Posted to users@spamassassin.apache.org by Sherman Lilly <sh...@knoxcounty.org> on 2007/01/22 15:28:57 UTC

USER_IN_WHITELIST problem

I have spam getting through that would get filtered if they were not 
getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
none of these spam emails have anything close to my whitelist.

I am using the latest version of spamassassin and update my rules daily. I 
have also added the SARE rules to my configuration.

The system is doing a great job. I would say I am successfully filtering 95% of 
the spam coming in. Now I'm just doing some fine tuning and need some help.

Re: USER_IN_WHITELIST problem

Posted by Ryan Pavely <pa...@nac.net>.
Ok I have an update.  I picked a message that was getting marked 
USER_IN_WHITELIST once every 5 or so messages.  I took the from address 
and added this code to Perl..Mail\SpamAssassin\EvalTests.pm

    if ($addr =~ qr/$regexp/i) {
      dbg("rules: address $addr matches whitelist or blacklist regexp: $regexp");
 >      if ("$addr" eq "xrispatial\@torkildson.com") {
 >        info("PARADOX: rules: address $addr matches whitelist or blacklist regexp: $regexp");
 >        foreach my $reg (values %{$list}) {
 >          info("PARADOX: $reg");
 >        }
 >      }
      }

I then ran my loop and watched the log.  After a few tries it hit.  
Guess the cool part.  It printed out hundreds and hundreds of lines of 
blacklist/whitelist settings.  I use a domain/username file based pref 
system, no sql, nothing broken there. 

The hundreds of lines were not 'all' my wl/bl's.  After some more 
debugging I am pretty confident that I am seeing the list of all wl/bl's 
loaded in memory for any message being scanned at that moment.  On this 
particular box probably around 25 or so.

Pretty cool huh?

How is this possible?  How did it just start happening out of nowhere?

  Ryan Pavely
   Director Research And Development
   Net Access Corporation
   http://www.nac.net/ http://www.15minuteservers.com/




Re: USER_IN_WHITELIST problem

Posted by Ryan Pavely <pa...@nac.net>.
As of last Wednesday I am having this problem.  In fact it's more than 
just USER_IN_WHITELIST, I am getting many reports of incorrect 
USER_IN_BLACKLIST.

No I don't whitelist my domain.
Yes I checked the To/From/ReplyTo/EnvelopeFrom/etc.
No the users don't have whitelist/blacklist entries anywhere close to 
reported match in debug mode.




Green = Blacklist
Blue = Whitelist

The most recent change, on or around Wednesday, was I ran sa-update.  I 
now use the rules located in /var/lib/spamassassin.
 I checked my configs and noticed v310.pre now shows AWL enabled.  I 
disabled this, thought I saw all my graphs drop but sadly it was a 
momentary drop.
 I reverted back to using /usr/local/share/spamassassin base rules.  No 
change.  So therefore I have rolled back any change made in the last week.

Here are two examples of a test I just ran.  I took two messages and ran 
them through a loop.  One gets scanned
normally and occasionally hits the blacklist.  The other does the 
inverse.  Both are from my inbox, dated today.

== Example 1
=== Scanned, normal score
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
> X-Spam-Level: *******************
> X-Spam-PrefsFile: nac.net/paradox
> X-Spam-Status: Yes, score=19.5 required=5.0 
> tests=RAZOR2_CF_RANGE_51_100=0.5,
>         RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
>         RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
>         SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
>         URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094
=== Scanned a moment later in a loop, Hit blacklist
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
> X-Spam-Level: **************************************************
> X-Spam-PrefsFile: nac.net/paradox
> X-Spam-Status: Yes, score=119.5 required=5.0 
> tests=RAZOR2_CF_RANGE_51_100=0.5,
>         RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
>         RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
>         SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
>         URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094,
>         USER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7

== Original Message
> Return-Path: <yr...@dialupnet.com>
> Delivered-To: paradox@nac.net
> Received: (qmail 95612 invoked by uid 0); 23 Jan 2007 08:34:19 -0000
> Received: from 127.0.0.1 by mx2.oct.nac.net (envelope-from 
> <yr...@dialupnet.com>, uid 0) with qmail-scanner-1.25
>  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
>  Clear:RC:1(127.0.0.1):.
>  Processed in 1.629328 secs); 23 Jan 2007 08:34:19 -0000
> X-Qmail-Scanner-Mail-From: yreq3hgn@dialupnet.com via mx2.oct.nac.net
> X-Qmail-Scanner-Rcpt-To: paradox@nac.net
> X-Qmail-Scanner: 1.25 (Clear:RC:1(127.0.0.1):. Processed in 1.629328 secs)
> X-Qmail-Scanner-NAC-Block-Zips: 1
> X-Qmail-Scanner-NAC-Redirect-This: 0
> X-Qmail-Scanner-NAC-Redirect-To:
> X-Qmail-Scanner-NAC-Scanners-Run:  clamdscan_scanner fprot_scanner
> Received: from unknown (HELO mx2.oct.nac.net) (127.0.0.1)
>   by localhost with SMTP; 23 Jan 2007 08:34:17 -0000
> Received: (qmail 95433 invoked by alias); 23 Jan 2007 08:34:15 -0000
> Delivered-To: network@mail.nac.net
> Received: (qmail 95336 invoked by uid 0); 23 Jan 2007 08:34:12 -0000
> Received: from 81.14.191.12 by mx2.oct.nac.net (envelope-from 
> <yr...@dialupnet.com>, uid 0) with qmail-scanner-1.25
>  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
>  Clear:RC:0(81.14.191.12):.
>  Processed in 4.496398 secs); 23 Jan 2007 08:34:12 -0000
> X-Qmail-Scanner-Mail-From: yreq3hgn@dialupnet.com via mx2.oct.nac.net
> X-Qmail-Scanner-Rcpt-To: 
> nebling@mail.nac.net,network@mail.nac.net,newbyscj@mail.nac.net,newman@mail.nac.net,newton@mail.nac.net,ngarner@mail.nac.net,nguyen@mail.nac.net,nguyenc@mail.nac.net
> X-Qmail-Scanner: 1.25 (Clear:RC:0(81.14.191.12):. Processed in 
> 4.496398 secs)
> X-Qmail-Scanner-NAC-Block-Zips: 1
> X-Qmail-Scanner-NAC-Redirect-This: 0
> X-Qmail-Scanner-NAC-Redirect-To: REDIRECT_NONE
> X-Qmail-Scanner-NAC-Scanners-Run:
> Received: from unknown (HELO ovjkuxqmpy) (81.14.191.12)
>   by rbl-mx.nac.net with SMTP; 23 Jan 2007 08:34:07 -0000
> To: <ne...@mail.nac.net>, <ne...@mail.nac.net>, 
> <ne...@mail.nac.net>, <ne...@mail.nac.net>, <ne...@mail.nac.net>, 
> <ng...@mail.nac.net>, <ng...@mail.nac.net>, <ng...@mail.nac.net>
> Date: Tue, 23 Jan 2007 09:35:01 +0100
> From: "Man Aida" <yr...@dialupnet.com>
> Message-ID: <11...@dialupnet.com>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=learned.dirty; 
> d=dialupnet.com;
>         
> b=BkqGXQzAyMlUagemGOpLIxezlerUABJhtHFfMORxbSauBfGAoroqGlvDCVRpRfuXvGXXtGXmaabRNJwo;
> User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> Subject: Be Rich, Get Yourself Rolex/AP/Bvlgari/PatekPhilippe & .. At 
> $ 199 Each least street
> Content-Type: text/plain;
>         charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
> 100% Similar Quality, from $ 199 Each
>
> Show Off to your colleague that you can afford a ROLEX as well
>
> <More random text>




== Message 2
=== Scanned ok
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
> X-Spam-Level: ********************
> X-Spam-PrefsFile: nac.net/paradox
> X-Spam-Status: Yes, score=20.9 required=5.0 tests=HTML_10_20=0.945,
>         HTML_MESSAGE=0.001,RAZOR2_CF_RANGE_51_100=0.5,
>         
> RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,SARE_GIF_ATTACH=0.75,
>         SARE_STOCK_MSG_ID2=2.22,TW_RQ=0.077,URIBL_AB_SURBL=3.306,
>         URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,
>         URIBL_WS_SURBL=1.533 autolearn=disabled version=3.1.7
=== Scanned, hit whitelist
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
> X-Spam-Level:
> X-Spam-PrefsFile: nac.net/paradox
> X-Spam-Status: No, score=-79.1 required=5.0 tests=HTML_10_20=0.945,
>         HTML_MESSAGE=0.001,RAZOR2_CF_RANGE_51_100=0.5,
>         
> RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,SARE_GIF_ATTACH=0.75,
>         SARE_STOCK_MSG_ID2=2.22,TW_RQ=0.077,URIBL_AB_SURBL=3.306,
>         URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,
>         URIBL_WS_SURBL=1.533,USER_IN_WHITELIST=-100 autolearn=disabled
=== Original Message
> Return-Path: <ha...@sandramorante.net>
> Delivered-To: paradox@nac.net
> Received: (qmail 93280 invoked by uid 0); 23 Jan 2007 10:24:15 -0000
> Received: from 89.228.238.70 by mx7.oct.nac.net (envelope-from 
> <ha...@sandramorante.net>, uid 0) with qmail-scanner-1.
> 25
>  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
>  Clear:RC:0(89.228.238.70):.
>  Processed in 29.545472 secs); 23 Jan 2007 10:24:15 -0000
> Received: from unknown (HELO xp-7211e87ff35b) (89.228.238.70)
>   by rbl-mx.nac.net with SMTP; 23 Jan 2007 10:23:45 -0000
> Return-Path: <ha...@sandramorante.net>
> Received: from 86.109.98.134 (HELO mail.cdmon.net)
>      by nac.net with esmtp (L+-@604'9/70 H4*9)
>      id 0:'+F,-8Q/7E5-05
>      for pam@nac.net; Tue, 23 Jan 2007 10:23:43 -0060
> Date:   Tue, 23 Jan 2007 10:23:43 -0060
> From:   "Darnell Ball" <ha...@sandramorante.net>
> X-Mailer: The Bat! (v2.00.2) Business
> X-Priority: 3 (Normal)
> Message-ID: <17...@thebat.net>
> To: pam@nac.net
> Subject: Hey dude top brands available
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>   boundary="----------A6EB829A6780C93"
>
> ------------A6EB829A6780C93
> Content-Type: multipart/alternative;
>  boundary="----------E4BFDADADAD329AD"
>
>
> ------------E4BFDADADAD329AD
> Content-Type: text/plain; charset=windows-1250
> Content-Transfer-Encoding: quoted-printable
>
>
> Can u believe that we will make you happy? .... <more text, contains 
> image>













  Ryan Pavely
   Director Research And Development
   Net Access Corporation
   http://www.nac.net/ http://www.15minuteservers.com/



Drew Burchett wrote:
>> Do you have some example headers?
>>     
>
> This is a legitimate email, but it got flagged as USER_IN_WHITELIST
> while CNN is not listed in my whitelist:
>
> Received: from cnnimail33.turner.com (cnnimail33.turner.com
> [64.236.25.90])
> 	by spamfilter.onlineky.net (Postfix) with ESMTP id 2FB331757E
> 	for <cd...@giftoflifeinc.org>; Fri, 12 Jan 2007 09:36:50 -0600
> (CST)
> Received: from mail.cnn.com (10.165.130.21)
>   by cnnimail33.turner.com with ESMTP; 12 Jan 2007 10:36:49 -0500
> Message-Id: <2j...@cnnimail33.turner.com>
> From: CNNMoney.com Alerts <cn...@mail.cnn.com>
> Reply-To: cnnalerts@cnn.com
> To: cdavis@giftoflifeinc.org
> Subject: Russia's Lukoil pumps $2.4B in profits
> MIME-Version: 1.0
> Content-Type: TEXT/HTML; charset=US-ASCII
> Date: Fri, 12 Jan 2007 09:36:50 -0600 (CST)
>
>
> This one is most likely spam as this email account has been inactive for
> at least 6 months:
>
> Received: from tigger.babycenter.com (tigger.babycenter.com
> [10.128.130.152])
> 	by cosby.mailsender.com (8.13.8/8.13.8) with ESMTP id
> l0D5hne7011671
> 	for <dd...@wadc.utilitydistrict.com>; Fri, 12 Jan 2007 21:44:03
> -0800 (PST)
> Message-ID:
> <31...@tigger.babycenter.com>
> Date: Fri, 12 Jan 2007 21:43:49 -0800 (PST)
> From: BabyCenter Store <ba...@nrsvp.babycenter.com>
> Reply-To: newsletter@babycenter.com
> To: dd@wadc.utilitydistrict.com
> Subject: This weekend only. $50 off on top of sale prices.
> Mime-Version: 1.0
> Content-Type: text/html
> Content-Transfer-Encoding: quoted-printable
>
>
> Another one to that same user:
> Received: from MYWX-S8.myweather.net (cliff.myweather.net
> [64.73.35.115])
> 	by spamfilter.onlineky.net (Postfix) with ESMTP id 8ED2119631
> 	for <dd...@WADC.utilitydistrict.com>; Sat, 13 Jan 2007 02:31:14
> -0600 (CST)
> Received: by MYWX-S8.myweather.net (PowerMTA(TM) v2.0r13) id
> hl2cd6046443; Sat, 13 Jan 2007 02:31:01 -0600 (envelope-from
> <WK...@subs.myweather.net>)
> Date: Sat, 13 Jan 2007 02:31:01 -0600
> Subject: Your Personal Predictor
> x-envid: 1168677003.1103304562
> To: dd@WADC.utilitydistrict.com
> From: WKRN-PersonalPredictor@subs.myweather.net
> Content-type: text/html; charset="ISO-8859-1"
> Message-Id: <20...@spamfilter.onlineky.net>
>
> This one got flagged as spam for several other users and then got the
> USER_IN_WHITELIST out of the blue:
>
> Received: from mta130.e.drugstore.com (mta130.e.drugstore.com
> [66.165.105.168])
> 	by spamfilter.onlineky.net (Postfix) with SMTP id 9BCA41BFA6
> 	for <le...@clayworld.com>; Sun, 14 Jan 2007 07:41:04 -0600 (CST)
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>   s=200505; d=e.drugstore.com;
>  
> b=cY8Vpx/rnCIRMKPGZRNHM4/KNsEpr4kHYii2STgI9W6HEF2b9Di5sIret/1YfAqwoGtfis
> iuPTBVdqNgjuFdDrRKkSapc4KvdDIOMTJlusKwn4ViXq0Pp/hgoVBuJ5StpuOl4aJZGrRSte
> srCsYmvwo1IaDqSRaqoOCVbTZq2lI=;
>  
> h=Date:Message-ID:List-Unsubscribe:From:To:Subject:MIME-Version:Reply-To
> :Content-type;
> Date: Sun, 14 Jan 2007 13:41:04 -0000
> Message-ID:
> <b1...@mta130.e.drugstore.com>
> List-Unsubscribe:
> <ma...@e.drugstore.com>
> From: "drugstore.com" <dr...@e.drugstore.com>
> To: lee@clayworld.com
> Subject: Save up to 40% and stock up for the new year
> MIME-Version: 1.0
> Reply-To: "drugstore.com"
> <su...@e.drugstore.com>
> Content-type: multipart/alternative;
> boundary="=b19wt9ya08rqp8bx3mk4jbujgjpyka
>
> Received: from nl-mail5.internet.com (nl-mail5.internet.com
> [64.62.164.185])
> 	by spamfilter.onlineky.net (Postfix) with ESMTP id CE73821EA0
> 	for <to...@united-systems.com>; Tue, 16 Jan 2007 09:40:16 -0600
> (CST)
> Received: from nl.internet.com (192.168.5.118)
>   by nl-mail5.internet.com with ESMTP; 16 Jan 2007 07:39:02 -0800
> Received: by mail8.internet.com (Postfix, from userid 0)
> 	id EDFA41190032; Tue, 16 Jan 2007 07:38:56 -0800 (PST)
> To: tomw@united-systems.com
> Subject: Tech Brief: Manage Performance & Availability of .NET Apps
> Reply-To: reply-21819-2143-207ade54a4@nl.internet.com
> Content-description: 207ade54a4tomw@united-systems.com!1!21819!
> Content-Type: text/plain; charset="us-ascii"
> From: "DevX Skill Building Update"
> <re...@nl.internet.com>
> Message-Id: <20...@mail8.internet.com>
> Date: Tue, 16 Jan 2007 07:38:56 -0800 (PST)
>
> Received: from dc1img10.digitalriver.com (dc1img10.digitalriver.com
> [66.192.69.11])
> 	by spamfilter.onlineky.net (Postfix) with ESMTP id BC3021FEAC
> 	for <ja...@mtginsurance.com>; Tue, 16 Jan 2007 10:26:27 -0600
> (CST)
> Date: 16 Jan 2007 10:26:13 -0600
> From: "Nuance - Makers of PaperPort" <nu...@reply.digitalriver.com>
> X-Complaints-to: abuse@digitalriver.com
> To: "Nancy" <ja...@mtginsurance.com>
> Reply-To: "Nuance - Makers of PaperPort" <nu...@reply.digitalriver.com>
> Message-ID: <17...@dc1img01.digitalriver.com>
> Subject: Exclusive customer savings on OmniPage - 50% off
> X-MID: 19198-bhb2fz7bz5vsedwr2
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="------------06986E0E1E196312E032AFBC"
>
>   
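
The loop test described in the message above can be automated. This added example (not from the thread or from SpamAssassin) parses X-Spam-Status values in the `tests=RULE=score` layout shown in Example 1 and reports rules that hit in only some scans of the same message; the function names are illustrative.

```python
import re

# X-Spam-Status values copied from Example 1 above (quote markers removed).
SCAN_NORMAL = """Yes, score=19.5 required=5.0
 tests=RAZOR2_CF_RANGE_51_100=0.5,
        RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
        RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
        SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
        URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094"""
SCAN_LISTED = (SCAN_NORMAL.replace("score=19.5", "score=119.5")
               + ",\n        USER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7")


def parse_status(value):
    """Return (score, {rule: score_or_None}) from a folded X-Spam-Status value."""
    text = re.sub(r",\s+", ",", value)          # undo folding inside the tests list
    score = re.search(r"score=(-?\d+(?:\.\d+)?)", text)
    tests = re.search(r"tests=(\S*)", text)
    rules = {}
    for item in (tests.group(1).split(",") if tests else []):
        name, sep, val = item.partition("=")
        if not name or name == "none":
            continue
        rules[name] = float(val) if sep else None  # plain rule names carry no score
    return (float(score.group(1)) if score else None), rules


def flapping_rules(status_values):
    """Rules that hit in at least one scan but not in every scan."""
    scans = [parse_status(v) for v in status_values]
    counts = {}
    for _, rules in scans:
        for name in rules:
            counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n < len(scans)}


def list_rule_instability(status_values):
    """USER_IN_* rules that are not stable across scans, plus the score swing."""
    scores = [s for s, _ in map(parse_status, status_values) if s is not None]
    swing = round(max(scores) - min(scores), 3) if scores else 0.0
    unstable = sorted(r for r in flapping_rules(status_values)
                      if r.startswith("USER_IN_"))
    return unstable, swing


if __name__ == "__main__":
    # Same message scanned three times; one scan picked up the blacklist rule.
    unstable, swing = list_rule_instability([SCAN_NORMAL, SCAN_LISTED, SCAN_NORMAL])
    print("unstable list rules:", unstable, "score swing:", swing)
```

A static per-user whitelist or blacklist should give the same USER_IN_* result on every scan of an unchanged message, so any rule reported here points at state shared between scans rather than at the message.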

Re: USER_IN_WHITELIST problem

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Drew Burchett wrote:
>> Do you have some example headers?
> 
> This is a legitimate email, but it got flagged as USER_IN_WHITELIST
> while CNN is not listed in my whitelist:

You didn't include the envelope from address in any of your examples.

Daryl

RE: USER_IN_WHITELIST problem

Posted by Drew Burchett <Dr...@united-systems.com>.
>Do you have some example headers?

This is a legitimate email, but it got flagged as USER_IN_WHITELIST
while CNN is not listed in my whitelist:

Received: from cnnimail33.turner.com (cnnimail33.turner.com
[64.236.25.90])
	by spamfilter.onlineky.net (Postfix) with ESMTP id 2FB331757E
	for <cd...@giftoflifeinc.org>; Fri, 12 Jan 2007 09:36:50 -0600
(CST)
Received: from mail.cnn.com (10.165.130.21)
  by cnnimail33.turner.com with ESMTP; 12 Jan 2007 10:36:49 -0500
Message-Id: <2j...@cnnimail33.turner.com>
From: CNNMoney.com Alerts <cn...@mail.cnn.com>
Reply-To: cnnalerts@cnn.com
To: cdavis@giftoflifeinc.org
Subject: Russia's Lukoil pumps $2.4B in profits
MIME-Version: 1.0
Content-Type: TEXT/HTML; charset=US-ASCII
Date: Fri, 12 Jan 2007 09:36:50 -0600 (CST)


This one is most likely spam as this email account has been inactive for
at least 6 months:

Received: from tigger.babycenter.com (tigger.babycenter.com
[10.128.130.152])
	by cosby.mailsender.com (8.13.8/8.13.8) with ESMTP id
l0D5hne7011671
	for <dd...@wadc.utilitydistrict.com>; Fri, 12 Jan 2007 21:44:03
-0800 (PST)
Message-ID:
<31...@tigger.babycenter.com>
Date: Fri, 12 Jan 2007 21:43:49 -0800 (PST)
From: BabyCenter Store <ba...@nrsvp.babycenter.com>
Reply-To: newsletter@babycenter.com
To: dd@wadc.utilitydistrict.com
Subject: This weekend only. $50 off on top of sale prices.
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


Another one to that same user:
Received: from MYWX-S8.myweather.net (cliff.myweather.net
[64.73.35.115])
	by spamfilter.onlineky.net (Postfix) with ESMTP id 8ED2119631
	for <dd...@WADC.utilitydistrict.com>; Sat, 13 Jan 2007 02:31:14
-0600 (CST)
Received: by MYWX-S8.myweather.net (PowerMTA(TM) v2.0r13) id
hl2cd6046443; Sat, 13 Jan 2007 02:31:01 -0600 (envelope-from
<WK...@subs.myweather.net>)
Date: Sat, 13 Jan 2007 02:31:01 -0600
Subject: Your Personal Predictor
x-envid: 1168677003.1103304562
To: dd@WADC.utilitydistrict.com
From: WKRN-PersonalPredictor@subs.myweather.net
Content-type: text/html; charset="ISO-8859-1"
Message-Id: <20...@spamfilter.onlineky.net>

This one got flagged as spam for several other users and then got the
USER_IN_WHITELIST out of the blue:

Received: from mta130.e.drugstore.com (mta130.e.drugstore.com
[66.165.105.168])
	by spamfilter.onlineky.net (Postfix) with SMTP id 9BCA41BFA6
	for <le...@clayworld.com>; Sun, 14 Jan 2007 07:41:04 -0600 (CST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=200505; d=e.drugstore.com;
 
b=cY8Vpx/rnCIRMKPGZRNHM4/KNsEpr4kHYii2STgI9W6HEF2b9Di5sIret/1YfAqwoGtfis
iuPTBVdqNgjuFdDrRKkSapc4KvdDIOMTJlusKwn4ViXq0Pp/hgoVBuJ5StpuOl4aJZGrRSte
srCsYmvwo1IaDqSRaqoOCVbTZq2lI=;
 
h=Date:Message-ID:List-Unsubscribe:From:To:Subject:MIME-Version:Reply-To
:Content-type;
Date: Sun, 14 Jan 2007 13:41:04 -0000
Message-ID:
<b1...@mta130.e.drugstore.com>
List-Unsubscribe:
<ma...@e.drugstore.com>
From: "drugstore.com" <dr...@e.drugstore.com>
To: lee@clayworld.com
Subject: Save up to 40% and stock up for the new year
MIME-Version: 1.0
Reply-To: "drugstore.com"
<su...@e.drugstore.com>
Content-type: multipart/alternative;
boundary="=b19wt9ya08rqp8bx3mk4jbujgjpyka

Received: from nl-mail5.internet.com (nl-mail5.internet.com
[64.62.164.185])
	by spamfilter.onlineky.net (Postfix) with ESMTP id CE73821EA0
	for <to...@united-systems.com>; Tue, 16 Jan 2007 09:40:16 -0600
(CST)
Received: from nl.internet.com (192.168.5.118)
  by nl-mail5.internet.com with ESMTP; 16 Jan 2007 07:39:02 -0800
Received: by mail8.internet.com (Postfix, from userid 0)
	id EDFA41190032; Tue, 16 Jan 2007 07:38:56 -0800 (PST)
To: tomw@united-systems.com
Subject: Tech Brief: Manage Performance & Availability of .NET Apps
Reply-To: reply-21819-2143-207ade54a4@nl.internet.com
Content-description: 207ade54a4tomw@united-systems.com!1!21819!
Content-Type: text/plain; charset="us-ascii"
From: "DevX Skill Building Update"
<re...@nl.internet.com>
Message-Id: <20...@mail8.internet.com>
Date: Tue, 16 Jan 2007 07:38:56 -0800 (PST)

Received: from dc1img10.digitalriver.com (dc1img10.digitalriver.com
[66.192.69.11])
	by spamfilter.onlineky.net (Postfix) with ESMTP id BC3021FEAC
	for <ja...@mtginsurance.com>; Tue, 16 Jan 2007 10:26:27 -0600
(CST)
Date: 16 Jan 2007 10:26:13 -0600
From: "Nuance - Makers of PaperPort" <nu...@reply.digitalriver.com>
X-Complaints-to: abuse@digitalriver.com
To: "Nancy" <ja...@mtginsurance.com>
Reply-To: "Nuance - Makers of PaperPort" <nu...@reply.digitalriver.com>
Message-ID: <17...@dc1img01.digitalriver.com>
Subject: Exclusive customer savings on OmniPage - 50% off
X-MID: 19198-bhb2fz7bz5vsedwr2
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------06986E0E1E196312E032AFBC"

-- 
Thanks,
James

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.


Re: USER_IN_WHITELIST problem

Posted by JamesDR <ja...@trusswood.net>.
Sherman Lilly wrote:
> I have spam getting through that would get filtered if they were not 
> getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
> none of these spam emails have anything close to my whitelist.
> 
> I am using the latest version of spamassassin and update my rules daily. I 
> have also added the SARE rules to my configuration.
> 
> The system is doing a great job. I would say I am successfully filtering 95% of 
> the spam coming in. Now I'm just doing some fine tuning and need some help.
> 
> 

Do you have some example headers?

-- 
Thanks,
James

Re: USER_IN_WHITELIST problem

Posted by Jim Maul <jm...@elih.org>.
Drew Burchett wrote:
> Well, I certainly don't mean to be argumentative about this, but over
> the weekend, I had to set USER_IN_WHITELIST score to 0 due to the number
> of false hits it was receiving.  Seeing as I am the only one here who
> has the ability to add and remove from whitelists or blacklists, I have
> a pretty good idea of what is in them.  I can't say for sure, but there
> certainly seems to be a bug in this particular rule.  If I could help to
> troubleshoot it, I would be glad to provide whatever information is
> necessary.
> 

All this guessing can easily be put to rest by posting:

1. The headers of the message in question
2. Your SA whitelist statements

-Jim



> Drew Burchett
> United Systems & Software
> Ph:    (270)527-3293
> Fax:  (270)527-3132
> 
> -----Original Message-----
> From: Daryl C. W. O'Shea [mailto:spamassassin@dostech.ca] 
> Sent: Monday, January 22, 2007 10:40 AM
> To: Sherman Lilly
> Cc: users@spamassassin.apache.org
> Subject: Re: USER_IN_WHITELIST problem
> 
> Sherman Lilly wrote:
>> I have spam getting through that would get filtered if they were not 
>> getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
>> none of these spam emails have anything close to my whitelist.
> 
> Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.
> 
> It's probably hitting on whatever the envelope from address is (found in
> the Return-Path header).  Most of the time this happens when people 
> whitelist their own domain using whitelist_from.
> 
> 
> Daryl
> 
> 



RE: USER_IN_WHITELIST problem

Posted by Drew Burchett <Dr...@united-systems.com>.
Well, I certainly don't mean to be argumentative about this, but over
the weekend, I had to set USER_IN_WHITELIST score to 0 due to the number
of false hits it was receiving.  Seeing as I am the only one here who
has the ability to add and remove from whitelists or blacklists, I have
a pretty good idea of what is in them.  I can't say for sure, but there
certainly seems to be a bug in this particular rule.  If I could help to
troubleshoot it, I would be glad to provide whatever information is
necessary.

Drew Burchett
United Systems & Software
Ph:    (270)527-3293
Fax:  (270)527-3132

-----Original Message-----
From: Daryl C. W. O'Shea [mailto:spamassassin@dostech.ca] 
Sent: Monday, January 22, 2007 10:40 AM
To: Sherman Lilly
Cc: users@spamassassin.apache.org
Subject: Re: USER_IN_WHITELIST problem

Sherman Lilly wrote:
> I have spam getting through that would get filtered if they were not 
> getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
> none of these spam emails have anything close to my whitelist.

Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.

It's probably hitting on whatever the envelope from address is (found in
the Return-Path header).  Most of the time this happens when people 
whitelist their own domain using whitelist_from.


Daryl



Re: USER_IN_WHITELIST problem

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Sherman Lilly wrote:
> I have spam getting through that would get filtered if they were not 
> getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
> none of these spam emails have anything close to my whitelist.

Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.

It's probably hitting on whatever the envelope from address is (found in 
the Return-Path header).  Most of the time this happens when people 
whitelist their own domain using whitelist_from.


Daryl
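
The check suggested in this reply, comparing every sender address on the message (envelope sender included) against the whitelist_from and blacklist_from entries, can be scripted. The following is an added example, not part of the thread or of SpamAssassin's code: the header set it inspects is an assumption, the sample message and config are constructed, and patterns are treated as file-style globs where only `*` and `?` are wildcards, matched case-insensitively.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: headers that may carry a sender address. The set SpamAssassin
# consults depends on its version and on how the MTA records the envelope sender.
SENDER_HEADERS = ("Return-Path", "X-Envelope-From", "Envelope-Sender",
                  "From", "Resent-From", "Sender")
LIST_DIRECTIVES = ("whitelist_from", "blacklist_from")

# Constructed sample: the visible From is unrelated to the whitelist, but the
# envelope sender is forged to be inside the recipient's own whitelisted domain.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce-7731@example.org>\n"
    'From: "Top Brands" <offers@shop.example>\n'
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
SAMPLE_CONFIG = (
    "whitelist_from *@example.org      # own domain (the risky entry)\n"
    "whitelist_from friend@partner.example\n"
    "blacklist_from *@bad.example\n"
)


def glob_matches(glob, addr):
    """Case-insensitive glob match: * and ? are wildcards, the rest is literal."""
    parts = []
    for ch in glob:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.fullmatch("".join(parts), addr, re.IGNORECASE) is not None


def parse_lists(config_text):
    """Return [(directive, glob, line_number)] for whitelist/blacklist lines."""
    entries = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in LIST_DIRECTIVES:
            entries.extend((fields[0], glob, lineno) for glob in fields[1:])
    return entries


def explain_hits(raw_message, config_text):
    """List (directive, glob, config_line, header, address) for every match."""
    msg = message_from_string(raw_message)
    entries = parse_lists(config_text)
    hits = []
    for header in SENDER_HEADERS:
        for _, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue
            for directive, glob, lineno in entries:
                if glob_matches(glob, addr):
                    hits.append((directive, glob, lineno, header, addr.lower()))
    return hits


if __name__ == "__main__":
    for directive, glob, lineno, header, addr in explain_hits(SAMPLE_MESSAGE,
                                                               SAMPLE_CONFIG):
        print(f"{directive} {glob} (config line {lineno}) matched {header}: {addr}")
```

On the constructed sample the only match is the Return-Path address against the own-domain entry, which is the case described above where the visible From looks unrelated to the whitelist.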