Posted to users@spamassassin.apache.org by FaberK <f....@gmail.com> on 2007/08/20 13:15:58 UTC
False positives
Hi,
today I'm receiving spam messages as good ones, as follows:
-----
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on ns2.dms.it
X-Spam-Level:
X-Spam-Status: No, score=-76.1 required=5.0 tests=DRUGS_ANXIETY,
	DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,DRUGS_MANYKINDS,DRUGS_MUSCLE,
	DRUGS_SLEEP_EREC,FB_CIALIS_LEO3,INVALID_DATE,LOW_PRICE,ONLINE_PHARMACY,
	PYZOR_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_VISIT_PHARMA,URIBL_BLACK,
	URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no
	version=3.2.3
-----
As you can see, they receive -76.1 points, even though they are drug spam.
Any solutions?
Where am I wrong?
Thanks to all
--
.:FaberK:.
R: False positives
Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original message-----
> From: FaberK [mailto:f.faberk@gmail.com]
>
> Hi,
> today I'm receiving spam messages as good ones as follow:
> -----
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on ns2.dms.it
> X-Spam-Level:
> X-Spam-Status: No, score=-76.1 required=5.0 tests=DRUGS_ANXIETY,
> DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,DRUGS_MANYKINDS,DRUGS_MUSCLE,
> DRUGS_SLEEP_EREC,FB_CIALIS_LEO3,INVALID_DATE,LOW_PRICE,ONLINE_PHARMACY,
> PYZOR_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_VISIT_PHARMA,URIBL_BLACK,
> URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no
> version=3.2.3
> -----
> as you can see, they receive -76.1 points, also if they are drugs spam.
> Any solutions?
> Where I'm wrong?
What about here?
USER_IN_WHITELIST
You probably whitelisted the sender. Use whitelist_from_spf or
whitelist_from_rcvd instead of the too broad whitelist_from.
Giampaolo
>
> Thanks to all
>
> --
> .:FaberK:.
Re: False positives
Posted by Martin Schütte <li...@mschuette.name>.
FaberK wrote:
> Where I'm wrong?
> URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no
                                          ^^^^^^^^^^^^^^^^^
--
Martin
Re: False positives
Posted by FaberK <f....@gmail.com>.
Thanks to all.
;o)
2007/8/20, SM <sm...@resistor.net>:
>
> At 06:48 20-08-2007, FaberK wrote:
> >Into my sendmail.cf I got this:
>
> This has nothing to do with sendmail. The Return-Path: address is
> what gets passed through the SMTP envelope. Don't whitelist your domain.
>
> Regards,
> -sm
>
>
--
.:FaberK:.
Re: False positives
Posted by SM <sm...@resistor.net>.
At 06:48 20-08-2007, FaberK wrote:
>Into my sendmail.cf I got this:
This has nothing to do with sendmail. The Return-Path: address is
what gets passed through the SMTP envelope. Don't whitelist your domain.
Regards,
-sm
Re: False positives
Posted by FaberK <f....@gmail.com>.
Into my sendmail.cf I got this:
----------
#########################
# Format of headers #
#########################
H?P?Return-Path: <$g>
HReceived: $?sfrom $s $.$?_($?s$|from $.$_)
	$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
	$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
	(version=${tls_version} cipher=${cipher} bits=${cipher_bits}
	verify=${verify})$.$?u
	for $u; $|;
	$.$b
H?D?Resent-Date: $a
H?D?Date: $a
H?F?Resent-From: $?x$x <$g>$|$g$.
H?F?From: $?x$x <$g>$|$g$.
H?x?Full-Name: $x
# HPosted-Date: $a
# H?l?Received-Date: $b
H?M?Resent-Message-Id: <$t.$i@$j>
H?M?Message-Id: <$t.$i@$j>
----------
2007/8/20, FaberK <f....@gmail.com>:
>
> Hi,
> following your suggestions, I've noticed that those mails got as
>
> Return-Path:
>
> my address that is in whitelist.
> Also, normally the first record in any mail is:
> From:
> but not in this cases.
> More, I'm using Sendmail 8.14.1 Spamassassin 3.2.3
> Thanks
>
> 2007/8/20, Jari Fredriksson <ja...@iki.fi>:
> >
> > > Hi,
> > > today I'm receiving spam messages as good ones as follow:
> > > -----
> > > X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08)
> > > on ns2.dms.it X-Spam-Level:
> > > X-Spam-Status: No, score=-76.1 required=5.0
> > > tests=DRUGS_ANXIETY,
> > > DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,DRUGS_MANYKINDS,DRUGS_MUSCLE,
> > > DRUGS_SLEEP_EREC,FB_CIALIS_LEO3,INVALID_DATE,LOW_PRICE,ONLINE_PHARMACY,
> > > PYZOR_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_VISIT_PHARMA,URIBL_BLACK,
> > > URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST
> > > autolearn=no version=3.2.3 -----
> > > as you can see, they receive -76.1 points, also if they
> > > are drugs spam. Any solutions?
> > > Where I'm wrong?
> > >
> > > Thanks to all
> >
> > Don't whitelist your own domain, that's what spammers often use as
> > sender address.
> >
> >
>
>
> --
> .:FaberK:.
--
.:FaberK:.
Re: False positives
Posted by "John D. Hardin" <jh...@impsec.org>.
On Mon, 20 Aug 2007, FaberK wrote:
> Hi,
> following your suggestions, I've noticed that those mails got as
>
> Return-Path:
>
> my address that is in whitelist.
It is trivially easy for an external mail client to forge the sender
address to make the message appear as if it is coming from your
domain. This is why using whitelist_from is a *last resort*. Remove
your domain from whitelist_from.
The first question to ask is, why do you feel you need to whitelist
your own domain?
If you want to bypass SA for locally-originated mail for some reason
either:
(1) Tell your MTA to not pass internally-originated email to SA in the
first place (better), or
(2) Use whitelist_from_rcvd to tell SA that mail from your domain name
originates from your local network space only.
Does that better clarify things?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
So Microsoft's invented the ASCII equivalent to ugly ink spots that
appear on your letter when your pen is malfunctioning.
-- Greg Andrews, about Microsoft's way to encode apostrophes
-----------------------------------------------------------------------
5 days until The 1928th anniversary of the destruction of Pompeii
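An audit sketch for the failure mode discussed in this thread, added here as an example (not code from any poster or from the SpamAssassin project): it parses an X-Spam-Status header, removes the USER_IN_WHITELIST contribution, and reports whether the whitelist alone kept the message under the threshold. The function name `audit_whitelist_masking` and the -100.0 score assumed for USER_IN_WHITELIST (the stock default) are assumptions; the sample header is the one reported in the first post, with a constructed body.

```python
import re
from email import message_from_string

# Assumption: stock score for USER_IN_WHITELIST; change if local.cf overrides it.
WHITELIST_SCORES = {"USER_IN_WHITELIST": -100.0}
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_")  # DNS blocklist rule families seen in the thread

# Sample message built from the headers quoted in the first post (body is constructed).
SAMPLE = """\
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on ns2.dms.it
X-Spam-Status: No, score=-76.1 required=5.0 tests=DRUGS_ANXIETY,
 DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,DRUGS_MANYKINDS,DRUGS_MUSCLE,
 DRUGS_SLEEP_EREC,FB_CIALIS_LEO3,INVALID_DATE,LOW_PRICE,ONLINE_PHARMACY,
 PYZOR_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_VISIT_PHARMA,URIBL_BLACK,
 URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no
 version=3.2.3

(constructed body)
"""

def audit_whitelist_masking(raw_message):
    """Return a dict describing whether a whitelist rule hid a spam verdict."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None  # message was never scanned
    # Unfold the header: drop whitespace after commas, collapse the rest.
    status = re.sub(r"\s+", " ", re.sub(r",\s+", ",", status))
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    required = re.search(r"required=(-?\d+(?:\.\d+)?)", status)
    tests = re.search(r"tests=(\S*)", status)
    if not (score and required and tests):
        return None  # header not in the expected layout
    score, required = float(score.group(1)), float(required.group(1))
    hits = [t for t in tests.group(1).split(",") if t and t != "none"]
    bonus = sum(WHITELIST_SCORES.get(t, 0.0) for t in hits)
    unmasked = round(score - bonus, 1)
    return {
        "score": score,
        "unmasked_score": unmasked,
        "network_hits": [t for t in hits if t.startswith(NETWORK_PREFIXES)],
        # True when only the whitelist kept the message below the threshold.
        "masked_spam": bonus < 0 and score < required <= unmasked,
    }

if __name__ == "__main__":
    print(audit_whitelist_masking(SAMPLE))
```

Run over a mailbox, any message reported with `masked_spam` true and a non-empty `network_hits` list points at a whitelist entry that matches a forgeable sender address.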
Re: False positives
Posted by FaberK <f....@gmail.com>.
Hi,
following your suggestions, I've noticed that those mails got as
Return-Path:
my address that is in whitelist.
Also, normally the first record in any mail is:
From:
but not in these cases.
Also, I'm using Sendmail 8.14.1 and SpamAssassin 3.2.3
Thanks
2007/8/20, Jari Fredriksson <ja...@iki.fi>:
>
> > Hi,
> > today I'm receiving spam messages as good ones as follow:
> > -----
> > X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08)
> > on ns2.dms.it X-Spam-Level:
> > X-Spam-Status: No, score=-76.1 required=5.0
> > tests=DRUGS_ANXIETY,
> > DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,DRUGS_MANYKINDS,DRUGS_MUSCLE,
> > DRUGS_SLEEP_EREC,FB_CIALIS_LEO3,INVALID_DATE,LOW_PRICE,ONLINE_PHARMACY,
> > PYZOR_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_VISIT_PHARMA,URIBL_BLACK,
> > URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST
> > autolearn=no version=3.2.3 -----
> > as you can see, they receive -76.1 points, also if they
> > are drugs spam. Any solutions?
> > Where I'm wrong?
> >
> > Thanks to all
>
> Don't whitelist your own domain, that's what spammers often use as sender
> address.
>
>
--
.:FaberK:.
Re: False positives
Posted by Jari Fredriksson <ja...@iki.fi>.
> Hi,
> today I'm receiving spam messages as good ones as follow:
> -----
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08)
> on ns2.dms.it X-Spam-Level:
> X-Spam-Status: No, score=-76.1 required=5.0
> tests=DRUGS_ANXIETY,
> DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,DRUGS_MANYKINDS,DRUGS_MUSCLE,
> DRUGS_SLEEP_EREC,FB_CIALIS_LEO3,INVALID_DATE,LOW_PRICE,ONLINE_PHARMACY,
> PYZOR_CHECK,RCVD_IN_PBL,RDNS_DYNAMIC,TVD_VISIT_PHARMA,URIBL_BLACK,
> URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL,USER_IN_WHITELIST
> autolearn=no version=3.2.3 -----
> as you can see, they receive -76.1 points, also if they
> are drugs spam. Any solutions?
> Where I'm wrong?
>
> Thanks to all
Don't whitelist your own domain, that's what spammers often use as sender address.