Posted to users@spamassassin.apache.org by Ron Shuck <rs...@Buchanan.com> on 2005/05/02 16:38:24 UTC

RE: Blacklist Not Working

First, thanks for the help.

Craig noticed that the rule ALL_TRUSTED was matched. There was a
potential issue with Trusted Path if trusted_networks was not
configured. I tried that. The final mail server is Exchange, and I am
having a hard time getting the headers back from the users.

I posted a link to the Trusted Path issue in my response to Craig.

Thanks again,


Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - People. Process. Technology.

-----Original Message-----
From: Matt Kettler [mailto:mkettler@evi-inc.com] 
Sent: Friday, April 29, 2005 11:56 AM
To: Ron Shuck
Cc: Craig McLean; users@spamassassin.apache.org
Subject: Re: Blacklist Not Working

Ron Shuck wrote:

>Here is the log. I don't have the message, but as you can see it did 
>not match the blacklist.
>
>-------log------
>Apr 24 04:39:43 mail postfix/smtpd[25746]: connect from castile.calmra.com[72.11.146.117]
>Apr 24 04:39:44 mail postfix/smtpd[25746]: AE20883C: client=castile.calmra.com[72.11.146.117]
>Apr 24 04:39:45 mail postfix/cleanup[26437]: AE20883C: message-id=<53...@zwd_Z-jhokhamnkj>
>Apr 24 04:39:45 mail postfix/qmgr[4304]: AE20883C: from=<Le...@calmra.com>, size=2034, nrcpt=1 (queue active)
>Apr 24 04:39:45 mail spamd[14218]: connection from localhost.localdomain [127.0.0.1] at port 48918
>Apr 24 04:39:45 mail spamd[14218]: info: setuid to filter succeeded
>Apr 24 04:39:45 mail spamd[14218]: processing message <53...@zwd_Z-jhokhamnkj> for filter:501.
>Apr 24 04:39:46 mail spamd[14218]: clean message (4.8/5.0) for filter:501 in 1.2 seconds, 2000 bytes.
>Apr 24 04:39:46 mail spamd[14218]: result: .  4 - ALL_TRUSTED,AWL,BAYES_20,DNS_FROM_AHBL_RHSBL,HTML_50_60,HTML_IMAGE_ONLY_12,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL scantime=1.2,size=2000,mid=<53...@zwd_Z-jhokhamnkj>,bayes=0.0627053670923895,autolearn=no
>
>----local.cf snippet----
>blacklist_from  *@calmra.com
>  
>
<snip>

Ok, now what did the headers in the message look like? The "from" quoted
in your logfile is the envelope, which might not have been present in
the message at the time SA saw it.

SA doesn't get the envelope directly, so that from is completely
irrelevant unless your MTA or MDA inserted it into a Return-Path: header
before SpamAssassin got called.
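
An added example, not part of the original thread and not SpamAssassin's own code: a small diagnostic that lists the sender addresses a content filter can actually read from a message's headers and tests them against a `blacklist_from`-style glob. The header list, the function names and both sample messages are assumptions constructed for illustration; they show the envelope sender only becoming matchable once the MTA has written it into a Return-Path: header.

```python
import fnmatch
from email import message_from_string
from email.utils import getaddresses

# Assumption: a simplified set of headers that can carry a sender address.
# The envelope sender is only visible if the MTA/MDA copied it into one of them.
SENDER_HEADERS = ("From", "Return-Path", "X-Envelope-From", "Envelope-Sender")

# Constructed sample: header From differs from the envelope sender, and the
# MTA has not added a Return-Path: header before filtering.
WITHOUT_RETURN_PATH = (
    "From: Offers <offers@example.net>\n"
    "To: user@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed sample: same message after the MTA recorded the envelope sender.
WITH_RETURN_PATH = "Return-Path: <sender@calmra.com>\n" + WITHOUT_RETURN_PATH

PATTERNS = ["*@calmra.com"]  # the glob from the local.cf snippet above


def visible_senders(raw_message):
    """Map header name -> lower-cased addresses found in that header."""
    msg = message_from_string(raw_message)
    found = {}
    for name in SENDER_HEADERS:
        values = msg.get_all(name, [])
        addrs = [addr.lower() for _, addr in getaddresses(values) if addr]
        if addrs:
            found[name] = addrs
    return found


def blacklist_hits(raw_message, patterns):
    """Return (header, address, pattern) for every glob match in the headers."""
    hits = []
    for header, addrs in visible_senders(raw_message).items():
        for addr in addrs:
            for pat in patterns:
                if fnmatch.fnmatchcase(addr, pat.lower()):
                    hits.append((header, addr, pat))
    return hits


if __name__ == "__main__":
    for label, raw in (("no Return-Path", WITHOUT_RETURN_PATH),
                       ("with Return-Path", WITH_RETURN_PATH)):
        print(label, visible_senders(raw), blacklist_hits(raw, PATTERNS))
```

Running the same check on the headers of the message as the filter received it shows whether the address in the postfix log ever reached the scanner.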