You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by peter pilsl <pi...@goldfisch.at> on 2007/12/11 14:42:41 UTC

AWL giving me a headache


I use AWL and now I've got a user whos mail all get marked as spam cause
AWL give it a extra score

X-Spam-Report:
        * -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
        * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
        *      [score: 0.0000]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  9.6 AWL AWL: From: address is in the auto white-list

I understand the reason for that: The user is marked in the AWL with a
high spamscore (whyever) and now sends a low-score mail and AWL kicks in
to correct.

But now I tried to check in deeper and used check_whitelist (which is
part of newer spamassassin-versions. Why?)  to examine my huge
autowhitelist:

There I see 138 of entries for that users emailadress. All paired with a
IP and most only from one or two emails and having a really high score
(>20). Seems like the users adress is often used as faked sender for spam.
And there is one entry for that user that has a low score based on many
mails. This is the "real" user. Sending a lot of low-scored mails from a
single ip-adress.

    <skipped load of high-score singlemailbased entries>
    24.6        (24.6/1)  --  user@domain.net|ip=86.138
    27.5        (27.5/1)  --  user@domain.net|ip=85.102
    16.7        (16.7/1)  --  user@domain.net|ip=85.105
    19.8        (19.8/1)  --  user@domain.net|ip=85.49
    20.7        (20.7/1)  --  user@domain.net|ip=85.130
    18.9        (18.9/1)  --  user@domain.net|ip=62.118
    -1.7    (-699.1/402)  --  user@domain.net|ip=85.126
    15.5        (15.5/1)  --  user@domain.net|ip=212.25
    17.2        (17.2/1)  --  user@domain.net|ip=78.162
    22.9        (22.9/1)  --  user@domain.net|ip=212.120
    22.9        (45.8/2)  --  user@domain.net|ip=85.141
    25.0        (25.0/1)  --  user@domain.net|ip=85.140
    23.2        (23.2/1)  --  user@domain.net|ip=190.95
    28.4        (28.4/1)  --  user@domain.net|ip=66.232
    25.9        (25.9/1)  --  user@domain.net|ip=80.252
     8.9         (8.9/1)  --  user@domain.net|ip=80.250
    18.2        (18.2/1)  --  user@domain.net|ip=62.148
    <skipped load of high-score singlemailbased entries>


I mean : to me as human its quite ununderstandable why spamassassin-AWL
punishes a mail from user@domain.net|ip=85.126 with an extrascore of 9.8
if the average-score for this mail/ip-combination is -1.7 in AWL ??

additionally I didnt find any manpage to check_whitelist or any
information what the clean and -n flags do and why this tool is not
included in version 3.2.2 any more?

thnx for your help,
peter





-- 
mag. peter pilsl - goldfisch.at
IT-Consulting
Tel: +43-650-3574035
Tel: +43-1-8900602
Fax: +43-1-8900602-15
skype: peter.pilsl
pilsl@goldfisch.at
www.goldfisch.at