Posted to users@spamassassin.apache.org by "Steven W. Orr" <st...@syslang.net> on 2006/12/05 04:12:26 UTC

Confused about white/black lists.

I have some spam getting through that has USER_IN_WHITELIST. I go and look 
and sher nuff, the From address is there in the email column of the awl 
table. I don't know how it got there but it's there. Can someone please 
'splain to me how this works?

* My understanding is that a positive value in the awl table in the
   totscore column is a blacklist entry. A negative value is a
   whitelist entry. Am I correct?
* What is the purpose of the count column? Is it used as a parameter
   in the calculation with the totscore value?
* Is there a command line interface to change something from a
   whitelist value to a blacklist value?
* If an address is added to the table for a user, can I make that
   address be made somehow 'global' so that it weighs against email to
   any user?
* Is all mail that comes in, both ham and spam, using From addresses
   to add to the awl table?
* (Last question). All spam that comes in is run through
   sa-learn --spam
   Is there something else I should do to better manage the awl?

TIA

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

Re: Confused about white/black lists.

Posted by Matt Kettler <mk...@verizon.net>.
Steven W. Orr wrote:
> I have some spam getting through that has USER_IN_WHITELIST. I go and
> look and sher nuff, the From address is there in the email column of
> the awl table. 
USER_IN_WHITELIST has NOTHING to do with the AWL.

This is strictly a whitelist_from, whitelist_from_rcvd or
whitelist_from_spf thing.

Be sure to check *all* headers that SA considers to be From: equivalents,
including Return-Path.


> I don't know how it got there but it's there. Can someone please
> 'splain to me how this works?
>
> * My understanding is that a positive value in the awl table in the
>   totscore column is a blacklist entry. A negative value is a
>   whitelist entry. Am I correct?
No. That's the total score. The AWL is a score-averager, not a black or
whitelist.

AWL score = (totalscore/count)-(current message score before AWL) * (awl
factor, default 0.5).


> * What is the purpose of the count column? Is it used as a parameter
>   in the calculation with the totscore value?
Yes. See above.
> * Is there a command line interface to change something from a
>   whitelist value to a blacklist value?
No, because it's not a black or whitelist. In theory
--add-addr-to-whitelist and --add-addr-to-blacklist can be used to bias
these numbers, but last time I tried it didn't work properly for
existing entries.

> * If an address is added to the table for a user, can I make that
>   address be made somehow 'global' so that it weighs against email to
>   any user?
Not unless you use a global AWL.
> * Is all mail that comes in, both ham and spam, using From addresses
>   to add to the awl table?
Yes.
> * (Last question). All spam that comes in is run through
>   sa-learn --spam
>   Is there something else I should do to better manage the awl?
sa-learn --spam has no effect on the AWL. That affects the BAYES system.
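
[Added example, not part of the post above and not SpamAssassin code: a simplified Python model of the score averaging described in this reply, using the grouping from the AWL plugin documentation, finalscore = score + (mean - score) * factor. Assumptions: one history row per sender address (the real plugin also keys on part of the relay IP), the pre-AWL score is what is added to totscore, and the names AwlTable and replay, the address and the scores are constructed for illustration.]

```python
# Added illustration; a simplified model, not SpamAssassin source code.
# Column names (totscore, count) follow the awl table discussed in the thread.

AWL_FACTOR = 0.5   # "awl factor, default 0.5" per the reply above
THRESHOLD = 5.0    # the reject score mentioned elsewhere in the thread


class AwlTable:
    """Assumed model: one row per sender address."""

    def __init__(self, factor=AWL_FACTOR):
        self.factor = factor
        self.rows = {}  # email -> {"totscore": float, "count": int}

    def adjust(self, email, score):
        """Return (awl_delta, final_score), then record the pre-AWL score."""
        row = self.rows.setdefault(email, {"totscore": 0.0, "count": 0})
        if row["count"] == 0:
            delta = 0.0  # no history yet, nothing to average toward
        else:
            mean = row["totscore"] / row["count"]
            delta = (mean - score) * self.factor
        row["totscore"] += score  # history stores the score before AWL
        row["count"] += 1
        return delta, score + delta

    def remove(self, email):
        """Forget a sender's history (same effect as deleting the row)."""
        self.rows.pop(email, None)


def replay(table, email, scores):
    """Feed pre-AWL scores for one sender; return the final scores."""
    return [round(table.adjust(email, s)[1], 3) for s in scores]


if __name__ == "__main__":
    table = AwlTable()
    sender = "someone@example.test"  # constructed address
    # Constructed history: three low-scoring mails, then two scoring 8.0.
    for final in replay(table, sender, [1.0, 1.0, 1.0, 8.0, 8.0]):
        verdict = "reject" if final >= THRESHOLD else "accept"
        print(f"final={final:<6} {verdict}")
    print(table.rows[sender])  # positive totscore is a running sum, not a blacklist
```

In this constructed run the first 8.0 message is pulled down to 4.5 by the sender's low average, while the second lands at 5.375 because the history has already shifted upward.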


Re: Confused about white/black lists.

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Dec 05, 2006 at 10:43:51PM -0500, Steven W. Orr wrote:
> =>> I have some spam getting through that has USER_IN_WHITELIST. I go and look 
> =>USER_IN_WHITELIST has nothing to do with the AWL.  You'll want to find your
> =>whitelist_from/whitelist_from_rcvd entry that matches the mail.
> I promise that the addresses that got through do not have any such 
> entries in any cf file. But I guess the problem I have is this:

I would disagree, since you got the rule hit, but ... :)

> It would seem to me that the ones that get through would be acting as a 
> type of poison for the awl table. When a spam message comes through, 
> should I not do something to tell the awl table that the address it saved 
> is bad the same way that I run sa-learn to fix the bayes tables?

You can remove the addr from the DB, but I generally wouldn't worry
about it too much.

-- 
Randomly Selected Tagline:
Bit - The increment by which programmers slowly go mad.

Re: Confused about white/black lists.

Posted by "Steven W. Orr" <st...@syslang.net>.
On Monday, Dec 4th 2006 at 23:34 -0500, quoth Theo Van Dinter:

=>On Mon, Dec 04, 2006 at 10:12:26PM -0500, Steven W. Orr wrote:
=>> I have some spam getting through that has USER_IN_WHITELIST. I go and look 
=>> and sher nuff, the From address is there in the email column of the awl 
=>> table. I don't know how it got there but it's there. Can someone please 
=>> 'splain to me how this works?
=>
=>USER_IN_WHITELIST has nothing to do with the AWL.  You'll want to find your
=>whitelist_from/whitelist_from_rcvd entry that matches the mail.

I promise that the addresses that got through do not have any such 
entries in any cf file. But I guess the problem I have is this:

I reject all mail that hits a 5 via a milter before reception completes. 
It would seem to me that the ones that get through would be acting as a 
type of poison for the awl table. When a spam message comes through, 
should I not do something to tell the awl table that the address it saved 
is bad the same way that I run sa-learn to fix the bayes tables?

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

Re: Confused about white/black lists.

Posted by Theo Van Dinter <fe...@apache.org>.
On Mon, Dec 04, 2006 at 10:12:26PM -0500, Steven W. Orr wrote:
> I have some spam getting through that has USER_IN_WHITELIST. I go and look 
> and sher nuff, the From address is there in the email column of the awl 
> table. I don't know how it got there but it's there. Can someone please 
> 'splain to me how this works?

USER_IN_WHITELIST has nothing to do with the AWL.  You'll want to find your
whitelist_from/whitelist_from_rcvd entry that matches the mail.

-- 
Randomly Selected Tagline:
"Linux is not beautiful. Because power means rawness. And its up to the
 user to paint it. When he gets there don't get scared. Everyone has a
 Picasso inside."                        - Unknown user from /.