Posted to dev@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2004/04/02 20:00:19 UTC

False Positives on FORGED_DEF_WHITELIST

Been getting false positives on FORGED_DEF_WHITELIST rule on mail coming 
from paypal.




Re: False Positives on FORGED_DEF_WHITELIST

Posted by Sidney Markowitz <si...@sidney.com>.
Marc Perkel wrote:

> Let me see if I can find the message. But - suppose someone has a 
> secondary store and forward server - then if the main server goes down 
> and the secondary server gets it - and then the main server comes up and 
> transfers it to the main server - then the last server it comes from is 
> the secondary server.

My intent was to check the server that is first used to send the mail, 
and for that I rely on a (in this case) paypal.com mail server talking 
to a trusted server of the receiver. If people are receiving mail from 
one of their own servers that SpamAssassin does not know is trusted, 
then there is no way to tell if a Received header is forged.

  -- sidney


Re: False Positives on FORGED_DEF_WHITELIST

Posted by Marc Perkel <ma...@perkel.com>.
Let me see if I can find the message. But - suppose someone has a 
secondary store and forward server - then if the main server goes down 
and the secondary server gets it - and then the main server comes up and 
transfers it to the main server - then the last server it comes from is 
the secondary server.

I was just wondering if you check all the received lines or just the 
last one?

Sidney Markowitz wrote:

> Marc Perkel wrote:
>
>> Been getting false positives on FORGED_DEF_WHITELIST rule on mail 
>> coming from paypal.
>
>
> Can you open a Bugzilla ticket and attach the headers from an example? 
> (deleting private info is ok for this, and I don't need the body)
>
> I wrote the rule recently and I can well believe that there is a bug 
> that I missed.
>
> The theory is that any address on the default whitelist is only sent 
> from a mail server in its domain. If you read the doc I wrote on it 
> you'll see that there is a way to specify that it is not the case for 
> a specific whitelist entry, but I've never seen PayPal mail that 
> doesn't get sent through a paypal.com mail server.
>
>  -- sidney
>
>

Re: False Positives on FORGED_DEF_WHITELIST

Posted by Sidney Markowitz <si...@sidney.com>.
Marc Perkel wrote:

> Been getting false positives on FORGED_DEF_WHITELIST rule on mail coming 
> from paypal.

Can you open a Bugzilla ticket and attach the headers from an example? 
(deleting private info is ok for this, and I don't need the body)

I wrote the rule recently and I can well believe that there is a bug 
that I missed.

The theory is that any address on the default whitelist is only sent 
from a mail server in its domain. If you read the doc I wrote on it 
you'll see that there is a way to specify that it is not the case for a 
specific whitelist entry, but I've never seen PayPal mail that doesn't 
get sent through a paypal.com mail server.

  -- sidney


Re: False Positives on FORGED_DEF_WHITELIST

Posted by Marc Perkel <ma...@perkel.com>.
I have a question about this rule.

If the MX record points to Server A - but the mail is then forwarded on 
to Server B - and server B runs SpamAssassin - would this rule falsely 
kick in?

Marc Perkel wrote:

> Been getting false positives on FORGED_DEF_WHITELIST rule on mail 
> coming from paypal.
>
>
>
>
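The Received-chain logic that Sidney describes (walk the headers from the receiver's side until the first relay that is not one of the receiver's trusted servers, then check that relay's domain against the whitelisted sender's domain) and the two store-and-forward scenarios Marc raises (a secondary MX, or mail forwarded from Server A to Server B) can be illustrated in a few lines. The following is an added example written for this thread, not SpamAssassin's own rule code: the header regex, the function names, the dictionary standing in for the default whitelist, and the sample Received headers (documentation IP ranges, constructed) are all assumptions. It only models the check; it does not reproduce the real rule's configuration format.

```python
import re
import ipaddress

# Parse the "from HOST (RDNS [IP]) by HOST" clause of a Received header.
# Only this common shape is handled; any other header is skipped as unparseable.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(received_headers):
    """Return one hop per parseable Received header, in header order
    (topmost header first, i.e. the hop closest to the recipient)."""
    hops = []
    for hdr in received_headers:
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        hops.append({
            "helo": m.group("helo").lower(),
            "rdns": (m.group("rdns") or "").lower(),  # rDNS as recorded by the receiving MTA
            "ip": m.group("ip"),
            "by": m.group("by").lower(),
        })
    return hops


def first_external_hop(hops, trusted_networks):
    """Walk from the topmost Received header toward the origin and return the
    first hop whose sending IP lies outside trusted_networks: the relay that
    handed the message to the receiver's trusted infrastructure."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for hop in hops:
        addr = ipaddress.ip_address(hop["ip"])
        if not any(addr in net for net in nets):
            return hop
    return None


def in_domain(hostname, domain):
    return hostname == domain or hostname.endswith("." + domain)


def forged_def_whitelist(from_addr, received_headers, trusted_networks, def_whitelist):
    """True when the sender's domain is on def_whitelist but the first external
    relay's rDNS is not inside the domain that whitelist entry requires."""
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    required = def_whitelist.get(sender_domain)
    if required is None:
        return False  # not a whitelisted sender: the rule does not apply
    hop = first_external_hop(parse_received(received_headers), trusted_networks)
    if hop is None:
        return False  # every relay is trusted; nothing external to compare
    return not in_domain(hop["rdns"], required)


# Constructed sample relay chains (documentation IP ranges; none are real hosts).
# The receiver's primary MX mx1.example.com sits in 198.51.100.0/24; the
# secondary MX mx2.example.com sits in 203.0.113.0/24.
DIRECT = [
    "from mail.paypal.com (mail.paypal.com [192.0.2.10]) by mx1.example.com "
    "with ESMTP; Fri, 2 Apr 2004 12:00:00 -0800",
]
VIA_SECONDARY_MX = [
    "from mx2.example.com (mx2.example.com [203.0.113.5]) by mx1.example.com "
    "with ESMTP; Fri, 2 Apr 2004 12:10:00 -0800",
    "from mail.paypal.com (mail.paypal.com [192.0.2.10]) by mx2.example.com "
    "with ESMTP; Fri, 2 Apr 2004 12:00:00 -0800",
]
# Hypothetical stand-in for the default whitelist: sender domain -> relay domain.
DEF_WHITELIST = {"paypal.com": "paypal.com"}


def demo():
    """Run the check for the direct case and for the secondary-MX case with
    and without the secondary MX listed as trusted."""
    only_primary = ["198.51.100.0/24"]
    both_mx = ["198.51.100.0/24", "203.0.113.0/24"]
    return {
        "direct": forged_def_whitelist(
            "service@paypal.com", DIRECT, only_primary, DEF_WHITELIST),
        "secondary_untrusted": forged_def_whitelist(
            "service@paypal.com", VIA_SECONDARY_MX, only_primary, DEF_WHITELIST),
        "secondary_trusted": forged_def_whitelist(
            "service@paypal.com", VIA_SECONDARY_MX, both_mx, DEF_WHITELIST),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'FORGED_DEF_WHITELIST fires' if hit else 'no hit'}")
```

The middle case is the false positive from the thread: the secondary MX is the first relay the checker does not recognise as trusted, its rDNS is not under paypal.com, and the rule fires even though the paypal.com server is one hop further down. Adding the secondary MX (or the forwarding Server A) to the trusted set, which in SpamAssassin is the trusted_networks setting, makes the walk continue to the real external hop and the hit disappears; without that, as Sidney says, there is no way to tell from the headers alone whether the hop below the unknown relay is genuine.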