rules: meta test LUCRATIVE has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.138 [10] info: rules: meta test HDRS_MISSP has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.138 [10] info: rules: meta test HDRS_LCASE has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.139 [10] info: rules: meta test HDR_ORDER_FTSDMCXX_DIRECT has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.139 [10] info: rules: meta test T_PHOTO_EDITING_DIRECT has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.139 [10] info: rules: meta test URI_PHISH has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.139 [10] info: rules: meta test __GOOGLE_DOC_SUSP has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.140 [10] info: rules: meta test SYSADMIN has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.140 [10] info: rules: meta test BOUNCE_MESSAGE has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.140 [10] info: rules: meta test __XPRIO_MINFP has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.140 [10] info: rules: meta test HEXHASH_WORD has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test URI_DATA has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test SUBJ_ATTENTION has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test TO_EQ_FM_SPF_FAIL has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test TVD_SPACE_RATIO_MINFP has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test LONG_IMG_URI has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test __AC_FROM_MANY_DOTS_MINFP has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.141 [10] info: rules: meta test URI_DOTEDU has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.142 [10] info: rules: meta test FROM_PAYPAL_SPOOF has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.142 [10] info: rules: meta test NORDNS_LOW_CONTRAST has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.142 [10] info: rules: meta test MIME_NO_TEXT has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.142 [10] info: rules: meta test FRNAME_IN_MSG_XPRIO_NO_SUB has dependency 'ALL_TRUSTED' with a zero score
spamassassin  | Nov  5 03:56:29.142 [10] info: rules: meta test HTML_SINGLET_MANY has dependency 'ALL_TRUSTED' with a zero score

I've been doing some reading and I don't believe there is an ideal solution to this (but please correct me if I'm wrong). I have created a temporary docker image for you to test with `score ALL_TRUSTED 0` (which produces all the above-mentioned info in docker) on axllent/spamassassin:all-trusted-0. This shouldn't give you any negative ALL_TRUSTED scores, however as you'll see above, it probably misses many of the other tests too. I honestly don't think this is "the solution" because of all the disabled tests, but I don't have an idea what the alternative here is.

Could you please try using that "all-trusted-0" tag and let me know what you find? Thanks.

otbutz commented 1 week ago

How does spamassassin derive ALL_TRUSTED ? This has to be related to the IP addresses involved? Maybe we can start there?

axllent commented 1 week ago

I really have no idea to be honest. The Spamassassin codebase is huge, and written in Perl (which I'm not familiar with), so if you'd like to spend time investigating it that would be great. I've also moved this issue to the axllent/spamassassin project as this really relates directly to this (Mailpit just reads the result) :+1:

otbutz commented 1 week ago

https://cwiki.apache.org/confluence/display/spamassassin/FixingAllTrusted sounds promising. I'll investigate :slightly_smiling_face:

otbutz commented 1 week ago

This marks the Docker subnetwork as trusted:

trusted_networks  172.17.0.0/16
internal_networks 172.17.0.0/16

Source: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/TrustPath

Seems to work :+1:

axllent commented 6 days ago

Thanks for that. I've given it a test and this works great if the emails have actually come via those ranges, however if the emails haven't (i.e. wrongly configured, or originating from another IP) then the spam rating goes through the roof.

In the next couple of days I will look at a solution of setting this via an optional environment setting :+1:

otbutz commented 6 days ago

At least for Mailpit this should be sufficient. But I agree that this needs to be something configurable.

axllent commented 5 days ago

Hmm, I'm not actually sure this will achieve what you are wanting, and I cannot replicate my earlier testing / result. From my understanding, all you are achieving is guaranteeing that SpamAssassin knows what your trusted network is, thus guaranteeing that it will apply the -1 ALL_TRUSTED.

I have pushed a change (and a new latest image) that allows you to set the INTERNAL_NETWORKS and TRUSTED_NETWORKS variables in your Docker startup, eg:

  spamassassin:
    container_name: spamassassin
    image: axllent/spamassassin
    restart: unless-stopped
    environment:
      INTERNAL_NETWORKS: 172.20.0.0/16 172.17.0.0/16
      TRUSTED_NETWORKS: 172.20.0.0/16 172.17.0.0/16

Looking forward to your feedback.
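To make the trust-path behaviour discussed above concrete (the `trusted_networks` setting from the TrustPath wiki and the `TRUSTED_NETWORKS` variable just added), here is an added example that is not part of the issue or of the axllent/spamassassin image: it walks the `Received` headers of a message from the top, splits the relays into trusted and untrusted the way SpamAssassin's trust path does, and reports whether ALL_TRUSTED would fire (at least one trusted relay, no untrusted ones). The function names, the sample headers and the "trust relays only while their IPs are private" rule used when no networks are configured are my assumptions that approximate SpamAssassin's guessing mode, not its code.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples (not from the issue). DOCKER_ONLY is what Mailpit sees
# when a container on the bridge network hands it a message. VIA_INTERNET is
# the same message as a recipient's MX sees it, with the sending server's
# public address (203.0.113.5, a documentation range) at the top of the chain.
DOCKER_ONLY = """Received: from sender.local ([172.17.0.3])
\tby mailpit (Mailpit) with SMTP; Tue, 5 Nov 2024 03:56:29 +0000
"""
VIA_INTERNET = """Received: from mail.sender.example ([203.0.113.5])
\tby mx.example.com with ESMTPS; Tue, 5 Nov 2024 03:56:30 +0000
Received: from sender.local ([172.17.0.3])
\tby mail.sender.example with SMTP; Tue, 5 Nov 2024 03:56:29 +0000
"""
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Ranges treated as "private" when no trusted_networks is configured (assumed).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def relay_ips(raw):
    """IP of each relay, topmost (most recently added) Received header first."""
    ips = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = BRACKET_IP.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def trust_path(raw, trusted_networks=""):
    """Split relays into (trusted, untrusted), walking from the top; trust is
    contiguous, so once a relay is untrusted every earlier hop is too. With
    trusted_networks set (space-separated CIDRs, as in TRUSTED_NETWORKS above)
    a relay is trusted iff its IP lies inside one of them; unset, this mimics
    SpamAssassin's guess by trusting relays only while they are private."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks.split()] or PRIVATE
    trusted, untrusted = [], []
    for ip in relay_ips(raw):
        ok = any(ip in n for n in nets) and not untrusted
        (trusted if ok else untrusted).append(str(ip))
    return trusted, untrusted


def all_trusted(raw, trusted_networks=""):
    """ALL_TRUSTED fires only with at least one trusted relay and none untrusted,
    which any chain that never left the Docker subnet satisfies."""
    trusted, untrusted = trust_path(raw, trusted_networks)
    return bool(trusted) and not untrusted
```

Running `all_trusted(DOCKER_ONLY)` with or without `172.17.0.0/16` configured yields True, which is why a Mailpit-only setup always collects the -1; the same message seen from a real MX (`VIA_INTERNET`) never does, and a `trusted_networks` that omits the sender's subnet (`172.20.0.0/16` only) turns every relay untrusted, matching the "score goes through the roof" observation.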