Re: AWL: Puzzling 'count' from check_whitelist & confused user (me)

2005-02-07 Thread David N
Thus spake Michael Parker ([EMAIL PROTECTED]):

> On Mon, Feb 07, 2005 at 05:44:00PM +0000, David N wrote:
> > As I understand, '[EMAIL PROTECTED]|ip=142.55' is supposed to be unique to
> > emails originating from 142.55.x.x, yet it shows 65 occurrences, and an
> > (apparently) incorrect score of -5.4.
>
> Possibly you got 64 mails where the IP could not be determined so it
> was placed in the database as "none."  When you got one with an IP
> that AWL could make use of it upgraded the "none" entry to the one
> with the IP.

That makes some sense to me, but I do have an entry in the database
for '[EMAIL PROTECTED]|ip=none'... however the count is '1'!! I would
expect the 'ip=none' to have more than a count of 1 but have no empirical
evidence to prove it.

The 'ip=none' also includes the case where all ip addresses known come
from private subnets too, doesn't it? -- If that's the case, then 64 would
make a LOT of sense. [Additionally, since I received that bum spam message,
I've sent exactly 1 email to an internal mailing list that returns the
mail from me, but all private IPs - once again, the shoe fits].

Now then, if this scenario is correct, I end up in a situation where
I send a buncha emails internally, accumulate a good -6.6 score in
the AWL, and along comes Mr. Spammer & forges a 'from' from me,
and the AWL code hijacks my good -6.6 score & passes the message?
Is that an accurate description? If so:

1) Can I turn off this 'upgrading', or is there something I can do
  to say include private addresses 192.168.223.x?? Or do I just
  need to disable AWL entirely?

2) How can I delete the bum record from my AWL database?

Thanks!
-- 
David N, dn7534 at-sign tditx com
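The following toy model is an added illustration, not SpamAssassin's own code and not anything posted in the thread. It follows Michael Parker's description: per-address totals keyed by the first two octets of the originating IP, an ip=none bucket for mail whose origin IP could not be determined, and that bucket being folded into the first entry that does carry a real IP. The auto_whitelist_factor of 0.5 is an assumed default, and the address and scores are constructed.

```python
# Toy model of SpamAssassin AWL bookkeeping (constructed for this thread,
# not SA's own code). Entries are keyed 'address|ip=<first two octets>';
# mail whose originating IP cannot be determined (e.g. only private
# addresses in Received:) lands under ip=none, and, as Michael Parker
# describes, that history is folded into the first entry with a real IP.
AWL_FACTOR = 0.5  # assumed default auto_whitelist_factor, not stated on page


class ToyAWL:
    def __init__(self):
        self.db = {}  # key -> [total_score, count]; mean = total / count

    @staticmethod
    def key(addr, ip):
        prefix = "none" if ip is None else ".".join(ip.split(".")[:2])
        return f"{addr}|ip={prefix}"

    def adjust(self, addr, ip, score):
        """Return the AWL delta for one message and record its raw score."""
        k, none_k = self.key(addr, ip), self.key(addr, None)
        if ip is not None and k not in self.db and none_k in self.db:
            # the "upgrade": ip=none totals move to the real-IP key
            self.db[k] = self.db.pop(none_k)
        total, count = self.db.get(k, [0.0, 0])
        delta = (total / count - score) * AWL_FACTOR if count else 0.0
        self.db[k] = [total + score, count + 1]
        return delta

    def entries(self, addr):
        """Keys to inspect (or remove) for one address: mean, total, count."""
        return {k: (t / c, t, c) for k, (t, c) in self.db.items()
                if k.startswith(addr + "|")}


def forgery_scenario(me="me@example.org"):
    """64 internal mails (private IPs only) then one forged spam 'from me'."""
    awl = ToyAWL()
    for _ in range(64):
        awl.adjust(me, None, -6.6)              # ham, no usable origin IP
    # forged message from 142.55.146.242 scoring 8.0 before AWL
    delta = awl.adjust(me, "142.55.146.242", 8.0)
    return awl, delta, 8.0 + delta
```

In this model the forged message receives a -7.3 adjustment and ends up at 0.7, the hijack described above, and afterwards only the `ip=142.55` key with count 65 remains for the address, which is the record `entries()` would point you at.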


AWL: Puzzling 'count' from check_whitelist & confused user (me)

2005-02-07 Thread David N
I have run into a wall trying to understand what's happening with my AWL stats
-- If someone could point me to what else I should look at, I'd really
appreciate it.

Using SA 3.0.2, redhat linux

check_whitelist shows my email address like this:
  -5.4 (-350.5/65) -- [EMAIL PROTECTED]|ip=142.55

--

Well, a spam got thru and AWL showed up in the list of rules that hit, and upon
investigation, it appears that the above -5.4 adjustment was used in the
computation of the score resulting in passing the message. Excerpts from the
headers are:

  Return-path: [EMAIL PROTECTED]
  :
  Received: ... crucify.ytrikur.cl ([142.55.146.242] helo=mail.uccfootmen.org)
  From: Francisco Andrews <[EMAIL PROTECTED]>

So .. in short, a forgery from 'me' to 'me', and SA seems to think the IP is
142.55... check_whitelist, however, shows a count of 65 occurrences. I've gone
back & scanned ALL mail I've received since I put up 3.0.2, and there are no
other occurrences of 142.55 besides the one that sneaked in...

As I understand, '[EMAIL PROTECTED]|ip=142.55' is supposed to be unique to
emails originating from 142.55.x.x, yet it shows 65 occurrences, and an
(apparently) incorrect score of -5.4.

Please, oh please what am I missing here?

Thanks!