Comment: converted to 1.6 markup

...

The common symptoms of a broken Trust path include:

  • ALL_TRUSTED matching spam email from the outside or other untrusted mail.
  • Dialup/Dynamic IP RBLs misfiring for properly relayed mail.
  • Dialup/Dynamic IP RBLs not catching direct-delivered mail.
  • whitelist_from_rcvd fails to match.
  • SPF tests misfiring (failing when they should pass and vice versa).
  • False positives on non-spam mail coming from "dynamic" or "dialup" addresses in your own network.
  • AutoWhitelist mismatches on forged mail due to confusion about the source IP.

...



If you see these warning signs frequently, you probably need to manually configure trusted_networks. See the Mail::SpamAssassin::Conf manpage (http://spamassassin.apache.org/doc/Mail_SpamAssassin_Conf.html) for details. Generally you want trusted_networks set to contain all the mail servers you control that add Received: headers, and nothing else. For proper operation of DUL and SPF tests on authenticated mail submission from dynamic/"dialup" hosts, see [DynablockIssues].

Here's an example trusted_networks line that could be added to /etc/mail/spamassassin/local.cf to specify trust:

...

Unfortunately, there are limits to what one can automatically discover about a network from just email headers.

It's pretty obvious that any RFC 1918 (http://tools.ietf.org/html/rfc1918; it obsoleted RFC 1597, http://tools.ietf.org/html/rfc1597) private IPs in the most recent Received: header are part of the local network. From there, tracking backwards in time, each additional private IP can safely be assumed to be part of the local network until you hit the first non-private IP.

The problem is: how can you tell whether that first non-private IP is part of the local network? You can't.
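The backwards walk described above, as an added Python example (not SpamAssassin's own code). It assumes each Received: header carries the relay address in a single `[a.b.c.d]` form; the hostnames and addresses in the sample are constructed, and `relay_ip` and `infer_boundary` are names chosen for this example.

```python
import ipaddress
import re

# Only the three RFC 1918 blocks count as "private" here. ipaddress.is_private
# is broader (it also covers loopback, link-local and documentation ranges).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, most recent Received: header first. Real headers come in
# many more formats than the single "[a.b.c.d]" form matched below.
SAMPLE_RECEIVED = [
    "from mx1.example.internal (mx1.example.internal [10.0.0.5]) "
    "by store.example.internal with ESMTP",
    "from gw.example.internal (gw.example.internal [192.168.1.2]) "
    "by mx1.example.internal with ESMTP",
    "from mail.example.net (mail.example.net [203.0.113.10]) "
    "by gw.example.internal with ESMTP",
    "from client.example.org (client.example.org [10.9.9.9]) "
    "by mail.example.net with ESMTP",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(received):
    """Return the bracketed IPv4 address of the connecting relay, or None."""
    match = BRACKETED_IP.search(received)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None

def infer_boundary(received_headers):
    """Walk backwards in time; return (inferred_local, first_non_private)."""
    local = []
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None:
            break  # unparseable hop: stop inferring rather than guess
        if not any(ip in net for net in RFC1918):
            # Could be the site's own public MX or an outside sender; the
            # headers alone cannot say, so trusted_networks must be set by hand.
            return local, str(ip)
        local.append(str(ip))
    return local, None

if __name__ == "__main__":
    print(infer_boundary(SAMPLE_RECEIVED))
```

The private address in the oldest sample header is not added to the local list, because the walk stops at the first non-private hop and everything older is unverified.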

...