Posted to users@spamassassin.apache.org by Greg Skouby <gs...@sitesnow.com> on 2006/11/29 16:27:41 UTC

Re: spam is marked as "user_in_whitelist"

On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:
> *keep getting the following spam
> which spamassassin for some reason
> gives a score of -100 or -70
> keeps saying the user is in whitelist
> 
> 
> 
> Subject:* both of those that is of the people, of the Lord your words of
> subject :me: a certain man that hear O house of man from among the land 
> of our
> or other of similar context .. they look like quotes from the bible :)
> 
> 
> with offers to buy  some crap  from
> s a b a n z e n dot com
> 
> X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
>     tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
>     HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
>     RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
>     RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
>     SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
>     UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
> 
> 
> i can't think of anything at this point aside from getting rid of the 
> old whitelist and starting a new one.
> 


Hi Stas,


I am betting that the "envelope-sender" is the user that is in the whitelist and you are looking at the "from" address and thinking that the "from" address is not in the whitelist. 
We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100.




--Greg
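
The following is an added example, not part of the original posts and not SpamAssassin or amavisd-new code. It parses the X-Spam-Status header quoted above and recomputes the verdict with the USER_IN_WHITELIST hit ignored or re-weighted, for instance to the -15 suggested above. The function names and the `whitelist_points` parameter are hypothetical, and the header layout (per-rule `NAME=score` pairs inside `tests=[...]`) is assumed to be the one shown in the thread.

```python
import re

# Constructed sample: the X-Spam-Status header quoted in the thread.
SAMPLE = """X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
    tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
    HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
    RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
    RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
    SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
    UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]"""

WHITELIST_RULE = "USER_IN_WHITELIST"


def parse_status(header):
    """Return (score, required, {rule: points}) from a folded X-Spam-Status header."""
    flat = re.sub(r"\s+", " ", header)  # unfold continuation lines
    num = r"(-?\d+(?:\.\d+)?)"
    score = float(re.search(r"\bscore=" + num, flat).group(1))
    required = float(re.search(r"\brequired=" + num, flat).group(1))
    tests = {}
    m = re.search(r"tests=\[(.*?)\]", flat)
    for item in (m.group(1).split(",") if m else []):
        name, sep, points = item.strip().partition("=")
        if sep:  # skip entries that carry no per-rule score
            tests[name] = float(points)
    return score, required, tests


def rescore(header, whitelist_points=None):
    """Recompute the verdict with the whitelist hit dropped (None) or re-weighted."""
    score, required, tests = parse_status(header)
    # Sum of every rule except the whitelist hit: what the content alone scored.
    content = round(sum(p for r, p in tests.items() if r != WHITELIST_RULE), 3)
    hit = WHITELIST_RULE in tests
    credit = whitelist_points if (hit and whitelist_points is not None) else 0.0
    total = round(content + credit, 3)
    return {"reported": score, "rescored": total,
            "spam": total >= required, "whitelist_hit": hit}


if __name__ == "__main__":
    print(rescore(SAMPLE))         # whitelist hit ignored
    print(rescore(SAMPLE, -15.0))  # whitelist hit weighted at -15
```

Run over stored mail, a check like this lists the messages that were delivered only because of the whitelist hit, which are the ones worth comparing against the whitelist entries.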


Re: spam is marked as "user_in_whitelist"

Posted by Stas Khromoy <st...@edpausa.com>.
hey greg:

you got me there
i was looking at :


Received: from myserver ([127.0.0.1])
     by localhost (myserver [127.0.0.1]) (amavisd-new, port
10024)
     with ESMTP id TnlkYt9U0aRr for <myuser>;
     Wed, 29 Nov 2006 06:09:20 -0500 (EST)
Received: from 218-171-61-71.dynamic.hinet.net
(218-171-61-71.dynamic.hinet.net [218.171.61.71])
     by myserver (Postfix) with ESMTP id 76A9DC97AC
     for <myuser>; Wed, 29 Nov 2006 06:09:06 -0500 (EST)
Received: from insersudamerica.com (port=2457 helo=hhdyayyfbpavq)
     by 218-171-61-71.dynamic.hinet.net with smtp
     id 666-jMbg-4o
     for myuser; Wed, 29 Nov 2006 19:08:40 +0800



and i don't see the envelope-from field at all in the header
i can post the full header if that would help


-------- Original Message  --------
Subject: Re:spam is marked as "user_in_whitelist"
From: Greg Skouby <gs...@sitesnow.com>
To: users@spamassassin.apache.org
Date: 11/29/2006 10:27 AM
> On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:
>   
>> *keep getting the following spam
>> which spamassassin for some reason
>> gives a score of -100 or -70
>> keeps saying the user is in whitelist
>>
>>
>>
>> Subject:* both of those that is of the people, of the Lord your words of
>> subject :me: a certain man that hear O house of man from among the land 
>> of our
>> or other of similar context .. they look like quotes from the bible :)
>>
>>
>> with offers to buy  some crap  from
>> s a b a n z e n dot com
>>
>> X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
>>     tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
>>     HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
>>     RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
>>     RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
>>     SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
>>     UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
>>
>>
>> i can't think of anything at this point aside from getting rid of the 
>> old whitelist and starting a new one.
>>
>>     
>
>
> Hi Stas,
>
>
> I am betting that the "envelope-sender" is the user that is in the whitelist and you are looking at the "from" address and thinking that the "from" address is not in the whitelist. 
> We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100.
>
>
>
>
> --Greg
>
>
>