Posted to users@spamassassin.apache.org by John Fleming <jo...@wa9als.com> on 2006/11/06 16:40:56 UTC

Spam used whitelist?

Real novice here - Would someone please explain how a stock spam was
able to use my whitelist to get a huge negative score?  I do have a
whitelist, but the user shown below is not in it.  I do have one
Italian (.it) domain in the whitelist, but it is a different/address
domain.  How did this msg get whitelisted?

And, why did it get autolearned as "Spam" with a huge negative score
and end up in my inbox??  Seems very strange to me on several fronts!

Thanks!  - John

Viewing Full Header - View message
Return-Path: <jo...@wa9als.com>
X-Original-To: john@wa9als.com
Delivered-To: john@wa9als.com
Received: from 59.93.203.39 (unknown [59.93.203.39])
     by wa9als.com (Postfix) with ESMTP id 64D552D6B0A
     for <jo...@wa9als.com>; Mon, 6 Nov 2006 10:16:08 -0500 (EST)
Received: from comtel-tech.com (port=15040 helo=ejaqycujbpy)
     by 59.93.203.39 with smtp
     id 52d4O-6S8sS3Tt0-U0W
     for john@wa9als.com; Mon, 06 Nov 2006 20:53:40 -0800
Message-ID: <00...@ejaqycujbpy>
From: "Jay" <lg...@comune.veduggioconcolzano.mi.it>
To: john@wa9als.com
Subject: thousand footmen: that waiteth And it ceaseth: shall not said
unto
Date: Mon, 06 Nov 2006 20:53:40 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
     type="multipart/alternative";
     boundary="----=_NextPart_000_000B_01C701E5.A125B510"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1
with ClamAV 0.88.5/2166/Mon Nov 6 08:44:31 2006 signatures 41.2166
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
Luke.wa9als.com
X-Spam-Level:
X-Spam-Status: No, score=-70.3 required=5.0 tests=BAYES_99,
     DATE_IN_FUTURE_12_24,HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,
     MIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,MY_CID_AND_CLOSING,
     MY_CID_AND_STYLE,RCVD_BY_IP,RCVD_IN_DSBL,RCVD_IN_NJABL_PROXY,
     RCVD_IN_SORBS_HTTP,RCVD_IN_XBL,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH,
     SARE_GIF_STOX,USER_IN_WHITELIST autolearn=spam version=3.0.3




Re: Spam used whitelist?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
John Fleming wrote:
> Real novice here - Would someone please explain how a stock spam was
> able to use my whitelist to get a huge negative score?  I do have a
> whitelist, but the user shown below is not in it.  I do have one
> Italian (.it) domain in the whitelist, but it is a different/address
> domain.  How did this msg get whitelisted?

I do not believe you when you say you haven't whitelisted yourself.  Do 
not use whitelist_from to whitelist yourself, use one of the whitelist 
methods that isn't open to forgery.

Better yet, think about why it's even necessary to whitelist yourself. 
If you have to whitelist yourself to receive your own mail, what about 
all the people you send mail to?


> And, why did it get autolearned as "Spam" with a huge negative score
> and end up in my inbox??  Seems very strange to me on several fronts!

The learner ignores userconf rules when determining whether or not to 
learn.  I believe 3.2 will not learn the message in cases like this.


> 
> Thanks!  - John
> 
> Viewing Full Header - View message
> Return-Path: <jo...@wa9als.com>


Daryl

Re: Spamassassin Score

Posted by Leander Koornneef <l....@ic-s.nl>.
On 6-nov-2006, at 19:59, Claus Westerkamp wrote:

> Hello list,
>
> I'd like to modify the Score output of spamassassin. I want 3 digits
> display permanently (e.g. ***(Score002.3)*** or ***(Score102.3)*** )
>
> Is this possible? I want it to be able to sort the spam-messages by  
> Score.

Of course this is possible, but you will probably have to
hack some code to get the result you want. As far as I
know, there is no configuration option for this.

If you are using amavis for instance, you could change
the part where $full_spam_status is put together from:

	sprintf("%3.1f",$spam_level)

to something like:

	sprintf("%05.1f",$spam_level)

In spamd this would be from:

	my $msg_score     = sprintf( "%.1f", $status->get_score );

to:

	my $msg_score     = sprintf( "%05.1f", $status->get_score );

Also beware that this will be overwritten when you update/upgrade
your software...

Leander



Spamassassin Score

Posted by Claus Westerkamp <cl...@raytion.com>.
Hello list,

I'd like to modify the Score output of spamassassin. I want 3 digits
display permanently (e.g. ***(Score002.3)*** or ***(Score102.3)*** )

Is this possible? I want it to be able to sort the spam-messages by Score.

thanx
claus


Re: Spam used whitelist?

Posted by Matt Kettler <mk...@verizon.net>.
John Fleming wrote:
> Real novice here - Would someone please explain how a stock spam was
> able to use my whitelist to get a huge negative score?  I do have a
> whitelist, but the user shown below is not in it. 
Check the Return-Path header.

Is john@wa9als.com in your whitelist_from? If so, there's your culprit.

To fix this, switch to whitelist_from_rcvd. NEVER use whitelist_from for
ANYTHING unless you've exhausted all other options first.

whitelist_from is trivially forgeable.

And before you complain about whitelist_from matching the return-path,
this header is no more difficult to forge than the real From: header.
whitelist_from'ing yourself or your domain is just asking to be abused,
no matter how many or how few headers it checks, they're all easy to forge.


>  I do have one
> Italian (.it) domain in the whitelist, but it is a different/address
> domain.  How did this msg get whitelisted?
>
> And, why did it get autolearned as "Spam" with a huge negative score
> and end up in my inbox??  Seems very strange to me on several fronts!
>
> Thanks!  - John
>
> Viewing Full Header - View message
> Return-Path: <jo...@wa9als.com>
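
Added example (not part of the original thread, and not SpamAssassin's own code): a simplified Python model of the whitelist_from and whitelist_from_rcvd checks discussed in the replies above, run on a constructed message shaped like the one John posted. The addresses, IP, and function names are assumptions, and it assumes the topmost Received header was written by the recipient's own Postfix MX.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed sample: the envelope sender (Return-Path) is forged to be the
# recipient's own address, and the connecting relay has no reverse DNS.
SAMPLE = (
    "Return-Path: <user@example.org>\n"
    "Received: from 203.0.113.39 (unknown [203.0.113.39])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 0000000000\n"
    "\tfor <user@example.org>; Mon, 6 Nov 2006 10:16:08 -0500 (EST)\n"
    'From: "Jay" <sender@example.net>\n'
    "To: user@example.org\n"
    "Subject: constructed sample\n\nbody\n"
)

def sender_addresses(msg):
    """Addresses the sender fully controls: envelope sender and From: header."""
    found = set()
    for name in ("Return-Path", "From"):
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1].lower()
            if addr:
                found.add(addr)
    return found

def relay_rdns(msg):
    """rDNS our own MX recorded for the connecting host, or None if it had none."""
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[[^\]]+\]\)", msg.get("Received", ""))
    if not m or m.group(1).lower() == "unknown":
        return None
    return m.group(1).lower()

def whitelist_from(msg, patterns):
    """Address-only match: any claimed sender address that fits a glob passes."""
    return any(fnmatchcase(a, p.lower()) for a in sender_addresses(msg) for p in patterns)

def whitelist_from_rcvd(msg, entries):
    """Address match plus a relay rDNS that equals or ends in the listed domain."""
    rdns = relay_rdns(msg)
    return rdns is not None and any(
        (rdns == d.lower() or rdns.endswith("." + d.lower())) and whitelist_from(msg, [p])
        for p, d in entries)

def evaluate(raw):
    """Return (whitelist_from hit, whitelist_from_rcvd hit) for a raw message."""
    msg = message_from_string(raw)
    return (whitelist_from(msg, ["user@example.org"]),
            whitelist_from_rcvd(msg, [("user@example.org", "example.org")]))

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The forged sample passes the address-only check but fails the relay check, because the rDNS value is recorded by the receiving server rather than supplied by the sender.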