whitelist

[Jack Gostl <go...@argoscomp.com>]

-----BEGIN PGP SIGNED MESSAGE-----

I have an odd problem. I have a user receiving spam from something like
abcde@verybigcompany.com. Since he does business with verybigcompany.com,
he had them in his white list, and as expected, the spam slipped through.

Based on the advice I got in this newsgroup, I changed him from a straight:

      whitelist_from    *@verybigcompany.com

to

    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com

I think I did that right. So now the odd thing is that spam from
verybigcompany.com is coming through on my PERSONAL account even though its
not in my whitelist. The headers show that this is a "user in whitelist"
situation. It may be happening to others, I haven't checked, but its weird
enough that its happening to me.

Now if I haven't confused everyone, I'm open to ideas.

I am on SpamAssassin version 3.1.8 running on Perl version 5.8.2 under AIX
5.3


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wpUDBQFHWATLFhDacYjJc7UBAW6QBACyE2GnQXEgSY/89kXWo2kk6OFE0IAg3CfS
K3mrslL5OxkWGhqAptLw5nE5J3plAR3a16r8XLk9YuMNLJJD/9q3Dk+SVpB1NVsk
1igoTTX0rlZMTKzIFiLLzitInXUXeg2Gwl7s57OCZtjdTl8vxmBkynno3nl3csjk
Xfp9aRKP2w==
=ub+v
-----END PGP SIGNATURE-----

Re: whitelist

[Jack Gostl <go...@argoscomp.com>]

----- Original Message ----- 
From: "Daryl C. W. O'Shea" <sp...@dostech.ca>
To: "Matt Kettler" <mk...@verizon.net>
Cc: "Jack Gostl" <go...@argoscomp.com>; "spam" 
<us...@spamassassin.apache.org>
Sent: Thursday, December 06, 2007 11:08 PM
Subject: Re: whitelist


> Matt Kettler wrote:
>> Matt Kettler wrote:
>>> Jack Gostl wrote:
>>>
>>>> I have an odd problem. I have a user receiving spam from something like
>>>> abcde@verybigcompany.com. Since he does business with 
>>>> verybigcompany.com,
>>>> he had them in his white list, and as expected, the spam slipped 
>>>> through.
>>>>
>>>> Based on the advice I got in this newsgroup, I changed him from a
>>>> straight:
>>>>
>>>>      whitelist_from    *@verybigcompany.com
>>>>
>>>> to
>>>>
>>>>    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com
>>>>
>>>> I think I did that right. So now the odd thing is that spam from
>>>> verybigcompany.com is coming through on my PERSONAL account even
>>>> though its
>>>> not in my whitelist. The headers show that this is a "user in 
>>>> whitelist"
>>>> situation. It may be happening to others, I haven't checked, but its 
>>>> weird
>>>> enough that its happening to me.
>>>>
>>>> Now if I haven't confused everyone, I'm open to ideas.
>>>>
>>> Have you checked *all* the "from like" headers to see if any of them
>>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>>
>>> Have you tried running the same message through spamassassin -D to see
>>> which exact address SA matched against?
>>>
>>>
>>>
>>
>> One other thing to check.. if you use spamd you're probably subject to
>> this bug:
>>
>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179
>
> No, it's not that bug.  That bug is about user rules getting compiled into 
> methods at runtime and then not disposed off when the username gets 
> changed.
>
> The whitelist (and blacklist) config structures are copied in and out of 
> existance by copy_config fine AFAIK.
>
> Jack -- are you using spamd?  Are usernames being passed along somehow 
> (via spamc -u, some other client?)?  How are user preferences stored?

Sorry for the delay in responding, I thought it was a closed issue.

Yes, I'm using spamd.

Here is the line from my .procmailrc file:
        |/usr/local/bin/spamc

As you can see, no user specified. Each user has their own user_prefs in 
$HOME/.spamassassin.

Re: whitelist

["Daryl C. W. O'Shea" <sp...@dostech.ca>]

Matt Kettler wrote:
> Matt Kettler wrote:
>> Jack Gostl wrote:
>>   
>>> I have an odd problem. I have a user receiving spam from something like
>>> abcde@verybigcompany.com. Since he does business with verybigcompany.com,
>>> he had them in his white list, and as expected, the spam slipped through.
>>>
>>> Based on the advice I got in this newsgroup, I changed him from a
>>> straight:
>>>
>>>      whitelist_from    *@verybigcompany.com
>>>
>>> to
>>>
>>>    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com
>>>
>>> I think I did that right. So now the odd thing is that spam from
>>> verybigcompany.com is coming through on my PERSONAL account even
>>> though its
>>> not in my whitelist. The headers show that this is a "user in whitelist"
>>> situation. It may be happening to others, I haven't checked, but its weird
>>> enough that its happening to me.
>>>
>>> Now if I haven't confused everyone, I'm open to ideas.
>>>     
>> Have you checked *all* the "from like" headers to see if any of them
>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>
>> Have you tried running the same message through spamassassin -D to see
>> which exact address SA matched against?
>>
>>
>>   
> 
> One other thing to check.. if you use spamd you're probably subject to
> this bug:
> 
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179

No, it's not that bug.  That bug is about user rules getting compiled 
into methods at runtime and then not disposed off when the username gets 
changed.

The whitelist (and blacklist) config structures are copied in and out of 
existance by copy_config fine AFAIK.

Jack -- are you using spamd?  Are usernames being passed along somehow 
(via spamc -u, some other client?)?  How are user preferences stored?

Daryl

Re: whitelist

[Matt Kettler <mk...@verizon.net>]

Jack Gostl wrote:
>
> ----- Original Message ----- From: "Matt Kettler"
> <mk...@verizon.net>
> To: "Jack Gostl" <go...@argoscomp.com>
> Cc: "spam" <us...@spamassassin.apache.org>
> Sent: Thursday, December 06, 2007 8:19 PM
> Subject: Re: whitelist
>
>
>> Matt Kettler wrote:
>>> Jack Gostl wrote:
>>>
>>>> I have an odd problem. I have a user receiving spam from something
>>>> like
>>>> abcde@verybigcompany.com. Since he does business with
>>>> verybigcompany.com,
>>>> he had them in his white list, and as expected, the spam slipped
>>>> through.
>>>>
>>>> Based on the advice I got in this newsgroup, I changed him from a
>>>> straight:
>>>>
>>>>      whitelist_from    *@verybigcompany.com
>>>>
>>>> to
>>>>
>>>>    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com
>>>>
>>>> I think I did that right. So now the odd thing is that spam from
>>>> verybigcompany.com is coming through on my PERSONAL account even
>>>> though its
>>>> not in my whitelist. The headers show that this is a "user in
>>>> whitelist"
>>>> situation. It may be happening to others, I haven't checked, but
>>>> its weird
>>>> enough that its happening to me.
>>>>
>>>> Now if I haven't confused everyone, I'm open to ideas.
>>>>
>>> Have you checked *all* the "from like" headers to see if any of them
>>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>>
>>> Have you tried running the same message through spamassassin -D to see
>>> which exact address SA matched against?
>>>
>>>
>>>
>>
>> One other thing to check.. if you use spamd you're probably subject to
>> this bug:
>>
>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179
>
> This looks close enough to worry. I'm not used to reading those
> bugzilla reports. Is there a fix? Would I have to upgrade to the
> current release?
>
>
>
No, there's no published fix yet, but there's a patch targeted to go
into the next 3.2.x release if it gets enough votes from the PMC.

Re: whitelist

[Jack Gostl <go...@argoscomp.com>]

----- Original Message ----- 
From: "Matt Kettler" <mk...@verizon.net>
To: "Jack Gostl" <go...@argoscomp.com>
Cc: "spam" <us...@spamassassin.apache.org>
Sent: Thursday, December 06, 2007 8:19 PM
Subject: Re: whitelist


> Matt Kettler wrote:
>> Jack Gostl wrote:
>>
>>> I have an odd problem. I have a user receiving spam from something like
>>> abcde@verybigcompany.com. Since he does business with 
>>> verybigcompany.com,
>>> he had them in his white list, and as expected, the spam slipped 
>>> through.
>>>
>>> Based on the advice I got in this newsgroup, I changed him from a
>>> straight:
>>>
>>>      whitelist_from    *@verybigcompany.com
>>>
>>> to
>>>
>>>    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com
>>>
>>> I think I did that right. So now the odd thing is that spam from
>>> verybigcompany.com is coming through on my PERSONAL account even
>>> though its
>>> not in my whitelist. The headers show that this is a "user in whitelist"
>>> situation. It may be happening to others, I haven't checked, but its 
>>> weird
>>> enough that its happening to me.
>>>
>>> Now if I haven't confused everyone, I'm open to ideas.
>>>
>> Have you checked *all* the "from like" headers to see if any of them
>> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>>
>> Have you tried running the same message through spamassassin -D to see
>> which exact address SA matched against?
>>
>>
>>
>
> One other thing to check.. if you use spamd you're probably subject to
> this bug:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179

This looks close enough to worry. I'm not used to reading those bugzilla 
reports. Is there a fix? Would I have to upgrade to the current release?

Re: whitelist

[Matt Kettler <mk...@verizon.net>]

Matt Kettler wrote:
> Jack Gostl wrote:
>   
>> I have an odd problem. I have a user receiving spam from something like
>> abcde@verybigcompany.com. Since he does business with verybigcompany.com,
>> he had them in his white list, and as expected, the spam slipped through.
>>
>> Based on the advice I got in this newsgroup, I changed him from a
>> straight:
>>
>>      whitelist_from    *@verybigcompany.com
>>
>> to
>>
>>    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com
>>
>> I think I did that right. So now the odd thing is that spam from
>> verybigcompany.com is coming through on my PERSONAL account even
>> though its
>> not in my whitelist. The headers show that this is a "user in whitelist"
>> situation. It may be happening to others, I haven't checked, but its weird
>> enough that its happening to me.
>>
>> Now if I haven't confused everyone, I'm open to ideas.
>>     
> Have you checked *all* the "from like" headers to see if any of them
> match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)
>
> Have you tried running the same message through spamassassin -D to see
> which exact address SA matched against?
>
>
>   

One other thing to check.. if you use spamd you're probably subject to
this bug:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179

Re: whitelist

[Matt Kettler <mk...@verizon.net>]

Jack Gostl wrote:
> I have an odd problem. I have a user receiving spam from something like
> abcde@verybigcompany.com. Since he does business with verybigcompany.com,
> he had them in his white list, and as expected, the spam slipped through.
>
> Based on the advice I got in this newsgroup, I changed him from a
> straight:
>
>      whitelist_from    *@verybigcompany.com
>
> to
>
>    whitelist_from_rcvd *@verybigcompany.com verybigcompany.com
>
> I think I did that right. So now the odd thing is that spam from
> verybigcompany.com is coming through on my PERSONAL account even
> though its
> not in my whitelist. The headers show that this is a "user in whitelist"
> situation. It may be happening to others, I haven't checked, but its weird
> enough that its happening to me.
>
> Now if I haven't confused everyone, I'm open to ideas.
Have you checked *all* the "from like" headers to see if any of them
match your whitelist. (ie: return-path, envelope-sender, etc, etc, etc)

Have you tried running the same message through spamassassin -D to see
which exact address SA matched against?


>
>