AWL gone crazy

[The Doctor <do...@doctor.nl2k.ab.ca>]

All right why is AWL going to score 30+  when it was told to go to -1000

as in

score AWL -1000

??

-- 
Member - Liberal International	This is doctor@nl2k.ab.ca
Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Point to http://tv.cityonahillproductions.com/ 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: AWL gone crazy

[Benny Pedersen <me...@junc.org>]

On Thu, March 26, 2009 01:22, The Doctor wrote:
> All right why is AWL going to score 30+  when it was told to go to
> -1000 as in
> score AWL -1000

AWL cant be static assigned with score

-- 
http://localhost/ 100% uptime and 100% mirrored :)

Re: {?} Re: {?} Re: AWL gone crazy

[LuKreme <kr...@kreme.com>]

On 26-Mar-2009, at 20:06, Matt Kettler wrote:
> The name "AWL" is misleading and as a member of the SpamAssassin  
> Project
> Management Committee, I can say we've talked about changing it many
> times, mostly because it misleads people such as yourself.


Averaging Weight List

Do it! Come on, you know you want to.

-- 
Wife: Who are you talking to?
Husb: [on phone] Jon
Wife: Aren't you going to talk to me?
Husb: I talked to you at dinner, do I need to talk to you again?

Re: {?} Re: {?} Re: AWL gone crazy

[Matt Kettler <mk...@verizon.net>]

The Doctor wrote:
>
> Key on the word intranet.  This sender is from inside the LAN.
>
> This sender should be score -1000 on the AWL and not +30.
>   
This is 100% wrong. You're fundamentally thinking of the AWL as a
whitelist. Obviously, you've failed to read the wiki.

The AWL is not a whitelist.

Please repeat this out loud 5 times. No really. It's not. Don't think of
it as one.

The name "AWL" is misleading and as a member of the SpamAssassin Project
Management Committee, I can say we've talked about changing it many
times, mostly because it misleads people such as yourself.

Positive AWL scores assigned to nonspam senders, even "intranet" users
is ****NORMAL****!

Provided that the AWL isn't pushing the total score over your
required_score and making them get tagged as spam, this is perfectly
normal and does not mean the AWL thinks the sender is a spammer. Period.

Blank your conceptions about what the AWL is, and read:

http://wiki.apache.org/spamassassin/AwlWrongWay

> Right then spamassassin --remove-addr-from-whitelist
>
> is that spamassassin --remove-addr-from-whitelist <friendly e-mail address>?  
>  
>   
That command deletes the AWL entries for a given sender and erases their
score history.

However, please make sure you get your brain around what the AWL really
is, and how it really works, before mucking around.

Re: AWL gone crazy

[Karsten Bräckelmann <gu...@rudersport.de>]

On Thu, 2009-03-26 at 06:55 -0600, The Doctor wrote:
> On Thu, Mar 26, 2009 at 08:45:46AM -0400, Matt Kettler wrote:

> > > > http://wiki.apache.org/spamassassin/AutoWhitelist
> > http://wiki.apache.org/spamassassin/AwlWrongWay

> Key on the word intranet.  This sender is from inside the LAN.
> 
> This sender should be score -1000 on the AWL and not +30.

Nope. AWL is based on the senders email address, the originating net
block and the past history. That's it. There's no concept of "internal
network" in there.

Since it's generated inside your internal network, ALL_TRUSTED should
fire. Maybe you need to correct your internal and trusted networks
settings.


> Right then spamassassin --remove-addr-from-whitelist
> 
> is that spamassassin --remove-addr-from-whitelist <friendly e-mail address>?  

As per the docs, it is --remove-addr-from-whitelist=addr

Note the equals sign here, and no space. Also its irrelevant if it is a
friendly, hostile or just plain forged address...


Anyway, what was the overall score for that message, and which rules
fired?

What about the past messages scores and hits? You'll need that info to
find out why AWL suddenly "goes crazy". The above is just a quick fix,
though not necessarily a solution.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: {?} Re: {?} Re: AWL gone crazy

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

On 26.03.09 06:55, The Doctor wrote:
> Key on the word intranet.  This sender is from inside the LAN.
> 
> This sender should be score -1000 on the AWL and not +30.

The most important question from Mark was:

>> Well, was the message really low scoring, despite the +30 AWL score?

you didn't answert that, did you?

> Right then spamassassin --remove-addr-from-whitelist
> 
> is that spamassassin --remove-addr-from-whitelist <friendly e-mail address>?  

the poing ot AWL is, if sender usually scores low, (s)he should score low
even if (s)he sends something spammy, and vice versa. The poinit not to
whitelist sender by -1000. The whitelist_from* is for this.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

Re: {?} Re: {?} Re: AWL gone crazy

[The Doctor <do...@doctor.nl2k.ab.ca>]

On Thu, Mar 26, 2009 at 08:45:46AM -0400, Matt Kettler wrote:
> The Doctor wrote:
> > On Wed, Mar 25, 2009 at 10:11:25PM -0400, Matt Kettler wrote:
> >   
> >> The Doctor wrote:
> >>     
> >>> All right why is AWL going to score 30+  when it was told to go to -1000
> >>>
> >>> as in
> >>>
> >>> score AWL -1000
> >>>       
> >> You can't assign static scores to the AWL, this goes against the
> >> definition of what it is. It's score is, by design, dynamic on a
> >> per-message basis. Otherwise it would essentially be adding -1000 to
> >> more-or-less all of your mail, spam or not. The AWL doesn't decide what
> >> to whitelist, it merely decides what score to give based on past
> >> history. If anyone sends you two emails, the second one will always
> >> match the AWL. However, that score might be negative or positive.
> >>
> >> Read up on what the AWL really is, and how it really works:
> >>
> >> http://wiki.apache.org/spamassassin/AutoWhitelist
> >>
> >>
> >>     
> >
> > All right then this is really odd!!!
> >
> > The person has always sent me mail from the intranet no problem.
> >
> > I just updated the perl to 5.10.0 threading
> > and then I am like how did AWL change?
> >  
> Well, was the message really low scoring, despite the +30 AWL score?
> 
> If a sender has an average of -10, and suddenly they send one that
> scores -70, the AWL will add +30, and this is not an indication the AWL
> thinks he's a spammer.
> 
> This could easily happen if you've driven the score of a rule really low.
> 
> http://wiki.apache.org/spamassassin/AwlWrongWay
> 
> 
>
Key on the word intranet.  This sender is from inside the LAN.

This sender should be score -1000 on the AWL and not +30.

Right then spamassassin --remove-addr-from-whitelist

is that spamassassin --remove-addr-from-whitelist <friendly e-mail address>?  
 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 

-- 
Member - Liberal International	This is doctor@nl2k.ab.ca
Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Point to http://tv.cityonahillproductions.com/ 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: {?} Re: AWL gone crazy

[Matt Kettler <mk...@verizon.net>]

The Doctor wrote:
> On Wed, Mar 25, 2009 at 10:11:25PM -0400, Matt Kettler wrote:
>   
>> The Doctor wrote:
>>     
>>> All right why is AWL going to score 30+  when it was told to go to -1000
>>>
>>> as in
>>>
>>> score AWL -1000
>>>       
>> You can't assign static scores to the AWL, this goes against the
>> definition of what it is. It's score is, by design, dynamic on a
>> per-message basis. Otherwise it would essentially be adding -1000 to
>> more-or-less all of your mail, spam or not. The AWL doesn't decide what
>> to whitelist, it merely decides what score to give based on past
>> history. If anyone sends you two emails, the second one will always
>> match the AWL. However, that score might be negative or positive.
>>
>> Read up on what the AWL really is, and how it really works:
>>
>> http://wiki.apache.org/spamassassin/AutoWhitelist
>>
>>
>>     
>
> All right then this is really odd!!!
>
> The person has always sent me mail from the intranet no problem.
>
> I just updated the perl to 5.10.0 threading
> and then I am like how did AWL change?
>  
Well, was the message really low scoring, despite the +30 AWL score?

If a sender has an average of -10, and suddenly they send one that
scores -70, the AWL will add +30, and this is not an indication the AWL
thinks he's a spammer.

This could easily happen if you've driven the score of a rule really low.

http://wiki.apache.org/spamassassin/AwlWrongWay

Re: {?} Re: AWL gone crazy

[Matt Kettler <mk...@verizon.net>]

Benny Pedersen wrote:
> On Thu, March 26, 2009 13:22, The Doctor wrote:
>   
>> All right then this is really odd!!!
>> The person has always sent me mail from the intranet no problem.
>> I just updated the perl to 5.10.0 threading
>> and then I am like how did AWL change?
>>     
>
> spammers begin to use your friends email addr as sender, awl sees this
>
> to fight back, use spf on mta
>
>   
That shouldn't happen, unless your spammers are also using your friends
ISP.. or your trusted_networks is broken.

An AWL entry is defined by two fields. email address, and the top two
bytes of the IP address of the first untrusted host.

So If I send you email, it would be:

mkettler_sa@verizon.net|ip=206.46

206.46.173.7 being the verizon server that my emails goes out over.

If Karsten Braeckelmann (picking another person off the thread) forged
my address, the AWL entry would be this:

mkettler_sa@verizon.net|ip=213.157

Because 213.157.0.165 is Karsten's outbound server.

To the AWL, these are two different senders, with different score
histories. Karsten can forge my address all he likes, and it won't
affect what the AWL thinks of email I send.

Re: {?} Re: AWL gone crazy

[Benny Pedersen <me...@junc.org>]

On Thu, March 26, 2009 13:22, The Doctor wrote:
> All right then this is really odd!!!
> The person has always sent me mail from the intranet no problem.
> I just updated the perl to 5.10.0 threading
> and then I am like how did AWL change?

spammers begin to use your friends email addr as sender, awl sees this

to fight back, use spf on mta

-- 
http://localhost/ 100% uptime and 100% mirrored :)

Re: {?} Re: AWL gone crazy

[The Doctor <do...@doctor.nl2k.ab.ca>]

On Wed, Mar 25, 2009 at 10:11:25PM -0400, Matt Kettler wrote:
> The Doctor wrote:
> > All right why is AWL going to score 30+  when it was told to go to -1000
> >
> > as in
> >
> > score AWL -1000
> 
> You can't assign static scores to the AWL, this goes against the
> definition of what it is. It's score is, by design, dynamic on a
> per-message basis. Otherwise it would essentially be adding -1000 to
> more-or-less all of your mail, spam or not. The AWL doesn't decide what
> to whitelist, it merely decides what score to give based on past
> history. If anyone sends you two emails, the second one will always
> match the AWL. However, that score might be negative or positive.
> 
> Read up on what the AWL really is, and how it really works:
> 
> http://wiki.apache.org/spamassassin/AutoWhitelist
> 
>

All right then this is really odd!!!

The person has always sent me mail from the intranet no problem.

I just updated the perl to 5.10.0 threading
and then I am like how did AWL change?
 
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 

-- 
Member - Liberal International	This is doctor@nl2k.ab.ca
Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Point to http://tv.cityonahillproductions.com/ 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: AWL gone crazy

[Matt Kettler <mk...@verizon.net>]

The Doctor wrote:
> All right why is AWL going to score 30+  when it was told to go to -1000
>
> as in
>
> score AWL -1000

You can't assign static scores to the AWL, this goes against the
definition of what it is. It's score is, by design, dynamic on a
per-message basis. Otherwise it would essentially be adding -1000 to
more-or-less all of your mail, spam or not. The AWL doesn't decide what
to whitelist, it merely decides what score to give based on past
history. If anyone sends you two emails, the second one will always
match the AWL. However, that score might be negative or positive.

Read up on what the AWL really is, and how it really works:

http://wiki.apache.org/spamassassin/AutoWhitelist

Re: AWL gone crazy

[RW <rw...@googlemail.com>]

On Wed, 25 Mar 2009 18:22:46 -0600
The Doctor <do...@doctor.nl2k.ab.ca> wrote:

> All right why is AWL going to score 30+  when it was told to go to
> -1000
> 
> as in
> 
> score AWL -1000

the AWL score is calculated, see the wiki page