Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread RW
On Sat, 7 Oct 2017 07:27:00 -0700 (MST)
djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now.  I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the
> whitelist since they exist on the server.  

USER_IN_WHITELIST is based on the sender address, and for backscatter
that's going to be on a series of random third-party domains. It seems
very unlikely that this is affecting backscatter - unless you've
whitelisted everything.  

SpamAssassin doesn't short-circuit by default, so if VBOUNCE is
short-circuited by anything then it must be down to your own settings. 


Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread John Hardin

On Sat, 7 Oct 2017, Antony Stone wrote:


On Saturday 07 October 2017 at 16:27:00, djkraz wrote:


I have a user that is getting thousands of backscatter a minute for a
couple days now.  I've tried everything I can find on the web to get
vbounce working with no luck as the user is obviously in the whitelist
since they exist on the server.  I've tried setting the priority of
vbounce higher but it doesn't seem to make any difference.  Does anyone
have any experience in resolving this?  FYI, I'm running Exchange 2013 on
Win2kR2 with Exchange Server Toolbox.  Thanks in advance!


Put an example (full headers as minimum, body not really important for this I
think) on pastebin or similar, post the link here and also show us your
vbounce settings so we can have an opinion.


The body of a bounce can be critical, if it has things like a SMTP status 
message or trace. Please provide a complete backscatter message.


Also: where and how exactly is vbounce hooked into Exchange? Or does 
"Exchange Server Toolbox" answer that question? (Pardon my ignorance 
here.)


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance is no excuse for a law.
---
 191 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread Antony Stone
On Saturday 07 October 2017 at 16:27:00, djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now.  I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the whitelist
> since they exist on the server.  I've tried setting the priority of
> vbounce higher but it doesn't seem to make any difference.  Does anyone
> have any experience in resolving this?  FYI, I'm running Exchange 2013 on
> Win2kR2 with Exchange Server Toolbox.  Thanks in advance!

Put an example (full headers as minimum, body not really important for this I 
think) on pastebin or similar, post the link here and also show us your 
vbounce settings so we can have an opinion.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread djkraz
I have a user that is getting thousands of backscatter a minute for a couple
days now.  I've tried everything I can find on the web to get vbounce
working with no luck as the user is obviously in the whitelist since they
exist on the server.  I've tried setting the priority of vbounce higher but
it doesn't seem to make any difference.  Does anyone have any experience in
resolving this?  FYI, I'm running Exchange 2013 on Win2kR2 with Exchange
Server Toolbox.  Thanks in advance!





Re: USER_IN_WHITELIST

2016-07-07 Thread Sidney Markowitz
Lorenzo Thurman wrote on 8/07/16 9:26 AM:
> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I 
> can't find any clear answers via Google. 
> 

Excuse my typo for the correct spelling whitelist_from_rcvd.

To use it, look at the legitimate emails that you want to whitelist and check
the Received header that shows where your receiving mail server received the
email from the sending mail server. Typically for a corporate address like
microsoft.com the mail will have come from a host with a name like
smtp.microsoft.com or maila.microsoft.com. If the Received header does show
that the mail came from some ip address and also shows a host name for it in
the microsoft.com (for example) then you can use whitelist_from_rcvd to
whitelist such mails. You can only put one address on a line, so you would
need two entries to get the two that you want:

whitelist_from_rcvd *@microsoft.com microsoft.com
whitelist_from_rcvd *.microsoft.com microsoft.com

But do check your emails to see if you get the proper Received headers to be
able to do this. Some mail servers do not do the reverse domain name lookup to
add the host name to the ip address in Received headers. Some email addresses
you may want to whitelist are not set up to reliably send from the same few
mail servers.

If somebody sends mail from a non-Microsoft mail server but with a
microsoft.com From address, it will not get whitelisted by this. That's
exactly what you want to not whitelist spammers who forge a microsoft.com
address.

 Sidney



Re: USER_IN_WHITELIST

2016-07-07 Thread Reindl Harald



Am 07.07.2016 um 23:26 schrieb Lorenzo Thurman:

Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't 
find any clear answers via Google.


besides the typo the same way as the other whitelist options

the only difference is the second param which is the DNS-PTR of the 
sending host


whitelist_from_rcvd *@example.net example.com

look at the difference between .net / .com

when the PTR of the sending host ends with "example.com" sender 
"example.net" is fine

_

for subdomains

*@example.net
*@*.example.net
_

.example.net is important because it doesn't match "somefucker-example.net"





Re: USER_IN_WHITELIST

2016-07-07 Thread Lorenzo Thurman


"My Break-Dancing days are over, but there's always the Funky Chicken" -- The 
Full Monty

> On Jul 7, 2016, at 3:57 PM, Sidney Markowitz  wrote:
> 
> Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>>> On Jul 7, 2016, at 8:14 AM, Antony Stone 
>>>  wrote:
>>> \.microsoft\.com$ will match anything ending in ".microsoft.com"
> 
> RW already pointed this out, but to make sure nobody reading this thread
> misses it, the above is wrong because whitelist does not use regexps.
> 
> See
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
> 
> where it says
> 
> "Whitelist and blacklist addresses are now file-glob-style patterns, so
> fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
> * and ? are allowed, but all other metacharacters are not. Regular expressions
> are not used for security reasons. Matching is case-insensitive.
> 
> Multiple addresses per line, separated by spaces, is OK. Multiple
> whitelist_from lines are also OK."
> 
> Notice the last example there. Spamassassin is parsing out the email addresses
> and matching them with the patterns so you don't have to do tricky stuff like
> *@*.microsoft.com. Specifically, you can use
> 
> whitelist_from *@microsoft.com *.microsoft.com
> 
> which will match what you want but will not match anyth...@onmicrosoft.com and
> will not match foo.microsoft@example.com
> 
> As the page also points out if you can figure out how to use
> whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
> spoofing the From address. Whether you can do that depends on whether the
> domain you are whitelisting has restrictions on what servers can send mail 
> for it.
> 
> Sidney
> 
> 

Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't 
find any clear answers via Google. 


Re: USER_IN_WHITELIST

2016-07-07 Thread Sidney Markowitz
Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>> On Jul 7, 2016, at 8:14 AM, Antony Stone 
>>  wrote:
>> \.microsoft\.com$ will match anything ending in ".microsoft.com"

RW already pointed this out, but to make sure nobody reading this thread
misses it, the above is wrong because whitelist does not use regexps.

See
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

where it says

"Whitelist and blacklist addresses are now file-glob-style patterns, so
fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
* and ? are allowed, but all other metacharacters are not. Regular expressions
are not used for security reasons. Matching is case-insensitive.

Multiple addresses per line, separated by spaces, is OK. Multiple
whitelist_from lines are also OK."

Notice the last example there. Spamassassin is parsing out the email addresses
and matching them with the patterns so you don't have to do tricky stuff like
*@*.microsoft.com. Specifically, you can use

whitelist_from *@microsoft.com *.microsoft.com

which will match what you want but will not match anyth...@onmicrosoft.com and
will not match foo.microsoft@example.com

As the page also points out if you can figure out how to use
whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
spoofing the From address. Whether you can do that depends on whether the
domain you are whitelisting has restrictions on what servers can send mail for 
it.

 Sidney
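
An added example (not code from this thread or from SpamAssassin) that models the glob matching discussed in these messages and the whitelist_from_rcvd check described in Sidney Markowitz's and Reindl Harald's replies. The glob-to-regexp translation and the "rDNS equals the domain or is a host under it" rule are simplified assumptions, and the sample addresses and relay names are constructed.

```python
import re

# Entries under test. LOOSE is the glob that corresponds to the regexp shown in
# the debug output (^.*microsoft\.com$) under the translation modelled below;
# STRICT and RCVD are the entries suggested in the replies.
LOOSE = ["*microsoft.com"]
STRICT = ["*@microsoft.com", "*.microsoft.com"]
RCVD = [("*@microsoft.com", "microsoft.com"),
        ("*.microsoft.com", "microsoft.com")]

# Constructed sample data: (From address, rDNS name of the submitting relay).
SAMPLES = [
    ("user@microsoft.com", "smtp.microsoft.com"),
    ("news@email.microsoft.com", "smtp.microsoft.com"),
    ("someone@tenant.onmicrosoft.com", "mail.example.net"),
    ("x@kajsdhfkjasghdskghlaskfhmicrosoft.com", "mail.example.net"),
    ("foo.microsoft@example.com", "mail.example.net"),
    ("user@microsoft.com", "mail.example.net"),   # forged From address
    ("user@microsoft.com", None),                 # no rDNS in Received header
]


def glob_to_regex(glob):
    """Translate a whitelist glob into an anchored regexp source string.

    Assumed model: '*' becomes '.*', '?' becomes '.', and every other
    character is matched literally. Matching is case-insensitive.
    """
    parts = []
    for ch in glob.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def matching_glob(address, globs):
    """Return the first glob that matches the address, or None."""
    addr = address.lower()
    for glob in globs:
        if re.search(glob_to_regex(glob), addr):
            return glob
    return None


def rdns_in_domain(relay_rdns, domain):
    """True if the relay's rDNS name is the domain itself or a host under it.

    The leading-dot check is what keeps 'smtp.notmicrosoft.com' out.
    A missing rDNS name never matches.
    """
    if not relay_rdns:
        return False
    host = relay_rdns.lower().rstrip(".")
    dom = domain.lower()
    return host == dom or host.endswith("." + dom)


def rcvd_whitelisted(address, relay_rdns, entries):
    """Model of whitelist_from_rcvd: address glob AND relay rDNS must match."""
    return any(
        matching_glob(address, [glob]) is not None
        and rdns_in_domain(relay_rdns, domain)
        for glob, domain in entries
    )


def report(samples=SAMPLES):
    """Return one row per sample: (address, rdns, loose, strict, rcvd)."""
    rows = []
    for address, rdns in samples:
        rows.append((
            address,
            rdns,
            matching_glob(address, LOOSE) is not None,
            matching_glob(address, STRICT) is not None,
            rcvd_whitelisted(address, rdns, RCVD),
        ))
    return rows


if __name__ == "__main__":
    print(glob_to_regex(LOOSE[0]))
    for row in report():
        print("%-42s %-20s loose=%-5s strict=%-5s rcvd=%s" % row)
```
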




Re: USER_IN_WHITELIST

2016-07-07 Thread RW
On Thu, 7 Jul 2016 10:03:37 -0500
Lorenzo Thurman wrote:

> 
> > On Jul 7, 2016, at 8:14 AM, Antony Stone
> >  wrote:

> > There's a big difference between subdomains, and domains with
> > letters in front of "microsoft".
> > 
> > \.microsoft\.com$ will match anything ending in ".microsoft.com"
> > 
> > That means it will match www.microsoft.com and cdn.microsoft.com
> > for example, but it will not match
> > kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
> > 
> > The dot in front of "microsoft" in the regex is important :)

> 
> Great, thanks. 

You can't use a regex in a whitelisting entry.


Re: USER_IN_WHITELIST

2016-07-07 Thread Lorenzo Thurman


"My Break-Dancing days are over, but there's always the Funky Chicken" -- The 
Full Monty

> On Jul 7, 2016, at 8:14 AM, Antony Stone 
>  wrote:
> 
> On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:
> 
>>> On Jul 7, 2016, at 7:15 AM, Reindl Harald  wrote:
 Am 07.07.2016 um 14:12 schrieb Joe Quinn:
 In addition to the above, it's easy for a spammer to register something
 like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
 whitelisted for you. I would recommend against using wildcard whitelist
 patterns like that
>>> 
>>> should at least look similar to that:
>>> ^.*\.microsoft\.com$
>>> 
>>> well the ^ followed by .* is also pointless
>> 
>> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
>> was so that I could also capture us domains. Is there a rule that allows
>> me to get subdomains w/o opening myself like I have?
> 
> There's a big difference between subdomains, and domains with letters in 
> front 
> of "microsoft".
> 
> \.microsoft\.com$ will match anything ending in ".microsoft.com"
> 
> That means it will match www.microsoft.com and cdn.microsoft.com for example, 
> but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
> 
> The dot in front of "microsoft" in the regex is important :)
> 
> 
> Antony.
> 
> -- 
> Tax inspectors are just accountants who work for the evil dictators of 
> democracy.
> 
>   Please reply to the list;
> please *don't* CC me.

Great, thanks. 


Re: USER_IN_WHITELIST

2016-07-07 Thread RW
On Thu, 7 Jul 2016 08:08:44 -0500
Lorenzo Thurman wrote:

> > 
> > well the ^ followed by .* is also pointless  
> 
> 
> I see. Thanks for the tip, 

It wasn't really a tip. The globs (wildcards) get converted into
regular expressions that aren't quite as minimalist as they could be
- but that's not under your control. 

> I'll make changes. The reason I did wild
> cards was so that I could also capture us domains. Is there a rule
> that allows me to get subdomains w/o opening myself like I have?

You need a separate entry, something like *.microsoft.com.


Re: USER_IN_WHITELIST

2016-07-07 Thread Antony Stone
On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:

> > On Jul 7, 2016, at 7:15 AM, Reindl Harald  wrote:
> >> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
> >> In addition to the above, it's easy for a spammer to register something
> >> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
> >> whitelisted for you. I would recommend against using wildcard whitelist
> >> patterns like that
> > 
> > should at least look similar to that:
> > ^.*\.microsoft\.com$
> > 
> > well the ^ followed by .* is also pointless
> 
> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
> was so that I could also capture us domains. Is there a rule that allows
> me to get subdomains w/o opening myself like I have?

There's a big difference between subdomains, and domains with letters in front 
of "microsoft".

\.microsoft\.com$ will match anything ending in ".microsoft.com"

That means it will match www.microsoft.com and cdn.microsoft.com for example, 
but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com

The dot in front of "microsoft" in the regex is important :)


Antony.

-- 
Tax inspectors are just accountants who work for the evil dictators of 
democracy.

   Please reply to the list;
 please *don't* CC me.


Re: USER_IN_WHITELIST

2016-07-07 Thread RW
On Thu, 7 Jul 2016 14:15:18 +0200
Reindl Harald wrote:


> should at least look similar to that:
> ^.*\.microsoft\.com$
> 
> well the ^ followed by .* is also pointless

It's generated from a glob in the configuration.  


Re: USER_IN_WHITELIST

2016-07-07 Thread Lorenzo Thurman


"My Break-Dancing days are over, but there's always the Funky Chicken" -- The 
Full Monty

> On Jul 7, 2016, at 7:15 AM, Reindl Harald  wrote:
> 
> 
> 
>> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
>>> On 7/6/2016 11:42 PM, Bill Cole wrote:
>>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>> 
>>> [...]
 The output from spamassassin -t -D < In-whitelist.txt gives the
 answer, I believe:
 
 address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or
 blacklist regexp: ^.*microsoft\.com$
 
 Very sneaky. I think I can handle this one from here.
 Thanks again.
>>> 
>>> Happy to be of help.
>>> 
>>> For what it's worth: *.onmicrosoft.com domains are part of free trials
>>> of Office365 and generate almost entirely spam. I suppose one could be
>>> a regular paying O365 customer and keep that free domain, but no one
>>> who does that can care much about their email. Spammers have been
>>> using those domains for years and MS really seems not to care about
>>> the fact that they've become a de facto indication of spam.
>> In addition to the above, it's easy for a spammer to register something
>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>> whitelisted for you. I would recommend against using wildcard whitelist
>> patterns like that
> 
> should at least look similar to that:
> ^.*\.microsoft\.com$
> 
> well the ^ followed by .* is also pointless


I see. Thanks for the tip, I'll make changes. The reason I did wild cards was 
so that I could also capture us domains. Is there a rule that allows me to get 
subdomains w/o opening myself like I have?
> 



Re: USER_IN_WHITELIST

2016-07-07 Thread Reindl Harald



Am 07.07.2016 um 14:12 schrieb Joe Quinn:

On 7/6/2016 11:42 PM, Bill Cole wrote:

On 6 Jul 2016, at 23:10, lorenzo wrote:

[...]

The output from spamassassin -t -D < In-whitelist.txt gives the
answer, I believe:

address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or
blacklist regexp: ^.*microsoft\.com$

Very sneaky. I think I can handle this one from here.
Thanks again.


Happy to be of help.

For what it's worth: *.onmicrosoft.com domains are part of free trials
of Office365 and generate almost entirely spam. I suppose one could be
a regular paying O365 customer and keep that free domain, but no one
who does that can care much about their email. Spammers have been
using those domains for years and MS really seems not to care about
the fact that they've become a de facto indication of spam.

In addition to the above, it's easy for a spammer to register something
like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
whitelisted for you. I would recommend against using wildcard whitelist
patterns like that


should at least look similar to that:
^.*\.microsoft\.com$

well the ^ followed by .* is also pointless





Re: USER_IN_WHITELIST

2016-07-07 Thread Joe Quinn

On 7/6/2016 11:42 PM, Bill Cole wrote:

On 6 Jul 2016, at 23:10, lorenzo wrote:

[...]
The output from spamassassin -t -D < In-whitelist.txt gives the 
answer, I believe:


address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or 
blacklist regexp: ^.*microsoft\.com$


Very sneaky. I think I can handle this one from here.
Thanks again.


Happy to be of help.

For what it's worth: *.onmicrosoft.com domains are part of free trials 
of Office365 and generate almost entirely spam. I suppose one could be 
a regular paying O365 customer and keep that free domain, but no one 
who does that can care much about their email. Spammers have been 
using those domains for years and MS really seems not to care about 
the fact that they've become a de facto indication of spam.
In addition to the above, it's easy for a spammer to register something 
like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be 
whitelisted for you. I would recommend against using wildcard whitelist 
patterns like that.


Re: USER_IN_WHITELIST

2016-07-06 Thread Bill Cole

On 6 Jul 2016, at 23:10, lorenzo wrote:

[...]
The output from spamassassin -t -D < In-whitelist.txt gives the 
answer, I believe:


address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or 
blacklist regexp: ^.*microsoft\.com$


Very sneaky. I think I can handle this one from here.
Thanks again.


Happy to be of help.

For what it's worth: *.onmicrosoft.com domains are part of free trials 
of Office365 and generate almost entirely spam. I suppose one could be a 
regular paying O365 customer and keep that free domain, but no one who 
does that can care much about their email. Spammers have been using 
those domains for years and MS really seems not to care about the fact 
that they've become a de facto indication of spam.


Re: USER_IN_WHITELIST

2016-07-06 Thread lorenzo

> On Jul 6, 2016, at 8:50 PM, Bill Cole 
> <sausers-20150...@billmail.scconsult.com> wrote:
> 
> On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:
> 
>> I’ve been receiving some spam where spamassassin identifies the sender with 
>> USER_IN_WHITELIST. These senders (or domains) are most definitely not in my 
>> whitelist. How can I get around this problem?
> 
> There are so many relevant variables unspecified that no one here has any 
> hope of solving your problem.
> 
> To make it easier for us, please provide more information:
> 
> 1. How are you using SpamAssassin? Specifically, if you have it hooked into 
> an MTA like Postfix or Sendmail, tell us which one AND what mechanism you are 
> using to integrate SA and the MTA.
> 
> 2. If your system involved the use of spamd, what are its arguments and what 
> user is it running as?
> 
> 3. If you scan a message with this problem manually by piping it into 
> 'spamassassin -t -D' what does the resulting flood of debugging information 
> say about what address it is finding as being in the whitelist?
> 

Ah, ok. Here’s some info:
spamassassin v3.4.0 - Postfix 2.11.0  Ubuntu 14.04
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid

In /etc/postfix/master.cf
smtp  inet  n   -   -   -   -   smtpd -vvv -o content_filter=spamassassin
spamassassin unix - n   n   -   -   pipe flags=Rq user=nobody argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}

The output from spamassassin -t -D < In-whitelist.txt gives the answer, I 
believe:

address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: 
^.*microsoft\.com$

Very sneaky. I think I can handle this one from here.
Thanks again.



Re: USER_IN_WHITELIST

2016-07-06 Thread Bill Cole
On 6 Jul 2016, at 21:58, David B Funk wrote:

> On Wed, 6 Jul 2016, Lorenzo Thurman wrote:
>
>> I’ve been receiving some spam where spamassassin identifies the sender with 
>> USER_IN_WHITELIST. These senders (or domains) are
>> most definitely not in my whitelist. How can I get around this problem? Thanks
>>
>
> SpamAssassin comes with some built-in whitelists (which should be pretty safe 
> to
> use). Look in your SA rules kit for things like: 60_whitelist.cf 
> 60_whitelist_dkim.cf and 60_whitelist_spf.cf

Those should not cause USER_IN_WHITELIST matches but rather 
USER_IN_DEF_WHITELIST and similarly labeled forms of the SPF and DKIM 
variations.




Re: USER_IN_WHITELIST

2016-07-06 Thread David B Funk

On Wed, 6 Jul 2016, Lorenzo Thurman wrote:


I’ve been receiving some spam where spamassassin identifies the sender with 
USER_IN_WHITELIST. These senders (or domains) are
most definitely not in my whitelist. How can I get around this problem? Thanks



SpamAssassin comes with some built-in whitelists (which should be pretty safe to
use). Look in your SA rules kit for things like: 60_whitelist.cf 
60_whitelist_dkim.cf and 60_whitelist_spf.cf

You might also have some 3rd-party rules files that contain whitelists.

You can explicitly negate the effect of an entry from one of these files by
using the appropriate "unwhitelist_from" type configuration statements in your
local.cf config files.

Theoretically you could edit the system config files but those edits could be
lost with the next system rules update, so using the unwhitelist_from technique
is the way to go.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



Re: USER_IN_WHITELIST

2016-07-06 Thread Bill Cole

On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:

I’ve been receiving some spam where spamassassin identifies the 
sender with USER_IN_WHITELIST. These senders (or domains) are most 
definitely not in my whitelist. How can I get around this problem?


There are so many relevant variables unspecified that no one here has 
any hope of solving your problem.


To make it easier for us, please provide more information:

1. How are you using SpamAssassin? Specifically, if you have it hooked 
into an MTA like Postfix or Sendmail, tell us which one AND what 
mechanism you are using to integrate SA and the MTA.


2. If your system involved the use of spamd, what are its arguments and 
what user is it running as?


3. If you scan a message with this problem manually by piping it into 
'spamassassin -t -D' what does the resulting flood of debugging 
information say about what address it is finding as being in the 
whitelist?




USER_IN_WHITELIST

2016-07-06 Thread Lorenzo Thurman
I’ve been receiving some spam where spamassassin identifies the sender with 
USER_IN_WHITELIST. These senders (or domains) are most definitely not in my 
whitelist. How can I get around this problem?
Thanks

Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Per Jessen
John Hardin wrote:

 On Tue, 19 Jun 2012, Benny Pedersen wrote:
 
 Den 2012-06-19 22:39, Kevin A. McGrail skrev:

  I think that's the concept behind the whitelist_from_spf

 but some use whitelist_from, its nothing new there :=)

 can user_in_whitelist be changed to not have -100 as default score,
 or is whitelist_from planned for removements ?
 
 It's needed for when none of the other more-strict whitelist options
 will work, so we can't get just rid of it.
 
 I'd suggest instead a lint warning if it is used, alerting the admin
 that it's discouraged and that it has problems like this and is very
 easy to spoof.

It's well documented. From the man page:

whitelist_from a...@ress.com
Used to whitelist sender addresses which send mail that is often tagged
(incorrectly) as spam.

Use of this setting is not recommended, since it blindly trusts the
message, which is routinely and easily forged by spammers and phish
senders. The recommended solution is to instead use whitelist_auth or
other authenticated whitelisting methods, or whitelist_from_rcvd.



-- 
Per Jessen, Zürich (21.1°C)



Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Per Jessen
RW wrote:

 On Tue, 19 Jun 2012 19:14:11 -0400
 Jeff Mincy wrote:
 
From: RW rwmailli...@googlemail.com
Date: Tue, 19 Jun 2012 23:43:57 +0100
 
If used sensibly USER_IN_WHITELIST is probably the most reliable
 rule we have, for the overwhelming majority of addresses it's far
 more accurate than spf based whitelisting. It's not always right to
 treat users as idiots.
 
 Huh?  What you mean by used sensibly?
 
 I mean, don't use it on well-known addresses, or if you're a candidate
 for  spear-phishing and can't be trusted not to fall for it. Don't
 whitelist domains unless they are extremely obscure.
 
 whitelist_from_rcvd is very reliable.
 
 Not if someone sends an email through a different mail system, 

I think that is what whitelist_allows_relays is intended to take care
of. 



-- 
Per Jessen, Zürich (23.2°C)



Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Per Jessen
RW wrote:

 On Wed, 20 Jun 2012 03:25:53 +0200
 Benny Pedersen wrote:
 
 Den 2012-06-20 03:09, RW skrev:
 
  The overwhelming majority of email addresses are never spoofed.
 
 seen from my mta logs off sender addresses that miss the smtp auth
 password here postfix dont agree with you, if sender uses something
 belongs to my domain i may start asking for passwords, this check is
 not needing spf or dkim or even dmarc tests
  
 I've no idea what that means, but what I wrote wasn't entirely clear -
 particularly when taken out of context.
 
 What I mean is that if I whitelist a private email address, the
 chances of a spammer ever sending me a spam spoofing that address is
 very small.

Happened to me twice only yesterday - somebody sent me mails appearing
to come from one of my email addresses.  I don't think it's as rare an
event as you suggest.


-- 
Per Jessen, Zürich (23.2°C)



Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread RW
On Wed, 20 Jun 2012 11:33:49 +0200
Per Jessen wrote:

 RW wrote:
 
  On Wed, 20 Jun 2012 03:25:53 +0200
  Benny Pedersen wrote:
  
  Den 2012-06-20 03:09, RW skrev:
  
   The overwhelming majority of email addresses are never spoofed.
  
  seen from my mta logs off sender addresses that miss the smtp auth
  password here postfix dont agree with you, if sender uses something
  belongs to my domain i may start asking for passwords, this check
  is not needing spf or dkim or even dmarc tests
   
  I've no idea what that means, but what I wrote wasn't entirely
  clear - particularly when taken out of context.
  
  What I mean is that if I whitelist a private email address, the
  chances of a spammer ever sending me a spam spoofing that address is
  very small.
 
 Happened to me twice only yesterday - somebody sent me mails appearing
 to come from one of my email addresses.  I don't think it's as rare an
 event as you suggest.

Are you being deliberately obtuse? Of course that happens all the
time, but why would one whitelist such an address? 


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Greg Troxel

  My suggestion was intended to minimize the effect on existing
  behavior. I agree, it would probably be a very good idea to allow
  whitelist_from to be scored differently than the other whitelist
  variants, and to ship it with a smaller default score, but that change
  is fairly disruptive.

I would like to see

  whitelist_score_from points address

which acts just like whitelist_from address, but which has a score of
points rather than some fixed score.

That way I could do:

  whitelist_from -5 f...@yahoo.com

for people that post legit but spammy-looking mail to mailinglists, and
get their regular mail in the right folder instead of a spam folder, but
not let their account-hijacked spam bleed through like -100 would do.

And also use -20 for people I know, -50 for customers, etc.





Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Kevin A. McGrail

On 6/20/2012 8:05 AM, Greg Troxel wrote:

I would like to see...
As an open source project, we encourage people to submit patches and 
step up to coding on the project.


You can really start small with one line patches and I'll do my best to 
support you.


Regards,
KAM




Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread RW
On Wed, 20 Jun 2012 11:22:08 +0200
Per Jessen wrote:

 RW wrote:

  Not if someone sends an email through a different mail system, 
 
 I think that is what whitelist_allows_relays is intended to take
 care of. 

If it made a difference to the case I was referring to then it would
effectively turn whitelist_from_rcvd into whitelist_from for
the specified addresses.

I looked it up, whitelist_allows_relays is a list of addresses 
excluded from check_forged_in_whitelist, which is not used in the
current rules.


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Benny Pedersen

Den 2012-06-20 14:05, Greg Troxel skrev:


That way I could do:

  whitelist_from -5 f...@yahoo.com


AWL plugin basically could be extended to use dkim/spf and more bound to 
whitelist_* so the awl score is more live calculated, with default awl 
it's bound to 0.0.x.x/16 but it could be changed to /8 /24 /32 matching, 
so scores are more accurate per sender


but your way could very well extend problems or usefulness depending 
on which side of the screen one sits :)


awl can track dkim senders, but it would be nice dkim is not alone 
there


awl is imho dropped in spamassassin 3.4 and replaced with history 
plugin, i dont know what or why or even code to this plugin


maybe score sets should just be extended to more than 4 columns ?

score foo set1 set2 set3 set4 spf dkim

just a stupid idea maybe ?





Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Flemming Jacobsen
RW wrote:
 On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:
  RW wrote:
   What I mean is that if I whitelist a private email address, the
   chances of a spammer ever sending me a spam spoofing that address is
   very small.
  
  Happened to me twice only yesterday - somebody sent me mails appearing
  to come from one of my email addresses.  I don't think it's as rare an
  event as you suggest.
 
 Are you being deliberately obtuse? Of course that happens all the
 time, but why would one whitelist such an address? 

Because you use email to send yourself reminder notes or small
files. I have addresses on several distinct systems (private,
work, google, user group, ...).
And I whitelist them because I do not want mail to get lost.


Regards,
Flemming

-- 
Flemming Jacobsen  Email: f...@batmule.dk

There is nobody so irritating as somebody with less intelligence
and more sense than we have.  -- Don Herold


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread Benny Pedersen

On 2012-06-20 18:38, Flemming Jacobsen wrote:

> Because you use email to send yourself reminder notes or small
> files. I have addresses on several distinct systems (private,
> work, google, user group, ...).
> And I whitelist them because I do not want mail to get lost.


with shared imap folders nothing gets lost, all that mail does not need 
to travel, but implementations need to be more useful, it's like forwards 
that break spf, it's a lie, since known forward hosts must be 
trusted_networks, drawback in making 0.0.0.0/0 trusted_networks, it 
removes all domain based trust


for such problems it would be more useful to disable dnsrbl and only 
check content based on body/rawbody


unless one use rbl in mta



Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-20 Thread RW
On Wed, 20 Jun 2012 18:38:49 +0200
Flemming Jacobsen wrote:

> RW wrote:
> > On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:
> > > RW wrote:
> > > > What I mean is that if I whitelist a private email address, the
> > > > chances of a spammer ever sending me a spam spoofing that
> > > > address is very small.
> > >
> > > Happened to me twice only yesterday - somebody sent me mails
> > > appearing to come from one of my email addresses.  I don't think
> > > it's as rare an event as you suggest.
> >
> > Are you being deliberately obtuse? Of course that happens all the
> > time, but why would one whitelist such an address?
>
> Because you use email to send yourself reminder notes or small
> files. I have addresses on several distinct systems (private,
> work, google, user group, ...).
> And I whitelist them because I do not want mail to get lost.

If it's an unrelated external address then it's just one address in
billions and it won't be randomly spoofed.


USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Flemming Jacobsen
Hey

I finally got around to enabling SPF checks in SA.
(v. 3.3.2, via spamd on FreeBSD)

It appears that even though SPF checks fail (i.e. SPF_FAIL),
USER_IN_WHITELIST still adds -100 points to the score.
Since the sender probably is spoofed, should USER_IN_WHITELIST
not be ignored/neutral (not sure of the terminology here)?


Regards,
Flemming Jacobsen

-- 
Flemming Jacobsen  Email: f...@batmule.dk

It is hard to believe that a man is telling the truth when you know that
you would lie if you were in his place.  -- H. L. Mencken


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Kevin A. McGrail

On 6/19/2012 4:21 PM, Flemming Jacobsen wrote:

> Hey
>
> I finally got around to enabling SPF checks in SA.
> (v. 3.3.2, via spamd on FreeBSD)
>
> It appears that even though SPF checks fail (i.e. SPF_FAIL),
> USER_IN_WHITELIST still adds -100 points to the score.
> Since the sender probably is spoofed, should USER_IN_WHITELIST
> not be ignored/neutral (not sure of the terminology here)?


I think that's the concept behind the whitelist_from_spf

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_SPF.html

Regards,
KAM


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Benny Pedersen

On 2012-06-19 22:21, Flemming Jacobsen wrote:

> It appears that even though SPF checks fail (i.e. SPF_FAIL),
> USER_IN_WHITELIST still adds -100 points to the score.
> Since the sender probably is spoofed, should USER_IN_WHITELIST
> not be ignored/neutral (not sure of the terminology here)?


nope, whitelist_from is stupid in the first place

but since so many use it, it will properly stay forever :(

immediate fix is to:

score USER_IN_WHITELIST -0.01

or

meta spf fails with user_in_* (insecure)



Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Benny Pedersen

On 2012-06-19 22:39, Kevin A. McGrail wrote:

> I think that's the concept behind the whitelist_from_spf


but some use whitelist_from, it's nothing new there :=)

can user_in_whitelist be changed to not have -100 as default score, or 
is whitelist_from planned for removal ?






Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Axb

On 06/19/2012 11:34 PM, Benny Pedersen wrote:

> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>
> > I think that's the concept behind the whitelist_from_spf
>
> but some use whitelist_from, it's nothing new there :=)
>
> can user_in_whitelist be changed to not have -100 as default score, or
> is whitelist_from planned for removal ?


no  no




Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread John Hardin

On Tue, 19 Jun 2012, Benny Pedersen wrote:

> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>
> > I think that's the concept behind the whitelist_from_spf
>
> but some use whitelist_from, it's nothing new there :=)
>
> can user_in_whitelist be changed to not have -100 as default score, or is 
> whitelist_from planned for removal ?


It's needed for when none of the other more-strict whitelist options will 
work, so we can't just get rid of it.


I'd suggest instead a lint warning if it is used, alerting the admin that 
it's discouraged and that it has problems like this and is very easy to 
spoof.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 15 days until the 236th anniversary of the Declaration of Independence


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Benny Pedersen

On 2012-06-19 23:44, John Hardin wrote:

> I'd suggest instead a lint warning if it is used, alerting the admin
> that it's discouraged and that it has problems like this and is very
> easy to spoof.


fair, but Flemming might choose some meta like this:

meta WHITELIST_INSECURE_SPF (USER_IN_WHITELIST && SPF_FAIL)
score WHITELIST_INSECURE_SPF 50

but since Flemming did not provide a sample there might be other 
options, eg why accept spf_fail in mta ?
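
The meta/score pair from the message above, evaluated over a constructed ruleset to show the net score a spoofed whitelisted sender ends up with. This is an added example, not code from the thread or from SpamAssassin; the SPF_FAIL score of 0.9, the single-value `score` lines and the boolean-only meta parser are assumptions made for the illustration.

```python
import re

# Constructed ruleset: the meta/score pair from the message above plus the two
# rules it combines. The SPF_FAIL score of 0.9 is an assumed sample value.
RULES = """\
score USER_IN_WHITELIST -100
score SPF_FAIL 0.9
meta WHITELIST_INSECURE_SPF (USER_IN_WHITELIST && SPF_FAIL)
score WHITELIST_INSECURE_SPF 50
"""

TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def tokenize(expr):
    """Split a boolean meta expression into operators, parentheses and rule names."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        match = TOKEN.match(expr, pos)
        if not match:
            raise ValueError(f"cannot parse meta expression at {expr[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def eval_meta(expr, hits):
    """Evaluate a meta expression (&&, ||, !, parentheses) against the rules that hit."""
    tokens, pos = tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_unary()
        while peek() == "&&":
            take()
            rhs = parse_unary()
            value = value and rhs
        return value

    def parse_unary():
        if peek() == "!":
            take()
            return not parse_unary()
        if peek() == "(":
            take()
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' or operator in meta expression")
            return value
        tok = take()
        if tok is None or not (tok[0].isalpha() or tok[0] == "_"):
            raise ValueError(f"expected a rule name, got {tok!r}")
        return tok in hits

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens in meta expression")
    return result


def total_score(rules_text, base_hits):
    """Return (score, rules that fired) for a message hitting base_hits.

    Simplification: metas are evaluated against base rules only, and every
    rule that can fire must have an explicit score line.
    """
    scores, metas = {}, {}
    for line in rules_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = float(parts[2].split()[0])
        elif len(parts) == 3 and parts[0] == "meta":
            metas[parts[1]] = parts[2]
    base = set(base_hits)
    fired = base | {name for name, expr in metas.items() if eval_meta(expr, base)}
    return round(sum(scores[name] for name in fired), 3), fired


if __name__ == "__main__":
    spoofed = {"USER_IN_WHITELIST", "SPF_FAIL"}
    print("spoofed, meta scored 50:", total_score(RULES, spoofed)[0])
    print("genuine, SPF passes    :", total_score(RULES, {"USER_IN_WHITELIST"})[0])
```

With these sample scores the meta at 50 leaves the spoofed message at -49.1; the pair only cancels the whitelist bonus when the meta score equals the magnitude of the USER_IN_WHITELIST score.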






Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Jeff Mincy
   From: John Hardin jhar...@impsec.org
   Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
   
   On Tue, 19 Jun 2012, Benny Pedersen wrote:
   
   > On 2012-06-19 22:39, Kevin A. McGrail wrote:
   >
   >> I think that's the concept behind the whitelist_from_spf
   >
   > but some use whitelist_from, it's nothing new there :=)
   >
   > can user_in_whitelist be changed to not have -100 as default score, or is 
   > whitelist_from planned for removal ?
   
   It's needed for when none of the other more-strict whitelist options will 
   work, so we can't just get rid of it.
   
True.

   I'd suggest instead a lint warning if it is used, alerting the admin that 
   it's discouraged and that it has problems like this and is very easy to 
   spoof.
   
How about creating a different score for whitelist_from that is
separate from whitelist_from_rcvd?   For example, whitelist_from could
trigger USER_IN_SIMPLE_WHITELIST (or some other variation).   The
description of the test could include warnings about how easy
it is to spoof whitelist_from.

-jeff


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread RW
On Tue, 19 Jun 2012 18:02:28 -0400
Jeff Mincy wrote:

>    From: John Hardin jhar...@impsec.org
>    Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
>
>    On Tue, 19 Jun 2012, Benny Pedersen wrote:
>
>    > On 2012-06-19 22:39, Kevin A. McGrail wrote:
>    >
>    >> I think that's the concept behind the whitelist_from_spf
>    >
>    > but some use whitelist_from, it's nothing new there :=)
>    >
>    > can user_in_whitelist be changed to not have -100 as default
>    > score, or is whitelist_from planned for removal ?
>
>    It's needed for when none of the other more-strict whitelist
>    options will work, so we can't just get rid of it.
>
> True.
>
>    I'd suggest instead a lint warning if it is used, alerting the
>    admin that it's discouraged and that it has problems like this and is
>    very easy to spoof.
>
> How about creating a different score for whitelist_from that is
> separate from whitelist_from_rcvd?   For example, whitelist_from could
> trigger USER_IN_SIMPLE_WHITELIST (or some other variation).   The
> description of the test could include warnings about how easy
> it is to spoof whitelist_from.

If used sensibly USER_IN_WHITELIST is probably the most reliable rule we
have, for the overwhelming majority of addresses it's far more accurate
than spf based whitelisting. It's not always right to treat users as
idiots.


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Jeff Mincy
   From: RW rwmailli...@googlemail.com
   Date: Tue, 19 Jun 2012 23:43:57 +0100
   
   On Tue, 19 Jun 2012 18:02:28 -0400
   Jeff Mincy wrote:
   
   >    From: John Hardin jhar...@impsec.org
   >    Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
   >
   >    On Tue, 19 Jun 2012, Benny Pedersen wrote:
   >
   >    > On 2012-06-19 22:39, Kevin A. McGrail wrote:
   >    >
   >    >> I think that's the concept behind the whitelist_from_spf
   >    >
   >    > but some use whitelist_from, it's nothing new there :=)
   >    >
   >    > can user_in_whitelist be changed to not have -100 as default
   >    > score, or is whitelist_from planned for removal ?
   >
   >    It's needed for when none of the other more-strict whitelist
   >    options will work, so we can't just get rid of it.
   >
   > True.
   >
   >    I'd suggest instead a lint warning if it is used, alerting the
   >    admin that it's discouraged and that it has problems like this and is
   >    very easy to spoof.
   >
   > How about creating a different score for whitelist_from that is
   > separate from whitelist_from_rcvd?   For example, whitelist_from could
   > trigger USER_IN_SIMPLE_WHITELIST (or some other variation).   The
   > description of the test could include warnings about how easy
   > it is to spoof whitelist_from.
   
   If used sensibly USER_IN_WHITELIST is probably the most reliable rule we
   have, for the overwhelming majority of addresses it's far more accurate
   than spf based whitelisting. It's not always right to treat users as
   idiots.

Huh?  What do you mean by used sensibly?  whitelist_from_rcvd is very
reliable.  whitelist_from is trivial to spoof.  whitelist_from_rcvd
and whitelist_from both trigger USER_IN_WHITELIST.

It is easy to get into trouble using whitelist_from - having a
separate score just for whitelist_from would make identifying the
problem easier for the user.

-jeff


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread John Hardin

On Tue, 19 Jun 2012, Jeff Mincy wrote:


>   From: John Hardin jhar...@impsec.org
>
>   I'd suggest instead a lint warning if it is used, alerting the admin that
>   it's discouraged and that it has problems like this and is very easy to
>   spoof.
>
> How about creating a different score for whitelist_from that is
> separate from whitelist_from_rcvd?   For example, whitelist_from could
> trigger USER_IN_SIMPLE_WHITELIST (or some other variation).   The
> description of the test could include warnings about how easy
> it is to spoof whitelist_from.


My suggestion was intended to minimize the effect on existing behavior. I 
agree, it would probably be a very good idea to allow whitelist_from to be 
scored differently than the other whitelist variants, and to ship it with 
a smaller default score, but that change is fairly disruptive.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Usually Microsoft doesn't develop products, we buy products.
  -- Arno Edelmann, Microsoft product manager
---
 15 days until the 236th anniversary of the Declaration of Independence


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread John Hardin

On Tue, 19 Jun 2012, Flemming Jacobsen wrote:


> I finally got around to enabling SPF checks in SA.
> (v. 3.3.2, via spamd on FreeBSD)
>
> It appears that even though SPF checks fail (i.e. SPF_FAIL),
> USER_IN_WHITELIST still adds -100 points to the score.
> Since the sender probably is spoofed, should USER_IN_WHITELIST
> not be ignored/neutral (not sure of the terminology here)?


Which whitelist is the problematic user in? whitelist_from is a naive 
check of the from address and is trivially easy to spoof.


You should review your whitelists and, now that you have SPF working, move 
senders that are in authenticated domains from whitelist_from to 
whitelist_auth so that you take advantage of SPF (and DKIM, if you have 
that working as well).


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Usually Microsoft doesn't develop products, we buy products.
  -- Arno Edelmann, Microsoft product manager
---
 15 days until the 236th anniversary of the Declaration of Independence
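
A whitelist review of the kind suggested in the message above, written as a small linter that flags unconstrained `whitelist_from` entries and proposes `whitelist_auth` candidates. This is an added example, not code from the thread or from SpamAssassin; the sample local.cf, the severity labels and the `local_domains` parameter are assumptions, and the proposed lines only apply to senders whose domains actually publish SPF or sign with DKIM.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    lineno: int
    pattern: str
    severity: str  # "high" or "warn" (labels chosen for this example)
    reason: str


# Constructed sample local.cf; all addresses use reserved example domains.
SAMPLE_LOCAL_CF = """\
# local.cf (constructed sample)
required_score 5.0
whitelist_from   alice@example.org *@example.net   # trailing comment
whitelist_auth   bob@example.com
whitelist_from_rcvd carol@example.org example.org
  whitelist_from me@example.com
score USER_IN_WHITELIST -100
"""


def strip_comment(line: str) -> str:
    """Remove a '#' comment; a backslash-escaped '\\#' is kept as a literal '#'."""
    return re.sub(r"(?<!\\)#.*", "", line).replace(r"\#", "#").strip()


def lint_whitelists(conf_text: str, local_domains=()) -> List[Finding]:
    """Flag every address pattern listed under the unconstrained whitelist_from.

    whitelist_from_rcvd and whitelist_auth entries are left alone because they
    need Received-header, SPF or DKIM evidence before the whitelist rule fires.
    """
    own = {d.lower() for d in local_domains}
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = strip_comment(raw).split()
        if len(fields) < 2 or fields[0] != "whitelist_from":
            continue
        for pattern in fields[1:]:
            local, _, domain = pattern.rpartition("@")
            if domain.lower() in own:
                sev, why = "high", "recipient's own domain, which spammers do forge"
            elif not local or "*" in local or "?" in local:
                sev, why = "high", "matches a whole domain on the From address alone"
            else:
                sev, why = "warn", "matches on the From address alone"
            findings.append(Finding(lineno, pattern, sev, why))
    return findings


def suggest_auth(findings: List[Finding]) -> List[str]:
    """Candidate replacement lines; valid only for SPF/DKIM-authenticated senders."""
    return [f"whitelist_auth {f.pattern}" for f in findings]


if __name__ == "__main__":
    results = lint_whitelists(SAMPLE_LOCAL_CF, local_domains={"example.com"})
    for f in results:
        print(f"line {f.lineno}: [{f.severity}] whitelist_from {f.pattern}: {f.reason}")
    print("\n".join(suggest_auth(results)))
```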


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread RW
On Tue, 19 Jun 2012 19:14:11 -0400
Jeff Mincy wrote:

>    From: RW rwmailli...@googlemail.com
>    Date: Tue, 19 Jun 2012 23:43:57 +0100
>
>    If used sensibly USER_IN_WHITELIST is probably the most reliable
>    rule we have, for the overwhelming majority of addresses it's far
>    more accurate than spf based whitelisting. It's not always right to
>    treat users as idiots.
>
> Huh?  What do you mean by used sensibly?

I mean, don't use it on well-known addresses, or if you're a candidate
for spear-phishing and can't be trusted not to fall for it. Don't
whitelist domains unless they are extremely obscure.

> whitelist_from_rcvd is very reliable.

Not if someone sends an email through a different mail system, which is
a scenario where Bayes is much more likely to misclassify and an FP
is most likely. It's also broken by forwarding, like spf is.

> whitelist_from is trivial to spoof.

The overwhelming majority of email addresses are never spoofed.


Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread Benny Pedersen

On 2012-06-20 03:09, RW wrote:

> The overwhelming majority of email addresses are never spoofed.


seen from my mta logs of sender addresses that miss the smtp auth 
password here postfix doesn't agree with you, if sender uses something 
that belongs to my domain i may start asking for passwords, this check 
does not need spf or dkim or even dmarc tests




Re: USER_IN_WHITELIST and SPF_FAIL

2012-06-19 Thread RW
On Wed, 20 Jun 2012 03:25:53 +0200
Benny Pedersen wrote:

> On 2012-06-20 03:09, RW wrote:
>
> > The overwhelming majority of email addresses are never spoofed.
>
> seen from my mta logs of sender addresses that miss the smtp auth
> password here postfix doesn't agree with you, if sender uses something
> that belongs to my domain i may start asking for passwords, this check
> does not need spf or dkim or even dmarc tests

I've no idea what that means, but what I wrote wasn't entirely clear -
particularly when taken out of context.

What I mean is that if I whitelist a private email address, the chances
of a spammer ever sending me a spam spoofing that address is very
small.



USER_IN_WHITELIST Not Scoring

2009-07-10 Thread boogybren

My local root user sends me nightly emails with mail/spam statistics and
information.  Because of the spam information contained in the email, it
is sometimes flagged as spam itself.

In my local.cf, I have put the root user's email address in the
whitelist_from line, however whenever I send an email as the root user to my
legitimate email account, it is not getting scored.

I have explicitly entered:

score USER_IN_WHITELIST -100

in my local.cf.  I have also disabled the AWL plugin.  However, no matter
what I do, it still won't score -100.  The recipient's user_prefs is
completely empty.

Any suggestions would be greatly appreciated.  Attached is my local.cf

Best regards,
Brenden

http://www.nabble.com/file/p24428065/local.cf local.cf 
-- 
View this message in context: 
http://www.nabble.com/USER_IN_WHITELIST-Not-Scoring-tp24428065p24428065.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Daniel Schaefer

boogybren wrote:

Any suggestions would be greatly appreciated.  Attached is my local.cf
  

Simple solution, but you may not have tried it...restart spamassassin

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread boogybren

Thanks Dan, indeed I have bounced the daemon after modifying the local.cf.

Brenden


Daniel Schaefer wrote:
 
 boogybren wrote:
 Any suggestions would be greatly appreciated.  Attached is my local.cf
   
 Simple solution, but you may not have tried it...restart spamassassin
 
 -- 
 Dan Schaefer
 Application Developer
 Performance Administration Corp.
 
 
 




Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, boogybren wrote:

> My local root user sends me nightly emails with mail/spam statistics and 
> information.  Because of the spam information contained in the email, it 
> is sometimes flagged as spam itself.


I would suggest you look into MTA configs that will allow you to 
completely bypass SA on messages that originate from trusted hosts (e.g. 
localhost and your local network) and are destined for local recipients. 
Save the CPU cycles.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
-- U.S. Supreme Court
   SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread boogybren

I have been wanting to do something like that but haven't done the legwork to
figure it out.

I will certainly look up how to do this in sendmail.  Do you have any
suggestions?


John Hardin wrote:
 
 On Fri, 10 Jul 2009, boogybren wrote:
 
 My local root user sends me nightly emails with mail/spam statistics and 
 information.  Because of the spam information contained in the email, it 
 sometimes flagged as spam itself.
 
 I would suggest you look into MTA configs that will allow you to 
 completely bypass SA on messages that originate from trusted hosts (e.g. 
 localhost and your local network) and are destined for local recipients. 
 Save the CPU cycles.
 
 -- 
   John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
   jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
The Constitution is a written instrument. As such its meaning does
not alter. That which it meant when adopted, it means now.
  -- U.S. Supreme Court
 SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
 ---
   10 days until the 40th anniversary of Apollo 11 landing on the Moon
 
 




Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, boogybren wrote:

> I have been wanting to do something like that but haven't done the 
> legwork to figure it out.
>
> I will certainly look up how to do this in sendmail.  Do you have any 
> suggestions?


We also need to know how you're gluing SA into your mailer chain. 
Procmail? A milter of some sort?



> John Hardin wrote:
>
> > On Fri, 10 Jul 2009, boogybren wrote:
> >
> > > My local root user sends me nightly emails with mail/spam statistics and
> > > information.  Because of the spam information contained in the email, it
> > > is sometimes flagged as spam itself.
> >
> > I would suggest you look into MTA configs that will allow you to
> > completely bypass SA on messages that originate from trusted hosts (e.g.
> > localhost and your local network) and are destined for local recipients.
> > Save the CPU cycles.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread boogybren

Am using procmail.


John Hardin wrote:
 
 On Fri, 10 Jul 2009, boogybren wrote:
 
 I have been wanting to do something like that but haven't done the 
 legwork to figure it out.

 I will certainly look up how to do this in sendmail.  Do you have any 
 suggestions?
 
 We also need to know how you're gluing SA into your mailer chain. 
 Procmail? A milter of some sort?
 
 John Hardin wrote:

 On Fri, 10 Jul 2009, boogybren wrote:

 My local root user sends me nightly emails with mail/spam statistics
 and
 information.  Because of the spam information contained in the email,
 it
 sometimes flagged as spam itself.

 I would suggest you look into MTA configs that will allow you to
 completely bypass SA on messages that originate from trusted hosts (e.g.
 localhost and your local network) and are destined for local recipients.
 Save the CPU cycles.
 
 -- 
   John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
   jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
Gun Control laws cannot reduce violent crime, because gun control
laws focus obsessively on a tool a criminal might use to commit a
crime rather than the criminal himself and his act of violence.
 ---
   10 days until the 40th anniversary of Apollo 11 landing on the Moon
 
 




Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, boogybren wrote:


> Am using procmail.


Take a look at http://www.impsec.org/~jhardin/antispam/ for a procmail SA 
ruleset that skips mail originating from localhost. If you need help 
generalizing that for your situation, contact me offlist.


Also, try to stop top-posting. Thanks.


> John Hardin wrote:
>
> > On Fri, 10 Jul 2009, boogybren wrote:
> >
> > > I have been wanting to do something like that but haven't done the
> > > legwork to figure it out.
> > >
> > > I will certainly look up how to do this in sendmail.  Do you have any
> > > suggestions?
> >
> > We also need to know how you're gluing SA into your mailer chain.
> > Procmail? A milter of some sort?
> >
> > > John Hardin wrote:
> > >
> > > > On Fri, 10 Jul 2009, boogybren wrote:
> > > >
> > > > > My local root user sends me nightly emails with mail/spam statistics 
> > > > > and information.  Because of the spam information contained in the 
> > > > > email, it is sometimes flagged as spam itself.
> > > >
> > > > I would suggest you look into MTA configs that will allow you to 
> > > > completely bypass SA on messages that originate from trusted hosts 
> > > > (e.g. localhost and your local network) and are destined for local 
> > > > recipients. Save the CPU cycles.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Gun Control laws cannot reduce violent crime, because gun control
  laws focus obsessively on a tool a criminal might use to commit a
  crime rather than the criminal himself and his act of violence.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Karsten Bräckelmann
On Fri, 2009-07-10 at 06:53 -0700, an anonymous Nabble user wrote:
> My local root user sends me nightly emails with mail/spam statistics and
> information.  Because of the spam information contained in the email, it
> is sometimes flagged as spam itself.
>
> In my local.cf, I have put the root user's email address in the
> whitelist_from line, however whenever I send an email as the root user to my
> legitimate email account, it is not getting scored.

  whitelist_from r...@myphonydomain.com

Don't use the un-constrained whitelist_from, unless as a last resort, if
there's no other way and you cannot use the proper constrained ones,
like whitelist_from_rcvd.

Anyway, no sample -- no way to point out your issue. Do paste at least
the headers of such a mail.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Karsten Bräckelmann
On Fri, 2009-07-10 at 11:30 -0700, John Hardin wrote:
> On Fri, 10 Jul 2009, an anonymous Nabble user wrote:
>
> > Am using procmail.
>
> Take a look at http://www.impsec.org/~jhardin/antispam/ for a procmail SA 
> ruleset that skips mail originating from localhost. If you need help 
> generalizing that for your situation, contact me offlist.

With procmail, you can trivially exonerate specific sender addresses
from scanning. Just add a condition like this to your spamc filtering
procmail recipe:

  * ! ^From: f...@example.net

However, with IMAP and server-side procmail filtering I personally
strongly prefer to sort the cron crap into a dedicated folder, not
cluttering up my Inbox.

For that, just add a delivery recipe *before* scanning with SA. Like
this example.

  :0 :
  * ^From: @example.net \(Cron Daemon\)
  * ^X-Cron-Env:
  cron


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread boogybren

Here are the headers:

Return-Path: r...@myphonydomain.com
X-Spam-Tests:
* -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*  [score: 0.]
*  2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mcewan.net
X-Spam-Level:
X-Spam-Status: No, score=-2.2 required=4.0 tests=ALL_TRUSTED,BAYES_00,
TVD_SPACE_RATIO autolearn=disabled version=3.2.5
X-Spam-Relay-Country:
Received: from myphonydomain.com (localhost [127.0.0.1])
by myphonydomain.com (8.13.6.20060614/8.13.6) with ESMTP id
n6ALprFc064402
for bren...@myphonydomain.com; Fri, 10 Jul 2009 15:51:54 -0600 (MDT)
Received: from localhost (r...@localhost)
by mcewan.net (8.13.6.20060614/8.13.6/Submit) with ESMTP id
n6ALprfK064397
for bren...@myphonydomain.com; Fri, 10 Jul 2009 15:51:53 -0600 (MDT)
Date: Fri, 10 Jul 2009 15:51:53 -0600 (MDT)
From: Charlie Root r...@myphonydomain.com
To: Brenden McEwan bren...@myphonydomain.com
Subject: test message
Message-ID: 20090710155144.m85...@myphonydomain.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed



Karsten Bräckelmann-2 wrote:
 
 On Fri, 2009-07-10 at 06:53 -0700, an anonymous Nabble user wrote:
 My local root user sends me nightly emails with mail/spam statistics and
 information.  Because of the spam information contained in the email, it
 sometimes flagged as spam itself.
 
 In my local.cf, I have put the root user's email address in the
 whitelist_from line, however whenever I send an email as the root user to
 my
 legitimate email account, it is not getting scored.
 
   whitelist_from r...@myphonydomain.com
 
 Don't use the un-constrained whitelist_from, unless as a last resort, if
 there's no other way and you cannot use the proper constrained ones,
 like whitelist_from_rcvd.
 
 Anyway, no sample -- no way to point out your issue. Do paste at least
 the headers of such a mail.
 
 
 -- 
 char
 *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
 main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8?
 c=1:
 (c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
 }}}
 
 
 




Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Jeff Mincy
   From: Karsten Bräckelmann guent...@rudersport.de
   Date: Fri, 10 Jul 2009 23:43:03 +0200
   
   On Fri, 2009-07-10 at 06:53 -0700, an anonymous Nabble user wrote:
   > My local root user sends me nightly emails with mail/spam statistics and
   > information.  Because of the spam information contained in the email, it
   > is sometimes flagged as spam itself.
   >
   > In my local.cf, I have put the root user's email address in the
   > whitelist_from line, however whenever I send an email as the root user to 
   > my legitimate email account, it is not getting scored.
   
     whitelist_from r...@myphonydomain.com
   
   Don't use the un-constrained whitelist_from, unless as a last resort, if
   there's no other way and you cannot use the proper constrained ones,
   like whitelist_from_rcvd.
   
A local root sender should be getting ALL_TRUSTED.  whitelist_from_rcvd
won't work on local email - you need at least one external hop to get the
'rcvd' part.  You could write SpamAssassin rules to look for the messages,
but you probably don't want to AUTOLEARN the messages since any tokens in
the email are probably spam hosts.  As pointed out earlier, this type of
email should bypass SpamAssassin in procmail (etc).

   Anyway, no sample -- no way to point out your issue. Do paste at least
   the headers of such a mail.
   
Yep.

-jeff


Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Karsten Bräckelmann
On Fri, 2009-07-10 at 14:53 -0700, an anonymous Nabble user wrote:
> Here are the headers:
>
> Return-Path: r...@myphonydomain.com
> X-Spam-Tests:
> * -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
> * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> *  [score: 0.]
> *  2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mcewan.net
> X-Spam-Level:
> X-Spam-Status: No, score=-2.2 required=4.0 tests=ALL_TRUSTED,BAYES_00,
> TVD_SPACE_RATIO autolearn=disabled version=3.2.5
[...]
> From: Charlie Root r...@myphonydomain.com

whitelist_from r...@myphonydomain.com

Err... Since these do match, and you claimed to have restarted SA since
the conf change, my conclusion is you have a typo somewhere. After all,
neither your local.cf nor these headers appear to be raw and un-munged.

$ host myphonydomain.com
Host myphonydomain.com not found: 3(NXDOMAIN)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Karsten Bräckelmann
On Fri, 2009-07-10 at 17:59 -0400, Jeff Mincy wrote:
>    Don't use the un-constrained whitelist_from, unless as a last resort, if
>    there's no other way and you cannot use the proper constrained ones,
>    like whitelist_from_rcvd.
>
> A local root sender should be getting ALL_TRUSTED.  whitelist_from_rcvd
> won't work on local email - you need at least one external hop to get the
> 'rcvd' part.  You could write SpamAssassin rules to look for the messages,

Ah, you're right. That option requires handover from the Internet to the
*internal* network. Thanks, my bad.

> but you probably don't want to AUTOLEARN the messages since any tokens in
> the email are probably spam hosts.  As pointed out earlier, this type of
> email should bypass SpamAssassin in procmail (etc).

Agreed, see my notes on that. :)

>    Anyway, no sample -- no way to point out your issue. Do paste at least
>    the headers of such a mail.
>
> Yep.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread boogybren

Thanks Karsten.

myphonydomain.com is just that, phony :-).  I am using it in lieu of my real
domain.



-- 
View this message in context: 
http://www.nabble.com/USER_IN_WHITELIST-Not-Scoring-tp24428065p24435281.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread John Hardin

On Fri, 10 Jul 2009, boogybren wrote:

> Thanks Karsten.
>
> myphonydomain.com is just that, phony :-).  I am using it in lieu of my
> real domain.

The example.com domain is explicitly reserved for that purpose. If you
use example.com in the future, people will know that you are sanitizing
your headers.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If healthcare is a Right means that the government is obligated
  to provide the people with hospitals, physicians, treatments and
  medications at low or no cost, then the right to free speech means
  the government is obligated to provide the people with printing
  presses and public address systems, the right to freedom of
  religion means the government is obligated to build churches for the
  people, and the right to keep and bear arms means the government is
  obligated to provide the people with guns, all at low or no cost.
---
 10 days until the 40th anniversary of Apollo 11 landing on the Moon


Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Karsten Bräckelmann
On Fri, 2009-07-10 at 15:30 -0700, an anonymous Nabble user wrote:
> Thanks Karsten.

So it actually was a typo preventing the whitelist option from working?

> myphonydomain.com is just that, phony :-).  I am using it in lieu of my real
> domain.

So I figured. Bad idea nonetheless, makes debugging harder.

> Karsten Bräckelmann wrote:
> > Err... Since these do match, and you claimed to have restarted SA since
> > the conf change, my conclusion is you have a typo somewhere. After all,
> > neither your local.cf nor these headers appear to be raw and un-munged.
> >
> > $ host myphonydomain.com
> > Host myphonydomain.com not found: 3(NXDOMAIN)




USER_IN_WHITELIST problem.

2009-03-24 Thread Bug
Dear users!

I'm using exim + spamd + user_prefs in mysql. All works fine.

But I found a bug: when I'm using a whitelist and the header rcpt to: has an
address with a character description, the whitelist fails to catch it in the
database. For example:

1st message:
spamd: clean message (-91.7/10.0) for t...@localdomain.com:501 in 8.2 seconds, 13522829 bytes.

2nd message:
spamd: identified spam (9.2/5.0) for some text t...@localdomain.com:501 in 8.3 seconds, 14874071 bytes.

Where "some text" is, for example, the User Name in the address book of the
sender's mail agent.

Mysql userpref struct:
 username | preference     | value             | prefid
 ---------+----------------+-------------------+-------
 test     | whitelist_from | sen...@hidden.com | 1

Mysql database query in sql.cf:
 user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username IN (_USERNAME_, '$GLOBAL', CONCAT(_MAILBOX_, '@', _DOMAIN_), SUBSTRING_INDEX(_USERNAME_, '@', 1)) ORDER BY username ASC

All works fine when the address of the recipient in the incoming letter is
canonical, like t...@localdomain.com
How can I fix this?


Thanks.
Wbr,
Steve




Re: USER_IN_WHITELIST problem.

2009-03-24 Thread Matt Kettler
Bug wrote:
> Dear users !
>
> I`m using exim + spamd + user_prefs in mysql. All works fine.
>
> But I found a bug, when I`m using whitelist, and header rcpt to:  have
> address with character description, whitelist failed to catch it in
> database. For example:
>
> 1st message:
> spamd: clean message (-91.7/10.0) for t...@localdomain.com:501 in 8.2
> seconds, 13522829 bytes.
>
> 2nd message:
> spamd: identified spam (9.2/5.0) for some text t...@localdomain.com:501 in
> 8.3 seconds, 14874071 bytes.
>
> Where some text for example User Name in address book of senders
> mail agent.
>
> Mysql userpref struct:
>  username | preference     | value             | prefid
>  ---------+----------------+-------------------+-------
>  test     | whitelist_from | sen...@hidden.com | 1
>
> Mysql database query in sql.cf:
>  user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE
>  username IN (_USERNAME_, '$GLOBAL', CONCAT(_MAILBOX_, '@' ,
>  _DOMAIN_),SUBSTRING_INDEX(_USERNAME_, '@', 1)) ORDER BY username ASC
>
> All works fine, when address of recipient in incoming letter is canonical
> like t...@localdomain.com
> How can I fix this ?

Stop passing extra garbage in the -u parameter to spamc?

The "some text" part can't legally occur in a RCPT TO: command (which is
not a header). Did you mean you are extracting the entire contents of
the To: header?

spamc isn't designed to parse all that extra data off, username or
usern...@domain only.

I'd try to find a way to get the RCPT TO not the To: anyway. The To:
header might not contain the actual recipient and isn't a useful header
for selecting user prefs. (i.e.: posts sent to mailing lists are RCPT
TO: you, but they are To: the list) This is precisely why SA doesn't try
to parse the To: header and use that for selecting prefs. It is often
misleading.










Re[2]: USER_IN_WHITELIST problem. SOLVED

2009-03-24 Thread Bug
Thank you Matt!

Your letter helped me to understand my problem better.

I'm not using sa-spamc; my exim uses the spam ACL, which connects directly
to the spamd ip/port.

The solution I found was described in the Exim FAQ:

A0512:  Envelope-To: is added at delivery time, by the transport.
Therefore, the header doesn't exist at filter time. In a user filter, the
values you probably want are in $original_local_part and $original_domain.
In a system filter, the complete list of all envelope recipients is in
$recipients.

The incorrect lines are commented out; the now-working config of the spam ACL
looks like:

  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        spam    = $recipients
#       spam    = $h_to
  warn  message = X-Spam-Report: $spam_report
        spam    = $recipients
#       spam    = $h_to





Thank you!
Wbr,
Good luck with spam fight!




USER_IN_WHITELIST triggered but whitelist_from* not in my config

2008-11-12 Thread robanna

Lately, we've been getting a bunch of spam with negative scores because it
has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2
weeks ago I removed whitelist_from_rcvd. Could it still be triggering it?
Maybe the spam was sent a few weeks ago and is just now being delivered to
the users?

Any ideas why?

Email head:
From:   user
Subject: RE: Get your mind cleared from additional problems. 
Date: November 12, 2008 11:25:03 AM MST
To:   user
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on server
X-Spam-Level: 
X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,
HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,
URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,
USER_IN_WHITELIST autolearn=no version=3.1.9
Received: from Jolanta (host-81-190-116-29.gdynia.mm.pl [81.190.116.29]) by
server with SMTP id mACIP34L021551 for user; Wed, 12 Nov 2008 11:25:04
-0700
Mime-Version: 1.0
Content-Type: text/html

/local.cf
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf 
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5.5
report_safe 0
rewrite_header Subject [SPAM]
use_auto_whitelist 0
# Enable the Bayes system
use_bayes   1
# Enable Bayes auto-learning
bayes_auto_learn  1
use_razor2  1
use_pyzor   1
skip_rbl_checks 1

internal_networks   192.168.1/24
internal_networks   192.168.2/24
internal_networks   192.168.3/24
internal_networks   192.168.4/24
internal_networks   192.168.5/24
trusted_networks   192.168.1/24
trusted_networks   192.168.2/24
trusted_networks   192.168.3/24
trusted_networks   192.168.4/24
trusted_networks   192.168.5/24




Re: USER_IN_WHITELIST triggered but whitelist_from* not in my config

2008-11-12 Thread robanna

Nevermind. Someone has whitelisted our url in user-prefs.






USER_IN_WHITELIST Rule

2008-01-11 Thread Matthew Goodman
Why does spam continually get a hit on this rule? I noticed a lot more
spam coming in off the upgrade to 3.2.4. Are spammers getting crafty with
their mail messages to appear as coming from myself TO myself? I could
always reduce the adjustment that USER_IN_WHITELIST makes. However, I'd like
to avoid that if possible.

 

What's up with that?

 

 



Re: USER_IN_WHITELIST Rule

2008-01-11 Thread Matt Kettler

Matthew Goodman wrote:

> Why does spam continually get a “hit” on this rule? I noticed a lot
> more spam coming in off the upgrade to 3.2.4. Are spammers getting
> crafty with their mail messages to appear as coming from myself TO
> myself? I could always reduce the adjustment that USER_IN_WHITELIST
> makes. However, I’d like to avoid that if possible.
>
> What’s up with that?


My guess is you did something many new users do: whitelist_from 
[EMAIL PROTECTED], or whitelist_from [EMAIL PROTECTED]


Spammers *FREQUENTLY* forge your domain as either the From: or the 
Return-Path, both of which will match the whitelist_from, causing 
USER_IN_WHITELIST to trigger.


In general, don't use whitelist_from. Period. It just looks at a single, 
trivially forged header. I'd generally suggest avoiding white lists, but 
if you must, whitelist_from_rcvd is substantially better as it takes a 
second parameter that checks the reverse-dns lookup of the first 
external host in the Received: headers. This is a little more difficult 
to configure properly, but it's also fairly difficult to forge if 
configured properly. Another good option if you have SPF enabled and the 
sending domain has SPF would be whitelist_from_spf. This takes a single 
parameter, but requires the email match the SPF specs for the sending 
domain.


Regardless, USER_IN_WHITELIST will only trigger in response to a 
whitelist_from* type command, so it's definitely one of these that you 
explicitly added. There are some default white listings in SA, but they 
used the def_whitelist_* commands, which triggers USER_IN_DEF_WHITELIST 
instead.


Check your configs and see which whitelist command the spammers are abusing.


Re: user_in_whitelist , how do I find out which one?

2007-10-23 Thread Matt Kettler
Andrew Xiang wrote:
> I have many users in the whitelist_from in the local.cf.
> When I get forwarded spam email like this, how do I find which one it
> matched?

If you want to know for sure, you can run it through spamassassin -D and
wade through the debug output.

My guess is you've got a whitelist_from [EMAIL PROTECTED] or
whitelist_from [EMAIL PROTECTED] that's matching.

> Which FROM entry is it actually looking at?

Well, it's looking at all of them. SpamAssassin will dig for any hints
at the envelope sender, as well as the normal From: header. It's going
to be looking at the embedded envelope-from's in the Received: headers,
as well as the From: header.

In particular, the list for this message could be:

[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Depending on what hosts SA is set to trust.

My guess is you've got a whitelist_from [EMAIL PROTECTED] or
whitelist_from [EMAIL PROTECTED] that's matching.

Don't use plain whitelist_from's unless you can't avoid it. Where
possible, use whitelist_from_rcvd or whitelist_from_spf instead.
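
Added example, not part of the thread and not SpamAssassin's own code: one way to answer "which entry matched?" from this reply and "check your configs" from the USER_IN_WHITELIST Rule reply, by listing every whitelist_from / whitelist_from_rcvd entry whose glob matches a sender address in the message. The sample configs and message are constructed, `local_domains` is a hypothetical parameter, the sender set is simplified to From:, Return-Path: and the envelope-from notes in Received:, and the relay condition of whitelist_from_rcvd is not evaluated.

```python
import re
from collections import namedtuple
from email import message_from_string
from email.utils import getaddresses

# Constructed sample configuration files (not from the thread).
SAMPLE_CONFIGS = {
    "local.cf": (
        "required_hits 5.0\n"
        "whitelist_from partner@example.net\n"
        "whitelist_from_rcvd news@example.org example.org\n"
    ),
    "user_prefs": (
        "# added by a user to stop false positives on internal mail\n"
        "whitelist_from *@example.com\n"
    ),
}

# Constructed sample message: From: claims the recipient's own domain,
# while the envelope sender is on an unrelated domain.
SAMPLE_MESSAGE = (
    "Return-Path: <bounce@spammer.invalid>\n"
    "Received: from dialup.invalid (dialup.invalid [192.0.2.9])\n"
    "\tby mx.example.com with SMTP id abc123\n"
    "\t(envelope-from <bounce@spammer.invalid>)\n"
    'From: "Official Site" <Sales@Example.com>\n'
    "To: <user@example.com>\n"
    "Subject: constructed test\n"
    "\n"
    "body\n"
)

Entry = namedtuple("Entry", "file line directive pattern relay")
Finding = namedtuple("Finding", "entry source address forgeable own_domain")

DIRECTIVES = ("whitelist_from", "whitelist_from_rcvd")
ENVELOPE_FROM = re.compile(r"envelope-from\s+<?([^\s<>()]+)>?", re.IGNORECASE)


def glob_to_regex(pattern):
    """Whitelist patterns are file globs: only * and ? are special, case-insensitive."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)


def parse_entries(configs):
    """Collect whitelist entries together with the file and line they came from."""
    entries = []
    for name, text in configs.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            tokens = raw.split("#", 1)[0].split()
            if len(tokens) < 2 or tokens[0] not in DIRECTIVES:
                continue
            if tokens[0] == "whitelist_from":
                for pat in tokens[1:]:  # several addresses may share one line
                    entries.append(Entry(name, lineno, tokens[0], pat, None))
            elif len(tokens) >= 3:  # whitelist_from_rcvd <address> <relay rDNS>
                entries.append(Entry(name, lineno, tokens[0], tokens[1], tokens[2]))
    return entries


def candidate_senders(raw_message):
    """Map each sender address found in the message to the header it came from."""
    msg = message_from_string(raw_message)
    seen = {}
    for header in ("From", "Return-Path"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                seen.setdefault(addr.lower(), header)
    for received in msg.get_all("Received", []):
        for addr in ENVELOPE_FROM.findall(received):
            seen.setdefault(addr.lower(), "Received (envelope-from)")
    return seen


def explain_hit(configs, raw_message, local_domains):
    """Return one Finding per (whitelist entry, sender address) pair that matches."""
    findings = []
    senders = candidate_senders(raw_message)
    for entry in parse_entries(configs):
        rx = glob_to_regex(entry.pattern)
        for addr, source in senders.items():
            if rx.fullmatch(addr):
                domain = addr.rpartition("@")[2]
                findings.append(Finding(
                    entry, source, addr,
                    forgeable=(entry.directive == "whitelist_from"),
                    own_domain=(domain in local_domains),
                ))
    return findings


if __name__ == "__main__":
    for f in explain_hit(SAMPLE_CONFIGS, SAMPLE_MESSAGE, {"example.com"}):
        e = f.entry
        note = "header-only match, trivially forged" if f.forgeable else "relay check not evaluated"
        own = " (own domain)" if f.own_domain else ""
        print(f"{e.file}:{e.line}: {e.directive} {e.pattern} matched "
              f"{f.source} {f.address}{own}: {note}")
```

A finding with `forgeable` and `own_domain` both set is the self-whitelisting case described in the replies: the entry to remove or replace with a constrained form.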



user_in_whitelist , how do I find out which one?

2007-10-22 Thread Andrew Xiang
I have many users in the whitelist_from in the local.cf.
When I get forwarded spam email like this, how do I find which one it matched? 
Which FROM entry is it actually looking at?

-Andrew


X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on xphotonics.com
X-Spam-Level: 
X-Spam-Status: No, score=-72.0 required=5.0 tests=BAYES_50,DCC_CHECK,
 DIGEST_MULTIPLE,DRUGS_ERECTILE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
 MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
 RAZOR2_CHECK,SARE_FROM_DRUGS,UNPARSEABLE_RELAY,USER_IN_WHITELIST autolearn=no
 version=3.2.1
X-Spam-Pyzor: Reported 4263 times.
X-Spam-Report: 
 * -100 USER_IN_WHITELIST From: address is in the user's white-list
 *  1.7 SARE_FROM_DRUGS From a drug
 *  5.5 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 *  [score: 0.5000]
 *  3.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  5.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 *  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
 *  above 50%
 *  [cf: 100]
 *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 *  [cf: 100]
 *  5.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 *  5.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 *  0.0 DIGEST_MULTIPLE Message hits more than one network digest check
 *  0.3 DRUGS_ERECTILE Refers to an erectile drug
 *  0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
Received: from xphotonics.com (localhost [127.0.0.1])
 by xphotonics.com (8.14.1/8.14.1) with ESMTP id l9MFJIOp032936
 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO)
 for [EMAIL PROTECTED]; Mon, 22 Oct 2007 11:19:18 -0400 (EDT)
 (envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED])
 by xphotonics.com (8.14.1/8.14.1/Submit) id l9MFJIKX032935
 for xiang; Mon, 22 Oct 2007 11:19:18 -0400 (EDT)
 (envelope-from lian)
Received: from 029ae8f252bf4ac (84pavel.dialup.corbina.ru [85.21.237.209])
 by xphotonics.com (8.14.1/8.14.1) with SMTP id l9MFHg8N032899
 for [EMAIL PROTECTED]; Mon, 22 Oct 2007 11:17:44 -0400 (EDT)
 (envelope-from [EMAIL PROTECTED])
Date: Mon, 22 Oct 2007 11:17:42 -0400 (EDT)
Received: from Susana Ware (10.11.17.11) by 029ae8f252bf4ac (PowerMTA(TM) 
v3.2r4) id hfp31o62d55j87 for [EMAIL PROTECTED]; Mon, 22 Oct 2007 07:17:20 
+0300
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: October 79% OFF
From: VIAGRA ?Official Site [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com
X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com
X-Virus-Status: Clean



Re: user_in_whitelist , how do I find out which one?

2007-10-22 Thread Karsten Bräckelmann
On Mon, 2007-10-22 at 11:46 -0400, Andrew Xiang wrote:
> I have many users in the whitelist_from in the local.cf.
> When I get forwarded spam email like this, how do I find which one it
> matched? Which FROM entry is it actually looking at?

See the section Whitelist and Blacklist options in the docs.
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

You'll also find recommendation not to use whitelist_from, and what to
use instead.

  guenther





Re: USER_IN_WHITELIST ??

2007-07-16 Thread Lindsay Haisley
Matt, looks like you hit that target on this.  There are tons of
whitelist_from_rcvd directives in /etc/spamassassin/70_sare_whitelist.cf
including the problem addresses.  I'll need to figure out a way to
override these.  Does blacklist_from take precedence over whitelist_from
or whitelist_from_rcvd?

Thanks!

On Sun, 2007-07-15 at 20:26 -0400, Matt Kettler wrote:
> Lindsay Haisley wrote:
> > I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1)
> > with USER_IN_WHITELIST and assigned score components of -100 accordingly
> > according to 50_scores.cf on the basis of a call to
> > eval:check_from_in_whitelist() in 60_whitelist.cf.
>
> What about whitelist_from_rcvd, or whitelist_from_spf?
>
> Do you have any whitelist commands at the site config level (ie:
> local.cf or add-on rulesets)?

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |




Re: USER_IN_WHITELIST ??

2007-07-16 Thread Theo Van Dinter
On Mon, Jul 16, 2007 at 01:38:22AM -0500, Lindsay Haisley wrote:
> override these.  Does blacklist_from take precedence over whitelist_from
> or whitelist_from_rcvd?

Whitelists and blacklists are independent, ie: no precedence involved.
You could have both hit on a message for a +100 - 100 = 0 total shift.

-- 
Randomly Selected Tagline:
Fatbot: I heard that in one single night you drank a whole keg, streaked across
 campus, and crammed fifty-eight humans into a phone booth.
 Bender: Yeah, well, a lot of 'em were children




USER_IN_WHITELIST ??

2007-07-15 Thread Lindsay Haisley
I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1)
with USER_IN_WHITELIST and assigned score components of -100 accordingly
according to 50_scores.cf on the basis of a call to
eval:check_from_in_whitelist() in 60_whitelist.cf.

I would assume that this would only be possible if I had configured
'whitelist_from xxx' in my user prefs (which are stored in a MySQL
database), but I have no such settings, so I don't have a manual
whitelist as described at
http://wiki.apache.org/spamassassin/ManualWhitelist.

On the other hand, both errant addresses _were_ in my AWL database which
should assign a much smaller (possibly positive) spam score, and
shouldn't evoke a hit on USER_IN_WHITELIST.

Am I missing something here, or is this a SA bug?




Re: USER_IN_WHITELIST ??

2007-07-15 Thread Matt Kettler
Lindsay Haisley wrote:
> I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1)
> with USER_IN_WHITELIST and assigned score components of -100 accordingly
> according to 50_scores.cf on the basis of a call to
> eval:check_from_in_whitelist() in 60_whitelist.cf.
>
> I would assume that this would only be possible if I had configured
> 'whitelist_from xxx' in my user prefs (which are stored in a MySQL
> database), but I have no such settings, so I don't have a manual
> whitelist as described at
> http://wiki.apache.org/spamassassin/ManualWhitelist.

What about whitelist_from_rcvd, or whitelist_from_spf?

Do you have any whitelist commands at the site config level (ie:
local.cf or add-on rulesets)?

Try a run of this:
 grep whitelist /etc/mail/spamassassin/*.cf

> On the other hand, both errant addresses _were_ in my AWL database which
> should assign a much smaller (possibly positive) spam score, and
> shouldn't evoke a hit on USER_IN_WHITELIST.
>
> Am I missing something here, or is this a SA bug?



Re: USER_IN_WHITELIST and autolearn

2007-06-06 Thread Alexis Manning
[EMAIL PROTECTED] says...
> Alexis Manning wrote:
> > It seems that if USER_IN_WHITELIST is triggered then the message won't
> > be auto-learned.
>
> That is incorrect, however USER_IN_WHITELIST does not count toward any
> autolearning decisions.
[...]
> As far as the autolearner is concerned, this message scored 0.001.
> (BAYES_50 doesn't count either, to avoid bayes self-feeding.).

Matt, thanks very much for the comprehensive reply.  Off to read about 
AutoLearnThreshold now :)

Cheers,

-- A.



USER_IN_WHITELIST and autolearn

2007-06-05 Thread Alexis Manning
It seems that if USER_IN_WHITELIST is triggered then the message won't be
auto-learned.

 

X-Spam-Status: No, score=-100.0 required=7.5 tests=BAYES_50=0.001,
 HTML_MESSAGE=0.001,USER_IN_WHITELIST=-100 autolearn=no
 version=3.1.7

 

I have a fair number of people in my whitelist and I would like to feed that
ham to the Bayes database: is there any option which will allow their
messages to be auto-learned too, or do I have to do it manually?

 

Thanks,

 

-- A.



Re: USER_IN_WHITELIST and autolearn

2007-06-05 Thread Matt Kettler
Alexis Manning wrote:

> It seems that if USER_IN_WHITELIST is triggered then the message won’t
> be auto-learned.

That is incorrect, however USER_IN_WHITELIST does not count toward any
autolearning decisions. The primary reason being that whitelists are
often misconfigured the first time around (ie: whitelist_from
[EMAIL PROTECTED]). If the whitelists counted towards autolearning, people
making whitelisting mistakes would have a lot of cleanup work to do
fixing the bayes DB as well.

As far as the autolearner is concerned, this message scored 0.001.
(BAYES_50 doesn't count either, to avoid bayes self-feeding.)

> X-Spam-Status: No, score=-100.0 required=7.5 tests=BAYES_50=0.001,
>  HTML_MESSAGE=0.001,USER_IN_WHITELIST=-100 autolearn=no
>  version=3.1.7
>
> I have a fair number of people in my whitelist and I would like to
> feed that ham to the Bayes database: is there any option which will
> allow their messages to be auto-learned too, or do I have to do it
> manually?

They will be autolearned, but only on their own merits. The whitelisting
won't force autolearning as nonspam.

You might want to read the autolearner documentation to see how the
autolearner calculates score. It changes a few things and the score it
uses can be quite different than the final message score.

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html

In this case, all the whitelist rules have the tflag userconf.

> Thanks,
>
> -- A.




USER_IN_WHITELIST

2007-05-15 Thread -- [ UxBoD ] --
Which rule sets this ? I have grep'd through /etc/mail/spamassassin and the 
variable is used but does not seem to get set anywhere ?
-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749  SIP: [EMAIL PROTECTED]


-- 
This message has been scanned for viruses and dangerous content by MailScanner, 
and is
believed to be clean.



Re: USER_IN_WHITELIST

2007-05-15 Thread Cedric BUSCHINI

--[ UxBoD ]-- wrote:

> Which rule sets this ? I have grep'd through /etc/mail/spamassassin and the
> variable is used but does not seem to get set anywhere ?

Hi,

Have a look in /usr/share/spamassassin.
There is 60_whitelist.cf for rules and about scores it's in 50_scores.cf

BUT it's better to overwrite these parameters updating the local.cf
instead.


What is the problem ?
I may have the same !!

Cedric

--




Re: USER_IN_WHITELIST

2007-05-15 Thread -- [ UxBoD ] --
I have just performed a brand new server install with SA 3.2.0 and I noticed
an email this morning that had scored -94.  I do not know the sender domain, so
looked at how it had been scored and noticed that the rule USER_IN_WHITELIST
had been hit with a -100.




Re: USER_IN_WHITELIST

2007-05-15 Thread Cedric BUSCHINI

ok - not the same problem I have

is -100 too high for you ?


--

Cedric BUSCHINI
   - CARAX -
 IT Department

Phone : + 33 1 4006 9864
fax   : + 33 1 4006 9865



Re: USER_IN_WHITELIST

2007-05-15 Thread -- [ UxBoD ] --
It wouldn't be if we had any user whitelists set up! That's the problem.  This
is a vanilla installation and we have no individual user preferences set up.
All is controlled by a single account, as the mail is then passed onto a Notes
server.  I have looked at that rule and can see that it uses the function
eval:check_from_in_whitelist(), but need to see how that works.

On Tue, 15 May 2007 10:48:47 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:
 ok - not the same problem I have
 is -100 too high for you ?
 
 --[ UxBoD ]-- a écrit :
 
I have just performed a brand new server install with SA 3.2.0 and I
 noticed a email this morning that had scored -94.  I do not know the sender
 domain, so looked at how it had been scored and noticed that the rule
 USER_IN_WHITELIST had been hit with a -100.

On Tue, 15 May 2007 10:35:35 +0200, Cedric BUSCHINI [EMAIL PROTECTED]
 wrote:


--[ UxBoD ]-- a écrit :



Which rule sets this ? I have grep'd through /etc/mail/spamassassin and


the variable is used but does not seem to get set anywhere ?




Hi,

Have a look in /usr/share/spamassassin.
There is 60_whitelist.cf for rules and about scores it s in 50_scores.cf

BUT it's better to overwrite these parameters upadating the local.cf
instead.

What is the problem ?
I may have the same !!

Cedric

--



--
This message has been scanned for viruses and dangerous content by
MailScanner, and is
believed to be clean.


 
 
 --
 
  Cedric BUSCHINI
 - CARAX -
   IT Department
 
 Phone : + 33 1 4006 9864
 fax   : + 33 1 4006 9865
 
 
-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749  SIP: [EMAIL PROTECTED]





Re: USER_IN_WHITELIST

2007-05-15 Thread -- [ UxBoD ] --
Resolved :) Thanks.

On Tue, 15 May 2007 10:48:47 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:
 ok - not the same problem I have
 
 is -100 too high for you ?
 
 --[ UxBoD ]-- a écrit :
 
I have just performed a brand new server install with SA 3.2.0 and I
 noticed an email this morning that had scored -94.  I do not know the sender
 domain, so looked at how it had been scored and noticed that the rule
 USER_IN_WHITELIST had been hit with a -100.

On Tue, 15 May 2007 10:35:35 +0200, Cedric BUSCHINI [EMAIL PROTECTED]
 wrote:


--[ UxBoD ]-- a écrit :



Which rule sets this ? I have grep'd through /etc/mail/spamassassin and


the variable is used but does not seem to get set anywhere ?




Hi,

Have a look in /usr/share/spamassassin.
There is 60_whitelist.cf for rules and about scores it's in 50_scores.cf

BUT it's better to overwrite these parameters updating the local.cf
instead.

What is the problem ?
I may have the same !!

Cedric

--





 
 
 --
 
  Cedric BUSCHINI
 - CARAX -
   IT Department
 
 Phone : + 33 1 4006 9864
 fax   : + 33 1 4006 9865
 
 
-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749  SIP: [EMAIL PROTECTED]





Re: USER_IN_WHITELIST problem

2007-01-24 Thread Jonas Eckerman
Sherman Lilly wrote:

[Snipped text about forged mail from own domains whitelisted...]

 I was looking on the net and I came across a plugin on spamassassin I don't 
 think I have loaded. Will the SPF plugin help with this problem?

If you publish SPF records for your domains, you can use whitelist_from_spf 
instead of whitelist_from. That way you shouldn't whitelist forgeries.

OTOH, why do you need to whitelist your own domain?

/Jonas
-- 
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



RE: USER_IN_WHITELIST problem

2007-01-23 Thread Will Nordmeyer


René Berber wrote:
 Sherman Lilly wrote:
[snip]
  I get why they are getting through. They are spoofing the Return-Path.
  Is there any way to remedy this problem?
 
 Depends on your server.  For sendmail there is:
 
   http://ultra.ap.krakow.pl/~raj/sendmail/english.html
 
 the FEATURE(`local_sender_check') gets rid of all forged addresses
 pretending to be from your domain.
 --
Unfortunately, at least in my case, the addresses aren't forged - they are
actual addresses on my server (Some of my clients APPEAR to send themselves
quite a bit of this garbage), so the local_sender_check wouldn't help,
because the return path appears to be themselves.

--Will




Re: USER_IN_WHITELIST problem

2007-01-23 Thread Ryan Pavely
As of last Wednesday I am having this problem.  In fact it's more than 
just USER_IN_WHITELIST, I am getting many reports of incorrect 
USER_IN_BLACKLIST.


No I don't whitelist my domain.
Yes I checked the To/From/ReplyTo/EnvelopeFrom/etc.
No the users don't have whitelist/blacklist entries anywhere close to 
reported match in debug mode.





Green = Blacklist
Blue = Whitelist

The most recent change, on or around Wednesday, was I ran sa-update.  I 
now use the rules located in /var/lib/spamassassin.
I checked my configs and noticed v310.pre now shows AWL enabled.  I 
disabled this, thought I saw all my graphs drop but sadly it was a 
momentary drop.
I reverted back to using /usr/local/share/spamassassin base rules.  No 
change.  So therefore I have rolled back any change made in the last week.


Here are two examples of a test I just ran.  I took two messages and ran 
them through a loop.  One gets scanned
normally and occasionally hits the blacklist.  The other does the 
inverse.  Both are from my inbox, dated today.


== Example 1
=== Scanned, normal score

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: ***
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=19.5 required=5.0 
tests=RAZOR2_CF_RANGE_51_100=0.5,

RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094

=== Scanned a moment later in a loop, Hit blacklist

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: **
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=119.5 required=5.0 
tests=RAZOR2_CF_RANGE_51_100=0.5,

RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094,
USER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7


== Original Message

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 95612 invoked by uid 0); 23 Jan 2007 08:34:19 -
Received: from 127.0.0.1 by mx2.oct.nac.net (envelope-from 
[EMAIL PROTECTED], uid 0) with qmail-scanner-1.25
 (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
 Clear:RC:1(127.0.0.1):.

 Processed in 1.629328 secs); 23 Jan 2007 08:34:19 -
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:1(127.0.0.1):. Processed in 1.629328 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To:
X-Qmail-Scanner-NAC-Scanners-Run:  clamdscan_scanner fprot_scanner
Received: from unknown (HELO mx2.oct.nac.net) (127.0.0.1)
  by localhost with SMTP; 23 Jan 2007 08:34:17 -
Received: (qmail 95433 invoked by alias); 23 Jan 2007 08:34:15 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 95336 invoked by uid 0); 23 Jan 2007 08:34:12 -
Received: from 81.14.191.12 by mx2.oct.nac.net (envelope-from 
[EMAIL PROTECTED], uid 0) with qmail-scanner-1.25
 (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
 Clear:RC:0(81.14.191.12):.

 Processed in 4.496398 secs); 23 Jan 2007 08:34:12 -
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: 
[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:0(81.14.191.12):. Processed in 
4.496398 secs)

X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To: REDIRECT_NONE
X-Qmail-Scanner-NAC-Scanners-Run:
Received: from unknown (HELO ovjkuxqmpy) (81.14.191.12)
  by rbl-mx.nac.net with SMTP; 23 Jan 2007 08:34:07 -
To: [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

Date: Tue, 23 Jan 2007 09:35:01 +0100
From: Man Aida [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=learned.dirty; 
d=dialupnet.com;

b=BkqGXQzAyMlUagemGOpLIxezlerUABJhtHFfMORxbSauBfGAoroqGlvDCVRpRfuXvGXXtGXmaabRNJwo;

User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Be Rich, Get Yourself Rolex/AP/Bvlgari/PatekPhilippe  .. At 
$ 199 Each least street

Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: 7bit

100% Similar Quality, from $ 199 Each

Show Off to your colleague that you can afford a ROLEX as well

More random text





== Message 2
=== Scanned ok

Re: USER_IN_WHITELIST problem

2007-01-23 Thread Kelson

Sherman Lilly wrote:
I was looking on the net and I came across a plugin on spamassassin I don't 
think I have loaded. Will the SPF plugin help with this problem?


Yes... *if* you replace whitelist_from with whitelist_from_spf

Alternatively you can try something like this:

whitelist_from_rcvd [EMAIL PROTECTED] yourmailserver.com

whitelist_from should always be a last resort because it's so easy for 
spammers to forge the From: and Return-Path: headers.  If at all 
possible, you should use one of the more specific whitelist functions 
that will double-check against the received headers, SPF, DKIM, etc.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: USER_IN_WHITELIST problem

2007-01-23 Thread Ryan Pavely
Ok I have an update.  I picked a message that was getting marked 
USER_IN_WHITELIST once every 5 or so messages.  I took the from address 
and added this code to Perl..Mail\SpamAssassin\EvalTests.pm


   if ($addr =~ qr/$regexp/i) {
     dbg("rules: address $addr matches whitelist or blacklist regexp: $regexp");

     # Debug addition: for one chosen sender address, log the match and then
     # every regexp held in the list that was being checked
     if ($addr eq '[EMAIL PROTECTED]') {
       info("PARADOX: rules: address $addr matches whitelist or blacklist regexp: $regexp");

       foreach my $reg (values %{$list}) {
         info("PARADOX: $reg");
       }
     }

I then ran my loop and watched the log.  After a few tries it hit.  
Guess the cool part.  It printed out hundreds and hundreds of lines of 
blacklist/whitelist settings.  I use a domain/username file based pref 
system, no sql, nothing broken there. 

The hundreds of lines were not 'all' my wl/bl's.  After some more 
debugging I am pretty confident that I am seeing the list of all wl/bl's 
loaded in memory for any message being scanned at that moment.  On this 
particular box probably around 25 or so.


Pretty cool huh?

How is this possible?  How did it just start happening out of nowhere?

 Ryan Pavely
  Director Research And Development
  Net Access Corporation
  http://www.nac.net/ http://www.15minuteservers.com/





Re: USER_IN_WHITELIST problem

2007-01-23 Thread René Berber
Will Nordmeyer wrote:
 
 René Berber wrote:
 Sherman Lilly wrote:
 [snip]
 I get why they are getting through. They are spoofing the Return-Path.
 Is there any way to remedy this problem?
 Depends on your server.  For sendmail there is:

  http://ultra.ap.krakow.pl/~raj/sendmail/english.html

 the FEATURE(`local_sender_check') gets rid of all forged addresses
 pretending to be from your domain.
 --
 Unfortunately, at least in my case, the addresses aren't forged - they are
 actual addresses on my server (Some of my clients APPEAR to send themselves
 quite a bit of this garbage), so the local_sender_check wouldn't help,
 because the return path appears to be themselves.

That could be solved with smtp auth, of course that means that your
clients/users need to change their configuration or implementing 
pop-before-send.

As for SA, the plugin Botnet will catch most spammers, over 90% in my experience
(even if it is redundant with some of the dynamic-ip-blacklist tests).
-- 
René Berber



USER_IN_WHITELIST problem

2007-01-22 Thread Sherman Lilly
I have spam getting through that would get filtered if they were not 
getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
none of these spam emails have anything close to my whitelist.

I am using the latest version of spamassassin and update my rules daily. I 
have also added the SARE rules to my configuration.

The system is doing a great job. I would say I am successfully filtering 95% of 
the spam coming in. Now I'm just doing some fine tuning and need some help.


Re: USER_IN_WHITELIST problem

2007-01-22 Thread Daryl C. W. O'Shea

Sherman Lilly wrote:
I have spam getting through that would get filtered if they were not 
getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but 
none of these spam emails have anything close to my whitelist.


Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.

It's probably hitting on whatever the envelope from address is (found in 
the Return-Path header).  Most of the time this happens when people 
whitelist their own domain using whitelist_from.



Daryl
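
Added example, not part of the original thread and not SpamAssassin's own code: a small checker for the situation Daryl describes above and Kelson addresses in his reply, showing which sender header a whitelist entry matches and how whitelist_from_rcvd stops the forged case. The header list, the "from helo (rdns [ip])" Received parsing, the example.org names and both sample messages are assumptions constructed for illustration; the matching is a simplified model.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Headers treated as sender addresses (simplified model, an assumption).
SENDER_HEADERS = ("Return-Path", "From", "Sender", "Resent-From")

def glob_to_regex(glob):
    """Whitelist globs: '*' matches any run, '?' one character, rest literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile(body, re.IGNORECASE)

def parse_whitelist(cf_text):
    """Return (directive, address_glob, relay_or_None) for each whitelist entry."""
    entries = []
    for line in cf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        directive = fields[0].lower()
        if directive == "whitelist_from":
            entries += [(directive, g, None) for g in fields[1:]]
        elif directive == "whitelist_from_rcvd" and len(fields) == 3:
            entries.append((directive, fields[1], fields[2].lower()))
    return entries

def relay_rdns(msg):
    """rDNS of the host named in the topmost Received header."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[", received[0]) if received else None
    return m.group(1).lower() if m else ""

def explain_hits(cf_text, raw_message):
    """List (directive, glob, header, address) for every entry that would match."""
    msg = message_from_string(raw_message)
    rdns = relay_rdns(msg)
    hits = []
    for directive, glob, relay in parse_whitelist(cf_text):
        # whitelist_from_rcvd: the relay that handed the mail over must be
        # the named host or inside the named domain
        if relay is not None and not (rdns == relay or rdns.endswith("." + relay)):
            continue
        rx = glob_to_regex(glob)
        for header in SENDER_HEADERS:
            for _, addr in getaddresses(msg.get_all(header) or []):
                if addr and rx.fullmatch(addr):
                    hits.append((directive, glob, header, addr))
    return hits

# Constructed configuration lines: own domain whitelisted by address only,
# and the same domain tied to the relay's reverse DNS.
WEAK_CF = "whitelist_from *@example.org   # own domain, address only\n"
HARDENED_CF = "whitelist_from_rcvd *@example.org example.org\n"

# Constructed message: outside host, envelope sender forged as a local user.
FORGED = """\
Return-Path: <clerk@example.org>
Received: from unknownhelo (dsl-203-0-113-7.isp.example [203.0.113.7])
\tby mx.example.org (Postfix) with SMTP id 0000000000
\tfor <clerk@example.org>; Sun, 21 Jan 2007 11:41:32 -0500
From: John <john@offsite.example>
To: clerk@example.org
Subject: constructed sample

body
"""

# Constructed message: same sender address, handed over by an internal host.
GENUINE = FORGED.replace(
    "unknownhelo (dsl-203-0-113-7.isp.example [203.0.113.7])",
    "ws12 (ws12.example.org [192.0.2.25])",
).replace("John <john@offsite.example>", "Clerk <clerk@example.org>")

if __name__ == "__main__":
    for name, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
            print(name, label, explain_hits(cf, raw))
```

With the address-only entry the forged message matches on its Return-Path alone; with the relay-bound entry only the message handed over by a host under example.org matches.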


RE: USER_IN_WHITELIST problem

2007-01-22 Thread Drew Burchett
Well, I certainly don't mean to be argumentative about this, but over
the weekend, I had to set USER_IN_WHITELIST score to 0 due to the number
of false hits it was receiving.  Seeing as I am the only one here who
has the ability to add and remove from whitelists or blacklists, I have
a pretty good idea of what is in them.  I can't say for sure, but there
certainly seems to be a bug in this particular rule.  If I could help to
troubleshoot it, I would be glad to provide whatever information is
necessary.

Drew Burchett
United Systems  Software
Ph:(270)527-3293
Fax:  (270)527-3132

-Original Message-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 22, 2007 10:40 AM
To: Sherman Lilly
Cc: users@spamassassin.apache.org
Subject: Re: USER_IN_WHITELIST problem

Sherman Lilly wrote:
 I have spam getting through that would get filtered if they were not 
 getting -100 because of the USER_IN_WHITELIST rule. I do have a
whitelist but 
 none of these spam emails have anything close to my whitelist.

Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.

It's probably hitting on whatever the envelope from address is (found in

the Return-Path header).  Most of the time this happens when people 
whitelist their own domain using whitelist_from.


Daryl

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for 
the sole use of the intended recipient(s) and may contain confidential and 
privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.




Re: USER_IN_WHITELIST problem

2007-01-22 Thread Jim Maul

Drew Burchett wrote:

Well, I certainly don't mean to be argumentative about this, but over
the weekend, I had to set USER_IN_WHITELIST score to 0 due to the number
of false hits it was receiving.  Seeing as I am the only one here who
has the ability to add and remove from whitelists or blacklists, I have
a pretty good idea of what is in them.  I can't say for sure, but there
certainly seems to be a bug in this particular rule.  If I could help to
troubleshoot it, I would be glad to provide whatever information is
necessary.



All this guessing can easily be put to rest by posting:

1. The headers of the message in question
2. Your SA whitelist statements

-Jim




Drew Burchett
United Systems  Software
Ph:(270)527-3293
Fax:  (270)527-3132

-Original Message-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 22, 2007 10:40 AM

To: Sherman Lilly
Cc: users@spamassassin.apache.org
Subject: Re: USER_IN_WHITELIST problem

Sherman Lilly wrote:
I have spam getting through that would get filtered if they were not 
getting -100 because of the USER_IN_WHITELIST rule. I do have a
whitelist but 

none of these spam emails have anything close to my whitelist.


Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.

It's probably hitting on whatever the envelope from address is (found in

the Return-Path header).  Most of the time this happens when people 
whitelist their own domain using whitelist_from.



Daryl







Re: USER_IN_WHITELIST problem

2007-01-22 Thread Sherman Lilly
On Monday 22 January 2007 11:39, you wrote:
 Sherman Lilly wrote:
  I have spam getting through that would get filtered if they were not
  getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist
  but none of these spam emails have anything close to my whitelist.

 Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting.

 It's probably hitting on whatever the envelope from address is (found in
 the Return-Path header).  Most of the time this happens when people
 whitelist their own domain using whitelist_from.


 Daryl

Daryl,

You are completely right. I have whitelisted my domain and when I remove that 
rule from my cf the bad emails get blocked. Here is the header of an email 
that is getting through. It should have failed. The rule is 

WHITELIST_FROM [EMAIL PROTECTED]

Here is the header.

Return-Path: [EMAIL PROTECTED]
Delivered-To: unknown
Received: from 10.155.0.68 (10.155.0.68) by imap.knoxcounty.org with POP3; 22
  Jan 2007 13:02:37 -
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.knoxcounty.org
X-Spam-Level: 
X-Spam-Status: No, score=-80.4 required=4.6 tests=EXTRA_MPART_TYPE,
HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_FONT_BIG,
HTML_IMAGE_ONLY_08,HTML_MESSAGE,MY_CID_AND_CLOSING,MY_CID_AND_STYLE,
PART_CID_STOCK,PART_CID_STOCK_LESS,RCVD_IN_SORBS_DUL,SARE_GIF_ATTACH,
SARE_GIF_STOX,TVD_FW_GRAPHIC_ID1,UNPARSEABLE_RELAY,USER_IN_WHITELIST 
autolearn=disabled version=3.1.7
Received: from winserv-dp-9880 ([10.155.0.69])
by mail.knoxcounty.org (8.13.8/8.11.6) with SMTP id l0LGfODE015790
for [EMAIL PROTECTED]; Sun, 21 Jan 2007 11:41:32 -0500
Received: from dsl-189-136-76-104.prod-infinitum.com.mx ([189.136.76.104])
 by winserv-dp-9880 (SMSSMTP 4.0.0.59) with SMTP id M2007012111435603309
 for [EMAIL PROTECTED]; Sun, 21 Jan 2007 11:43:56 -0500
Received: from el-molino.com (port=15590 helo=hsjyatbrlvpmk)
by dsl-189-136-76-104.prod-infinitum.com.mx with smtp
id 1dKU-cxFT-JI
for [EMAIL PROTECTED]; Sun, 21 Jan 2007 10:41:25 -0600
Message-ID: [EMAIL PROTECTED]
From: John [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: work: thou shalt see not hold of before the race is I: will make
Date: Sun, 21 Jan 2007 10:41:25 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
  type=multipart/alternative;
  boundary==_NextPart_000_000B_01C73D48.AF3EDA20
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Length: 17836
X-UID: 2691

Thank You,
Sherman


RE: USER_IN_WHITELIST problem

2007-01-22 Thread Drew Burchett
Do you have some example headers?

This is a legitimate email, but it got flagged as USER_IN_WHITELIST
while CNN is not listed in my whitelist:

Received: from cnnimail33.turner.com (cnnimail33.turner.com
[64.236.25.90])
by spamfilter.onlineky.net (Postfix) with ESMTP id 2FB331757E
for [EMAIL PROTECTED]; Fri, 12 Jan 2007 09:36:50 -0600
(CST)
Received: from mail.cnn.com (10.165.130.21)
  by cnnimail33.turner.com with ESMTP; 12 Jan 2007 10:36:49 -0500
Message-Id: [EMAIL PROTECTED]
From: CNNMoney.com Alerts [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Russia's Lukoil pumps $2.4B in profits
MIME-Version: 1.0
Content-Type: TEXT/HTML; charset=US-ASCII
Date: Fri, 12 Jan 2007 09:36:50 -0600 (CST)


This one is most likely spam as this email account has been inactive for
at least 6 months:

Received: from tigger.babycenter.com (tigger.babycenter.com
[10.128.130.152])
by cosby.mailsender.com (8.13.8/8.13.8) with ESMTP id
l0D5hne7011671
for [EMAIL PROTECTED]; Fri, 12 Jan 2007 21:44:03
-0800 (PST)
Message-ID:
[EMAIL PROTECTED]
Date: Fri, 12 Jan 2007 21:43:49 -0800 (PST)
From: BabyCenter Store [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: This weekend only. $50 off on top of sale prices.
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


Another one to that same user:
Received: from MYWX-S8.myweather.net (cliff.myweather.net
[64.73.35.115])
by spamfilter.onlineky.net (Postfix) with ESMTP id 8ED2119631
for [EMAIL PROTECTED]; Sat, 13 Jan 2007 02:31:14
-0600 (CST)
Received: by MYWX-S8.myweather.net (PowerMTA(TM) v2.0r13) id
hl2cd6046443; Sat, 13 Jan 2007 02:31:01 -0600 (envelope-from
[EMAIL PROTECTED])
Date: Sat, 13 Jan 2007 02:31:01 -0600
Subject: Your Personal Predictor
x-envid: 1168677003.1103304562
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Content-type: text/html; charset=ISO-8859-1
Message-Id: [EMAIL PROTECTED]

This one got flagged as spam for several other users and then got the
USER_IN_WHITELIST out of the blue:

Received: from mta130.e.drugstore.com (mta130.e.drugstore.com
[66.165.105.168])
by spamfilter.onlineky.net (Postfix) with SMTP id 9BCA41BFA6
for [EMAIL PROTECTED]; Sun, 14 Jan 2007 07:41:04 -0600 (CST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=200505; d=e.drugstore.com;
 
b=cY8Vpx/rnCIRMKPGZRNHM4/KNsEpr4kHYii2STgI9W6HEF2b9Di5sIret/1YfAqwoGtfis
iuPTBVdqNgjuFdDrRKkSapc4KvdDIOMTJlusKwn4ViXq0Pp/hgoVBuJ5StpuOl4aJZGrRSte
srCsYmvwo1IaDqSRaqoOCVbTZq2lI=;
 
h=Date:Message-ID:List-Unsubscribe:From:To:Subject:MIME-Version:Reply-To
:Content-type;
Date: Sun, 14 Jan 2007 13:41:04 -
Message-ID:
[EMAIL PROTECTED]
List-Unsubscribe:
mailto:[EMAIL PROTECTED]
From: drugstore.com [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Save up to 40% and stock up for the new year
MIME-Version: 1.0
Reply-To: drugstore.com
[EMAIL PROTECTED]
Content-type: multipart/alternative;
boundary==b19wt9ya08rqp8bx3mk4jbujgjpyka

Received: from nl-mail5.internet.com (nl-mail5.internet.com
[64.62.164.185])
by spamfilter.onlineky.net (Postfix) with ESMTP id CE73821EA0
for [EMAIL PROTECTED]; Tue, 16 Jan 2007 09:40:16 -0600
(CST)
Received: from nl.internet.com (192.168.5.118)
  by nl-mail5.internet.com with ESMTP; 16 Jan 2007 07:39:02 -0800
Received: by mail8.internet.com (Postfix, from userid 0)
id EDFA41190032; Tue, 16 Jan 2007 07:38:56 -0800 (PST)
To: [EMAIL PROTECTED]
Subject: Tech Brief: Manage Performance  Availability of .NET Apps
Reply-To: [EMAIL PROTECTED]
Content-description: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii
From: DevX Skill Building Update
[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Tue, 16 Jan 2007 07:38:56 -0800 (PST)

Received: from dc1img10.digitalriver.com (dc1img10.digitalriver.com
[66.192.69.11])
by spamfilter.onlineky.net (Postfix) with ESMTP id BC3021FEAC
for [EMAIL PROTECTED]; Tue, 16 Jan 2007 10:26:27 -0600
(CST)
Date: 16 Jan 2007 10:26:13 -0600
From: Nuance - Makers of PaperPort [EMAIL PROTECTED]
X-Complaints-to: [EMAIL PROTECTED]
To: Nancy [EMAIL PROTECTED]
Reply-To: Nuance - Makers of PaperPort [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Subject: Exclusive customer savings on OmniPage - 50% off
X-MID: 19198-bhb2fz7bz5vsedwr2
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=06986E0E1E196312E032AFBC

-- 
Thanks,
James
