Posted to users@spamassassin.apache.org by Andrew Xiang <xi...@gratingworks.com> on 2007/10/22 17:46:34 UTC

user_in_whitelist , how do I find out which one?

I have many users in the whitelist_from in the local.cf.
When I get forwarded spam email like this, how do I find which one it matched? Which FROM entry is it actually looking at?

-Andrew


X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on xphotonics.com
X-Spam-Level: 
X-Spam-Status: No, score=-72.0 required=5.0 tests=BAYES_50,DCC_CHECK,
 DIGEST_MULTIPLE,DRUGS_ERECTILE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
 MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
 RAZOR2_CHECK,SARE_FROM_DRUGS,UNPARSEABLE_RELAY,USER_IN_WHITELIST autolearn=no
 version=3.2.1
X-Spam-Pyzor: Reported 4263 times.
X-Spam-Report: 
 * -100 USER_IN_WHITELIST From: address is in the user's white-list
 *  1.7 SARE_FROM_DRUGS From a drug
 *  5.5 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 *      [score: 0.5000]
 *  3.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  5.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 *  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
 *      above 50%
 *      [cf: 100]
 *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 *      [cf: 100]
 *  5.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 *  5.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 *  0.0 DIGEST_MULTIPLE Message hits more than one network digest check
 *  0.3 DRUGS_ERECTILE Refers to an erectile drug
 *  0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
Received: from xphotonics.com (localhost [127.0.0.1])
 by xphotonics.com (8.14.1/8.14.1) with ESMTP id l9MFJIOp032936
 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO)
 for <xi...@xphotonics.com>; Mon, 22 Oct 2007 11:19:18 -0400 (EDT)
 (envelope-from lian@xphotonics.com)
Received: (from lian@localhost)
 by xphotonics.com (8.14.1/8.14.1/Submit) id l9MFJIKX032935
 for xiang; Mon, 22 Oct 2007 11:19:18 -0400 (EDT)
 (envelope-from lian)
Received: from 029ae8f252bf4ac (84pavel.dialup.corbina.ru [85.21.237.209])
 by xphotonics.com (8.14.1/8.14.1) with SMTP id l9MFHg8N032899
 for <li...@gratingworks.com>; Mon, 22 Oct 2007 11:17:44 -0400 (EDT)
 (envelope-from vepe@gratings.co.za)
Date: Mon, 22 Oct 2007 11:17:42 -0400 (EDT)
Received: from Susana Ware (10.11.17.11) by 029ae8f252bf4ac (PowerMTA(TM) v3.2r4) id hfp31o62d55j87 for <li...@gratingworks.com>; Mon, 22 Oct 2007 07:17:20 +0300
Message-Id: <20...@029ae8f252bf4ac>
To: <li...@gratingworks.com>
Subject: October 79% OFF
From: VIAGRA ?Official Site <li...@gratingworks.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com
X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com
X-Virus-Status: Clean

<style>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr">
    <head>
        <meta http-equiv=Content-Type content="text/html; charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">
<title>WL 90-day Email 1a</title>
<table width=550 border=0 cellpadding=0 cellspacing=0 bgcolor="#999999">
</tr>
<tr valign=top>
<td colspan=5><img src="http://ads1.oqr.com/ads/pronws/CIQ3536/1a_banner.jpg" alt="Windows
 Live Hotmail" width=548 height=224 border=0></td>

Re: user_in_whitelist , how do I find out which one?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2007-10-22 at 11:46 -0400, Andrew Xiang wrote:
> I have many users in the whitelist_from in the local.cf.
> When I get forwarded spam email like this, how do I find which one it
> matched? Which FROM entry is it actually looking at?

See the section Whitelist and Blacklist options in the docs.
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

You'll also find a recommendation not to use whitelist_from, and what to
use instead.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Would PersistentPerl Help?

Posted by Matt Kettler <mk...@verizon.net>.
gordan@bobich.net wrote:
> Would using PersistentPerl in a setup where SpamAssassin is used with
> MailScanner help speed it up? I tried it, but couldn't spot a huge
> difference.
>
> Gordan
>
No, it would not help with MailScanner.

MailScanner loads the SA perl API directly into its own persistent
process, and keeps it running for quite a while (the exact reload
interval depends on your MailScanner.conf)

In effect, MailScanner acts as its own spamd.

The only thing that could benefit from PersistentPerl would be the
"spamassassin" command-line script, and anyone using that should switch
to spamc/spamd instead.

And what's this got to do with user_in_whitelist?

hint: when making new threads, don't reply. Threaded mail readers will
bury your message under the one you replied to. Changing the subject
doesn't make it a new thread, because it contains:

In-reply-to: <13...@ds.mot.com>

Which is a message about the user_in_whitelist option.



Re: Would PersistentPerl Help?

Posted by Jari Fredriksson <ja...@iki.fi>.
> Would using PersistentPerl in a setup where SpamAssassin
> is used with MailScanner help speed it up? I tried it,
> but couldn't spot a huge difference.
> 
> Gordan

I doubt it. I don't know about MailScanner, but spamd itself, and Amavis for example are persistent processes; which I think MailScanner is too.

pperl does not help those solutions.



Would PersistentPerl Help?

Posted by go...@bobich.net.
Would using PersistentPerl in a setup where SpamAssassin is used with 
MailScanner help speed it up? I tried it, but couldn't spot a huge 
difference.

Gordan

Re: user_in_whitelist , how do I find out which one?

Posted by Matt Kettler <mk...@verizon.net>.
Andrew Xiang wrote:
> I have many users in the whitelist_from in the local.cf.
> When I get forwarded spam email like this, how do I find which one it
> matched?
If you want to know for sure, you can run it through spamassassin -D and
wade through the debug output.


My guess is you've got a whitelist_from *@gratingworks.com or
whitelist_from *@xphotonics.com that's matching.
> Which FROM entry is it actually looking at?
Well, it's looking at "all" of them. SpamAssassin will dig for any hints
at the envelope sender, as well as the normal From: header. It's going
to be looking at the embedded envelope-from's in the Received: headers,
as well as the From: header.

In particular, the list for this message could be:

lian@gratingworks.com vepe@gratings.co.za lian@xphotonics.com

Depending on what hosts SA is set to trust.

My guess is you've got a whitelist_from *@gratingworks.com or
whitelist_from *@xphotonics.com that's matching.

Don't use plain whitelist_from's unless you can't avoid it. Where
possible, use whitelist_from_rcvd or whitelist_from_spf instead.
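
Added example (not part of any post in this thread, and not SpamAssassin's own code): a small Python audit that lists which whitelist_from glob matches which candidate sender address, covering the From: header and the envelope-from notes in Received: headers as described in the reply above. It ignores which relays are trusted, so it shows every address that could trigger the hit; the local.cf lines and friend@example.org are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, cut down from the thread's headers and the addresses in the reply.
SAMPLE = """\
Received: from xphotonics.com (localhost [127.0.0.1])
 by xphotonics.com with ESMTP
 (envelope-from lian@xphotonics.com)
Received: (from lian@localhost) by xphotonics.com
 (envelope-from lian)
Received: from 029ae8f252bf4ac (84pavel.dialup.corbina.ru [85.21.237.209])
 by xphotonics.com with SMTP
 (envelope-from vepe@gratings.co.za)
From: VIAGRA Official Site <lian@gratingworks.com>

body
"""

# Hypothetical local.cf lines; the thread only guesses at the real entries.
LOCAL_CF = """\
whitelist_from friend@example.org   # constructed entry
whitelist_from *@gratingworks.com *@xphotonics.com
"""

def whitelist_patterns(conf):
    """Collect every pattern from whitelist_from lines, ignoring comments."""
    words = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return [p for w in words if w and w[0] == "whitelist_from" for p in w[1:]]

def glob_to_regex(glob):
    """whitelist_from globs: only * and ? are wildcards, the rest is literal."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile("".join(parts), re.IGNORECASE)

def candidate_senders(raw):
    """From: addresses plus envelope-from notes embedded in Received: headers."""
    msg = message_from_string(raw)
    found = [("From:", a) for _, a in getaddresses(msg.get_all("From", []))]
    for rcvd in msg.get_all("Received", []):
        # Bare local names such as "(envelope-from lian)" carry no domain: skipped.
        for a in re.findall(r"\(envelope-from\s+<?([^\s<>()@]+@[^\s<>()@]+)>?\)", rcvd):
            found.append(("Received: envelope-from", a))
    return found

def whitelist_hits(raw, conf):
    """Return (pattern, where, address) for every whitelist entry that matches."""
    return [(p, where, a) for p in whitelist_patterns(conf)
            for where, a in candidate_senders(raw) if glob_to_regex(p).fullmatch(a)]
```

Calling whitelist_hits(SAMPLE, LOCAL_CF) reports both wildcard entries as matching; spamassassin -D remains the authoritative way to see which one SpamAssassin itself used.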