Posted to users@spamassassin.apache.org by Nelson Serafica <nt...@gmail.com> on 2008/10/29 10:18:36 UTC

whitelist_from not working

I'm using spamassassin 3.2.5. Now, I have a whitelist_from containing
*@foo.com in my local.cf.

However, there is still 1 email that has been tagged as spam. In my
understanding, if a domain was in whitelist_from, even if it was tagged as
spam, it will be delivered to the recipient. I restart the spamd after I edit
local.cf so it must take effect.

Is this the right way to whitelist? As I check, when using 3.2.5, this is
the right way of whitelisting a domain.

Re: whitelist_from not working

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 29.10.08 17:18, Nelson Serafica wrote:
> I'm using spamassassin 3.2.5. Now, I have a whitelist_from containing
> *@foo.com in my local.cf.
> 
> However, there is still 1 email that has been tagged as spam.

Only one? show the headers or upload it somewhere..

> In my understanding, if a domain was in whitelist_from, even if it was
> tagged as spam, it will be delivered to the recipient.

No, it will have -100 points added, so it should get classified as not spam
(ham). It seems it does not work.

> I restart the spamd after I edit
> local.cf so it must take effect.
> 
> Is this the right way to whitelist? As I check, when using 3.2.5, this is
> the right way of whitelisting a domain.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 

Re: whitelist_from not working

Posted by Henrik K <he...@hege.li>.
On Wed, Oct 29, 2008 at 08:24:25AM -0400, Matt Kettler wrote:
>
> There are some messages you can't whitelist in SA using any other method.
> (ie: when the sender's server doesn't have reverse DNS).

You can use trusted_networks + ALL_TRUSTED to whitelist. Given of course
that there aren't any dynamic IPs in the path.


Re: whitelist_from not working

Posted by Greg Troxel <gd...@ir.bbn.com>.
Jeff Mincy <je...@delphioutpost.com> writes:

>    Agreed. whitelist_from sucks. However, it's there as a method of
>    last-resort. There are some messages you can't whitelist in SA using any
>    other method. (ie: when the sender's server doesn't have reverse DNS).
>    
> Since whitelist_from is spoofable wouldn't it make sense to have
> different scores assigned to whitelist_from and whitelist_from_rcvd?
> Right now if an email is in either you get a hit on USER_IN_WHITELIST,
> which is scored at a -100 by default.  So split out
> USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

I use whitelist_from to be sure I whitelist mail from some people (not
part of my organization).  For those addresses, it's better to get FN on
spam than a single FP.  I don't know what IP addresses they use, and
they keep changing.  So the 'better' whitelist rules won't work.

I have sometimes wanted a way to give a per-rule score for whitelist
entries, instead of a fixed -100.  But not enough to implement it :-)



Re: whitelist_from not working

Posted by Jeff Mincy <je...@delphioutpost.com>.
   From: Matt Kettler <mk...@verizon.net>
   Date: Wed, 29 Oct 2008 08:24:25 -0400
   
   Benny Pedersen wrote:
   > On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
   >
   >   
   >> Is this the right way to whitelist? As I check, when using 3.2.5, this is
   >> the right way of whitelisting a domain.
   >>     
   >
   > the more i hear about whitelist_from the more i want to make a bug on it,
   > whitelist_from should imho never have been implemented
   >   
   Agreed. whitelist_from sucks. However, it's there as a method of
   last-resort. There are some messages you can't whitelist in SA using any
   other method. (ie: when the sender's server doesn't have reverse DNS).
   
Since whitelist_from is spoofable wouldn't it make sense to have
different scores assigned to whitelist_from and whitelist_from_rcvd?
Right now if an email is in either you get a hit on USER_IN_WHITELIST,
which is scored at a -100 by default.  So split out
USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

-jeff

Re: whitelist_from not working

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> >On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
> >>I'm going to suggest again that, given how much pain it causes noobs,
> >>perhaps the use of whitelist_from should generate a lint _warning_ that it
> >>should only be used if no other whitelist method will work...

> On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:
> >The thing with noobs and whitelist_from (according to my experience on 
> >this list) appears to be a lack of reading. I got the impression most of 
> >them just blindly whitelist_from their own domain to be on the safe 
> >side, without any prior investigation and usually without any need.

On 29.10.08 11:15, John Hardin wrote:
> Agreed, and if they aren't reading the documentation carefully enough to 
> see the warnings about using whitelist_from, then they probably aren't 
> running a lint either...
> 
> However, if emitting a warning in lint saves having some "why are spams 
> hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
> worth doing.

Actually, it's completely safe to whitelist some domains, if your MTA does
the SPF check for you, and you expect no fails to pass for those domains...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller

Re: whitelist_from not working

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-10-29 at 11:15 -0700, John Hardin wrote:
> On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:

> > The thing with noobs and whitelist_from (according to my experience on 
> > this list) appears to be a lack of reading. I got the impression most of 
> > them just blindly whitelist_from their own domain to be on the safe 
> > side, without any prior investigation and usually without any need.
> 
> Agreed, and if they aren't reading the documentation carefully enough to 
> see the warnings about using whitelist_from, then they probably aren't 
> running a lint either...
> 
> However, if emitting a warning in lint saves having some "why are spams 
> hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
> worth doing.

I'm not convinced this would help much, for the reason you mention in
your first paragraph. ;)  Also, this would be rather annoying for those
who use it legitimately [1] and know what they are doing.

What I am really wondering about is, *why* they set it in the first
place, and where they found out about this, without actually reading
much documentation.


The funny thing is, that quite a lot of the recent threads regarding
whitelist_from are not asking about spam slipping through, but the
opposite -- they are claiming that whitelisting does *not* work, despite
the setting.

  guenther


[1] Meh, this one was exceptionally hard to spell correctly. ;)

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: whitelist_from not working

Posted by John Hardin <jh...@impsec.org>.
On Wed, 29 Oct 2008, Karsten Bräckelmann wrote:

> On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
>> I'm going to suggest again that, given how much pain it causes noobs,
>> perhaps the use of whitelist_from should generate a lint _warning_ that it
>> should only be used if no other whitelist method will work...
>
> The thing with noobs and whitelist_from (according to my experience on 
> this list) appears to be a lack of reading. I got the impression most of 
> them just blindly whitelist_from their own domain to be on the safe 
> side, without any prior investigation and usually without any need.

Agreed, and if they aren't reading the documentation carefully enough to 
see the warnings about using whitelist_from, then they probably aren't 
running a lint either...

However, if emitting a warning in lint saves having some "why are spams 
hitting USER_IN_WHITELIST??" messages sent to the list, it's probably 
worth doing.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  2 days until Halloween

Re: whitelist_from not working

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
> I'm going to suggest again that, given how much pain it causes noobs, 
> perhaps the use of whitelist_from should generate a lint _warning_ that it 
> should only be used if no other whitelist method will work...

The thing with noobs and whitelist_from (according to my experience on
this list) appears to be a lack of reading. I got the impression most of
them just blindly whitelist_from their own domain to be on the safe
side, without any prior investigation and usually without any need.

I believe some of the recent threads like this clearly showed that SA
has been set up right before that, for the first time, and this is kind
of the very first customization...

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: whitelist_from not working

Posted by John Hardin <jh...@impsec.org>.
On Wed, 29 Oct 2008, Matt Kettler wrote:

> Benny Pedersen wrote:
>
>> the more i hear about whitelist_from the more i want to make a bug on it,
>> whitelist_from should imho never have been implemented
>
> Agreed. whitelist_from sucks. However, it's there as a method of 
> last-resort. There are some messages you can't whitelist in SA using any 
> other method. (ie: when the sender's server doesn't have reverse DNS).

I'm going to suggest again that, given how much pain it causes noobs, 
perhaps the use of whitelist_from should generate a lint _warning_ that it 
should only be used if no other whitelist method will work...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   ...the Fates notice those who buy chainsaws...
                                               -- www.darwinawards.com
-----------------------------------------------------------------------
  2 days until Halloween

Re: whitelist_from not working

Posted by Matt Kettler <mk...@verizon.net>.
Benny Pedersen wrote:
> On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
>
>   
>> Is this the right way to whitelist? As I check, when using 3.2.5, this is
>> the right way of whitelisting a domain.
>>     
>
> the more i hear about whitelist_from the more i want to make a bug on it,
> whitelist_from should imho never have been implemented
>   
Agreed. whitelist_from sucks. However, it's there as a method of
last-resort. There are some messages you can't whitelist in SA using any
other method. (ie: when the sender's server doesn't have reverse DNS).


> use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, whitelist_from_rcvd
>
> see perldocs how to make this
>
>   
Agreed, and the man Mail::SpamAssassin::Conf section on whitelist_from
(which should have been read in the first place) will tell you the same.



Re: whitelist_from not working

Posted by Benny Pedersen <me...@junc.org>.
On Wed, October 29, 2008 10:18, Nelson Serafica wrote:

> Is this the right way to whitelist? As I check, when using 3.2.5, this is
> the right way of whitelisting a domain.

the more i hear about whitelist_from the more i want to make a bug on it,
whitelist_from should imho never have been implemented

use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, whitelist_from_rcvd

see perldocs how to make this

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: whitelist_from not working

Posted by Matt Kettler <mk...@verizon.net>.
Nelson Serafica wrote:
> I'm using spamassassin 3.2.5. Now, I have a
> whitelist_from containing *@foo.com in my local.cf.
>
> However, there is still 1 email that has been tagged as spam. In my
> understanding, if a domain was in whitelist_from, even if it was
> tagged as spam, it will be delivered to the recipient.
First, be aware that SpamAssassin itself does not directly cause
messages to be deleted, rejected, or otherwise alter delivery.
SpamAssassin itself *ONLY* tags. The way it inserts itself into the mail
chain is very flexible, but gives SA no direct power over message
delivery, so tagging is the only thing it can possibly do. If it were to
try to delete the message, most mail tools would assume SA had crashed
and recover the original, unscanned message and deliver that.

Therefore, there is nothing in the SpamAssassin configuration that can
cause a message to be delivered "even if it is tagged as spam". SA can
only tag, or not tag. whitelist_from causes messages to be hit with a
-100 point rule named USER_IN_WHITELIST. This large negative score makes
it more-or-less impossible for the message to be tagged as spam. Pretty
much the only way to get SA to tag it when matching a whitelist would be
to put a GTUBE test signature into the message.

Your previously posted example was working perfectly, in that the
whitelist configuration caused SA to match USER_IN_WHITELIST, which
generated a hugely negative score, and therefore was not tagged as spam.
That's exactly what it should do.

If you've got something else that deletes mail when SA tags messages,
then that is the tool you'd need to configure if you want the message to
get tagged as spam, but still be delivered. Reconfiguring SA can't
change this, because SA doesn't (and in fact can't) delete the messages.

> I restart the spamd after I edit local.cf so it must
> take effect.
>
> Is this the right way to whitelist? As I check, when using 3.2.5, this
> is the right way of whitelisting a domain.
whitelist_from is never the "right" way to do anything. It is horribly
easy to forge. Use whitelist_from_rcvd, or preferably, whitelist in your
tools that call SA, bypassing it entirely and saving CPU time.
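
The lint warning suggested earlier in the thread, sketched as an added example (not SpamAssassin's own lint and not code from any poster): it scans a local.cf for plain whitelist_from entries, which the thread describes as spoofable, and notes when a pattern covers one of your own domains. The sample config, the own_domains parameter and the function names are assumptions, and fnmatch only approximates SpamAssassin's address globs.

```python
import fnmatch
import re

# Constructed sample local.cf; only "*@foo.com" comes from the thread.
SAMPLE_LOCAL_CF = """\
# site policy
required_score 5.0
whitelist_from *@foo.com
whitelist_from alice@partner.example *@example.org  # two patterns, one line
whitelist_from_rcvd *@partner.example partner.example
whitelist_auth *@bank.example
"""

SAFER = "whitelist_from_rcvd, whitelist_auth, whitelist_from_spf or whitelist_from_dkim"


def covers_domain(pattern, domain):
    """True if the domain part of a whitelist glob matches `domain`.

    fnmatch approximates SpamAssassin's '*' and '?' address globs.
    """
    domain_glob = pattern.rsplit("@", 1)[-1].lower()
    return fnmatch.fnmatchcase(domain.lower(), domain_glob)


def lint_whitelist_from(conf_text, own_domains=()):
    """Return (line_no, pattern, message) for every whitelist_from pattern."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = re.sub(r"(?<!\\)#.*$", "", raw).strip()  # strip unescaped comments
        parts = line.split()
        # Exact keyword match: whitelist_from_rcvd and whitelist_auth are not flagged.
        if not parts or parts[0].lower() != "whitelist_from":
            continue
        for pattern in parts[1:]:
            own = [d for d in own_domains if covers_domain(pattern, d)]
            if own:
                msg = f"covers own domain {own[0]}; forged local senders get -100"
            else:
                msg = f"sender address is forgeable; prefer {SAFER}"
            findings.append((line_no, pattern, msg))
    return findings


if __name__ == "__main__":
    for line_no, pattern, msg in lint_whitelist_from(SAMPLE_LOCAL_CF, ["foo.com"]):
        print(f"local.cf:{line_no}: whitelist_from {pattern}: {msg}")
```

Run it against a copy of your own local.cf with your hosted domains in own_domains; an empty result means no unauthenticated whitelist_from entries remain.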