You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "Gary G. Taylor" <ga...@donavan.org> on 2006/07/25 17:19:04 UTC

Auto White List problem

I have noticed that several spams are getting through because they have 
entries in the Auto White List, sometimes with very large numbers.

Here is a sample header from a message not flagged as spam:

Return-Path: 
<Wa...@shop.walmart.com>
 Received: from mailrelay03.walmart.com (161.170.254.40) by wesurvu.net with
 SMTP (Eudora Internet Mail Server X 3.2.8) for <ga...@donavan.org>;
 Tue, 25 Jul 2006 01:48:12 -0700
 Received: from shop.walmart.com (172.29.138.22)
  by mailrelay03.walmart.com with ESMTP; 25 Jul 2006 01:47:37 -0700
 Accreditor: Habeas
 X-Habeas-Report: Please report use of this mark in spam to 
<http://www.habeas.com/report/>
 Message-ID: <16...@172.29.138.26>
 Date: Tue, 25 Jul 2006 01:47:36 -0700 (PDT)
 From: Wal-Mart Wire <wa...@walmart.com>
 To: gary@donavan.org
 Subject: Furnishings 101: Fun & Affordable
 Mime-Version: 1.0
 Content-Type: text/html;
  charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 X-Mailer-Version: 3.5.14 build 759
 X-Mailer: Accucast
 X-Accutrak: Wal-Mart_Wire-#2.13690.2d322e343633333732384537@shop.walmart.com
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
manduck.donavan.org
 X-Spam-Level: 
 X-Spam-Status: No, score=-13.0 required=5.0 tests=AWL,HTML_90_100,
        HTML_IMAGE_RATIO_04,HTML_MESSAGE,MIME_HTML_ONLY,USER_IN_DEF_WHITELIST 
        autolearn=no version=3.0.4
 X-UID: 
 Status: R
 X-Status: NC
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 

-------------

And here is a header from a beliefnet (gag) message SA caught:

Return-Path: <li...@partner.beliefnet.com>
 Received: from cmn1lsm4.beliefnet.com (129.33.230.138) by wesurvu.net with
 SMTP (Eudora Internet Mail Server X 3.2.8) for <ga...@donavan.org>;
 Mon, 24 Jul 2006 13:07:25 -0700
 Received: from partner.beliefnet.com (10.2.2.61)
  by cmn1lsm4.beliefnet.com with SMTP; 24 Jul 2006 16:06:43 -0400
 From: PetLovers <Pa...@partner.beliefnet.com>
 Subject: [SPAM] Take a survey - Get a $500 Pet Store Gift Card
 Date: 24 Jul 2006 16:06:43 -0400
 To: gary@donavan.org
 Mime-Version: 1.0
 Content-Type: text/html;
  charset=us-ascii
 Content-Transfer-Encoding: 8bit
 Message-ID: <10...@wesurvu.net>
 X-Spam-Prev-Subject: Take a survey - Get a $500 Pet Store Gift Card
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
manduck.donavan.org
 X-Spam-Level: *****
 X-Spam-Status: Yes, score=5.4 required=5.0 tests=AWL,HELO_DYNAMIC_DHCP,
        HTML_80_90,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY 
        autolearn=no version=3.0.4
 X-Spam-Report: 
        *  2.8 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
        *  0.0 HTML_80_90 BODY: Message is 80% to 90% HTML
        *  1.7 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image 
area
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        * -0.4 AWL AWL: From: address is in the auto white-list
 X-UID: 
 Status: R
 X-Status: NPC
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 

How the fsck did these idiots get into the AWL?!

When I view the AWL file I find probably two or three hundred different URLs 
and email addresses. I am running SpamAssassin 3.0.4 installed as an rpm from 
Mandrakesoft and I have not designated any block of senders as ham.

The questions are:
1) How do I clean out the white list?
2) The installation of SpamAssassin set up KMail with filters for spam. There 
are two actions available: Filter a message as spam, and filter a message as 
ham; each goes into its own separate folder within KMail. Is using these 
manual filters the right thing to do, and then run sa-learn through them at 
the appropriate time?
-- 
Gary G. Taylor * Pomona, CA * 34.074630°N 117.754195°W
gary@donavan.org * http://www.donavan.org
"The two most abundant substance in the Universe are hydrogen
and stupidity." --Frank Zappa, R.A. Heinlein and many others

Re: Auto White List problem

Posted by Matt Kettler <mk...@comcast.net>.

Gary G. Taylor wrote:
>
> And here is a header from a beliefnet (gag) message SA caught:
>   
<snip>
>  X-Spam-Status: Yes, score=5.4 required=5.0 tests=AWL,HELO_DYNAMIC_DHCP,
>         HTML_80_90,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY 
>         autolearn=no version=3.0.4
>  
>   
<snip>
> How the fsck did these idiots get into the AWL?!
>   

Step 1: Ditch any preconceptions that the AWL is a whitelist. It's not,
it's a score-averager. It's called AWL due to lack of a better name
that's not absurdly long.

Step 2:  The above example is perfectly normal and expected for the AWL.
Note that the message was still tagged as spam. This is perfectly normal.

The AWL, in the above example, felt the score of the message should be
5.0. SA scored it 5.8, so the AWL split the difference and made it 5.4
by subtracting 0.4 points. Still tagged as spam, no problem.

Step 3: Read the WIKI to get a better idea of what the AWL really is,
and what it does.

Why the AWL sometimes "Scores the wrong way":

http://wiki.apache.org/spamassassin/AwlWrongWay

What the AWL is and how it works:

http://wiki.apache.org/spamassassin/AutoWhitelist

> When I view the AWL file I find probably two or three hundred different URLs 
> and email addresses. I am running SpamAssassin 3.0.4 installed as an rpm from 
> Mandrakesoft and I have not designated any block of senders as ham.
>
> The questions are:
> 1) How do I clean out the white list?
>   
It's not really a whitelist, as noted above, but you can clean out any
"one off" addresses by using the check-whitelist script that comes in
the tools subdirectory of the tarball.
Note: most RPMs do not come with this, so you WILL have to download the
tarball to get it. However, you don't need to install anything. It's
just a stand-alone perl script. Read the top of the file to get usage
directions.
> 2) The installation of SpamAssassin set up KMail with filters for spam. There 
> are two actions available: Filter a message as spam, and filter a message as 
> ham; each goes into its own separate folder within KMail. Is using these 
> manual filters the right thing to do, and then run sa-learn through them at 
> the appropriate time?
>   
Sounds reasonable to me.