Posted to users@spamassassin.apache.org by Lorenzo Thurman <lo...@thethurmans.com> on 2016/07/07 01:13:52 UTC
USER_IN_WHITELIST
I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are most definitely not in my whitelist. How can I get around this problem?
Thanks
Re: USER_IN_WHITELIST
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 6 Jul 2016, at 21:58, David B Funk wrote:
> On Wed, 6 Jul 2016, Lorenzo Thurman wrote:
>
>> I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are
>> most definitely not in my whitelist. How can I get around this problem? Thanks
>>
>
> SpamAssassin comes with some built-in whitelists (which should be pretty safe to
> use). Look in your SA rules kit for things like: 60_whitelist.cf 60_whitelist_dkim.cf and 60_whitelist_spf.cf
Those should not cause USER_IN_WHITELIST matches but rather USER_IN_DEF_WHITELIST and similarly labeled forms of the SPF and DKIM variations.
Re: USER_IN_WHITELIST
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 6 Jul 2016, Lorenzo Thurman wrote:
> I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are
> most definitely not in my whitelist. How can I get around this problem? Thanks
>
SpamAssassin comes with some built-in whitelists (which should be pretty safe to
use). Look in your SA rules kit for things like: 60_whitelist.cf
60_whitelist_dkim.cf and 60_whitelist_spf.cf
You might also have some 3rd-party rules files that contain whitelists.
You can explicitly negate the effect of an entry from one of these files by
using the appropriate "unwhitelist_from" type configuration statements in your
local.cf config files.
Theoretically you could edit the system config files but those edits could be
lost with the next system rules update, so using the unwhitelist_from technique
is the way to go.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: USER_IN_WHITELIST
Posted by RW <rw...@googlemail.com>.
On Thu, 7 Jul 2016 10:03:37 -0500
Lorenzo Thurman wrote:
>
> > On Jul 7, 2016, at 8:14 AM, Antony Stone
> > <An...@spamassassin.open.source.it> wrote:
> > There's a big difference between subdomains, and domains with
> > letters in front of "microsoft".
> >
> > \.microsoft\.com$ will match anything ending in ".microsoft.com"
> >
> > That means it will match www.microsoft.com and cdn.microsoft.com
> > for example, but it will not match
> > kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
> >
> > The dot in front of "microsoft" in the regex is important :)
>
> Great, thanks.
You can't use a regex in a whitelisting entry.
Re: USER_IN_WHITELIST
Posted by Sidney Markowitz <si...@sidney.com>.
Lorenzo Thurman wrote on 8/07/16 9:26 AM:
> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google.
>
Excuse my typo; the correct spelling is whitelist_from_rcvd.
To use it, look at the legitimate emails that you want to whitelist and check
the Received header that shows where your receiving mail server received the
email from the sending mail server. Typically for a corporate address like
microsoft.com the mail will have come from a host with a name like
smtp.microsoft.com or maila.microsoft.com. If the Received header does show
that the mail came from some IP address and also shows a host name for it in
the microsoft.com domain (for example), then you can use whitelist_from_rcvd to
whitelist such mails. You can only put one address on a line, so you would
need two entries to get the two that you want:
whitelist_from_rcvd *@microsoft.com microsoft.com
whitelist_from_rcvd *.microsoft.com microsoft.com
But do check your emails to see if you get the proper Received headers to be
able to do this. Some mail servers do not do the reverse domain name lookup to
add the host name to the ip address in Received headers. Some email addresses
you may want to whitelist are not set up to reliably send from the same few
mail servers.
If somebody sends mail from a non-Microsoft mail server but with a
microsoft.com From address, it will not get whitelisted by this. That's
exactly what you want to not whitelist spammers who forge a microsoft.com
address.
Sidney
Re: USER_IN_WHITELIST
Posted by Reindl Harald <h....@thelounge.net>.
Am 07.07.2016 um 23:26 schrieb Lorenzo Thurman:
> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google.
Besides the typo, it works the same way as the other whitelist options;
the only difference is the second parameter, which is the DNS PTR of the
sending host:
whitelist_from_rcvd *@example.net example.com
Look at the difference between .net / .com:
when the PTR of the sending host ends with "example.com", sender
"example.net" is fine.
_________________________
for subdomains
*@example.net
*@*.example.net
_________________________
.example.net is important because it doesn't match "somefucker-example.net"
Re: USER_IN_WHITELIST
Posted by Lorenzo Thurman <lo...@thethurmans.com>.
"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty
> On Jul 7, 2016, at 3:57 PM, Sidney Markowitz <si...@sidney.com> wrote:
>
> Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>>> On Jul 7, 2016, at 8:14 AM, Antony Stone <An...@spamassassin.open.source.it> wrote:
>>> \.microsoft\.com$ will match anything ending in ".microsoft.com"
>
> RW already pointed this out, but to make sure nobody reading this thread
> misses it, the above is wrong because whitelist does not use regexps.
>
> See
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
>
> where it says
>
> "Whitelist and blacklist addresses are now file-glob-style patterns, so
> friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
> * and ? are allowed, but all other metacharacters are not. Regular expressions
> are not used for security reasons. Matching is case-insensitive.
>
> Multiple addresses per line, separated by spaces, is OK. Multiple
> whitelist_from lines are also OK."
>
> Notice the last example there. Spamassassin is parsing out the email addresses
> and matching them with the patterns so you don't have to do tricky stuff like
> *@*.microsoft.com. Specifically, you can use
>
> whitelist_from *@microsoft.com *.microsoft.com
>
> which will match what you want but will not match anything@onmicrosoft.com and
> will not match foo.microsoft.com@example.com
>
> As the page also points out if you can figure out how to use
> whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
> spoofing the From address. Whether you can do that depends on whether the
> domain you are whitelisting has restrictions on what servers can send mail for it.
>
> Sidney
>
>
Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google.
Re: USER_IN_WHITELIST
Posted by Sidney Markowitz <si...@sidney.com>.
Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>> On Jul 7, 2016, at 8:14 AM, Antony Stone <An...@spamassassin.open.source.it> wrote:
>> \.microsoft\.com$ will match anything ending in ".microsoft.com"
RW already pointed this out, but to make sure nobody reading this thread
misses it, the above is wrong because whitelist does not use regexps.
See
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
where it says
"Whitelist and blacklist addresses are now file-glob-style patterns, so
friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
* and ? are allowed, but all other metacharacters are not. Regular expressions
are not used for security reasons. Matching is case-insensitive.
Multiple addresses per line, separated by spaces, is OK. Multiple
whitelist_from lines are also OK."
Notice the last example there. Spamassassin is parsing out the email addresses
and matching them with the patterns so you don't have to do tricky stuff like
*@*.microsoft.com. Specifically, you can use
whitelist_from *@microsoft.com *.microsoft.com
which will match what you want but will not match anything@onmicrosoft.com and
will not match foo.microsoft.com@example.com
As the page also points out if you can figure out how to use
whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
spoofing the From address. Whether you can do that depends on whether the
domain you are whitelisting has restrictions on what servers can send mail for it.
Sidney
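The glob-to-regex conversion RW mentions, the tighter patterns Sidney recommends, and the relay-side check that Sidney and Reindl Harald describe for whitelist_from_rcvd, as an added example that is not part of the thread: a Python reconstruction of SpamAssassin's whitelist_from glob transform (it mirrors add_to_addrlist in Mail::SpamAssassin::Conf and reproduces the ^.*microsoft\.com$ seen in the debug output) next to a simplified whitelist_from_rcvd check. The Received-header parsing, the relay selection (take the topmost Received line written by our own MTA and ignore everything the sender could have forged below it), the host name mx.thethurmans.example, and all addresses and headers are constructed assumptions, not SA's own trusted/untrusted relay computation.

```python
import re

# Part 1: the glob-to-regex transform behind whitelist_from / blacklist_from.
# Mirrors add_to_addrlist in Mail::SpamAssassin::Conf: lowercase, neutralise
# NUL / backslash / '(', escape everything except * ? _ and alphanumerics,
# '?' -> '.', a run of '*' -> '.*', then anchor both ends.
def sa_glob_to_regex(pattern: str) -> str:
    pat = pattern.lower()
    pat = re.sub(r"[\x00\\(]", "_", pat)
    pat = re.sub(r"([^*?_a-zA-Z0-9])", r"\\\1", pat)
    pat = pat.replace("?", ".")
    pat = re.sub(r"\*+", ".*", pat)
    return f"^{pat}$"


def addr_matches(addr: str, patterns) -> bool:
    """True if the address matches any glob; SA compares lowercased."""
    return any(re.search(sa_glob_to_regex(p), addr.lower()) for p in patterns)


LOOSE = ["*microsoft.com"]                       # the entry behind the debug output
TIGHT = ["*@microsoft.com", "*.microsoft.com"]   # the replacement suggested above

# Part 2: a simplified whitelist_from_rcvd check (constructed approximation).
# Postfix/Sendmail style header:  from <helo> (<rdns> [<ip>]) by <host> ...
_RCVD = re.compile(r"^from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)\s+by\s+(\S+)", re.I)


def last_external_relay(received_headers, trusted_hosts):
    """(rdns, ip) of the host that handed the message to our own MTA: the
    topmost Received header whose 'by' host is one of ours. Anything below
    that line was written by the sender and may be forged, so it is never
    consulted. Simplification of SA's trusted/untrusted relay split
    (assumes no internal hops beyond trusted_hosts)."""
    for hdr in received_headers:  # topmost (newest) first
        m = _RCVD.match(hdr.strip())
        if m and m.group(4).lower() in trusted_hosts:
            return m.group(2).lower(), m.group(3)
    return None


def rcvd_domain_ok(rdns: str, domain: str) -> bool:
    """Test for the second argument: the relay's rDNS must equal the domain
    or end in '.' + domain. 'smtp.microsoft.com' passes,
    'bulk7.onmicrosoft.com' does not."""
    return re.search(r"(?:^|\.)" + re.escape(domain.lower()) + r"$", rdns) is not None


def check_whitelist_rcvd(from_addr, received_headers, entries, trusted_hosts):
    """entries: (glob, domain) pairs as in 'whitelist_from_rcvd glob domain'.
    Returns 'whitelisted', 'forged' (address matched, relay did not) or
    'no-match': the address hit alone is never enough."""
    relay = last_external_relay(received_headers, trusted_hosts)
    if relay is None:
        return "no-match"
    addr_hit = False
    for glob, domain in entries:
        if not addr_matches(from_addr, [glob]):
            continue
        addr_hit = True
        if rcvd_domain_ok(relay[0], domain):
            return "whitelisted"
    return "forged" if addr_hit else "no-match"


# Constructed sample data (not from the thread): our MTA and two Received
# chains, one genuine and one where the sender forged a Received line.
TRUSTED = {"mx.thethurmans.example"}
ENTRIES = [("*@microsoft.com", "microsoft.com"), ("*.microsoft.com", "microsoft.com")]
GENUINE_RCVD = [
    "from smtp.microsoft.com (smtp.microsoft.com [192.0.2.10]) "
    "by mx.thethurmans.example with ESMTP id 4fA1bC",
]
SPOOFED_RCVD = [
    "from smtp.microsoft.com (bulk7.onmicrosoft.com [198.51.100.9]) "
    "by mx.thethurmans.example with ESMTP id 9dE2fG",
    # forged by the sender; sits below our own header and is ignored
    "from smtp.microsoft.com (smtp.microsoft.com [192.0.2.10]) "
    "by bulk7.onmicrosoft.com with ESMTP id 0000",
]

if __name__ == "__main__":
    for a in ["hefghhh@hkjhkjhk.onmicrosoft.com", "someone@mail.microsoft.com",
              "spam@kajsdhfkjasghdskghlaskfhmicrosoft.com", "anything@onmicrosoft.com"]:
        print(f"{a:45} loose={addr_matches(a, LOOSE)!s:5} tight={addr_matches(a, TIGHT)}")
    print(check_whitelist_rcvd("someone@microsoft.com", GENUINE_RCVD, ENTRIES, TRUSTED))
    print(check_whitelist_rcvd("someone@microsoft.com", SPOOFED_RCVD, ENTRIES, TRUSTED))
```

Running it shows the two failure modes from the thread side by side: the loose glob whitelists both the onmicrosoft.com address and a look-alike registration ending in "microsoft.com", while the two tight globs accept only a bare microsoft.com address or a real subdomain. The rcvd variant adds the relay test on top of that, so a message with a matching From address that arrived from a host whose reverse DNS is not under microsoft.com is reported as forged rather than whitelisted; whether that works for a given sender depends, as Sidney notes, on the receiving MTA recording reverse DNS and on the sender always using hosts in its own domain.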
Re: USER_IN_WHITELIST
Posted by Lorenzo Thurman <lo...@thethurmans.com>.
> On Jul 7, 2016, at 8:14 AM, Antony Stone <An...@spamassassin.open.source.it> wrote:
>
> On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:
>
>>> On Jul 7, 2016, at 7:15 AM, Reindl Harald <h....@thelounge.net> wrote:
>>>> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
>>>> In addition to the above, it's easy for a spammer to register something
>>>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>>>> whitelisted for you. I would recommend against using wildcard whitelist
>>>> patterns like that
>>>
>>> should at least look similar to that:
>>> ^.*\.microsoft\.com$
>>>
>>> well the ^ followed by .* is also pointless
>>
>> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
>> was so that I could also capture us domains. Is there a rule that allows
>> me to get subdomains w/o opening myself like I have?
>
> There's a big difference between subdomains, and domains with letters in front
> of "microsoft".
>
> \.microsoft\.com$ will match anything ending in ".microsoft.com"
>
> That means it will match www.microsoft.com and cdn.microsoft.com for example,
> but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
>
> The dot in front of "microsoft" in the regex is important :)
>
>
> Antony.
>
> --
> Tax inspectors are just accountants who work for the evil dictators of
> democracy.
>
> Please reply to the list;
> please *don't* CC me.
Great, thanks.
Re: USER_IN_WHITELIST
Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:
> > On Jul 7, 2016, at 7:15 AM, Reindl Harald <h....@thelounge.net> wrote:
> >> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
> >> In addition to the above, it's easy for a spammer to register something
> >> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
> >> whitelisted for you. I would recommend against using wildcard whitelist
> >> patterns like that
> >
> > should at least look similar to that:
> > ^.*\.microsoft\.com$
> >
> > well the ^ followed by .* is also pointless
>
> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
> was so that I could also capture us domains. Is there a rule that allows
> me to get subdomains w/o opening myself like I have?
There's a big difference between subdomains, and domains with letters in front
of "microsoft".
\.microsoft\.com$ will match anything ending in ".microsoft.com"
That means it will match www.microsoft.com and cdn.microsoft.com for example,
but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
The dot in front of "microsoft" in the regex is important :)
Antony.
--
Tax inspectors are just accountants who work for the evil dictators of
democracy.
Please reply to the list;
please *don't* CC me.
Re: USER_IN_WHITELIST
Posted by RW <rw...@googlemail.com>.
On Thu, 7 Jul 2016 14:15:18 +0200
Reindl Harald wrote:
> should at least look similar to that:
> ^.*\.microsoft\.com$
>
> well the ^ followed by .* is also pointless
It's generated from a glob in the configuration.
Re: USER_IN_WHITELIST
Posted by RW <rw...@googlemail.com>.
On Thu, 7 Jul 2016 08:08:44 -0500
Lorenzo Thurman wrote:
> >
> > well the ^ followed by .* is also pointless
>
>
> I see. Thanks for the tip,
It wasn't really a tip. The globs (wildcards) get converted into
regular expressions that aren't quite as minimalist as they could be
- but that's not under your control.
> I'll make changes. The reason I did wild
> cards was so that I could also capture us domains. Is there a rule
> that allows me to get subdomains w/o opening myself like I have?
You need a separate entry, something like *.microsoft.com.
Re: USER_IN_WHITELIST
Posted by Lorenzo Thurman <lo...@thethurmans.com>.
> On Jul 7, 2016, at 7:15 AM, Reindl Harald <h....@thelounge.net> wrote:
>
>
>
>> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
>>> On 7/6/2016 11:42 PM, Bill Cole wrote:
>>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>>
>>> [...]
>>>> The output from spamassassin -t -D < In-whitelist.txt gives the
>>>> answer, I believe:
>>>>
>>>> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or
>>>> blacklist regexp: ^.*microsoft\.com$
>>>>
>>>> Very sneaky. I think I can handle this one from here.
>>>> Thanks again.
>>>
>>> Happy to be of help.
>>>
>>> For what it's worth: *.onmicrosoft.com domains are part of free trials
>>> of Office365 and generate almost entirely spam. I suppose one could be
>>> a regular paying O365 customer and keep that free domain, but no one
>>> who does that can care much about their email. Spammers have been
>>> using those domains for years and MS really seems not to care about
>>> the fact that they've become a de facto indication of spam.
>> In addition to the above, it's easy for a spammer to register something
>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>> whitelisted for you. I would recommend against using wildcard whitelist
>> patterns like that
>
> should at least look similar to that:
> ^.*\.microsoft\.com$
>
> well the ^ followed by .* is also pointless
I see. Thanks for the tip, I'll make changes. The reason I did wild cards was so that I could also capture us domains. Is there a rule that allows me to get subdomains w/o opening myself like I have?
>
Re: USER_IN_WHITELIST
Posted by Reindl Harald <h....@thelounge.net>.
Am 07.07.2016 um 14:12 schrieb Joe Quinn:
> On 7/6/2016 11:42 PM, Bill Cole wrote:
>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>
>> [...]
>>> The output from spamassassin -t -D < In-whitelist.txt gives the
>>> answer, I believe:
>>>
>>> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or
>>> blacklist regexp: ^.*microsoft\.com$
>>>
>>> Very sneaky. I think I can handle this one from here.
>>> Thanks again.
>>
>> Happy to be of help.
>>
>> For what it's worth: *.onmicrosoft.com domains are part of free trials
>> of Office365 and generate almost entirely spam. I suppose one could be
>> a regular paying O365 customer and keep that free domain, but no one
>> who does that can care much about their email. Spammers have been
>> using those domains for years and MS really seems not to care about
>> the fact that they've become a de facto indication of spam.
> In addition to the above, it's easy for a spammer to register something
> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
> whitelisted for you. I would recommend against using wildcard whitelist
> patterns like that
should at least look similar to that:
^.*\.microsoft\.com$
well the ^ followed by .* is also pointless
Re: USER_IN_WHITELIST
Posted by Joe Quinn <jq...@pccc.com>.
On 7/6/2016 11:42 PM, Bill Cole wrote:
> On 6 Jul 2016, at 23:10, lorenzo wrote:
>
> [...]
>> The output from spamassassin -t -D < In-whitelist.txt gives the
>> answer, I believe:
>>
>> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or
>> blacklist regexp: ^.*microsoft\.com$
>>
>> Very sneaky. I think I can handle this one from here.
>> Thanks again.
>
> Happy to be of help.
>
> For what it's worth: *.onmicrosoft.com domains are part of free trials
> of Office365 and generate almost entirely spam. I suppose one could be
> a regular paying O365 customer and keep that free domain, but no one
> who does that can care much about their email. Spammers have been
> using those domains for years and MS really seems not to care about
> the fact that they've become a de facto indication of spam.
In addition to the above, it's easy for a spammer to register something
like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
whitelisted for you. I would recommend against using wildcard whitelist
patterns like that.
Re: USER_IN_WHITELIST
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 6 Jul 2016, at 23:10, lorenzo wrote:
[...]
> The output from spamassassin -t -D < In-whitelist.txt gives the
> answer, I believe:
>
> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or
> blacklist regexp: ^.*microsoft\.com$
>
> Very sneaky. I think I can handle this one from here.
> Thanks again.
Happy to be of help.
For what it's worth: *.onmicrosoft.com domains are part of free trials
of Office365 and generate almost entirely spam. I suppose one could be a
regular paying O365 customer and keep that free domain, but no one who
does that can care much about their email. Spammers have been using
those domains for years and MS really seems not to care about the fact
that they've become a de facto indication of spam.
Re: USER_IN_WHITELIST
Posted by lorenzo <lo...@thethurmans.com>.
> On Jul 6, 2016, at 8:50 PM, Bill Cole <sa...@billmail.scconsult.com> wrote:
>
> On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:
>
>> I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are most definitely not in my whitelist. How can I get around this problem?
>
> There are so many relevant variables unspecified that no one here has any hope of solving your problem.
>
> To make it easier for us, please provide more information:
>
> 1. How are you using SpamAssassin? Specifically, if you have it hooked into an MTA like Postfix or Sendmail, tell us which one AND what mechanism you are using to integrate SA and the MTA.
>
> 2. If your system involved the use of spamd, what are its arguments and what user is it running as?
>
> 3. If you scan a message with this problem manually by piping it into 'spamassassin -t -D' what does the resulting flood of debugging information say about what address it is finding as being in the whitelist?
>
Ah, ok. Here’s some info:
spamassassin v3.4.0 - Postfix 2.11.0 Ubuntu 14.04
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid
In /etc/postfix/master.cf
smtp inet n - - - - smtpd -vvv -o content_filter=spamassassin
spamassassin unix - n n - - pipe flags=Rq user=nobody argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}
The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe:
address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$
Very sneaky. I think I can handle this one from here.
Thanks again.
Re: USER_IN_WHITELIST
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:
> I've been receiving some spam where spamassassin identifies the
> sender with USER_IN_WHITELIST. These senders (or domains) are most
> definitely not in my whitelist. How can I get around this problem?
There are so many relevant variables unspecified that no one here has
any hope of solving your problem.
To make it easier for us, please provide more information:
1. How are you using SpamAssassin? Specifically, if you have it hooked
into an MTA like Postfix or Sendmail, tell us which one AND what
mechanism you are using to integrate SA and the MTA.
2. If your system involved the use of spamd, what are its arguments and
what user is it running as?
3. If you scan a message with this problem manually by piping it into
'spamassassin -t -D' what does the resulting flood of debugging
information say about what address it is finding as being in the
whitelist?