Re: spam is marked as "user_in_whitelist"

[Stas Khromoy]

hey greg:

you got me there
i was looking at :


Received: from myserver ([127.0.0.1])
by localhost (myserver [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id TnlkYt9U0aRr for ;
Wed, 29 Nov 2006 06:09:20 -0500 (EST)
Received: from 218-171-61-71.dynamic.hinet.net
(218-171-61-71.dynamic.hinet.net [218.171.61.71])
by myserver (Postfix) with ESMTP id 76A9DC97AC
for ; Wed, 29 Nov 2006 06:09:06 -0500 (EST)
Received: from insersudamerica.com (port=2457 helo=hhdyayyfbpavq)
by 218-171-61-71.dynamic.hinet.net with smtp
id 666-jMbg-4o
for myuser; Wed, 29 Nov 2006 19:08:40 +0800



and i don't see the envelope-from field at all in the header
i can post the full header if that would help


 Original Message  
Subject: Re:spam is marked as "user_in_whitelist"
From: Greg Skouby <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Date: 11/29/2006 10:27 AM

On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:
  

*keep getting the following spam
which spamassassin for some reason
give a scrore of -100 or - 70
keeps saying the user is in whitelist



Subject:* both of those that is of the people, of the Lord your words of
subject :me: a certain man that hear O house of man from among the land 
of our

or other of similar context .. they look like quotes from the bible :)


with offers to buy  some crap  from
s a b a n z e n dot com

X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]


i can't think of anything at this point aside from getting rid of the 
old whitelist and starting a new one.






Hi Stas,


I am betting that the "envelope-sender" is the user that is in the whitelist and you are looking at the "from" address and thinking that the "from" address is not in the whitelist. 
We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100.





--Greg


  

Re: spam is marked as "user_in_whitelist"

[Greg Skouby]

On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:
> *keep getting the following spam
> which spamassassin for some reason
> give a scrore of -100 or - 70
> keeps saying the user is in whitelist
> 
> 
> 
> Subject:* both of those that is of the people, of the Lord your words of
> subject :me: a certain man that hear O house of man from among the land 
> of our
> or other of similar context .. they look like quotes from the bible :)
> 
> 
> with offers to buy  some crap  from
> s a b a n z e n dot com
> 
> X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
> tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
> HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
> RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
> RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
> SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
> UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
> 
> 
> i can't think of anything at this point aside from getting rid of the 
> old whitelist and starting a new one.
> 


Hi Stas,


I am betting that the "envelope-sender" is the user that is in the whitelist 
and you are looking at the "from" address and thinking that the "from" address 
is not in the whitelist. 
We have run into a fair amount of the above situation on our system. I think it 
might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of 
~100.




--Greg