Posted to users@spamassassin.apache.org by romanovsky <ro...@gmail.com> on 2008/03/13 13:16:36 UTC

autowhitelisting of recipient itself

OS: Debian Sarge
SpamAssassin: 3.0.3-2
Problem description:
user@domain sends a ham message to himself (i.e. From:==To:==user@domain).
Autowhitelisting mechanism adds user@domain to the whitelist.
A spammer sends spam to user@domain from forged address user@domain.
Spam gets through with USER_IN_WHITELIST rule.
The question is: how to disable autowhitelisting in case of From:==To:?

Thanks for your help.
-- 
View this message in context: http://www.nabble.com/autowhitelisting-of-recipient-itself-tp16024979p16024979.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: autowhitelisting of recipient itself

Posted by Benny Pedersen <me...@junc.org>.
On Thu, March 13, 2008 13:16, romanovsky wrote:

> SpamAssassin: 3.0.3-2

old

> Problem description:
> user@domain sends a ham message to himself (i.e. From:==To:==user@domain).
> Autowhitelisting mechanism adds user@domain to the whitelist.

why is whitelisting of your own mail needed ?

> A spammer sends spam to user@domain from forged address user@domain.
> Spam gets through with USER_IN_WHITELIST rule.
> The question is: how to disable autowhitelisting in case of From:==To:?

remove whitelist_from
enable AWL plugin

solved

more in detail with AWL

you send mail which will be recorded in AWL db with from, ip, score

when a spammer uses YOUR email it will be recorded with from, ip, score

ip will most time stop the spammer here :-)

> Thanks for your help.

no problem


Benny Pedersen


Re: autowhitelisting of recipient itself

Posted by Matt Kettler <mk...@verizon.net>.
Jari Fredriksson wrote:
>> OS: Debian Sarge
>> SpamAssassin: 3.0.3-2
>> Problem description:
>> user@domain sends a ham message to himself (i.e.
>> From:==To:==user@domain). Autowhitelisting mechanism
>> adds user@domain to the whitelist.
>> A spammer sends spam to user@domain from forged address
>> user@domain. 
>> Spam gets through with USER_IN_WHITELIST rule.
>> The question is: how to disable autowhitelisting in case
>> of From:==To:? 
>>
>> Thanks for your help.
>>     
>
> I disabled AWL altogether because of these.
Well, did it solve them? It shouldn't have, because the AWL doesn't 
affect USER_IN_WHITELIST. It affects the rule named AWL.

>  Seems to be an unnecessary feature to me.
>
>   
Well, the AWL is nice in some cases.. remember, it's also an ABL 
(auto-blacklist).. Well, actually, it's neither a whitelist nor a 
blacklist, but it has those effects, because it tracks a sender's 
historical average. The Wiki articles on the AWL should be a good 
introduction to the topic...

However, the AWL has *NOTHING* to do with the problem in this thread... 
The AWL will never cause USER_IN_WHITELIST to fire.. Ever..





Re: autowhitelisting of recipient itself

Posted by Matt Kettler <mk...@verizon.net>.
Jari Fredriksson wrote:
>
> Yes, I did read the thread in a hurry.. The original poster wrote about autowhitelisting so I went in AWL mode.
>
> Anyway, I disabled AWL plugin when I got a spam with a forged sender address, my own address.. and the AWL put -14 AWL points to that...
>
> My configuration does not use SA on outgoing email, and I never receive mail from myself. Dunno why AWL had so big points on my email, but it did.
>   
Did you try the check-whitelist script? It might have been interesting 
to see what was in there
> I thought that AWL is useless, because all spam has random, forged sender addresses anyways, I hardly ever receive spam from a same sender address twice.. No need to keep statistics on sender addresses.
>
> My configuration also has a setup, which whitelists some addresses altogether (at maildrop level; maildrop calls spamc in my setup) so that SA is never called. The whitelists are in a text file which maildrop reads and decides if SA is called or not. I have no whitelist_from* in my SA local.cf
>   
Bypassing SA is the best sure-fire way to whitelist.. Saves CPU utilization 
too.
> Whitelisting mail in maildrop level allows some spam to get thru, but not too much, I can handle those. I understand that a SA whitelist_from_spf or whitelist_from_rcvd or similar would be better (more accurate) but I want to keep most of my legit email out of SA because it (SA) is so demanding on hardware.
>   

It'd be better if your maildrop script accounted for Received or SPF, 
but nothing's perfect.. Sounds like you've picked a good trade off. (in 
general I oppose use of whitelist_from because you're suffering both the 
hit of CPU time and lack of accuracy)



Re: autowhitelisting of recipient itself

Posted by Jari Fredriksson <ja...@iki.fi>.
> On Fri, Mar 14, 2008 at 04:47:18PM +0200, Jari
> Fredriksson wrote: 
>>> OS: Debian Sarge
>>> SpamAssassin: 3.0.3-2
>>> Problem description:
>>> user@domain sends a ham message to himself (i.e.
>>> From:==To:==user@domain). Autowhitelisting mechanism
>>> adds user@domain to the whitelist.
>>> A spammer sends spam to user@domain from forged address
>>> user@domain.
>>> Spam gets through with USER_IN_WHITELIST rule.
>>> The question is: how to disable autowhitelisting in
>>> case of From:==To:?
>>> 
>>> Thanks for your help.
>> 
>> I disabled AWL altogether because of these. Seems to be
>> an unnecessary feature to me.
> 
> Please read this thread or some documentation, this has
> nothing to do with AWL. AWL itself works just fine, if
> you don't have some silly misconfigured system.

Yes, I did read the thread in a hurry.. The original poster wrote about autowhitelisting so I went in AWL mode.

Anyway, I disabled AWL plugin when I got a spam with a forged sender address, my own address.. and the AWL put -14 AWL points to that...

My configuration does not use SA on outgoing email, and I never receive mail from myself. Dunno why AWL had so big points on my email, but it did.

I thought that AWL is useless, because all spam has random, forged sender addresses anyways, I hardly ever receive spam from a same sender address twice.. No need to keep statistics on sender addresses.

My configuration also has a setup, which whitelists some addresses altogether (at maildrop level; maildrop calls spamc in my setup) so that SA is never called. The whitelists are in a text file which maildrop reads and decides if SA is called or not. I have no whitelist_from* in my SA local.cf

Whitelisting mail in maildrop level allows some spam to get thru, but not too much, I can handle those. I understand that a SA whitelist_from_spf or whitelist_from_rcvd or similar would be better (more accurate) but I want to keep most of my legit email out of SA because it (SA) is so demanding on hardware.



Re: autowhitelisting of recipient itself

Posted by Henrik K <he...@hege.li>.
On Fri, Mar 14, 2008 at 04:47:18PM +0200, Jari Fredriksson wrote:
> > OS: Debian Sarge
> > SpamAssassin: 3.0.3-2
> > Problem description:
> > user@domain sends a ham message to himself (i.e.
> > From:==To:==user@domain). Autowhitelisting mechanism
> > adds user@domain to the whitelist.
> > A spammer sends spam to user@domain from forged address
> > user@domain. 
> > Spam gets through with USER_IN_WHITELIST rule.
> > The question is: how to disable autowhitelisting in case
> > of From:==To:? 
> > 
> > Thanks for your help.
> 
> I disabled AWL altogether because of these. Seems to be an unnecessary
> feature to me.

Please read this thread or some documentation, this has nothing to do with
AWL. AWL itself works just fine, if you don't have some silly misconfigured
system.


Re: autowhitelisting of recipient itself

Posted by Jari Fredriksson <ja...@iki.fi>.
> OS: Debian Sarge
> SpamAssassin: 3.0.3-2
> Problem description:
> user@domain sends a ham message to himself (i.e.
> From:==To:==user@domain). Autowhitelisting mechanism
> adds user@domain to the whitelist.
> A spammer sends spam to user@domain from forged address
> user@domain. 
> Spam gets through with USER_IN_WHITELIST rule.
> The question is: how to disable autowhitelisting in case
> of From:==To:? 
> 
> Thanks for your help.

I disabled AWL altogether because of these. Seems to be an unnecessary feature to me.



Re: autowhitelisting of recipient itself

Posted by John Hardin <jh...@impsec.org>.
On Thu, 13 Mar 2008, Matus UHLAR - fantomas wrote:

>> On Thu, 13 Mar 2008, romanovsky wrote:
>>
>>> The question is: how to disable autowhitelisting in case of From:==To:?
>
> On 13.03.08 05:48, John Hardin wrote:
>> Consider not calling SA at all if from == to. How is SA hooked in? If it's
>> via procmail, that's a fairly simple rule.
>
> which would not help him, since it's the spammer who sets From: value to To: and
> he wants to have such messages tagged as spam

Er, yes, good point. You'd only want to do that if the message originated 
locally...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  What nuts do with guns is terrible, certainly. But what evil or crazy
  people do with *anything* is not a valid argument for banning that
  item.                            -- John C. Randolph <jc...@idiom.com>
-----------------------------------------------------------------------
  Tomorrow: Albert Einstein's 129th Birthday

Re: autowhitelisting of recipient itself

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Thu, 13 Mar 2008, romanovsky wrote:
> 
> >The question is: how to disable autowhitelisting in case of From:==To:?

On 13.03.08 05:48, John Hardin wrote:
> Consider not calling SA at all if from == to. How is SA hooked in? If it's 
> via procmail, that's a fairly simple rule.

which would not help him, since it's the spammer who sets From: value to To: and
he wants to have such messages tagged as spam
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 

Re: autowhitelisting of recipient itself

Posted by romanovsky <ro...@gmail.com>.
SA is called from amavisd-new.
I suppose that the problem should be solved on the level it was created,
i.e. on SA level.
I already have a few patches of amavisd-new. Sure I can write another one.
Before doing that dirty hack I'd like to search for a good solution.

Thanks for trying to help, John.

> Consider not calling SA at all if from == to. How is SA hooked in? 
> If it's via procmail, that's a fairly simple rule.


Re: autowhitelisting of recipient itself

Posted by John Hardin <jh...@impsec.org>.
On Thu, 13 Mar 2008, romanovsky wrote:

> The question is: how to disable autowhitelisting in case of From:==To:?

Consider not calling SA at all if from == to. How is SA hooked in? If it's 
via procmail, that's a fairly simple rule.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Usually Microsoft doesn't develop products, we buy products.
                           -- Arno Edelmann, Microsoft product manager
-----------------------------------------------------------------------
  Tomorrow: Albert Einstein's 129th Birthday

Re: autowhitelisting of recipient itself

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> romanovsky wrote:
> >OS: Debian Sarge
> >SpamAssassin: 3.0.3-2
> >Problem description:
> >user@domain sends a ham message to himself (i.e. From:==To:==user@domain).
> >Autowhitelisting mechanism adds user@domain to the whitelist.
> >A spammer sends spam to user@domain from forged address user@domain.
> >Spam gets through with USER_IN_WHITELIST rule.
> >The question is: how to disable autowhitelisting in case of From:==To:?

On 13.03.08 09:18, Matt Kettler wrote:
> USER_IN_WHITELIST has nothing to do with the autowhitelist. The 
> autowhitelist will show up as a rule named AWL.
> 
> USER_IN_WHITELIST means the message matched a whitelist_from, 
> whitelist_from_rcvd, or whitelist_from_spf statement in your config files.
> 
> Odds are, there's a well meaning, but woefully mistaken "whitelist_from 
> *@domain" in the config somewhere..

whitelisting own domain is an obvious mistake and causes many false
negatives - spammers found out this issue long ago and are forging from
addresses to be from the same domain (or even user) as the recipient.

someone should make an FAQ entry in wiki for whitelisting...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe. 

Re: autowhitelisting of recipient itself

Posted by Benny Pedersen <me...@junc.org>.
On Thu, March 13, 2008 14:18, Matt Kettler wrote:

> USER_IN_WHITELIST means the message matched a whitelist_from,
> whitelist_from_rcvd, or whitelist_from_spf statement in your config files.

spf no


Benny Pedersen


Re: autowhitelisting of recipient itself

Posted by romanovsky <ro...@gmail.com>.
Matt,

You're absolutely right!
Thanks for your notice.
I found whitelist_from for some domains in the config.

> Odds are, there's a well meaning, but woefully mistaken "whitelist_from 
> *@domain" in the config somewhere..


Re: autowhitelisting of recipient itself

Posted by Matt Kettler <mk...@verizon.net>.
romanovsky wrote:
> OS: Debian Sarge
> SpamAssassin: 3.0.3-2
> Problem description:
> user@domain sends a ham message to himself (i.e. From:==To:==user@domain).
> Autowhitelisting mechanism adds user@domain to the whitelist.
> A spammer sends spam to user@domain from forged address user@domain.
> Spam gets through with USER_IN_WHITELIST rule.
> The question is: how to disable autowhitelisting in case of From:==To:?
>   
USER_IN_WHITELIST has nothing to do with the autowhitelist. The 
autowhitelist will show up as a rule named AWL.

USER_IN_WHITELIST means the message matched a whitelist_from, 
whitelist_from_rcvd, or whitelist_from_spf statement in your config files.

Odds are, there's a well meaning, but woefully mistaken "whitelist_from 
*@domain" in the config somewhere..


> Thanks for your help.
>
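
The configuration mistake identified in the message above can be checked for mechanically. The following is an added example, not code from the thread or from the SpamAssassin project: it scans config text for plain `whitelist_from` entries whose address glob covers one of the site's own domains. The sample config, `LOCAL_DOMAINS`, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample local.cf, not taken from the thread.
SAMPLE_CF = """\
# site-wide settings
whitelist_from *@example.org
whitelist_from newsletter@vendor.example alice@example.org
whitelist_from_rcvd *@partner.example mail.partner.example
whitelist_from_spf *@bank.example
"""
LOCAL_DOMAINS = {"example.org"}  # assumption: domains this server accepts mail for


def glob_to_regex(glob):
    """Translate an address glob ('*' = any run, '?' = one char) to a regex."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)


def covers_local_domain(glob, domain):
    """True if the glob can match a sender address at one of our own domains."""
    if "@" in glob:
        return bool(glob_to_regex(glob.rsplit("@", 1)[1]).match(domain))
    return bool(glob_to_regex(glob).match("user@" + domain))


def audit(cf_text, local_domains):
    """Return (line number, glob, local domain) for each forgeable self-whitelist."""
    findings = []
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        # Only plain whitelist_from trusts the sender address alone; the _rcvd and
        # _spf variants also check the relay or SPF, so they are not flagged here.
        if len(tokens) < 2 or tokens[0] != "whitelist_from":
            continue
        for glob in tokens[1:]:
            for domain in sorted(local_domains):
                if covers_local_domain(glob, domain):
                    findings.append((lineno, glob, domain))
    return findings


if __name__ == "__main__":
    for lineno, glob, domain in audit(SAMPLE_CF, LOCAL_DOMAINS):
        print(f"line {lineno}: whitelist_from {glob} matches forged mail from @{domain}")
```

Each flagged entry is a candidate for removal or for replacement with `whitelist_from_rcvd` or `whitelist_from_spf`, the variants named in the thread.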