You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Joe Acquisto-j4 <jo...@j4computers.com> on 2015/06/24 22:05:32 UTC
whitelisted email address got scanned and marked up
I am off site so cannot provide more details, but, basically, a smooth running SA with a white listed email address, that has worked fine, ie, being let thru
without muss or fuss, decided to scan one email from that address, anyway. And of course it got marked up and marked as possible SPAM.
It's odd, as that particular one was sent about 12 minutes after one that came thru unscathed, as have several others, since white listing. The emails were virtually identical containing a PDF attachment, revised in the second (marked) one, and some text changes indicating there were changes to the PDF.
Anything leap out? Other than I should provide more details?
Re: whitelisted email address got scanned and marked up
Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>> On 6/25/2015 at 7:15 PM, RW <rw...@googlemail.com> wrote:
> On Wed, 24 Jun 2015 20:47:07 -0400
> Joe Acquisto-j4 wrote:
>
>> Thanks. I don't feel comfortable doing pastebin with this particular
>> email. Anyway, I found I left out underscore in whitelist_from.
>>
>> To continue my dumbo routine, how can I re-submit this email to
>> test?
>
> What you should be doing is running:
>
> spamassassin --lint
>
> to detect syntax errors. For global configuration and rules you can
> run it as any unix user.
Actually, I used to do that. Until I became complacent . . . err,
Until my data entry skills became infallible. Ahem.
Re: whitelisted email address got scanned and marked up
Posted by RW <rw...@googlemail.com>.
On Wed, 24 Jun 2015 20:47:07 -0400
Joe Acquisto-j4 wrote:
> Thanks. I don't feel comfortable doing pastebin with this particular
> email. Anyway, I found I left out underscore in whitelist_from.
>
> To continue my dumbo routine, how can I re-submit this email to
> test?
What you should be doing is running:
spamassassin --lint
to detect syntax errors. For global configuration and rules you can
run it as any unix user.
Re: whitelisted email address got scanned and marked up
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 6/24/2015 8:47 PM, Joe Acquisto-j4 wrote:
> Thanks. I don't feel comfortable doing pastebin with this particular
> email. Anyway, I found I left out underscore in whitelist_from.
That would do it ;-)
Regards,
KAM
Re: whitelisted email address got scanned and marked up
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Thu, 25 Jun 2015, Joe Acquisto-j4 wrote:
>>>> On 6/24/2015 at 8:54 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>> Am 25.06.2015 um 02:47 schrieb Joe Acquisto-j4:
>>> Thanks. I don't feel comfortable doing pastebin with this particular email.
>> Anyway, I found I left out underscore in whitelist_from.
>>>
>>> To continue my dumbo routine, how can I re-submit this email to test? The
>> sender has closed shop for the day. I thought there might be a way to
>> "resend" this on my own, by feeding the message into SA, but have come up dry
>> in searches. So maybe I'm off track on that. Par for the course lately.
>>
>> save the mail as eml-file and just spass it through spamc
>
> Thanks. I could not get it to actually deliver the message, but I could see it noted that the address was in white list. I took that as "good enough for now".
"spamc" is a tool to feed messages just into SA for scoring, not to feed them
into your mail system for delivery. Usually spamc (or its functional equivalent)
is used internally in your mail system for scoring messages and then some other
component of your mail system makes delivery/quarantine/discard decisions based
upon the spamc scoring.
So feeding a message directly into spamc lets you test a message for its SA
score with out messing with your mail processing/delivery system.
If you just want to see the message SA score use:
spamc -R < message.eml
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: whitelisted email address got scanned and marked up
Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>> On 6/24/2015 at 8:54 PM, Reindl Harald <h....@thelounge.net> wrote:
> Am 25.06.2015 um 02:47 schrieb Joe Acquisto-j4:
>> Thanks. I don't feel comfortable doing pastebin with this particular email.
> Anyway, I found I left out underscore in whitelist_from.
>>
>> To continue my dumbo routine, how can I re-submit this email to test? The
> sender has closed shop for the day. I thought there might be a way to
> "resend" this on my own, by feeding the message into SA, but have come up dry
> in searches. So maybe I'm off track on that. Par for the course lately.
>
> save the mail as eml-file and just spass it through spamc
Thanks. I could not get it to actually deliver the message, but I could see it noted that the address was in white list. I took that as "good enough for now".
Re: whitelisted email address got scanned and marked up
Posted by Reindl Harald <h....@thelounge.net>.
Am 25.06.2015 um 02:47 schrieb Joe Acquisto-j4:
> Thanks. I don't feel comfortable doing pastebin with this particular email. Anyway, I found I left out underscore in whitelist_from.
>
> To continue my dumbo routine, how can I re-submit this email to test? The sender has closed shop for the day. I thought there might be a way to "resend" this on my own, by feeding the message into SA, but have come up dry in searches. So maybe I'm off track on that. Par for the course lately.
save the mail as eml-file and just spass it through spamc
Re: whitelisted email address got scanned and marked up
Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>> On 6/24/2015 at 6:22 PM, "Kevin A. McGrail" <KM...@PCCC.com> wrote:
> On 6/24/2015 6:18 PM, Joe Acquisto-j4 wrote:
>> Oh, no. Poor wording on my part.
>>
>> The whitelisting is in main.cf. I just expected it would not be subjected
> to being marked as SPAM, due to being whitelisted. That was my
> understanding.
> The user in whitelist rule should equate to a -100 scoring rule if
> memory serves, so it would be very tough to be marked as spam.
>
> What rules did the email hit? Have you double checked the headers that
> the from is formatted exactly the way the whitelist is done?
>
> I would post the headers from the two emails ( you said one was
> whitelisted correctly and one was marked...) on pastebin so people can
> intelligently comment.
>
> Regards,
> KAM
Thanks. I don't feel comfortable doing pastebin with this particular email. Anyway, I found I left out underscore in whitelist_from.
To continue my dumbo routine, how can I re-submit this email to test? The sender has closed shop for the day. I thought there might be a way to "resend" this on my own, by feeding the message into SA, but have come up dry in searches. So maybe I'm off track on that. Par for the course lately.
Re: whitelisted email address got scanned and marked up
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 6/24/2015 6:18 PM, Joe Acquisto-j4 wrote:
> Oh, no. Poor wording on my part.
>
> The whitelisting is in main.cf. I just expected it would not be subjected to being marked as SPAM, due to being whitelisted. That was my understanding.
The user in whitelist rule should equate to a -100 scoring rule if
memory serves, so it would be very tough to be marked as spam.
What rules did the email hit? Have you double checked the headers that
the from is formatted exactly the way the whitelist is done?
I would post the headers from the two emails ( you said one was
whitelisted correctly and one was marked...) on pastebin so people can
intelligently comment.
Regards,
KAM
Re: whitelisted email address got scanned and marked up
Posted by Joe Acquisto-j4 <jo...@j4computers.com>.
>>> On 6/24/2015 at 5:23 PM, John Hardin <jh...@impsec.org> wrote:
> On Wed, 24 Jun 2015, Joe Acquisto-j4 wrote:
>
>> I am off site so cannot provide more details, but, basically, a smooth
>> running SA with a white listed email address, that has worked fine, ie,
>> being let thru without muss or fuss, decided to scan one email from that
>> address, anyway. And of course it got marked up and marked as possible
>> SPAM.
>>
>> It's odd, as that particular one was sent about 12 minutes after one
>> that came thru unscathed, as have several others, since white listing.
>> The emails were virtually identical containing a PDF attachment, revised
>> in the second (marked) one, and some text changes indicating there were
>> changes to the PDF.
>>
>> Anything leap out? Other than I should provide more details?
>
> Your saying "got scanned" and "got marked up" suggests you were not
> expecting the message to go through SA at all due to the whitelisting,
> i.e. the whitelisting is at the glue level rather than within SA itself.
> Is that the case?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
Oh, no. Poor wording on my part.
The whitelisting is in main.cf. I just expected it would not be subjected to being marked as SPAM, due to being whitelisted. That was my understanding.
Re: whitelisted email address got scanned and marked up
Posted by John Hardin <jh...@impsec.org>.
On Wed, 24 Jun 2015, Joe Acquisto-j4 wrote:
> I am off site so cannot provide more details, but, basically, a smooth
> running SA with a white listed email address, that has worked fine, ie,
> being let thru without muss or fuss, decided to scan one email from that
> address, anyway. And of course it got marked up and marked as possible
> SPAM.
>
> It's odd, as that particular one was sent about 12 minutes after one
> that came thru unscathed, as have several others, since white listing.
> The emails were virtually identical containing a PDF attachment, revised
> in the second (marked) one, and some text changes indicating there were
> changes to the PDF.
>
> Anything leap out? Other than I should provide more details?
Your saying "got scanned" and "got marked up" suggests you were not
expecting the message to go through SA at all due to the whitelisting,
i.e. the whitelisting is at the glue level rather than within SA itself.
Is that the case?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you are "fighting for social justice," then you are defining
yourself as someone who considers regular old everyday
*equal* justice to be something you don't want. -- GOF at TSM
-----------------------------------------------------------------------
10 days until the 239th anniversary of the Declaration of Independence