Posted to users@spamassassin.apache.org by "Martin G. Diehl" <md...@nac.net> on 2005/05/07 16:01:45 UTC

SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Greetings,

I am seeing some SpamAssassin eMail messages flagged as SPAM.

That's probably not unusual, given the nature of our discussions and
especially because we quote actual SPAM examples within our messages.

I know that someone is going to say, "whitelist" ...

The settings for my profile include

	Allowed Email Addresses

	users@spamassassin.apache.org
	dev@spamassassin.apache.org

For the most part, that works ... with only ~ 1% getting flagged as SPAM.

I don't know exactly which package is doing the whitelist filtering, nor
how that is integrated with the SpamAssassin scanning.

In the example quoted here, I think these are the applicable headers ...

     Return-Path: <us...@spamassassin.apache.org>

     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000

     From: "martin smith" <ma...@ntlworld.com>
     To: "'Rakesh'" <ra...@netcore.co.in>,
        "Spamassassin" <us...@spamassassin.apache.org>

My 4 questions ...

(1) is it customary for a whitelist test to be done _only_ on the
     address in the 'From:' header?

(2) OR should a whitelist test be done on all of the addresses in any of
     these headers ...

	'Return-Path:', 'Received:', 'From:', 'To:' ... ?

(3) could the whitelist failure be caused by

	"Spamassassin" <us...@spamassassin.apache.org>

     appearing as the _second_ 'To:' address?

Something else that troubles me about this eMail example ...

     X-Spam-Report:
           *  1.1 FORGED_RCVD_HELO Received: contains a forged HELO

... even though this looks OK ...

     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000

OTOH, 209.237.227.199 resolves to mail.apache.org ... and
       spamassassin.apache.org resolves to 209.237.227.199

(4) could that cause the whitelist failure?

Anything else I should consider?

Thanks for listening.

Here are all of the headers and the message text ...

> From - Sat May 07 08:28:31 2005
> X-UIDL: 1115462268.M554851P37120.mx3.oct
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Return-Path: <us...@spamassassin.apache.org>
> Delivered-To: mdiehl@nac.net
> Received: (qmail 37070 invoked by uid 0); 7 May 2005 10:37:36 -0000
> Received: from 209.237.227.199 by mx3.oct (envelope-from <us...@spamassassin.apache.org>, uid 0) with qmail-scanner-1.25 
>  (uvscan: v4.2.40/v4295. sophie: 2.14/3.73. f-prot: 4.1.1/3.13.4. spamassassin: 2.60-cvs.  
>  Clear:RC:0(209.237.227.199):. 
>  Processed in 0.188536 secs); 07 May 2005 10:37:36 -0000
> X-Qmail-Scanner-Mail-From: users-return-26818-mdiehl=nac.net@spamassassin.apache.org via mx3.oct
> X-Qmail-Scanner: 1.25 (Clear:RC:0(209.237.227.199):. Processed in 0.188536 secs)
> Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>   by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
> Received: (qmail 61841 invoked by uid 500); 7 May 2005 10:40:04 -0000
> Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
> Precedence: bulk
> list-help: <ma...@spamassassin.apache.org>
> list-unsubscribe: <ma...@spamassassin.apache.org>
> List-Post: <ma...@spamassassin.apache.org>
> List-Id: <users.spamassassin.apache.org>
> Delivered-To: mailing list users@spamassassin.apache.org
> Received: (qmail 61826 invoked by uid 99); 7 May 2005 10:40:04 -0000
> X-ASF-Spam-Status: No, hits=0.0 required=10.0
> 	tests=
> Received-SPF: pass (hermes.apache.org: domain of marti@ntlworld.com designates 212.250.162.17 as permitted sender)
> Received: from smtpout17.mailhost.ntl.com (HELO mta09-winn.mailhost.ntl.com) (212.250.162.17)
>   by apache.org (qpsmtpd/0.28) with ESMTP; Sat, 07 May 2005 03:40:04 -0700
> Received: from aamta04-winn.mailhost.ntl.com ([212.250.162.8])
>           by mta09-winn.mailhost.ntl.com with ESMTP
>           id <20...@aamta04-winn.mailhost.ntl.com>
>           for <us...@spamassassin.apache.org>;
>           Sat, 7 May 2005 11:37:05 +0100
> Received: from marti.mine.nu ([81.106.206.105])
>           by aamta04-winn.mailhost.ntl.com with ESMTP
>           id <20...@marti.mine.nu>
>           for <us...@spamassassin.apache.org>;
>           Sat, 7 May 2005 11:37:05 +0100
> Received: from p42000 (martin [192.168.1.98])
> 	by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id j47AawRY014071;
> 	Sat, 7 May 2005 11:36:58 +0100
> From: "martin smith" <ma...@ntlworld.com>
> To: "'Rakesh'" <ra...@netcore.co.in>,
>    "Spamassassin" <us...@spamassassin.apache.org>
> Subject: *****SPAM***** RE: Way to evade URI checks
> Date: Sat, 7 May 2005 11:37:00 +0100
> Message-ID: <!~...@ntlworld.com>
> MIME-Version: 1.0
> Content-Type: text/plain;
> 	charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
> Thread-Index: AcVS0HY4PWTqQht5TSKWb96NwD4Y8QAH9gAg
> In-Reply-To: <42...@netcore.co.in>
> X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
> X-Virus-Checked: Checked
> X-Spam-Prev-Subject: RE: Way to evade URI checks
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on spamd1.oct
> X-Spam-Level: ************
> X-Spam-PrefsFile: nac.net/mdiehl
> X-Spam-Status: Yes, score=12.7 required=4.7 tests=FORGED_RCVD_HELO,
> 	RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_OB_SURBL,URIBL_SBL,
> 	URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.0.2
> X-Spam-Report: 
> 	*  1.1 FORGED_RCVD_HELO Received: contains a forged HELO
> 	*  2.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
> 	*      [cf: 100]
> 	*  1.1 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 	*  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
> 	*      [URIs: coolestrxever.com]
> 	*  0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> 	*      [URIs: coolestrxever.com]
> 	*  2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> 	*      [URIs: coolestrxever.com]
> 	*  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
> 	*      [URIs: coolestrxever.com]
> 
> M>-----Original Message-----
> M>From: Rakesh [mailto:rakesh@netcore.co.in] 
> M>Sent: 07 May 2005 07:41
> M>To: zones@lists.surbl.org; users@spamassassin.apache.org
> M>Subject: Way to evade URI checks
> M>
> M>Seems Spammers have found a way to evade the URI checks
> M>
> M>the domain coolestrxever.com is listed in multi.surbl.org. 
> M>But the spammers managed to evade the URI checks by 
> M>appending special characters at the end of the url which are 
> M>happily allowed by the browsers.
> M>
> M>The spam that I received had
> M>
> M>http://www.coolestrxever.com: (a colon at the end of the url)
> M>
> M>After a bit of R&D I found the other options for spammers to 
> M>carry this technique
> M>
> M>http://www.coolestrxever.com; (a semicolon) 
> M>http://www.coolestrxever.com, (a comma) 
> M>http://www.coolestrxever.com. (a fullstop) 
> M>http://www.coolestrxever.com? (a question mark)
> M>
> M>With all these special characters at the end of url, URI 
> M>checks tries to make lookup as
> M>
> M>debug: querying for coolestrxever.com:.sc.surbl.org
> M>
> M>End result, passed the promising URI checks.
> M>
> M>I am seeing the first of its kind of spam. If any version of 
> M>Spamassassin fixes this in its URI retrieval program please 
> M>let me know
> M>
> M>--
> There is a fix for these in the bugzilla, came in correctly caught by SURBL
> here, using 3.0.2.
> There are two fixes I have applied and they seem to catch the URL split over
> lines too, not sure if these are included in 3.0.3, I suspect this one is.
> 
> Martin

--
Martin G. Diehl
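
The lookup failure described in the quoted message (`coolestrxever.com:.sc.surbl.org`), shown next to a normalised lookup name. This is an added example, not part of the original post and not SpamAssassin's own code; the function names are hypothetical, the body text is constructed from the URL forms listed above, and taking the last two labels as the registered domain is a simplifying assumption.

```python
import re

# Constructed body text using the URL forms listed in the quoted message.
BODY = """\
http://www.coolestrxever.com: http://www.coolestrxever.com;
http://www.coolestrxever.com, http://www.coolestrxever.com.
http://www.coolestrxever.com? http://www.coolestrxever.com/x
"""

# Authority part of a URL: everything after the scheme up to "/" or whitespace.
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def clean_host(authority):
    """Reduce a URL authority to a bare hostname, or None if it is not one."""
    host = authority.lower()
    host = re.split(r"[?#]", host, maxsplit=1)[0]  # query/fragment glued to host
    host = host.rsplit("@", 1)[-1]                 # drop userinfo
    host = re.sub(r":\d*$", "", host)              # drop port, even an empty "host:"
    host = host.rstrip(".,;:!)")                   # trailing sentence punctuation
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return host


def registered_domain(host):
    # Assumption: last two labels. A real client consults a list of
    # two-level TLDs before deciding how many labels to keep.
    return ".".join(host.split(".")[-2:])


def surbl_queries(text, zone="sc.surbl.org", clean=True):
    """Return the DNS names that would be queried for the URLs in text."""
    names = []
    for match in URL_RE.finditer(text):
        authority = match.group(1)
        host = clean_host(authority) if clean else authority.lower()
        if host is None:
            continue
        name = f"{registered_domain(host)}.{zone}"
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    print("without normalisation:")
    for name in surbl_queries(BODY, clean=False):
        print("  ", name)
    print("with normalisation:")
    for name in surbl_queries(BODY):
        print("  ", name)
```

Without normalisation each punctuation variant produces a different, unlisted query name; with it, all six URLs collapse to the single listed name.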



Re: *****SPAM***** SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by "Martin G. Diehl" <md...@nac.net>.
Martin G. Diehl wrote:

Thanks to everyone who responded ... you helped me think it through.

> Greetings,
> 
> I am seeing some SpamAssassin eMail messages flagged as SPAM.
> 
> That's probably not unusual, given the nature of our discussions and
> especially because we quote actual SPAM examples within our messages.

OTOH, try to visualize the congress critters trying (and failing) to
discuss 'int3rn3t p0rn' <g> without using any 'bad words' (TM).  LOL

> I know that someone is going to say, "whitelist" ...
> 
> The settings for my profile include
> 
>     Allowed Email Addresses
> 
>     users@spamassassin.apache.org
>     dev@spamassassin.apache.org

I even added *@spamassassin.apache.org and I am still seeing whitelist
eMail giving false positives in SPAMassassin.

> For the most part, that works ... with only ~ 1% getting flagged as SPAM.
> 
> I don't know exactly which package is doing the whitelist filtering, nor
> how that is integrated with the SpamAssassin scanning.

I was able to reach the eMail+QA administrator and discuss this issue ...
using one of today's misfires ... it seemed to be caused by the SPAMassassin
address being the 2nd address in the 'To:' not being checked against my
whitelist.  ... will be referred to their programmer.

> In the example quoted here, I think these are the applicable 
> headers ...
> 
>     Return-Path: <us...@spamassassin.apache.org>
> 
>     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
> 
>     From: "martin smith" <ma...@ntlworld.com>
>     To: "'Rakesh'" <ra...@netcore.co.in>,
>        "Spamassassin" <us...@spamassassin.apache.org>
> 
> My 4 questions ...

[snip]

(1) and (2) seemed not to be a factor.

> (3) could the whitelist failure be caused by
> 
>     "Spamassassin" <us...@spamassassin.apache.org>
> 
>     appearing as the _second_ 'To:' address?

Seems to be this form of addresses and how they are checking.

> Something else that troubles me about this eMail example ...
> 
>     X-Spam-Report:
>           *  1.1 FORGED_RCVD_HELO Received: contains a forged HELO
> 
> ... even though this looks OK ...
> 
>     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
>       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
> 
> OTOH, 209.237.227.199 resolves to mail.apache.org ... and
>       spamassassin.apache.org resolves to 209.237.227.199
> 
> (4) could that cause the whitelist failure?

will ask them again in a few days.

> Anything else I should consider?
> 
> Thanks for listening.
> 
> Here are all of the headers and the message text ...

--
Martin G. Diehl
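
The difference between checking only the first 'To:' address and checking every recipient address, plus the List-Id match suggested elsewhere in this thread. This is an added example, not part of the original posts and not the provider's code; the function names are hypothetical, the first-address-only check is an assumption modelling the behaviour the administrator suspected, and the sample message is constructed with placeholder addresses because the archive truncates the real ones.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Constructed message shaped like the one in the thread: the list address
# is the second entry of a folded To: header.
SAMPLE = """\
List-Id: <users.spamassassin.apache.org>
From: "poster" <poster@example.com>
To: "'Someone'" <someone@example.org>,
   "Spamassassin" <users@spamassassin.apache.org>
Subject: RE: Way to evade URI checks

body text
"""

MSG = message_from_string(SAMPLE)

# The "Allowed Email Addresses" from the first post.
ALLOWED = ["users@spamassassin.apache.org", "dev@spamassassin.apache.org"]


def addr_specs(msg, header):
    """Every address in every occurrence of header, lowercased."""
    pairs = getaddresses(msg.get_all(header, []))
    return [addr.lower() for _name, addr in pairs if addr]


def is_allowed(addr, patterns):
    """Match against exact addresses or globs such as *@spamassassin.apache.org."""
    return any(fnmatchcase(addr, pattern.lower()) for pattern in patterns)


def check_first_to_only(msg, patterns):
    """Assumed faulty check: looks at the first To: address and nothing else."""
    to = addr_specs(msg, "To")
    return bool(to) and is_allowed(to[0], patterns)


def check_all_recipients(msg, patterns):
    """Checks every address in To: and Cc:, whatever its position."""
    return any(
        is_allowed(addr, patterns)
        for header in ("To", "Cc")
        for addr in addr_specs(msg, header)
    )


def check_list_id(msg, list_ids):
    """Matches the identifier inside <...> of List-Id against known lists."""
    found = re.search(r"<([^<>]+)>\s*$", msg.get("List-Id", ""))
    return bool(found) and found.group(1).lower() in list_ids


if __name__ == "__main__":
    print("To addresses:     ", addr_specs(MSG, "To"))
    print("first To only:    ", check_first_to_only(MSG, ALLOWED))
    print("all recipients:   ", check_all_recipients(MSG, ALLOWED))
    print("List-Id match:    ", check_list_id(MSG, {"users.spamassassin.apache.org"}))
```

To: and List-Id are both written by the sending side, so a match is a sorting hint rather than proof that the mail came through the list.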


Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by Joshua Tinnin <kr...@spymac.com>.
On Sun 8 May 05 18:46, "Thomas Cameron" <th...@camerontech.com> 
wrote:
> > so I whitelist on:
> > List-Id: <users.spamassassin.apache.org>
>
> Do you mind posting the exact syntax in your local.cf to do this?

Well, I think Loren answered it, but I tend to use other filtering tools 
to deal with that, so in procmail, I'd do something like:

:0:
* ^List-Id:.*users\.spamassassin\.apache\.org
SpamAssassin-users

This would be before the email passed through SpamAssassin and put it in 
the folder SpamAssassin-users. Or, if you wanted to catch all the cc 
replies too, use:

# One condition: List-Id of the list OR the list address in a destination header
:0:
* ^List-Id:.*users\.spamassassin\.apache\.org|\
  ^TO_users@spamassassin\.apache\.org
SpamAssassin-users

- jt

Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by "Martin G. Diehl" <md...@nac.net>.
Thomas Cameron wrote:

>> so I whitelist on: List-Id: <users.spamassassin.apache.org>  
> 
> Do you mind posting the exact syntax in your local.cf to do this?

All that I was able to find out is that it is local coding and is part
of the user login.

> Thanks!
> Thomas

-- 
Martin G. Diehl


Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by Loren Wilton <lw...@earthlink.net>.
> > so I whitelist on:
> > List-Id: <users.spamassassin.apache.org>
>
> Do you mind posting the exact syntax in your local.cf to do this?

Don't know about the OP's, but mine is

header  WHITELIST_SA   List-Id =~ /(?:dev|users)\.spamassassin\.apache\.org/i
describe WHITELIST_SA   SA List
score  WHITELIST_SA   -100

You can simplify that a bit if you aren't on the dev list.

If the line wraps, there are NO SPACES in the regex.

        Loren

Of course, the better way to do this is not let the list mail get to SA in
the first place.


Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by Thomas Cameron <th...@camerontech.com>.
> so I whitelist on: 
> List-Id: <users.spamassassin.apache.org>  

Do you mind posting the exact syntax in your local.cf to do this?

Thanks!
Thomas

Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by Joshua Tinnin <kr...@spymac.com>.
Sorry it took a while ...

On Sat 7 May 05 16:23, "Martin G. Diehl" <md...@nac.net> wrote:
> Joshua Tinnin wrote:
>
> [thanks for your response]
>
>  > On Sat 7 May 05 07:01, "Martin G. Diehl" <md...@nac.net> wrote:
>  >>Greetings,
>  >>
>  >>I am seeing some SpamAssassin eMail messages flagged as SPAM.
>  >>
>  >>That's probably not unusual, given the nature of our discussions
>  >> and especially because we quote actual SPAM examples within our
>  >> messages.
>  >>
>  >>I know that someone is going to say, "whitelist" ...
>  >
>  > <snip>
>  >
>  >>(1) is it customary for a whitelist test to be done _only_ on the
>  >>     address in the 'From:' header?
>  >>
>  >>(2) OR should a whitelist test be done on all of the addresses in
>  >> any of these headers ...
>  >>
>  >>	'Return-Path:', 'Received:', 'From:', 'To:' ... ?
>  >
>  > I whitelist on:
>  >
>  > List-Id: <users.spamassassin.apache.org>
>  >
>  > I use KMail to whitelist using its filters, but something similar
>  > is possible with procmail, meaning the mail from the list never
>  > even touches SpamAssassin - it gets filtered before it hits SA.
>  > IOW, you don't have to use SA's whitelist. I don't for practical
>  > reasons - I find it better to spread out the load and have
>  > something else perform whitelisting, much as blocklists at the
>  > server level do rather than through SA.
>
> I was hoping to learn ...
>
> (a) the 'standard' way to apply a whitelist ... item (1) or (2),
> above

Well, whitelisting is simply diverting email from being classified as 
spam. It doesn't much matter how you do it, except in terms of 
functionality in your situation. As far as what's standard, I don't 
rightly know (is there one?), but I find it best to whitelist on 
headers that are unique to that type of email. In the case of email 
lists, there is usually some non-standard header inserted. This list 
uses List-Id, which is relatively common on email lists (as it greatly 
simplifies filtering, such as whitelisting), so I whitelist on: 
List-Id: <users.spamassassin.apache.org>. It simply works, though I 
don't really think about it being a non-standard way to whitelist. I've 
been doing that for many years.

> (b) or if the original addressing was leading to the whitelist false
> negative

To be honest, I don't know. I don't have enough experience tinkering 
with SA's whitelist.

> Here are some of the headers from the original message in that thread
> ...
>
>  >> Date: Sat, 07 May 2005 12:10:53 +0530
>  >> From: Rakesh <ra...@netcore.co.in>
>  >> To: "zones@lists.surbl.org" <zo...@lists.surbl.org>,
>  >> 	users@spamassassin.apache.org
>  >> Subject: Way to evade URI checks
>
> Note that 'users@spamassassin' is the second address.  ... Not that
> anything as trivial as the sequence of addresses should matter <g>
> ... OTOH (silly) questions like mine, which challenge an obvious good
> assumption _do_ find bugs on occasion.
>
> (c) In addition, as I said in my original message,
>
>  >> Something else that troubles me about this eMail example ...
>  >>
>  >>     X-Spam-Report:
>  >>           *  1.1 FORGED_RCVD_HELO Received: contains a forged
>  >> HELO
>  >>
>  >> ... even though this looks OK ...
>  >>
>  >>     Received: from unknown (HELO mail.apache.org)
>  >> (209.237.227.199) by rbl-mx3.oct.nac.net with SMTP; 7 May 2005
>  >> 10:37:36 -0000
>  >>
>  >> OTOH, 209.237.227.199 resolves to mail.apache.org ... and
>  >>       spamassassin.apache.org resolves to 209.237.227.199

Don't worry about that forged HELO. Happens a lot. Most of my ham has 
that.

Can't seem to find it now, but did you say this SA setup was on a host 
you don't control? Like, are you an email user on a system with SA, not 
the admin? Maybe thinking of someone else ...

- jt

Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by "Martin G. Diehl" <md...@nac.net>.
Joshua Tinnin wrote:

[thanks for your response]

 > On Sat 7 May 05 07:01, "Martin G. Diehl" <md...@nac.net> wrote:
 >
 >>Greetings,
 >>
 >>I am seeing some SpamAssassin eMail messages flagged as SPAM.
 >>
 >>That's probably not unusual, given the nature of our discussions and
 >>especially because we quote actual SPAM examples within our messages.
 >>
 >>I know that someone is going to say, "whitelist" ...
 >
 > <snip>
 >
 >>(1) is it customary for a whitelist test to be done _only_ on the
 >>     address in the 'From:' header?
 >>
 >>(2) OR should a whitelist test be done on all of the addresses in any
 >>    of these headers ...
 >>
 >>	'Return-Path:', 'Received:', 'From:', 'To:' ... ?
 >
 > I whitelist on:
 >
 > List-Id: <users.spamassassin.apache.org>
 >
 > I use KMail to whitelist using its filters, but something similar is
 > possible with procmail, meaning the mail from the list never even
 > touches SpamAssassin - it gets filtered before it hits SA. IOW, you
 > don't have to use SA's whitelist. I don't for practical reasons - I
 > find it better to spread out the load and have something else perform
 > whitelisting, much as blocklists at the server level do rather than
 > through SA.
 >
 > - jt

I was hoping to learn ...

(a) the 'standard' way to apply a whitelist ... item (1) or (2), above

(b) or if the original addressing was leading to the whitelist false negative

Here are some of the headers from the original message in that thread ...

 >> Date: Sat, 07 May 2005 12:10:53 +0530
 >> From: Rakesh <ra...@netcore.co.in>
 >> To: "zones@lists.surbl.org" <zo...@lists.surbl.org>,
 >> 	users@spamassassin.apache.org
 >> Subject: Way to evade URI checks

Note that 'users@spamassassin' is the second address.  ... Not that
anything as trivial as the sequence of addresses should matter <g> ...
OTOH (silly) questions like mine, which challenge an obvious good
assumption _do_ find bugs on occasion.

(c) In addition, as I said in my original message,

 >> Something else that troubles me about this eMail example ...
 >>
 >>     X-Spam-Report:
 >>           *  1.1 FORGED_RCVD_HELO Received: contains a forged HELO
 >>
 >> ... even though this looks OK ...
 >>
 >>     Received: from unknown (HELO mail.apache.org) (209.237.227.199)
 >>       by rbl-mx3.oct.nac.net with SMTP; 7 May 2005 10:37:36 -0000
 >>
 >> OTOH, 209.237.227.199 resolves to mail.apache.org ... and
 >>       spamassassin.apache.org resolves to 209.237.227.199

--
Martin

Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org

Posted by Joshua Tinnin <kr...@spymac.com>.
On Sat 7 May 05 07:01, "Martin G. Diehl" <md...@nac.net> wrote:
> Greetings,
>
> I am seeing some SpamAssassin eMail messages flagged as SPAM.
>
> That's probably not unusual, given the nature of our discussions and
> especially because we quote actual SPAM examples within our messages.
>
> I know that someone is going to say, "whitelist" ...

<snip>

> (1) is it customary for a whitelist test to be done _only_ on the
>      address in the 'From:' header?
>
> (2) OR should a whitelist test be done on all of the addresses in any
> of these headers ...
>
> 	'Return-Path:', 'Received:', 'From:', 'To:' ... ?

I whitelist on:

List-Id: <users.spamassassin.apache.org>

I use KMail to whitelist using its filters, but something similar is 
possible with procmail, meaning the mail from the list never even 
touches SpamAssassin - it gets filtered before it hits SA. IOW, you 
don't have to use SA's whitelist. I don't for practical reasons - I 
find it better to spread out the load and have something else perform 
whitelisting, much as blocklists at the server level do rather than 
through SA.

- jt