
DonotTrustSelfByDefault

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=3393
Printed Date: 02 January 2026 at 3:01pm


Topic: DonotTrustSelfByDefault
Posted By: Guests
Subject: DonotTrustSelfByDefault
Date Posted: 07 April 2004 at 3:33pm

What is the purpose of the DoNotTrustSelfByDefault=0 entry in the spamfilter.ini file?

Lately I have seen this about three or four times a day in my log.

04/07/04 10:01:16:203 -- (10328) Connection from: 127.0.0.1  -  Originating country : N/A
04/07/04 10:01:16:203 -- (10328) Resolving 127.0.0.1 - localhost
04/07/04 10:01:16:203 -- (10328) Bypassed all rules for: Orgpce@mailexite.com from x@mydomain.com
04/07/04 10:01:16:203 -- (10328) EMail from x@mydomain.com to Orgpce@mailexite.com was queued. Size: 1 KB
04/07/04 10:01:16:203 -- (10328) Disconnect

I don't know why... Could someone be spoofing their IP to say 127.0.0.1?
Could my spamfilter server have a mass mailing virus? I tested and set up Outlook Express on the actual server and set it to use itself as the SMTP server, and in the log it resolved it to its real IP address and not the loopback address of 127.0.0.1...

I added 127.0.0.1 to the blacklisted IP address file, but what is the 'do not trust self by default' value for? Would this be a better solution for me if I set it to 1 instead of 0?

thanks for the help.




Replies:
Posted By: LogSat
Date Posted: 07 April 2004 at 10:28pm

Keizersozay,

I'm sorry, not only are there bugs in SpamFilter every now and then, but now the documentation has them too...

The readme.html should actually say:

;by default SpamFilter will not allow any IP to relay thru it except for 127.0.0.1 (localhost). Change DoNotTrustSelfByDefault to 1 if you do not want localhost to be able to relay
DoNotTrustSelfByDefault=0

This means that by default, as you can see in your logs, anything originating from 127.0.0.1 will be whitelisted. If you want to prevent that, then set the value DoNotTrustSelfByDefault=1 as you correctly pointed out.

As for the cause of those connections, if it was a virus you'd be seeing so many of those entries that you'd know immediately that it was indeed a virus. 3-4 a day indicate that the cause would be elsewhere.

Roberto F.
LogSat Software



Posted By: Desperado
Date Posted: 10 April 2004 at 3:40am

If, and the if is because I do not know your setup, the 127.0.0.1 is originating from OUTSIDE your machine, then it is an IP spoof.  127.0.0.1 should never arrive from outside and any properly configured router should never pass that address.  I would run a sniffing application such as Ethereal to see if the IP is external.  If so, your router or firewall is letting it through or some other machine on your local area network is in trouble.  If it is not outside and is in fact originating from the machine itself, either you have some other application that is running SMTP or there is a virus present.  I cannot imagine any other cause.

Regards,

Dan S.



Posted By: Eric
Date Posted: 28 February 2005 at 2:12pm
Take care: some spam domains already use the localhost entry IN THEIR DNS, so SpamFilter might fail to do its job without the don't trust self setting.

02-28-05 18:54:28:701 -- (1024) Connection from: 127.0.0.1 - Originating country : N/A
02-28-05 18:54:28:711 -- (1024) Resolving 127.0.0.1 - localhost.pregnancydailycalendar.com
02-28-05 18:54:28:711 -- (1024) Bypassed all rules for: CarolynPorter@pregnancydailycalendar.com from
02-28-05 18:54:29:051 -- (1024) EMail from to CarolynPorter@pregnancydailycalendar.com was queued. Size: 34 KB, 34816 bytes
02-28-05 18:54:29:061 -- (1024) Disconnect

Be prepared: do not relay for self / 127.0.0.1.


Posted By: LogSat
Date Posted: 28 February 2005 at 3:57pm
Eric,

The "Check for valid MX records" test actually looks out for such bogus entries and will reject the email if the 127.0.0 is in the spammer's DNS.

Going back to the original question, the "DoNotTrustSelfByDefault" option looks at the actual IP making the remote connection, so 127.0.0.1 would have to be the actual IP address connecting to SpamFilter. That's pretty much impossible for now to trick, as even with IP spoofing the TCP connection requires data to be transmitted back and forth, so a fake IP would not allow the return packets to reach the spammer.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
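As an added example (not SpamFilter's own code), the two decisions this reply describes, written out in Python: whether a connection from the real peer address 127.0.0.1 bypasses all rules under DoNotTrustSelfByDefault, and whether a sender domain's MX targets resolve to usable public addresses rather than loopback or private space. The MX table, the log line parser and the helper names are assumptions constructed for this example.

```python
import ipaddress
import re

# Address ranges a public mail exchanger can never legitimately live in.
# Listed explicitly (rather than via ipaddress.is_private) so the result does
# not depend on which Python version's notion of "private" is in use.
BOGUS_MX_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample of resolved MX addresses for a few sender domains; the
# "bogus" entry mimics a spam domain whose MX points at localhost.
SAMPLE_MX_ADDRESSES = {
    "example.com": ["192.0.2.25", "198.51.100.25"],
    "bogus.example": ["127.0.0.1"],
    "private.example": ["10.0.0.5"],
    "nomx.example": [],
}

# Matches the "Connection from: <ip>" log line format shown in this thread.
CONNECTION_RE = re.compile(r"Connection from:\s*(\S+)")


def peer_ip_from_log_line(line: str):
    """Pull the actual TCP peer address out of a 'Connection from:' log line."""
    m = CONNECTION_RE.search(line)
    return m.group(1) if m else None


def trust_self_bypass(peer_ip: str, do_not_trust_self_by_default: int) -> bool:
    """True when a 'trust self' whitelist would skip all rules: only the real
    connecting address counts, and only loopback with the option left at 0."""
    addr = ipaddress.ip_address(peer_ip)
    return addr.is_loopback and do_not_trust_self_by_default == 0


def mx_address_is_bogus(address: str) -> bool:
    """An MX resolving to loopback, RFC 1918 or other unroutable space cannot
    be a reachable public mail exchanger."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in BOGUS_MX_NETWORKS if net.version == addr.version)


def has_valid_mx(sender_domain: str, mx_addresses=SAMPLE_MX_ADDRESSES) -> bool:
    """Accept a sender domain only if at least one MX target is usable.
    Hypothetical check modelled on the thread, not SpamFilter's implementation."""
    addresses = mx_addresses.get(sender_domain.lower(), [])
    return any(not mx_address_is_bogus(a) for a in addresses)
```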


Posted By: Eric
Date Posted: 28 February 2005 at 5:34pm
Yes, and stay sharp. Here, my ISP's DNS was spoofed by an internal "1 hour" customer; most ISPs route the 10.0.0.0/8 etc. private space internally, so everyone should be extra aware about their config....

Now, ... in the domain block, the entry localhost.* should be there,
and, ... in the from block *@localhost.* should be present.

The posted IP is already in SpamCop now.


Posted By: Desperado
Date Posted: 28 February 2005 at 6:04pm

Eric,

Hmmm,  I would question the statement "most ISPs route the 10.0.0.0/8 etc. private space internally".  As an ISP, we go to great extremes to NEVER route any IPs that are not our PUBLIC, fully registered and BGP announced IPs.   Any private IPs are safely behind a NAT firewall and can never get to our border OR our public mail servers.   Even in our backup location, where the hosting company there does a terrible job of managing private IPs, we use anti-spoofing in our PIX firewalls to prevent our systems from ever seeing an internal "spoof" or, as the case usually is, configuration errors.

There is zero chance that any private IPs can ever, under any conditions, leave our border.  And ... if they did, our downstream provider would not route them anyway.

Dan S.




-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



