Posted to users@spamassassin.apache.org by Clay Irving <cl...@panix.com> on 2005/12/27 23:40:46 UTC

Whitelisted spam

Here's one that has me a bit confused. I'm receiving mail from spammers 
and the messages are being scored 30+, but they're also hitting on 
USER_IN_WHITELIST which pushes the score positive. The commonality
between messages is:

  - they are being sent to a mail alias

  - in the mail logs, it looks like they are from <>

This is the log from one of the messages:

  Dec 27 05:15:34 chatter postfix/nqmgr[14336]: 5617E81484C: from=<>, 
  size=1427, nrcpt=1 (queue active)

  Dec 27 05:15:35 chatter postfix/local[22329]: 5617E81484C: 
  to=<cl...@mydomain.com>, orig_to=<db...@mydomain.com>, relay=local, 
  delay=1, status=sent (delivered to command: /usr/local/bin/procmail)

Notice the Return-Path in one of the message headers:

  From MAILER-DAEMON  Tue Dec 27 14:04:52 2005
  Return-Path: <>
  X-Original-To: dba@mydomain.com
  Delivered-To: dba@mydomain.com
  Received: by mail.mydomain.com (Postfix, from userid 2331)
          id 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
  X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
          chatter.mydomain.com
  X-Spam-Level:
  X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
          DATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
          RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
          RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
          RCVD_IN_WHOIS_INVALID,SKX_TO_DBA,USER_IN_WHITELIST autolearn=no
          version=3.1.0
  Received: from ordi-xpsp2.noos.fr (m96.net81-64-161.noos.fr [81.64.161.96])
          by mail.mydomain.com (Postfix) with SMTP id 1FA7581459E
          for <db...@mydomain.com>; Tue, 27 Dec 2005 14:04:49 -0800 (PST)
  Message-Id: <00...@ordi-xpsp2>
  From: Jodi Santiago <xt...@dearborn.com>
  To: dba@mydomain.com

The user isn't in a whitelist, at least that I can find.

-- 
Clay Irving <cl...@panix.com>
Yesterday I parked my car in a tow-away zone...when I came back the entire area
was missing.  
- Steven Wright 

Re: Whitelisted spam

Posted by Matt Kettler <mk...@comcast.net>.
At 05:40 PM 12/27/2005, Clay Irving wrote:
>Here's one that has me a bit confused. I'm receiving mail from spammers
>and the messages are being scored 30+, but they're also hitting on
>USER_IN_WHITELIST which pushes the score positive.


>   Return-Path: <>
>   X-Original-To: dba@mydomain.com
>   Delivered-To: dba@mydomain.com
>   Received: by mail.mydomain.com (Postfix, from userid 2331)
>           id 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
>   X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>           chatter.mydomain.com
>   X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
>           DATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
>           RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
>           RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
>           RCVD_IN_WHOIS_INVALID,SKX_TO_DBA,USER_IN_WHITELIST autolearn=no
>           version=3.1.0
>   From: Jodi Santiago <xt...@dearborn.com>
>   To: dba@mydomain.com
>
>The user isn't in a whitelist, at least that I can find.

Well, finding it is what we need to do. I've never seen a USER_IN_WHITELIST 
FP before..
Hmm, well.. Let's see here.. USER_IN_WHITELIST points to it matching a 
whitelist_from, or whitelist_from_rcvd. Anything else would show up as a 
different hit.

SA will match either the Return-Path or the From: header address to 
whitelists, so we need to find something that would match 
"xthecnwth@dearborn.com" or "".


First, I'd suggest a spamassassin --lint run. Maybe there's some typo 
somewhere that's REALLY confusing SA..  I doubt it, but we should rule that 
out before going ahead.

After that I'd suggest grepping your configs for all the whitelist_from 
commands.

Check the site_config dir, assuming /etc/mail/spamassassin is your site 
config:
         grep whitelist_from /etc/mail/spamassassin/*.cf

I'd also check around for user_prefs files in the following spots:
/root/.spamassassin/
/home/dba/.spamassassin/
/home/<real delivery user>/.spamassassin/
~nobody/.spamassassin/
Re: Whitelisted spam

Posted by Arias Hung <ar...@m-a-g.net>.
On Tue, 27 Dec 2005, Clay Irving delivered in simple text monotype:

> The user isn't in a whitelist, at least that I can find.
<---snip--->

I'm having similar issues, where 99% of my false positives are due to being whitelisted.  Since my personal whitelist is practically nil after process of elimination, I wonder if there's a relatively simple way to narrow down the culprit whitelist.

I haven't looked at it too carefully yet, but perhaps there are additional debug type flags in the AWL perl modules?
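The search Matt outlines (whitelist_from / whitelist_from_rcvd entries that would match the empty Return-Path or the From: address) and the "narrow down the culprit whitelist" question Arias raises, as an added example that is neither from this thread nor SpamAssassin's own code: it gathers the config locations named above, compiles each wildcard the way SpamAssassin is assumed to (SA 3.x semantics: `?` one character, `*` any run, anchored, case-insensitive), and reports every entry matching either candidate address. The sample config, the `~dba` home and the script's function names are constructed for illustration.

```python
import os
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Constructed sample config (not from the thread) so the script also runs offline.
SAMPLE_CF = """\
whitelist_from  friend@example.org  *@partner.example
whitelist_from_rcvd  *@dearborn.com  dearborn.com   # relay host must also match
whitelist_from  *    # over-broad wildcard: matches every address, including <>
"""

def sa_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'?' = one char, '*' = any run, rest literal; anchored, case-insensitive (assumed SA 3.x rule)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def whitelist_entries(cf_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (directive, pattern, relay) for each whitelist_from[_rcvd] entry."""
    for raw in cf_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if fields and fields[0] == "whitelist_from":
            for pat in fields[1:]:
                yield ("whitelist_from", pat, "")
        elif fields and fields[0] == "whitelist_from_rcvd" and len(fields) >= 3:
            yield ("whitelist_from_rcvd", fields[1], fields[2])

def find_culprits(configs: Dict[str, str], addresses: List[str]) -> List[dict]:
    """Entries matching a candidate address (a _rcvd hit is provisional: SA also checks the relay)."""
    hits = []
    for source, text in configs.items():
        for directive, pat, relay in whitelist_entries(text):
            rx = sa_wildcard_to_regex(pat)
            for addr in addresses:
                if rx.match(addr):
                    hits.append({"source": source, "directive": directive,
                                 "pattern": pat, "relay": relay, "matched": addr})
    return hits

def load_configs(site_dir: str = "/etc/mail/spamassassin") -> Dict[str, str]:
    """Site *.cf files plus the user_prefs locations suggested in the thread."""
    paths = sorted(Path(site_dir).glob("*.cf"))
    for home in ("~root", "~dba", "~nobody"):       # add the real delivery user too
        paths.append(Path(os.path.expanduser(home)) / ".spamassassin" / "user_prefs")
    return {str(p): p.read_text(errors="replace") for p in paths if p.is_file()}

if __name__ == "__main__":   # candidates from the thread: Return-Path <> and the From: address
    for h in find_culprits(load_configs() or {"<sample>": SAMPLE_CF}, ["", "xthecnwth@dearborn.com"]):
        print(h)
```

Against the sample config the bare `*` entry is reported twice (it matches both the empty envelope sender and the From: address), which is exactly the kind of over-broad wildcard that produces a USER_IN_WHITELIST hit on a 30+ point spam.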