Posted to users@spamassassin.apache.org by Miles Fidelman <mf...@meetinghouse.net> on 2006/11/12 03:47:09 UTC

scoring question

Hi,

I got the following in a message from our list management software:

*X-Spam-Status: * Yes, hits=9.7 tagged_above=0.0 required=6.3 tests=AWL, 
BAYES_20, NO_RELAYS
*X-Spam-Level: * *********
*X-Spam-Flag: * YES

Basic configuration:
Debian Sarge
Postfix
amavisd-new
spamassassin 3.001003
standard ruleset, plus updates from
- default channel
- saupdates.openprotect.com

The thing is, that if I'm reading things correctly, the scores for the 
listed tests are:
AWL 1 (default)
50_scores.cf:score BAYES_20 0.0001 0.0001 -0.740 -0.740
50_scores.cf:score NO_RELAYS -0.001

Which should add up to .259 (net tests and Bayes turned on).

So... why is this showing hits=9.7?  What am I missing?

Thanks very much,

Miles




Re: question re. whitelist_from_rcvd

Posted by Kelson <ke...@speed.net>.
Miles Fidelman wrote:
>>> whitelist_from_rcvd sympa@lists.fusn.org <ma...@lists.fusn.org>
>>>     
> hmmm...not sure how that last bit made it into my email, I thought I'd 
> just typed
> 
> whitelist_from_rcvd sympa@lists.fusn.org
> must have to do with typing it at 2:46 in the am, sigh...

Nah, it's probably just your mail client.  I see in the headers you're 
using SeaMonkey.  I'd guess it shares quite a bit of code with 
Thunderbird, and Thunderbird has an annoying habit of plunking in an 
extra copy of an email address if it's converting from HTML to 
plaintext... even if the text of the link is the email address itself.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: question re. whitelist_from_rcvd

Posted by Miles Fidelman <mf...@meetinghouse.net>.
Matt Kettler wrote:
> Miles Fidelman wrote:
>   
>> Hi,
>>
>> I'm trying to figure out how to whitelist control messages generated
>> by our list manager (Sympa) - which are generated on the localhost and
>> sent to addresses on the localhost.
>>
>> In particular, here's a specific example:
>>
>> *From: *   sympa@lists.fusn.org <ma...@lists.fusn.org>
>> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
>> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
>> <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18
>> -0500 (EST)
>>
>>
>> It's pretty clear that the entry in user_prefs would start with
>>
>> whitelist_from_rcvd sympa@lists.fusn.org <ma...@lists.fusn.org>
>>     
hmmm...not sure how that last bit made it into my email, I thought I'd 
just typed

whitelist_from_rcvd sympa@lists.fusn.org 

must have to do with typing it at 2:46 in the am, sigh...

>> but what would I use as the domain part?
>>     
> Actually, no..  it would not start like that... As written the "
> <ma...@lists.fusn.org>" would be interpreted as the Received:
> header check.
>
> Try:
> whitelist_from_rcvd sympa@lists.fusn.org localhost.localdomain
>   
Thanks! Will do.

Miles

Re: question re. whitelist_from_rcvd

Posted by Miles Fidelman <mf...@meetinghouse.net>.
Not as easily done as said.

Matthias Leisi wrote:
> Miles Fidelman wrote:
>
> Do you *really* need to pass locally generated mail through
> Spamassassin? Most likely not.
>
>   
I prefer to, since I have a number of users who use my machine as their 
SMTP route to the world - and you never know when a desktop machine can 
pick up a virus or trojan.  Since I run a number of email lists, I like 
to have multiple lines of defense to keep spam and viruses from getting 
to lists.  Beyond the obvious reason, it also reduces the likelihood of 
getting listed in blocklists.

Hence I need something more fine-grained than eliminating filters from 
all locally generated mail.
>> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
>> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
>> <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18
>> -0500 (EST)
>> *Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost
>> (server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2
>> for <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006
>> 10:22:12 -0500 (EST)
>> *Received: * by server1.neighborhoods.net (Postfix, from userid 114) id
>> 1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)
>>
>> Any thoughts on other ways to whitelist locally originated messages from
>> a single address (sympa@lists.fusn.org) without just opening up the
>> world to spammers by using a simple whitelist_from command?
>>     
>
> Looking at the Received: headers it looks as if you're running a mostly
> regular Postfix/Amavis setup, ie Postfix forwards to Amavis which in
> turn forwards it to Postfix.
>
> You can tell Postfix which content filters it should use depending on
> where mail comes from. Since the mail in question is generated locally
> ("from userid 114"), you can tell Postfix not to use the content filter
> in the pickup process:
>
> +-- /etc/postfix/master.cf --
> | pickup    fifo  n       -       -       60      1       pickup
> |        -o content_filter=
> +-- --
>
> See [1] for a more complete example.
>
> -- Matthias
>
> [1]
> http://matthias.leisi.net/archives/120-Unblocking-an-EICAR-with-PostfixAmavisClamAV.html
>   


Re: question re. whitelist_from_rcvd

Posted by Matthias Leisi <ma...@leisi.net>.
Miles Fidelman wrote:

Do you *really* need to pass locally generated mail through
Spamassassin? Most likely not.

> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
> <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18
> -0500 (EST)
> *Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost
> (server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2
> for <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006
> 10:22:12 -0500 (EST)
> *Received: * by server1.neighborhoods.net (Postfix, from userid 114) id
> 1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)
> 
> Any thoughts on other ways to whitelist locally originated messages from
> a single address (sympa@lists.fusn.org) without just opening up the
> world to spammers by using a simple whitelist_from command?

Looking at the Received: headers it looks as if you're running a mostly
regular Postfix/Amavis setup, ie Postfix forwards to Amavis which in
turn forwards it to Postfix.

You can tell Postfix which content filters it should use depending on
where mail comes from. Since the mail in question is generated locally
("from userid 114"), you can tell Postfix not to use the content filter
in the pickup process:

+-- /etc/postfix/master.cf --
| pickup    fifo  n       -       -       60      1       pickup
|        -o content_filter=
+-- --

See [1] for a more complete example.

-- Matthias

[1]
http://matthias.leisi.net/archives/120-Unblocking-an-EICAR-with-PostfixAmavisClamAV.html

Re: question re. whitelist_from_rcvd

Posted by Miles Fidelman <mf...@meetinghouse.net>.
Matt Kettler wrote:
> Miles Fidelman wrote:
>   
>> Hi,
>>
>> I'm trying to figure out how to whitelist control messages generated
>> by our list manager (Sympa) - which are generated on the localhost and
>> sent to addresses on the localhost.
>>
>> In particular, here's a specific example:
>>
>> *From: *   sympa@lists.fusn.org <ma...@lists.fusn.org>
>> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
>> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
>> <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18
>> -0500 (EST)
>>
>>
>> It's pretty clear that the entry in user_prefs would start with
>>
>> whitelist_from_rcvd sympa@lists.fusn.org <ma...@lists.fusn.org>
>>
>> but what would I use as the domain part?
>>     
> Actually, no..  it would not start like that... As written the "
> <ma...@lists.fusn.org>" would be interpreted as the Received:
> header check.
>
> Try:
> whitelist_from_rcvd sympa@lists.fusn.org localhost.localdomain
>
>   
Well that doesn't seem to work.  I also tried

whitelist_from_rcvd sympa@lists.fusn.org server1.neighborhoods.net
whitelist_from_rcvd sympa@lists.fusn.org 127.0.0.1

I think the problem is that the reverse lookups don't match in any of 
these combinations (look closely at the headers):

*From: *   sympa@lists.fusn.org <ma...@lists.fusn.org>
*Subject: * ****SPAM*** Message diffusion*
*Date: * November 11, 2006 10:22:05 AM EST
*To: *   leonard@tlw.com <ma...@tlw.com>
*Return-Path: * <fusn-owner@lists.fusn.org 
<ma...@lists.fusn.org>>
*X-Original-To: * leonard@tlw.com <ma...@tlw.com>
*Delivered-To: * leonard@tlw.com <ma...@tlw.com>
*Received: * from localhost (localhost.localdomain [127.0.0.1]) by 
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for 
<leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18 
-0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost 
(server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 
for <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 
10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id 
1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)

Any thoughts on other ways to whitelist locally originated messages from 
a single address (sympa@lists.fusn.org) without just opening up the 
world to spammers by using a simple whitelist_from command?

Thanks again,

Miles



Re: question re. whitelist_from_rcvd

Posted by Matt Kettler <mk...@verizon.net>.
Miles Fidelman wrote:
> Hi,
>
> I'm trying to figure out how to whitelist control messages generated
> by our list manager (Sympa) - which are generated on the localhost and
> sent to addresses on the localhost.
>
> In particular, here's a specific example:
>
> *From: *   sympa@lists.fusn.org <ma...@lists.fusn.org>
> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
> <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18
> -0500 (EST)
>
>
> It's pretty clear that the entry in user_prefs would start with
>
> whitelist_from_rcvd sympa@lists.fusn.org <ma...@lists.fusn.org>
>
> but what would I use as the domain part?
Actually, no..  it would not start like that... As written the "
<ma...@lists.fusn.org>" would be interpreted as the Received:
header check.

Try:
whitelist_from_rcvd sympa@lists.fusn.org localhost.localdomain



question re. whitelist_from_rcvd

Posted by Miles Fidelman <mf...@meetinghouse.net>.
Hi,

I'm trying to figure out how to whitelist control messages generated by 
our list manager (Sympa) - which are generated on the localhost and sent 
to addresses on the localhost.

In particular, here's a specific example:

*From: *   sympa@lists.fusn.org <ma...@lists.fusn.org>
*Subject: * ****SPAM*** Message diffusion*
*Date: * November 11, 2006 10:22:05 AM EST
*To: *   leonard@tlw.com <ma...@tlw.com>
*Return-Path: * <fusn-owner@lists.fusn.org 
<ma...@lists.fusn.org>>
*X-Original-To: * leonard@tlw.com <ma...@tlw.com>
*Delivered-To: * leonard@tlw.com <ma...@tlw.com>
*Received: * from localhost (localhost.localdomain [127.0.0.1]) by 
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for 
<leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 10:22:18 
-0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost 
(server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 
for <leonard@tlw.com <ma...@tlw.com>>; Sat, 11 Nov 2006 
10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id 
1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)
*Mime-Version: * 1.0
*Content-Type: * text/plain; charset=utf-8;
*Content-Transfer-Encoding: * 8bit
*Message-Id: * <20061111152205.1A9BFB6C2F6@server1.neighborhoods.net 
<ma...@server1.neighborhoods.net>>
*X-Virus-Scanned: * by amavisd-new-20030616-p10 (Debian) at 
neighborhoods.net
*X-Spam-Status: * Yes, hits=9.7 tagged_above=0.0 required=6.3 tests=AWL, 
BAYES_20, NO_RELAYS
*X-Spam-Level: * *********
*X-Spam-Flag: * YES
*Status:** *

It's pretty clear that the entry in user_prefs would start with

whitelist_from_rcvd sympa@lists.fusn.org <ma...@lists.fusn.org>

but what would I use as the domain part? 

Thanks very much,

Miles

Re: scoring question

Posted by Matt Kettler <mk...@verizon.net>.
Miles Fidelman wrote:
> Hi,
>
> I got the following in a message from our list management software:
>
> *X-Spam-Status: * Yes, hits=9.7 tagged_above=0.0 required=6.3
> tests=AWL, BAYES_20, NO_RELAYS
> *X-Spam-Level: * *********
> *X-Spam-Flag: * YES
>
> Basic configuration:
> Debian Sarge
> Postfix
> amavisd-new
> spamassassin 3.001003
> standard ruleset, plus updates from
> - default channel
> - saupdates.openprotect.com
>
> The thing is, that if I'm reading things correctly, the scores for the
> listed tests are:
> AWL 1 (default)
Nope... the AWL has a variable score. It's the "Automatic whitelist"
which is really more of a "History-tracking score averager" than
anything else. It's only called AWL because its most common effect is to
push down scores when a normally low-scoring sender sends a message that
gets a high score. In this case, it went the other way. A sender that
was high-scoring in the past sent a low scoring message and got pushed up.
> 50_scores.cf:score BAYES_20 0.0001 0.0001 -0.740 -0.740
> 50_scores.cf:score NO_RELAYS -0.001
>
> Which should add up to .259 (net tests and Bayes turned on).
>
> So... why is this showing hits=9.7?  What am I missing?
See above, the variable score for the AWL would have been on the order
of +9.45 or so.

Apparently the past average for this sender is somewhere around +20,
causing the AWL to add a lot to this message.

The AWL score is based on the current pre-awl score, and the past
average for that sender.

Basically the AWL always looks at the difference between the current
score, and the past average. It then adds half that difference in.

See  http://wiki.apache.org/spamassassin/AutoWhitelist

>
>
>
>
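
The "adds half that difference" rule from the reply above can be run backwards over the X-Spam-Status header quoted in the thread to recover what AWL contributed and what past average that implies. This is an added example, not part of any message in the thread; it assumes the fourth score column (net tests and Bayes on, as stated in the question) and a factor of 0.5, and because hits= is rounded in the header the results are approximate.

```python
import re

# Constructed from the header and score lines quoted in this thread.
HEADER = ("X-Spam-Status: Yes, hits=9.7 tagged_above=0.0 required=6.3 "
          "tests=AWL, BAYES_20, NO_RELAYS")
SCORE_LINES = """\
score BAYES_20 0.0001 0.0001 -0.740 -0.740
score NO_RELAYS -0.001
"""
SCORESET = 3      # 0: no net/no Bayes, 1: net only, 2: Bayes only, 3: net + Bayes
AWL_FACTOR = 0.5  # assumption: "adds half that difference"


def parse_scores(text, scoreset=SCORESET):
    """Map rule name -> score for the active scoreset."""
    scores = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        values = [float(v) for v in parts[2:]]
        # One value applies to every scoreset; four values are per-scoreset.
        scores[parts[1]] = values[scoreset] if len(values) == 4 else values[0]
    return scores


def parse_status(header):
    """Return (hits, required, [rule names]) from an X-Spam-Status header."""
    hits = float(re.search(r"hits=(-?[\d.]+)", header).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", header).group(1))
    tests = re.search(r"tests=(.*)$", header, re.S).group(1)
    return hits, required, [t.strip() for t in tests.split(",") if t.strip()]


def explain_awl(header, score_text, factor=AWL_FACTOR):
    """Infer the AWL contribution and the sender's implied past average."""
    hits, required, tests = parse_status(header)
    scores = parse_scores(score_text)
    pre_awl = sum(scores[t] for t in tests if t != "AWL")
    awl_delta = hits - pre_awl                # what AWL must have added
    past_mean = pre_awl + awl_delta / factor  # delta = (mean - pre_awl) * factor
    return {"pre_awl": round(pre_awl, 3), "awl_delta": round(awl_delta, 3),
            "past_mean": round(past_mean, 3),
            "spam_without_awl": pre_awl >= required}


if __name__ == "__main__":
    print(explain_awl(HEADER, SCORE_LINES))
```
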