Re: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Kelson

How did you whitelist borland.com?  Did you use...

whitelist_from
whitelist_from_rcvd
whitelist_from_dkim
whitelist_from_spf
...etc?

If you just used whitelist_from, it doesn't do any verification.  It's a
last-ditch option for cases where more reliable methods aren't possible.
So that would just subtract 100 points from anything claiming to be
from borland.com.


As for the DomainKeys header, it looks like your SA installation didn't 
even check it, since I don't see any DKIM or DomainKeys rules in the 
list of rules that fired.  Do you have either the DKIM or DomainKeys 
plugin enabled?


--
Kelson Vibber
SpeedGate Communications www.speed.net


RE: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Dan Barker
whitelist_from_rcvd [EMAIL PROTECTED] borland.com

will probably do what you want. Although Borland doesn't publish an SPF, you
may find all their MXs have borland.com rDNS.

You'd have to watch it a while to see if you miss any legitimate Borland
email that's not via a borland.com server.

Dan

-Original Message-
From: Martin G. Diehl [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 3:31 PM
To: users@spamassassin.apache.org
Subject: Spoofed from address but matched my whitelist -- please clarify


Greetings,

I have a piece of SPAM with an obviously spoofed (obvious to me,
that is) from address ... but it didn't get flagged as SPAM.

The message claims to originate from borland.com

borland.com has IP 63.175.76.152

The message actually originates from napfehfu 86.60.37.183

borland.com is listed in my whitelist.

My questions ...

(1) Shouldn't this message have been flagged as SPAM?

(2) Is the DomainKey-Signature also spoofed or fake?

(3) Which headers (types of from addresses) are compared to my whitelist?

Some of the significant header lines (I reversed the sequence)

  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
    d=borland.com;
    b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;

  From: Abbey Delisa [EMAIL PROTECTED]

  Received: from unknown (HELO napfehfu) (86.60.37.183)
by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -

  Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from
[EMAIL PROTECTED], uid 0) with qmail-scanner-1.25
   (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
   Clear:RC:0(86.60.37.183):.

Here are all of the headers ...
===
 X-UIDL: 1178037793.M276441P78860.mx2.oct.nac.net
 X-Mozilla-Status: 
 X-Mozilla-Status2: 
 Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd1.oct
 X-Spam-Level:
 X-Spam-PrefsFile: nac.net/mdiehl
 X-Spam-Status: No, score=-77.8 required=4.7 tests=HTML_FONT_BIG=0.256,
   HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.001,RAZOR2_CF_RANGE_51_100=0.5,
   RAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
   RAZOR2_CHECK=0.5,RCVD_IN_SORBS_DUL=1.988,TW_ZW=0.077,
   URIBL_AB_SURBL=3.306,URIBL_BLACK=3,URIBL_JP_SURBL=3.36,
   URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,USER_IN_WHITELIST=-100
   autolearn=disabled version=3.1.7
 Received: (qmail 78558 invoked by uid 0); 1 May 2007 16:42:54 -
 Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from
[EMAIL PROTECTED], uid 0) with qmail-scanner-1.25
  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
  Clear:RC:0(86.60.37.183):.
  Processed in 0.524071 secs); 01 May 2007 16:42:54 -
 X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
 X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
 X-Qmail-Scanner: 1.25 (Clear:RC:0(86.60.37.183):. Processed in 0.524071
secs)
 X-Qmail-Scanner-NAC-Block-Zips: 1
 X-Qmail-Scanner-NAC-Redirect-This: 0
 X-Qmail-Scanner-NAC-Redirect-To:
 X-Qmail-Scanner-NAC-Scanners-Run:  clamdscan_scanner fprot_scanner
 Received: from unknown (HELO napfehfu) (86.60.37.183)
   by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -
 To: [EMAIL PROTECTED]
 Date: Tue, 01 May 2007 09:42:45 -0800
 From: Abbey Delisa [EMAIL PROTECTED]
 Message-ID: [EMAIL PROTECTED]
 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
   d=borland.com;
   b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;
 User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
 X-Accept-Language: en-us, en
 MIME-Version: 1.0
 Subject: SPECIAL PHARMACY DISCOUNT, you   pay  we ship, no question
asked, established by reputable Canadian Doctor qizwx
 Content-Type: text/html;
   charset=iso-8859-1
 Content-Transfer-Encoding: 7bit
===

Thanks for any and all comments, help, or advice.

--
MGD
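Added illustration, not written by any of the posters: a simplified Python model of the difference Kelson describes between whitelist_from (From: only, no verification) and the whitelist_from_rcvd line Dan suggests (From: plus the relay's reverse DNS), run over headers modelled on the ones quoted above. The From: address, the example.net recipient and the mail.borland.com relay are constructed placeholders, and the rDNS check is a simplification of SpamAssassin's trusted-network handling.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatch

# Constructed samples modelled on the headers quoted in the thread. The From:
# address is a placeholder for the one the archive redacted.
SPOOFED_MSG = """\
Received: from unknown (HELO napfehfu) (86.60.37.183)
  by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -0000
From: Abbey Delisa <someone@borland.com>
To: user@example.net

body
"""
# Hypothetical genuine mail: the handing-off relay has borland.com reverse DNS.
LEGIT_MSG = """\
Received: from mail.borland.com (mail.borland.com [192.0.2.10])
  by rbl-mx.nac.net with ESMTP; 1 May 2007 16:42:53 -0000
From: Someone <someone@borland.com>
To: user@example.net

body
"""

RCVD_FROM = re.compile(r"^from\s+(\S+)", re.I)

def last_external_rdns(raw):
    """Hostname the trusted MX recorded for the relay that handed it the mail.
    Assumes the top-most Received: header was written by your own MX."""
    rcvd = message_from_string(raw).get_all("Received") or []
    m = RCVD_FROM.match(" ".join(rcvd[0].split())) if rcvd else None
    return m.group(1).lower() if m else None

def whitelist_from(raw, pattern):
    """whitelist_from: matches only the From: address; nothing is verified."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    return fnmatch(addr, pattern.lower())

def whitelist_from_rcvd(raw, pattern, rdns_domain):
    """whitelist_from_rcvd: From: must match AND relay rDNS must be in rdns_domain."""
    host = last_external_rdns(raw)
    if not whitelist_from(raw, pattern) or host in (None, "unknown"):
        return False  # 'unknown' rDNS (as in the spam above) never qualifies
    return host == rdns_domain or host.endswith("." + rdns_domain)

def scores(raw, base_score, pattern="*@borland.com", rdns_domain="borland.com"):
    """(score under whitelist_from, score under whitelist_from_rcvd). -100 is the
    USER_IN_WHITELIST bonus; base_score is the sum of the other rules that fired."""
    s_from = base_score - 100 if whitelist_from(raw, pattern) else base_score
    s_rcvd = base_score - 100 if whitelist_from_rcvd(raw, pattern, rdns_domain) else base_score
    return s_from, s_rcvd

if __name__ == "__main__":
    # 22.2 is the spam's score before the bonus (-77.8 + 100 from the X-Spam-Status above)
    print(scores(SPOOFED_MSG, 22.2))  # (-77.8, 22.2): only the unverified rule lets it through
```

With required=4.7 as in the quoted X-Spam-Status line, the spoofed message only passes under plain whitelist_from; under whitelist_from_rcvd it keeps its 22.2 and is tagged, while the constructed genuine message still gets the bonus.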

Re: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Martin G. Diehl

Kelson wrote:


How did you whitelist borland.com?  Did you use...

whitelist_from
whitelist_from_rcvd
whitelist_from_dkim
whitelist_from_spf
...etc?

If you just used whitelist_from, it doesn't do any verification.  It's a
last-ditch option for cases where more reliable methods aren't possible.
So that would just subtract 100 points from anything claiming to be
from borland.com.


As for the DomainKeys header, it looks like your SA installation didn't 
even check it, since I don't see any DKIM or DomainKeys rules in the 
list of rules that fired.  Do you have either the DKIM or DomainKeys 
plugin enabled?


I'll ask my ISP (nac.net) about both of those points.

Thanks for the hints.

--
MGD