Posted to users@spamassassin.apache.org by Clay Irving <cl...@panix.com> on 2005/12/27 23:40:46 UTC
Whitelisted spam
Here's one that has me a bit confused. I'm receiving mail from spammers
and the messages are being scored 30+, but they're also hitting on
USER_IN_WHITELIST which pushes the score positive. The commonality
between messages is:
- they are being sent to a mail alias
- in the mail logs, it looks like they are from <>
This is the log from one of the messages:
Dec 27 05:15:34 chatter postfix/nqmgr[14336]: 5617E81484C: from=<>,
size=1427, nrcpt=1 (queue active)
Dec 27 05:15:35 chatter postfix/local[22329]: 5617E81484C:
to=<cl...@mydomain.com>, orig_to=<db...@mydomain.com>, relay=local,
delay=1, status=sent (delivered to command: /usr/local/bin/procmail)
Notice the Return-Path in one of the message headers:
From MAILER-DAEMON Tue Dec 27 14:04:52 2005
Return-Path: <>
X-Original-To: dba@mydomain.com
Delivered-To: dba@mydomain.com
Received: by mail.mydomain.com (Postfix, from userid 2331)
id 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
chatter.mydomain.com
X-Spam-Level:
X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
DATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
RCVD_IN_WHOIS_INVALID,SKX_TO_DBA,USER_IN_WHITELIST autolearn=no
version=3.1.0
Received: from ordi-xpsp2.noos.fr (m96.net81-64-161.noos.fr [81.64.161.96])
by mail.mydomain.com (Postfix) with SMTP id 1FA7581459E
for <db...@mydomain.com>; Tue, 27 Dec 2005 14:04:49 -0800 (PST)
Message-Id: <00...@ordi-xpsp2>
From: Jodi Santiago <xt...@dearborn.com>
To: dba@mydomain.com
The user isn't in a whitelist, at least that I can find.
--
Clay Irving <cl...@panix.com>
Yesterday I parked my car in a tow-away zone...when I came back the entire area
was missing.
- Steven Wright
Re: Whitelisted spam
Posted by Matt Kettler <mk...@comcast.net>.
At 05:40 PM 12/27/2005, Clay Irving wrote:
>Here's one that has me a bit confused. I'm receiving mail from spammers
>and the messages are being scored 30+, but they're also hitting on
>USER_IN_WHITELIST which pushes the score positive.
> Return-Path: <>
> X-Original-To: dba@mydomain.com
> Delivered-To: dba@mydomain.com
> Received: by mail.mydomain.com (Postfix, from userid 2331)
> id 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> chatter.mydomain.com
> X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
> DATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
> RCVD_IN_WHOIS_INVALID,SKX_TO_DBA,USER_IN_WHITELIST autolearn=no
> version=3.1.0
> From: Jodi Santiago <xt...@dearborn.com>
> To: dba@mydomain.com
>
>The user isn't in a whitelist, at least that I can find.
Well, finding it is what we need to do. I've never seen a USER_IN_WHITELIST
FP before..
Hmm, well.. Let's see here.. USER_IN_WHITELIST points to it matching a
whitelist_from, or whitelist_from_rcvd. Anything else would show up as a
different hit.
SA will match either the Return-Path or the From: header address to
whitelists, so we need to find something that would match
"xthecnwth@dearborn.com" or "".
First, I'd suggest a spamassassin --lint run. Maybe there's some typo
somewhere that's REALLY confusing SA.. I doubt it, but we should rule that
out before going ahead.
After that I'd suggest grepping your configs for all the whitelist_from
commands.
check the site_config dir, assuming /etc/mail/spamassassin is your site
config:
grep whitelist_from /etc/mail/spamassassin/*.cf
I'd also check around for user_prefs files in the following spots:
/root/.spamassassin/
/home/dba/.spamassassin/
/home/<real delivery user>/.spamassassin/
~nobody/.spamassassin/
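The search the reply above walks through, as an added example that is not part of the thread: it gathers every whitelist_from / whitelist_from_rcvd entry from a set of config files and reports which of them would match the two addresses SpamAssassin compares, the From: address and the (here empty) Return-Path. It assumes the documented wildcard semantics of whitelist_from (* and ?, matched case-insensitively over the whole address); the file paths and entries in the demo are constructed, and the rDNS domain check of whitelist_from_rcvd is not reproduced.

```shell
# Added example (not from the thread): locate the whitelist_from or
# whitelist_from_rcvd entry matching the addresses SpamAssassin checks,
# i.e. the From: address and the envelope sender in Return-Path (empty,
# <>, in the reported message). Demo paths and entries are constructed.

# Lowercase for SpamAssassin's case-insensitive whitelist comparison.
sa_lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Return 0 when whitelist glob $1 matches address $2. SA entries use the
# same * and ? wildcards as shell patterns, so case does the matching.
# A bare "*" therefore matches every sender, including the empty <>.
sa_glob_matches() {
  wl_pat=$(sa_lc "$1"); wl_addr=$(sa_lc "$2")
  case "$wl_addr" in
    $wl_pat) return 0 ;;
  esac
  return 1
}

# Print "file<TAB>directive<TAB>glob" for each address glob in the files.
# Comments are dropped; whitelist_from may list several addresses per line;
# whitelist_from_rcvd takes one address followed by an rDNS domain.
sa_whitelist_entries() {
  for f in "$@"; do
    [ -r "$f" ] || continue
    sed -e 's/#.*//' "$f" | awk -v f="$f" '
      $1 == "whitelist_from"      { for (i = 2; i <= NF; i++) print f "\t" $1 "\t" $i }
      $1 == "whitelist_from_rcvd" { if (NF >= 2) print f "\t" $1 "\t" $2 }'
  done
}

# Print every entry in the given files that matches address $1.
sa_find_whitelist_hits() {
  hit_addr=$1; shift
  sa_whitelist_entries "$@" | while IFS="$(printf '\t')" read -r file directive glob; do
    if sa_glob_matches "$glob" "$hit_addr"; then printf '%s\t%s\t%s\n' "$file" "$directive" "$glob"; fi
  done
}

# Demo on constructed configs standing in for site *.cf and user_prefs files.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/dba"
printf 'whitelist_from  *@mydomain.com  partner@example.net\n' > "$demo_dir/local.cf"
printf 'whitelist_from_rcvd  *@example.org  example.org\n' >> "$demo_dir/local.cf"
printf 'whitelist_from *  # constructed over-broad entry\n' > "$demo_dir/dba/user_prefs"
for sender in 'xthecnwth@dearborn.com' ''; do
  printf 'entries matching "%s":\n' "$sender"
  sa_find_whitelist_hits "$sender" "$demo_dir"/*.cf "$demo_dir"/*/user_prefs
done
rm -rf "$demo_dir"
```

Point the file list at the site config directory and the user_prefs locations listed above to run it against a real installation.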
Re: Whitelisted spam
Posted by Arias Hung <ar...@m-a-g.net>.
On Tue, 27 Dec 2005, Clay Irving delivered in simple text monotype:
> The user isn't in a whitelist, at least that I can find.
<---snip--->
I'm having similar issues, where 99% of my false positives are due to being whitelisted. Since my personal whitelist is practically nil after process of elimination, I wonder if there's a relatively simple way to narrow down the culprit whitelist.
I haven't looked at it too carefully yet, but perhaps there are additional debug type flags in the AWL perl modules?