Chris wrote:
> Before I put my foot in my mouth to my ISP, I'd like to make sure I'm right.
> From the headers below, what does Embarq/Synacor consider to be ALL_TRUSTED?
>

The default trust-path auto-guesser assumes that your MX has a public IP
address, not a private address. It *WILL* break if your MTAs have
private IPs and are static NAT-mapped to public IPs.

My guess is that the scanning machine resolves smtp.embarq.synacor.com
as a private address, causing SA to assume that mxintern.schlund.de is
the MX for the local network, even though it is not.

Based on that assumption, what SA saw was simply a transfer between two
different local private networks attached to the same publicly addressed
MX that is a part of the local net.

This really underscores why it is critical for folks who have NATed
mailservers to explicitly declare a trusted_networks.

More details can be found at:

http://wiki.apache.org/spamassassin/TrustPath



>
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by smtp.embarq.synacor.com (Postfix) with ESMTP id 3ECA115F5EC
> for ; Tue, 12 Jun 2007 21:32:15 -0400 (EDT)
> X-Virus-Scanned: amavisd-new at
> X-Spam-Score: -4.399
> X-Spam-Level:
> X-Spam-Status: No, score=-4.399 tagged_above=-10 required=10
> tests=[ALL_TRUSTED=-1.8, BAYES_00=-2.599]
> Received: from smtp.embarq.synacor.com ([127.0.0.1])
> by localhost (smtp10.embarq.synacor.com [127.0.0.1]) (amavisd-new,
> port 10024)
> with ESMTP id J-Y1RUpHW7XQ for ;
> Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
> Received: from mxintern.schlund.de (mxintern.schlund.de [212.227.126.201])
> by smtp.embarq.synacor.com (Postfix) with ESMTP id A323615F5A2
> for ; Tue, 12 Jun 2007 21:32:13 -0400 (EDT)
> Received: from [172.19.16.7] (helo=home.kundenserver.de)
> by mxintern.kundenserver.de with esmtp (Exim 4.50)
> id 1HyHiW-0000y9-Mu
> for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
> Received: from abuse by home.kundenserver.de with local (Exim 3.36 #1)
> id 1HyHiW-0004Kl-00
> for cpollock@embarqmail.com; Wed, 13 Jun 2007 03:32:12 +0200
> From: Abuse Department
> To: "cpollock@embarqmail.com"
> Subject: Re: Fwd: 74.208.53.91 URGENT: Phish Site http://74.208
> In-Reply-To: <476758.552107157-sendEmail@cpollock>
> Message-Id:
> Date: Wed, 13 Jun 2007 03:32:12 +0200
> X-Virus-Scanned: Symantec AntiVirus Scan Engine
> X-UI-Msg-Verification: db928a8b4f3b2a34c9e716dce16c42bc
> Content-Type:
> X-UID: 3636
> X-Length: 4690
>
>
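
A simplified model of the trust-path guess described in the reply, added here as an illustration (it is not SpamAssassin's code and not part of the original message). It assumes, as the reply guesses, that smtp.embarq.synacor.com resolves to a private address on the scanning host; 10.0.0.10 and 192.0.2.10 are constructed placeholder addresses, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 and loopback ranges, the "private" addresses the guesser keys on.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# SMTP hops from the quoted Received headers, newest first: (by host, sender IP).
# The oldest "with local" header is not a network hop and is left out.
RELAYS = [
    ("smtp.embarq.synacor.com", "127.0.0.1"),
    ("localhost", "127.0.0.1"),
    ("smtp.embarq.synacor.com", "212.227.126.201"),
    ("mxintern.kundenserver.de", "172.19.16.7"),
]

# Constructed resolver views of the scanning host (placeholder addresses).
DNS_NATED = {"smtp.embarq.synacor.com": "10.0.0.10", "localhost": "127.0.0.1"}
DNS_PUBLIC = {"smtp.embarq.synacor.com": "192.0.2.10", "localhost": "127.0.0.1"}


def in_nets(ip, nets):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)


def guessed_trust(relays, dns):
    """Simplified auto-guess: a hop stays trusted while the sender IP or the
    receiving 'by' host is private; the first hop that fails ends the path."""
    trusted = []
    for by_host, from_ip in relays:
        if not (in_nets(from_ip, PRIVATE) or in_nets(dns.get(by_host), PRIVATE)):
            break
        trusted.append(from_ip)
    return trusted


def declared_trust(relays, trusted_networks):
    """Explicit trusted_networks: only listed sender IPs extend the path."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted = []
    for _by_host, from_ip in relays:
        if not in_nets(from_ip, nets):
            break
        trusted.append(from_ip)
    return trusted


def all_trusted(relays, trusted):
    """ALL_TRUSTED fires only when every hop ended up on the trusted path."""
    return len(trusted) == len(relays)
```

With `DNS_NATED` the guess trusts all four hops, matching the ALL_TRUSTED hit in the quoted headers; `declared_trust(RELAYS, ["127.0.0.0/8", "10.0.0.10"])` stops at 212.227.126.201, so the rule no longer fires.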