Posted to users@spamassassin.apache.org by Chris <cp...@earthlink.net> on 2006/05/21 20:28:27 UTC

USER_IN_DEF_WHITELIST

I've got an FN that showed up in my inbox, the above tag with -15 for a 
score is keeping it from being tagged as spam. I've run spamassassin -R and
spamassassin --remove-addr-from-whitelist=, however it's still got the 
tag.  Where is the default whitelist and how can I remove this address?

-- 
Chris
Registered Linux User 283774 http://counter.li.org
13:24:35 up 7 days, 1:24, 3 users, load average: 0.18, 0.20, 0.14
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk

Re: USER_IN_DEF_WHITELIST

Posted by Matt Kettler <mk...@comcast.net>.
Chris wrote:
> On Sunday 21 May 2006 1:52 pm, Matt Kettler wrote:
>   
>> Chris wrote:
>>     
>>> I've got an FN that showed up in my inbox, the above tag with -15 for a
>>> score is keeping it from being tagged as spam. I've run spamassassin -R
>>> and spamassassin --remove-addr-from-whitelist=
>>>       
>> That command only affects the AWL. It does not affect the real
>> whitelists.
>>
>>     
>>> however it's still got the
>>> tag.  Where is the default whitelist and how can I remove this address?
>>>       
>> it's in /usr/share/spamassassin/60_whitelist.cf.
>>
>> Also, if your false-positive is a forged email, make sure your
>> trusted_networks is set properly. If SA is mis-trusting headers, it may
>> cause whitelist_from_rcvd type rules to match for forgeries.
>>
>> http://wiki.apache.org/spamassassin/TrustPath
>>
>> Note: that page mentions whitelist_from_rcvd not matching as a symptom..
>> this is true, but trust path problems can also go the other way and
>> cause it to match more than it should.
>>
>>
>>  I would also suggest that if there is an entry there that's causing you
>> problems, and it's not caused by mis-parsing, let us know about it.
>>     
>
> Matt, here are the headers of the message:
>
>   
<snip>
>  X-Spam-Untrusted: Relays [ ip=200.8.7.99 rdns=mailer.whitehat.com 
>         helo=mailer.whitehat.com by=mx-roseate.atl.sa.earthlink.net ident= 
>         envfrom= intl=0 id=1fHL0V28i3Nl34f0 auth= ]
>
>   
<snip>
>  Received: from mailer.whitehat.com ([200.8.7.99])
>         by mx-roseate.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP 
>   
What concerns me is that SA thinks that mx-roseate successfully RDNSed
200.8.7.99 to mailer.whitehat.com.

Based on the above header it's not clear that RDNS succeeded at all, but
there are some MTAs that use that format to indicate the helo and RDNS
matched.

Currently I cannot RDNS 200.8.7.99 to anything, but it's in Venezuela

mailer.whitehat.com has a forward lookup of  204.74.75.15, with a
correct RDNS and location info in the US.

Clearly 200.8.7.99 is NOT mailer.whitehat.com, the question is:


If it did successfully RDNS to whitehat.com, then we now have spammers
forging RDNS.

If it did not, we have a new conflict in parsing Received: headers,
where Earthlink's MTA uses a format to mean RDNS timeout, and other MTAs
use it to indicate RDNS match.


<snip>
> As you can see "Received: from mailer.whitehat.com" matches the entry in 
> 60_whitelist.cf:
>
> def_whitelist_from_rcvd  *@mailer.whitehat.com                     
> whitehat.com
>   
Since SA decided that this was legitimately delivered to earthlink by a
host that did RDNS as mailer.whitehat.com
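
To make the trust-path point above concrete, here is an added Python model (not SpamAssassin's own Perl code, and simplified) of how a def_whitelist_from_rcvd entry fires if the relay name is taken from the Received: line as-is, versus only when the connecting IP has forward-confirmed rDNS. The DNS tables are constructed offline stand-ins for the lookups Matt reports, and the sender address is a placeholder.

```python
import re

# Constructed sample, modelled on the Received: line quoted in the thread (not live mail).
RECEIVED_FORGED = ("from mailer.whitehat.com ([200.8.7.99]) "
                   "by mx-roseate.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP")
# Constructed counterpart: the same name, but from the IP the name really resolves to.
RECEIVED_GENUINE = ("from mailer.whitehat.com ([204.74.75.15]) "
                    "by mx.example.net (Example SMTP) with SMTP")

# Offline stand-in for DNS (constructed): mailer.whitehat.com -> 204.74.75.15 with
# matching PTR, while 200.8.7.99 has no usable reverse record.
FORWARD = {"mailer.whitehat.com": "204.74.75.15"}
REVERSE = {"204.74.75.15": "mailer.whitehat.com"}

# The entry from 60_whitelist.cf discussed in the thread.
RULE = ("*@mailer.whitehat.com", "whitehat.com")

def parse_received(hdr):
    """Pull the claimed relay name, connecting IP and receiving host out of a Received: line."""
    m = re.match(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)", hdr)
    if not m:
        return None
    return {"name": m.group(1), "ip": m.group(2), "by": m.group(3)}

def verified_rdns(ip):
    """Forward-confirmed rDNS: the PTR name must resolve back to the same IP, else None."""
    name = REVERSE.get(ip)
    return name if name and FORWARD.get(name) == ip else None

def whitelist_from_rcvd(sender, rdns, rule):
    """Simplified rule semantics: sender matches the glob AND relay rDNS is in the domain."""
    addr_glob, domain = rule
    addr_re = re.escape(addr_glob).replace(r"\*", ".*")
    if not re.fullmatch(addr_re, sender, re.IGNORECASE):
        return False
    return rdns is not None and (rdns == domain or rdns.endswith("." + domain))

def evaluate(hdr, sender, rule, trust_claimed_name):
    """trust_claimed_name=True mirrors taking the MTA's 'from <name>' at face value."""
    r = parse_received(hdr)
    if r is None:
        return False
    rdns = r["name"] if trust_claimed_name else verified_rdns(r["ip"])
    return whitelist_from_rcvd(sender, rdns, rule)
```

With the claimed name trusted, the forged relay from 200.8.7.99 earns the whitelist hit; insisting on forward-confirmed rDNS, only the genuine 204.74.75.15 relay does.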


Re: USER_IN_DEF_WHITELIST

Posted by Chris <cp...@earthlink.net>.
On Sunday 21 May 2006 1:52 pm, Matt Kettler wrote:
> Chris wrote:
> > I've got an FN that showed up in my inbox, the above tag with -15 for a
> > score is keeping it from being tagged as spam. I've run spamassassin -R
> > and spamassassin --remove-addr-from-whitelist=
>
> That command only affects the AWL. It does not affect the real
> whitelists.
>
> > however it's still got the
> > tag.  Where is the default whitelist and how can I remove this address?
>
> it's in /usr/share/spamassassin/60_whitelist.cf.
>
> Also, if your false-positive is a forged email, make sure your
> trusted_networks is set properly. If SA is mis-trusting headers, it may
> cause whitelist_from_rcvd type rules to match for forgeries.
>
> http://wiki.apache.org/spamassassin/TrustPath
>
> Note: that page mentions whitelist_from_rcvd not matching as a symptom..
> this is true, but trust path problems can also go the other way and
> cause it to match more than it should.
>
>
>  I would also suggest that if there is an entry there that's causing you
> problems, and it's not caused by mis-parsing, let us know about it.

Matt, here are the headers of the message:

X-Spam-Virus: No
 X-Spam-Seen: Tokens 102
 X-Spam-New: Tokens 265
 X-Spam-Remote: Host localhost.localdomain
 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on 
        cpollock.localdomain
 X-Spam-Hammy: Tokens 4
 X-Spam-Status: No, score=2.4 required=5.0 tests=BAYES_99,DCC_CHECK,
        RCVD_IN_XBL,RM_t_bobbf,SORTED_RECIPS,SPF_FAIL,SUSPICIOUS_RECIPS,
        UNPARSEABLE_RELAY,USER_IN_DEF_WHITELIST autolearn=disabled 
        version=3.1.0
 X-Spam-Spammy: Tokens 34
 X-Spam-Pyzor: Reported 0 times.
 X-Spam-Token: Summary Tokens: new, 163; hammy, 4; neutral, 64; spammy, 34.
 X-Spam-DCC: dcc.uncw.edu cpollock 1201; Body=1 Fuz1=1 Fuz2=many
 X-Spam-Untrusted: Relays [ ip=200.8.7.99 rdns=mailer.whitehat.com 
        helo=mailer.whitehat.com by=mx-roseate.atl.sa.earthlink.net ident= 
        envfrom= intl=0 id=1fHL0V28i3Nl34f0 auth= ]
 X-Spam-Level: **
 X-Spam-RBL: Results <dns:99.7.8.200.sbl-xbl.spamhaus.org> [127.0.0.4]
        <dns:mailer.whitehat.com?type=MX> [5 mailer.whitehat.com.]
        <dns:mailer.whitehat.com> [204.74.75.15]
 Status: U
 Return-Path: <VL...@mailer.whitehat.com>
 Received: from pop.earthlink.net [209.86.93.201]
        by localhost with POP3 (fetchmail-6.2.5)
        for cpollock@localhost (single-drop); Sun, 21 May 2006 05:20:08 
-0500 (CDT)
 Received: from mailer.whitehat.com ([200.8.7.99])
        by mx-roseate.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP 
id 1fHL0V28i3Nl34f0; Sun, 21 May 2006 06:18:24 -0400 (EDT)
 Received: from smtp.endend.nl ([Mon, 22 May 2006 06:02:50 +0200])
        by relay.2yahoo.com with NNFMP; Mon, 22 May 2006 06:02:50 +0200
 Received: from Mon, 22 May 2006 05:48:33 +0200 ([Mon, 22 May 2006 05:48:33 
+0200]) by relay-x.misswldrs.com with SMTP; Mon, 22 May 2006 05:48:33 +0200
 Received: from external.newsubdomain.com ([Mon, 22 May 2006 05:34:14 
+0200])
        by qrx.quickslick.com with NNFMP; Mon, 22 May 2006 05:34:14 +0200
 Message-ID: <b2...@VLee>
 Reply-To: "Blythe Gordon" <VL...@mailer.whitehat.com>
 From: "Bethann Ryan" <VL...@mailer.whitehat.com>
 To: "Ashlyn J Johnson" <cp...@earthlink.com>,
        "Annalee" <cp...@earthlink.com>,
        "Alline Barber" <cp...@earthlink.com>,
        "Yuko N Parker" <cp...@earthlink.com>,
        "Vella" <cp...@earthlink.com>,
        "Trang Gray" <cp...@earthlink.com>,
        "Towanda B Brown" <cp...@earthlink.com>
 Subject: loads of players online, win big
 Date: Mon, 22 May 2006 05:24:09 +0200
 MIME-Version: 1.0
 Content-Type: text/plain;
        charset="windows-1252"
 Content-Transfer-Encoding: 7bit
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 5.50.4522.1200
 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
 X-ELNK-Info: spv=1;
 X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
 X-SenderIP: 200.8.7.99
 X-ASN: ASN-21826
 X-CIDR: 200.8.6.0/23
 X-UID: 1
 X-Length: 3728

As you can see "Received: from mailer.whitehat.com" matches the entry in 
60_whitelist.cf:

def_whitelist_from_rcvd  *@mailer.whitehat.com                     
whitehat.com

I suppose that's where that tag came from. I have raised the score on the 
RM_t_bobbf from 3.0 to 10.0 for now, which raised the score on this message 
to above the 5.0 threshold.

-- 
Chris
Registered Linux User 283774 http://counter.li.org
21:17:11 up 7 days, 9:17, 2 users, load average: 1.48, 0.80, 0.58
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


Re: USER_IN_DEF_WHITELIST

Posted by Matt Kettler <mk...@comcast.net>.
Chris wrote:
> I've got an FN that showed up in my inbox, the above tag with -15 for a 
> score is keeping it from being tagged as spam. I've run spamassassin -R and
> spamassassin --remove-addr-from-whitelist=
That command only affects the AWL. It does not affect the real whitelists.
> however it's still got the 
> tag.  Where is the default whitelist and how can I remove this address?
>   
it's in /usr/share/spamassassin/60_whitelist.cf.

Also, if your false-positive is a forged email, make sure your
trusted_networks is set properly. If SA is mis-trusting headers, it may
cause whitelist_from_rcvd type rules to match for forgeries.

http://wiki.apache.org/spamassassin/TrustPath

Note: that page mentions whitelist_from_rcvd not matching as a symptom..
this is true, but trust path problems can also go the other way and
cause it to match more than it should.


 I would also suggest that if there is an entry there that's causing you
problems, and it's not caused by mis-parsing, let us know about it.