Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...
On Sat, 7 Oct 2017 07:27:00 -0700 (MST) djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now. I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the
> whitelist since they exist on the server.

USER_IN_WHITELIST is based on the sender address, and for backscatter that's going to be on a series of random third-party domains. It seems very unlikely that this is affecting backscatter - unless you've whitelisted everything.

SpamAssassin doesn't short-circuit by default, so if VBOUNCE is short-circuited by anything then it must be down to your own settings.
Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...
On Sat, 7 Oct 2017, Antony Stone wrote:

> On Saturday 07 October 2017 at 16:27:00, djkraz wrote:
>
>> I have a user that is getting thousands of backscatter a minute for a couple days now. I've tried everything I can find on the web to get vbounce working with no luck as the user is obviously in the whitelist since they exist on the server. I've tried setting the priority of vbounce higher but it doesn't seem to make any difference. Does anyone have any experience in resolving this? FYI, I'm running Exchange 2013 on Win2kR2 with Exchange Server Toolbox. Thanks in advance!
>
> Put an example (full headers as minimum, body not really important for this I think) on pastebin or similar, post the link here and also show us your vbounce settings so we can have an opinion.

The body of a bounce can be critical, if it has things like a SMTP status message or trace. Please provide a complete backscatter message.

Also: where and how exactly is vbounce hooked into Exchange? Or does "Exchange Server Toolbox" answer that question? (Pardon my ignorance here.)

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Ignorance is no excuse for a law.
---
191 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...
On Saturday 07 October 2017 at 16:27:00, djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now. I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the whitelist
> since they exist on the server. I've tried setting the priority of
> vbounce higher but it doesn't seem to make any difference. Does anyone
> have any experience in resolving this? FYI, I'm running Exchange 2013 on
> Win2kR2 with Exchange Server Toolbox. Thanks in advance!

Put an example (full headers as minimum, body not really important for this I think) on pastebin or similar, post the link here and also show us your vbounce settings so we can have an opinion.

Antony.

--
I wasn't sure about having a beard at first, but then it grew on me.

Please reply to the list;
please *don't* CC me.
USER_IN_WHITELIST shortcircuits VBOUNCE, please help...
I have a user that is getting thousands of backscatter a minute for a couple days now. I've tried everything I can find on the web to get vbounce working with no luck as the user is obviously in the whitelist since they exist on the server. I've tried setting the priority of vbounce higher but it doesn't seem to make any difference. Does anyone have any experience in resolving this?

FYI, I'm running Exchange 2013 on Win2kR2 with Exchange Server Toolbox.

Thanks in advance!
Re: USER_IN_WHITELIST
Lorenzo Thurman wrote on 8/07/16 9:26 AM:

> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I
> can't find any clear answers via Google.

Excuse my typo for the correct spelling whitelist_from_rcvd.

To use it, look at the legitimate emails that you want to whitelist and check the Received header that shows where your receiving mail server received the email from the sending mail server. Typically for a corporate address like microsoft.com the mail will have come from a host with a name like smtp.microsoft.com or maila.microsoft.com. If the Received header does show that the mail came from some IP address and also shows a host name for it in the microsoft.com domain (for example) then you can use whitelist_from_rcvd to whitelist such mails.

You can only put one address on a line, so you would need two entries to get the two that you want:

    whitelist_from_rcvd *@microsoft.com microsoft.com
    whitelist_from_rcvd *.microsoft.com microsoft.com

But do check your emails to see if you get the proper Received headers to be able to do this. Some mail servers do not do the reverse domain name lookup to add the host name to the IP address in Received headers. Some email addresses you may want to whitelist are not set up to reliably send from the same few mail servers.

If somebody sends mail from a non-Microsoft mail server but with a microsoft.com From address, it will not get whitelisted by this. That's exactly what you want to not whitelist spammers who forge a microsoft.com address.

Sidney
Re: USER_IN_WHITELIST
On 07.07.2016 at 23:26, Lorenzo Thurman wrote:

> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google.

Besides the typo, the same way as the other whitelist options. The only difference is the second param, which is the DNS PTR of the sending host:

    whitelist_from_rcvd *@example.net example.com

Look at the difference between .net / .com: when the PTR of the sending host ends with "example.com", sender "example.net" is fine.

For subdomains:

    *@example.net
    *@*.example.net

The ".example.net" is important because it doesn't match "somefucker-example.net".
Re: USER_IN_WHITELIST
"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty > On Jul 7, 2016, at 3:57 PM, Sidney Markowitzwrote: > > Lorenzo Thurman wrote on 8/07/16 3:03 AM: >>> On Jul 7, 2016, at 8:14 AM, Antony Stone >>> wrote: >>> \.microsoft\.com$ will match anything ending in ".microsoft.com" > > RW already pointed this out, but to make sure nobody reading this thread > misses it, the above is wrong because whitelist does not use regexps. > > See > https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options > > where it says > > "Whitelist and blacklist addresses are now file-glob-style patterns, so > fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, > * and ? are allowed, but all other metacharacters are not. Regular expressions > are not used for security reasons. Matching is case-insensitive. > > Multiple addresses per line, separated by spaces, is OK. Multiple > whitelist_from lines are also OK." > > Notice the last example there. Spamassassin is parsing out the email addresses > and matching them with the patterns so you don't have to do tricky stuff like > *@*.microsoft.com. Specifically, you can use > > whitelist_from *@microsoft.com *.microsoft.com > > which will match what you want but will not match anyth...@onmicrosoft.com and > will not match foo.microsoft@example.com > > As the page also points out if you can figure out how to use > whitelistfrom_rcvd instead of whitelist_from it will protect against spammers > spoofing the From address. Whether you can do that depends on whether the > domain you are whitelisting has restrictions on what servers can send mail > for it. > > Sidney > > Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google.
Re: USER_IN_WHITELIST
Lorenzo Thurman wrote on 8/07/16 3:03 AM:

>> On Jul 7, 2016, at 8:14 AM, Antony Stone wrote:
>> \.microsoft\.com$ will match anything ending in ".microsoft.com"

RW already pointed this out, but to make sure nobody reading this thread misses it, the above is wrong because whitelist does not use regexps.

See https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options where it says

"Whitelist and blacklist addresses are now file-glob-style patterns, so fri...@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons. Matching is case-insensitive.

Multiple addresses per line, separated by spaces, is OK. Multiple whitelist_from lines are also OK."

Notice the last example there. Spamassassin is parsing out the email addresses and matching them with the patterns so you don't have to do tricky stuff like *@*.microsoft.com. Specifically, you can use

    whitelist_from *@microsoft.com *.microsoft.com

which will match what you want but will not match anyth...@onmicrosoft.com and will not match foo.microsoft@example.com

As the page also points out if you can figure out how to use whitelistfrom_rcvd instead of whitelist_from it will protect against spammers spoofing the From address. Whether you can do that depends on whether the domain you are whitelisting has restrictions on what servers can send mail for it.

Sidney
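The glob-to-regex behaviour Sidney describes above, together with the whitelist_from_rcvd pairing of sender glob and relay reverse-DNS explained earlier in the thread, as an added Python re-implementation that is neither from this thread nor SpamAssassin's own code. It approximates how SpamAssassin turns a whitelist_from glob into an anchored, case-insensitive regex (which is why the original poster's `*microsoft.com` became `^.*microsoft\.com$` and matched the onmicrosoft.com spam) and why `*@microsoft.com *.microsoft.com` does not; the relay label-boundary rule and every sample address are constructed assumptions.

```python
import re


def glob_to_regex(pattern: str) -> str:
    """Turn a whitelist_from/blacklist_from glob into the anchored regex
    SpamAssassin matches against. Approximation (not SA's code) of its
    rules: lower-case, '*' -> '.*', '?' -> '.', everything else literal."""
    out = []
    for ch in re.sub(r"\*+", "*", pattern.lower()):   # a run of '*' acts as one
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def whitelist_from_match(patterns, sender):
    """Return the first glob that matches the sender address, or None.
    One whitelist_from line may carry several space-separated globs, so
    `patterns` is that list; matching is case-insensitive."""
    addr = sender.lower()
    for pat in patterns:
        if re.match(glob_to_regex(pat), addr):
            return pat
    return None


def whitelist_from_rcvd_match(entries, sender, relay_rdns):
    """Simplified whitelist_from_rcvd: `entries` are (glob, domain) pairs and
    a hit needs BOTH the sender glob to match AND the reverse DNS of the last
    untrusted relay to be `domain` or a host inside it (label boundary, so
    'fakemicrosoft.com' never satisfies 'microsoft.com'). Assumption: this
    mirrors the intent described in the thread, not SA's exact relay logic."""
    rdns = relay_rdns.lower().rstrip(".")
    addr = sender.lower()
    for glob, domain in entries:
        dom = domain.lower()
        rdns_ok = rdns == dom or rdns.endswith("." + dom)
        if rdns_ok and re.match(glob_to_regex(glob), addr):
            return glob, domain
    return None


# Constructed sample addresses (the first mirrors the thread's debug output).
SNEAKY = "hefgxyz@hkjhkjhk.onmicrosoft.com"
LOOKALIKE = "bob@kajsdhfkjasghdskghlaskfhmicrosoft.com"
LEGIT = "Alice@Microsoft.COM"
LEGIT_SUB = "alice@cdn.microsoft.com"
UNRELATED = "foo.microsoft@example.com"
SAMPLES = (SNEAKY, LOOKALIKE, LEGIT, LEGIT_SUB, UNRELATED)

ORIGINAL_GLOBS = ["*microsoft.com"]                     # yields ^.*microsoft\.com$
SAFER_GLOBS = ["*@microsoft.com", "*.microsoft.com"]    # Sidney's replacement
RCVD_ENTRIES = [("*@microsoft.com", "microsoft.com"),
                ("*.microsoft.com", "microsoft.com")]


def compare_globs():
    """Which sample senders each glob set would whitelist."""
    return {
        "original": {a: whitelist_from_match(ORIGINAL_GLOBS, a) is not None for a in SAMPLES},
        "safer": {a: whitelist_from_match(SAFER_GLOBS, a) is not None for a in SAMPLES},
    }


if __name__ == "__main__":
    print(glob_to_regex("*microsoft.com"))
    for name, table in compare_globs().items():
        print(name)
        for addr, hit in table.items():
            print(f"  {'WHITELISTED' if hit else 'no match   '} {addr}")
    # Even the safer globs fall to a forged From header; whitelist_from_rcvd
    # additionally demands that the mail arrived from a microsoft.com host.
    print(whitelist_from_rcvd_match(RCVD_ENTRIES, LEGIT, "maila.microsoft.com"))
    print(whitelist_from_rcvd_match(RCVD_ENTRIES, LEGIT, "mail.spammer.example"))
```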
Re: USER_IN_WHITELIST
On Thu, 7 Jul 2016 10:03:37 -0500 Lorenzo Thurman wrote:

>> On Jul 7, 2016, at 8:14 AM, Antony Stone wrote:
>> There's a big difference between subdomains, and domains with
>> letters in front of "microsoft".
>>
>> \.microsoft\.com$ will match anything ending in ".microsoft.com"
>>
>> That means it will match www.microsoft.com and cdn.microsoft.com
>> for example, but it will not match
>> kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
>>
>> The dot in front of "microsoft" in the regex is important :)
>
> Great, thanks.

You can't use a regex in a whitelisting entry.
Re: USER_IN_WHITELIST
"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty > On Jul 7, 2016, at 8:14 AM, Antony Stone >wrote: > > On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote: > >>> On Jul 7, 2016, at 7:15 AM, Reindl Harald wrote: Am 07.07.2016 um 14:12 schrieb Joe Quinn: In addition to the above, it's easy for a spammer to register something like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be whitelisted for you. I would recommend against using wildcard whitelist patterns like that >>> >>> should at least look similar to that: >>> ^.*\.microsoft\.com$ >>> >>> well the ^ followed by .* is also pointless >> >> I see. Thanks for the tip, I'll make changes. The reason I did wild cards >> was so that I could also capture us domains. Is there a rule that allows >> me to get subdomains w/o opening myself like I have? > > There's a big difference between subdomains, and domains with letters in > front > of "microsoft". > > \.microsoft\.com$ will match anything ending in ".microsoft.com" > > That means it will match www.microsoft.com and cdn.microsoft.com for example, > but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com > > The dot in front of "microsoft" in the regex is important :) > > > Antony. > > -- > Tax inspectors are just accountants who work for the evil dictators of > democracy. > > Please reply to the list; > please *don't* CC me. Great, thanks.
Re: USER_IN_WHITELIST
On Thu, 7 Jul 2016 08:08:44 -0500 Lorenzo Thurman wrote:

>>> well the ^ followed by .* is also pointless
>
> I see. Thanks for the tip,

It wasn't really a tip. The globs (wildcards) get converted into regular expressions that aren't quite as minimalist as they could be - but that's not under your control.

> I'll make changes. The reason I did wild
> cards was so that I could also capture us domains. Is there a rule
> that allows me to get subdomains w/o opening myself like I have?

You need a separate entry, something like *.microsoft.com.
Re: USER_IN_WHITELIST
On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:

>> On Jul 7, 2016, at 7:15 AM, Reindl Harald wrote:
>>
>>> On 07.07.2016 at 14:12, Joe Quinn wrote:
>>> In addition to the above, it's easy for a spammer to register something
>>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>>> whitelisted for you. I would recommend against using wildcard whitelist
>>> patterns like that
>>
>> should at least look similar to that:
>> ^.*\.microsoft\.com$
>>
>> well the ^ followed by .* is also pointless
>
> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
> was so that I could also capture us domains. Is there a rule that allows
> me to get subdomains w/o opening myself like I have?

There's a big difference between subdomains, and domains with letters in front of "microsoft".

\.microsoft\.com$ will match anything ending in ".microsoft.com"

That means it will match www.microsoft.com and cdn.microsoft.com for example, but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com

The dot in front of "microsoft" in the regex is important :)

Antony.

--
Tax inspectors are just accountants who work for the evil dictators of democracy.

Please reply to the list;
please *don't* CC me.
Re: USER_IN_WHITELIST
On Thu, 7 Jul 2016 14:15:18 +0200 Reindl Harald wrote:

> should at least look similar to that:
> ^.*\.microsoft\.com$
>
> well the ^ followed by .* is also pointless

It's generated from a glob in the configuration.
Re: USER_IN_WHITELIST
"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty > On Jul 7, 2016, at 7:15 AM, Reindl Haraldwrote: > > > >> Am 07.07.2016 um 14:12 schrieb Joe Quinn: >>> On 7/6/2016 11:42 PM, Bill Cole wrote: >>> On 6 Jul 2016, at 23:10, lorenzo wrote: >>> >>> [...] The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe: address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$ Very sneaky. I think I can handle this one from here. Thanks again. >>> >>> Happy to be of help. >>> >>> For what it's worth: *.onmicrosoft.com domains are part of free trials >>> of Office365 and generate almost entirely spam. I suppose one could be >>> a regular paying O365 customer and keep that free domain, but no one >>> who does that can care much about their email. Spammers have been >>> using those domains for years and MS really seems not to care about >>> the fact that they've become a de facto indication of spam. >> In addition to the above, it's easy for a spammer to register something >> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be >> whitelisted for you. I would recommend against using wildcard whitelist >> patterns like that > > should at least look similar to that: > ^.*\.microsoft\.com$ > > well the ^ followed by .* is also pointless I see. Thanks for the tip, I'll make changes. The reason I did wild cards was so that I could also capture us domains. Is there a rule that allows me to get subdomains w/o opening myself like I have? >
Re: USER_IN_WHITELIST
On 07.07.2016 at 14:12, Joe Quinn wrote:

> On 7/6/2016 11:42 PM, Bill Cole wrote:
>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>> [...] The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe:
>>>
>>>     address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$
>>>
>>> Very sneaky. I think I can handle this one from here. Thanks again.
>>
>> Happy to be of help.
>>
>> For what it's worth: *.onmicrosoft.com domains are part of free trials of Office365 and generate almost entirely spam. I suppose one could be a regular paying O365 customer and keep that free domain, but no one who does that can care much about their email. Spammers have been using those domains for years and MS really seems not to care about the fact that they've become a de facto indication of spam.
>
> In addition to the above, it's easy for a spammer to register something like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be whitelisted for you. I would recommend against using wildcard whitelist patterns like that

should at least look similar to that:

    ^.*\.microsoft\.com$

well the ^ followed by .* is also pointless
Re: USER_IN_WHITELIST
On 7/6/2016 11:42 PM, Bill Cole wrote:

> On 6 Jul 2016, at 23:10, lorenzo wrote:
>> [...] The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe:
>>
>>     address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$
>>
>> Very sneaky. I think I can handle this one from here. Thanks again.
>
> Happy to be of help.
>
> For what it's worth: *.onmicrosoft.com domains are part of free trials of Office365 and generate almost entirely spam. I suppose one could be a regular paying O365 customer and keep that free domain, but no one who does that can care much about their email. Spammers have been using those domains for years and MS really seems not to care about the fact that they've become a de facto indication of spam.

In addition to the above, it's easy for a spammer to register something like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be whitelisted for you. I would recommend against using wildcard whitelist patterns like that.
Re: USER_IN_WHITELIST
On 6 Jul 2016, at 23:10, lorenzo wrote:

> [...] The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe:
>
>     address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$
>
> Very sneaky. I think I can handle this one from here. Thanks again.

Happy to be of help.

For what it's worth: *.onmicrosoft.com domains are part of free trials of Office365 and generate almost entirely spam. I suppose one could be a regular paying O365 customer and keep that free domain, but no one who does that can care much about their email. Spammers have been using those domains for years and MS really seems not to care about the fact that they've become a de facto indication of spam.
Re: USER_IN_WHITELIST
> On Jul 6, 2016, at 8:50 PM, Bill Cole <sausers-20150...@billmail.scconsult.com> wrote:
>
> On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:
>
>> I’ve been receiving some spam where spamassassin identifies the sender with
>> USER_IN_WHITELIST. These senders (or domains) are most definitely not in my
>> whitelist. How can I get around this problem?
>
> There are so many relevant variables unspecified that no one here has any
> hope of solving your problem.
>
> To make it easier for us, please provide more information:
>
> 1. How are you using SpamAssassin? Specifically, if you have it hooked into
> an MTA like Postfix or Sendmail, tell us which one AND what mechanism you are
> using to integrate SA and the MTA.
>
> 2. If your system involved the use of spamd, what are its arguments and what
> user is it running as?
>
> 3. If you scan a message with this problem manually by piping it into
> 'spamassassin -t -D' what does the resulting flood of debugging information
> say about what address it is finding as being in the whitelist?

Ah, ok. Here’s some info:

spamassassin v3.4.0 - Postfix 2.11.0 Ubuntu 14.04

    /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid

In /etc/postfix/master.cf

    smtp      inet  n       -       -       -       -       smtpd -vvv
      -o content_filter=spamassassin
    spamassassin unix -     n       n       -       -       pipe
      flags=Rq user=nobody argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}

The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe:

    address hefg...@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$

Very sneaky. I think I can handle this one from here. Thanks again.
Re: USER_IN_WHITELIST
On 6 Jul 2016, at 21:58, David B Funk wrote:

> On Wed, 6 Jul 2016, Lorenzo Thurman wrote:
>
>> I’ve been receiving some spam where spamassassin identifies the sender with
>> USER_IN_WHITELIST. These senders (or domains) are
>> most definitely not in my whitelist. How can I get around this problem? Thanks
>
> SpamAssassin comes with some built-in whitelists (which should be pretty safe to
> use). Look in your SA rules kit for things like: 60_whitelist.cf
> 60_whitelist_dkim.cf and 60_whitelist_spf.cf

Those should not cause USER_IN_WHITELIST matches but rather USER_IN_DEF_WHITELIST and similarly labeled forms of the SPF and DKIM variations.
Re: USER_IN_WHITELIST
On Wed, 6 Jul 2016, Lorenzo Thurman wrote:

> I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are most definitely not in my whitelist. How can I get around this problem? Thanks

SpamAssassin comes with some built-in whitelists (which should be pretty safe to use). Look in your SA rules kit for things like: 60_whitelist.cf 60_whitelist_dkim.cf and 60_whitelist_spf.cf

You might also have some 3rd party rules files that contain whitelists.

You can explicitly negate the effect of an entry from one of these files by using the appropriate "unwhitelist_from" type configuration statements in your local.cf config files.

Theoretically you could edit the system config files but those edits could be lost with the next system rules update, so using the unwhitelist_from technique is the way to go.

--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: USER_IN_WHITELIST
On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:

> I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are most definitely not in my whitelist. How can I get around this problem?

There are so many relevant variables unspecified that no one here has any hope of solving your problem.

To make it easier for us, please provide more information:

1. How are you using SpamAssassin? Specifically, if you have it hooked into an MTA like Postfix or Sendmail, tell us which one AND what mechanism you are using to integrate SA and the MTA.

2. If your system involved the use of spamd, what are its arguments and what user is it running as?

3. If you scan a message with this problem manually by piping it into 'spamassassin -t -D' what does the resulting flood of debugging information say about what address it is finding as being in the whitelist?
USER_IN_WHITELIST
I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are most definitely not in my whitelist. How can I get around this problem? Thanks
Re: USER_IN_WHITELIST and SPF_FAIL
John Hardin wrote:

> On Tue, 19 Jun 2012, Benny Pedersen wrote:
>
>> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>>> I think that's the concept behind the whitelist_from_spf
>>
>> but some use whitelist_from, it's nothing new there :=)
>>
>> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?
>
> It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.
>
> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

It's well documented. From the man page:

    whitelist_from a...@ress.com

    Used to whitelist sender addresses which send mail that is often tagged (incorrectly) as spam.

    Use of this setting is not recommended, since it blindly trusts the message, which is routinely and easily forged by spammers and phish senders. The recommended solution is to instead use whitelist_auth or other authenticated whitelisting methods, or whitelist_from_rcvd.

--
Per Jessen, Zürich (21.1°C)
Re: USER_IN_WHITELIST and SPF_FAIL
RW wrote:

> On Tue, 19 Jun 2012 19:14:11 -0400 Jeff Mincy wrote:
>
>>    From: RW rwmailli...@googlemail.com
>>    Date: Tue, 19 Jun 2012 23:43:57 +0100
>>
>>    If used sensibly USER_IN_WHITELIST is probably the most reliable
>>    rule we have, for the overwhelming majority of addresses it's far
>>    more accurate than spf based whitelisting. It's not always right
>>    to treat users as idiots.
>>
>> Huh? What do you mean by used sensibly?
>
> I mean, don't use it on well-known addresses, or if you're a candidate for spear-phishing and can't be trusted not to fall for it. Don't whitelist domains unless they are extremely obscure.
>
>> whitelist_from_rcvd is very reliable.
>
> Not if someone sends an email through a different mail system,

I think that is what whitelist_allows_relays is intended to take care of.

--
Per Jessen, Zürich (23.2°C)
Re: USER_IN_WHITELIST and SPF_FAIL
RW wrote:

> On Wed, 20 Jun 2012 03:25:53 +0200 Benny Pedersen wrote:
>
>> On 2012-06-20 03:09, RW wrote:
>>> The overwhelming majority of email addresses are never spoofed.
>>
>> seen from my mta logs of sender addresses that miss the smtp auth password here, postfix doesn't agree with you. if a sender uses something that belongs to my domain i may start asking for passwords; this check doesn't need spf or dkim or even dmarc tests
>
> I've no idea what that means, but what I wrote wasn't entirely clear - particularly when taken out of context.
>
> What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.

Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.

--
Per Jessen, Zürich (23.2°C)
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:

> RW wrote:
>
>> On Wed, 20 Jun 2012 03:25:53 +0200 Benny Pedersen wrote:
>>
>>> On 2012-06-20 03:09, RW wrote:
>>>> The overwhelming majority of email addresses are never spoofed.
>>>
>>> seen from my mta logs of sender addresses that miss the smtp auth password here, postfix doesn't agree with you. if a sender uses something that belongs to my domain i may start asking for passwords; this check doesn't need spf or dkim or even dmarc tests
>>
>> I've no idea what that means, but what I wrote wasn't entirely clear - particularly when taken out of context.
>>
>> What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
>
> Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.

Are you being deliberately obtuse? Of course that happens all the time, but why would one whitelist such an address?
Re: USER_IN_WHITELIST and SPF_FAIL
My suggestion was intended to minimize the effect on existing behavior. I agree, it would probably be a very good idea to allow whitelist_from to be scored differently than the other whitelist variants, and to ship it with a smaller default score, but that change is fairly disruptive.

I would like to see

    whitelist_score_from points address

which acts just like whitelist_from address, but which has a score of points rather than some fixed score. That way I could do:

    whitelist_from -5 f...@yahoo.com

for people that post legit but spammy-looking mail to mailing lists, and get their regular mail in the right folder instead of a spam folder, but not let their account-hijacked spam bleed through like -100 would do. And also use -20 for people I know, -50 for customers, etc.
Re: USER_IN_WHITELIST and SPF_FAIL
On 6/20/2012 8:05 AM, Greg Troxel wrote:

> I would like to see...

As an open source project, we encourage people to submit patches and step up to coding on the project. You can really start small with one line patches and I'll do my best to support you.

Regards,
KAM
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 11:22:08 +0200 Per Jessen wrote:

> RW wrote:
>
>> Not if someone sends an email through a different mail system,
>
> I think that is what whitelist_allows_relays is intended to take care of.

If it made a difference to the case I was referring to then it would effectively turn whitelist_from_rcvd into whitelist_from for the specified addresses.

I looked it up, whitelist_allows_relays is a list of addresses excluded from check_forged_in_whitelist, which is not used in the current rules.
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-20 14:05, Greg Troxel wrote:

> That way I could do:
>
>     whitelist_from -5 f...@yahoo.com

AWL plugin basically could be extended to use dkim/spf and more, bound to whitelist_* so the awl score is more live calculated. with default awl it's bound to 0.0.x.x/16 but it could be changed to /8 /24 /32 matching, so scores are more accurate per sender.

but your way could very well extend problems or usefulness depending on which side of the screen one sits :)

awl can track dkim senders, but it would be nice if dkim was not alone there.

awl is imho dropped in spamassassin 3.4 and replaced with the history plugin, i don't know what or why or even the code of this plugin.

maybe score sets should just be extended to more than 4 columns?

    score foo set1 set2 set3 set4 spf dkim

just a stupid idea maybe?
Re: USER_IN_WHITELIST and SPF_FAIL
RW wrote:

> On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:
>
>> RW wrote:
>>
>>> What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
>>
>> Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.
>
> Are you being deliberately obtuse? Of course that happens all the time, but why would one whitelist such an address?

Because you use email to send yourself reminder notes or small files. I have addresses on several distinct systems (private, work, google, user group, ...). And I whitelist them because I do not want mail to get lost.

Regards,
Flemming

--
Flemming Jacobsen                      Email: f...@batmule.dk
There is nobody so irritating as somebody with less intelligence and more sense than we have.
-- Don Herold
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-20 18:38, Flemming Jacobsen wrote:

> Because you use email to send yourself reminder notes or small files. I have addresses on several distinct systems (private, work, google, user group, ...). And I whitelist them because I do not want mail to get lost.

with shared imap folders nothing gets lost, all that mail does not need to travel, but implementations need to be more useful. it's like forwards that break spf, it's a lie, since known forward hosts must be trusted_networks. the drawback of making 0.0.0.0/0 trusted_networks is that it removes all domain based trust.

for such problems it would be more useful to disable dnsrbl and only check content based on body/rawbody, unless one uses rbl in the mta.
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 18:38:49 +0200 Flemming Jacobsen wrote:

> RW wrote:
>
>> On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:
>>
>>> RW wrote:
>>>
>>>> What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
>>>
>>> Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.
>>
>> Are you being deliberately obtuse? Of course that happens all the time, but why would one whitelist such an address?
>
> Because you use email to send yourself reminder notes or small files. I have addresses on several distinct systems (private, work, google, user group, ...). And I whitelist them because I do not want mail to get lost.

If it's an unrelated external address then it's just one address in billions and it won't be randomly spoofed.
USER_IN_WHITELIST and SPF_FAIL
Hey

I finally got around to enabling SPF checks in SA. (v. 3.3.2, via spamd on FreeBSD)

It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

Regards,
Flemming Jacobsen

--
Flemming Jacobsen                      Email: f...@batmule.dk
It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place.
-- H. L. Mencken
Re: USER_IN_WHITELIST and SPF_FAIL
On 6/19/2012 4:21 PM, Flemming Jacobsen wrote:
> Hey
>
> I finally got around to enabling SPF checks in SA. (v. 3.3.2, via spamd on FreeBSD)
>
> It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

I think that's the concept behind the whitelist_from_spf
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_SPF.html

Regards,
KAM
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-19 22:21, Flemming Jacobsen wrote:

> It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

Nope, whitelist_from is stupid in the first place, but since so many use it, it will probably stay forever :(

An immediate fix is:

score USER_IN_WHITELIST -0.01

or a meta of SPF fails with user_in_* (insecure)
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-19 22:39, Kevin A. McGrail wrote:

> I think that's the concept behind the whitelist_from_spf

But some use whitelist_from; it's nothing new there :=)

Can user_in_whitelist be changed to not have -100 as the default score, or is whitelist_from planned for removal?
Re: USER_IN_WHITELIST and SPF_FAIL
On 06/19/2012 11:34 PM, Benny Pedersen wrote:
> On 2012-06-19 22:39, Kevin A. McGrail wrote:
> > I think that's the concept behind the whitelist_from_spf
>
> But some use whitelist_from; it's nothing new there :=)
>
> Can user_in_whitelist be changed to not have -100 as the default score, or is whitelist_from planned for removal?

no no
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012, Benny Pedersen wrote:

> On 2012-06-19 22:39, Kevin A. McGrail wrote:
> > I think that's the concept behind the whitelist_from_spf
>
> But some use whitelist_from; it's nothing new there :=)
>
> Can user_in_whitelist be changed to not have -100 as the default score, or is whitelist_from planned for removal?

It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.

I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Liberals love sex ed because it teaches kids to be safe around their sex organs. Conservatives love gun education because it teaches kids to be safe around guns. However, both believe that the other's education goals lead to dangers too terrible to contemplate.
---
15 days until the 236th anniversary of the Declaration of Independence
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-19 23:44, John Hardin wrote:

> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

Fair, but Flemming might choose some meta like this:

meta WHITELIST_INSECURE_SPF (USER_IN_WHITELIST && SPF_FAIL)
score WHITELIST_INSECURE_SPF 50

But since Flemming did not provide a sample there might be other options, e.g. why accept spf_fail in the MTA?
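To see what the counter-meta suggested above actually does against the -100 of USER_IN_WHITELIST, here is an added example (not SpamAssassin's code and not from any poster): a toy scorer with a small parser for SA-style meta expressions (`&&`, `||`, `!`, parentheses). The -100 and +50 are the values quoted in the thread; the SPF_FAIL and BAYES_99 scores and the required_score threshold are assumed stand-ins.

```python
"""Toy model of SpamAssassin scoring (added example, not SA code): rule scores
are summed, and a meta rule hits when its boolean expression over other rule
names is true."""
import re

# Assumed scores: -100 is the thread's USER_IN_WHITELIST default, the others
# are stand-in values for the demonstration, not SA defaults.
SCORES = {"USER_IN_WHITELIST": -100.0, "SPF_FAIL": 0.9, "BAYES_99": 3.5}
REQUIRED_SCORE = 5.0  # assumed required_score

# SA meta syntax joins rule names with && || ! and parentheses.
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||!|[A-Z][A-Z0-9_]*)")


def tokenize(expr):
    """Split a meta expression into tokens; anything else is rejected."""
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad meta expression at offset {pos}: {expr!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def eval_meta(expr, hits):
    """Evaluate a meta expression against the set of rule names that hit.
    Grammar: or := and ('||' and)*; and := not ('&&' not)*;
    not := '!' not | atom; atom := '(' or ')' | RULE_NAME."""
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of meta expression: {expr!r}")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()  # always consumed, so syntax errors never hide
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in meta expression: {expr!r}")
            return value
        if tok in (")", "&&", "||", "!"):
            raise ValueError(f"unexpected {tok!r} in meta expression: {expr!r}")
        return tok in hits

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in meta expression: {expr!r}")
    return result


def score_message(hits, scores, metas):
    """Return (total score, sorted names of rules that hit) after applying metas."""
    hits = set(hits)
    for name, expr in metas.items():
        if eval_meta(expr, hits):
            hits.add(name)
    return round(sum(scores.get(r, 0.0) for r in hits), 1), sorted(hits)


def spoofed_whitelisted_sender(meta_score):
    """The thread's case: whitelisted From:, SPF_FAIL and a spammy body.
    meta_score=None means no counter-meta is configured at all."""
    scores, metas = dict(SCORES), {}
    if meta_score is not None:
        metas["WHITELIST_INSECURE_SPF"] = "USER_IN_WHITELIST && SPF_FAIL"
        scores["WHITELIST_INSECURE_SPF"] = meta_score
    return score_message({"USER_IN_WHITELIST", "SPF_FAIL", "BAYES_99"}, scores, metas)


if __name__ == "__main__":
    for label, meta_score in (("no meta", None), ("meta +50", 50.0), ("meta +100", 100.0)):
        total, hits = spoofed_whitelisted_sender(meta_score)
        verdict = "spam" if total >= REQUIRED_SCORE else "ham"
        print(f"{label:10s} score={total:7.1f} -> {verdict}  {hits}")
```

With the -100 default, a +50 meta only halves the whitelist credit and the spoofed message still lands well below the threshold; the meta has to carry the same magnitude as USER_IN_WHITELIST (or the whitelist score itself must be lowered, as suggested earlier in the thread) before such a message can score as spam.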
Re: USER_IN_WHITELIST and SPF_FAIL
> From: John Hardin jhar...@impsec.org
> Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
>
> On Tue, 19 Jun 2012, Benny Pedersen wrote:
> > On 2012-06-19 22:39, Kevin A. McGrail wrote:
> > > I think that's the concept behind the whitelist_from_spf
> >
> > But some use whitelist_from; it's nothing new there :=)
> >
> > Can user_in_whitelist be changed to not have -100 as the default score, or is whitelist_from planned for removal?
>
> It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.

True.

> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.

-jeff
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012 18:02:28 -0400 Jeff Mincy wrote:

> > From: John Hardin jhar...@impsec.org
> > Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
> >
> > On Tue, 19 Jun 2012, Benny Pedersen wrote:
> > > Can user_in_whitelist be changed to not have -100 as the default score, or is whitelist_from planned for removal?
> >
> > It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.
>
> True.
>
> > I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.
>
> How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.

If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than SPF-based whitelisting. It's not always right to treat users as idiots.
Re: USER_IN_WHITELIST and SPF_FAIL
> From: RW rwmailli...@googlemail.com
> Date: Tue, 19 Jun 2012 23:43:57 +0100
>
> On Tue, 19 Jun 2012 18:02:28 -0400 Jeff Mincy wrote:
> > > I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.
> >
> > How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.
>
> If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than SPF-based whitelisting. It's not always right to treat users as idiots.

Huh? What do you mean by "used sensibly"?

whitelist_from_rcvd is very reliable. whitelist_from is trivial to spoof. whitelist_from_rcvd and whitelist_from both trigger USER_IN_WHITELIST. It is easy to get into trouble using whitelist_from; having a separate score just for whitelist_from would make identifying the problem easier for the user.

-jeff
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012, Jeff Mincy wrote:

> > From: John Hardin jhar...@impsec.org
> >
> > I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.
>
> How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.

My suggestion was intended to minimize the effect on existing behavior. I agree, it would probably be a very good idea to allow whitelist_from to be scored differently than the other whitelist variants, and to ship it with a smaller default score, but that change is fairly disruptive.

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Usually Microsoft doesn't develop products, we buy products. -- Arno Edelmann, Microsoft product manager
---
15 days until the 236th anniversary of the Declaration of Independence
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012, Flemming Jacobsen wrote:

> I finally got around to enabling SPF checks in SA. (v. 3.3.2, via spamd on FreeBSD)
>
> It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

Which whitelist is the problematic user in? whitelist_from is a naive check of the from address and is trivially easy to spoof. You should review your whitelists and, now that you have SPF working, move senders that are in authenticated domains from whitelist_from to whitelist_auth so that you take advantage of SPF (and DKIM, if you have that working as well).

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Usually Microsoft doesn't develop products, we buy products. -- Arno Edelmann, Microsoft product manager
---
15 days until the 236th anniversary of the Declaration of Independence
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012 19:14:11 -0400 Jeff Mincy wrote:

> > From: RW rwmailli...@googlemail.com
> > Date: Tue, 19 Jun 2012 23:43:57 +0100
> >
> > If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than SPF-based whitelisting. It's not always right to treat users as idiots.
>
> Huh? What do you mean by "used sensibly"?

I mean, don't use it on well-known addresses, or if you're a candidate for spear-phishing and can't be trusted not to fall for it. Don't whitelist domains unless they are extremely obscure.

> whitelist_from_rcvd is very reliable.

Not if someone sends an email through a different mail system, which is a scenario where Bayes is much more likely to misclassify and an FP is most likely. It's also broken by forwarding, like SPF is.

> whitelist_from is trivial to spoof.

The overwhelming majority of email addresses are never spoofed.
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-20 03:09, RW wrote:

> The overwhelming majority of email addresses are never spoofed.

Seen from my MTA logs of sender addresses that miss the SMTP auth password here, postfix doesn't agree with you. If a sender uses something belonging to my domain I may start asking for passwords; this check does not need SPF or DKIM or even DMARC tests.
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 03:25:53 +0200 Benny Pedersen wrote:

> On 2012-06-20 03:09, RW wrote:
> > The overwhelming majority of email addresses are never spoofed.
>
> Seen from my MTA logs of sender addresses that miss the SMTP auth password here, postfix doesn't agree with you. If a sender uses something belonging to my domain I may start asking for passwords; this check does not need SPF or DKIM or even DMARC tests.

I've no idea what that means, but what I wrote wasn't entirely clear, particularly when taken out of context. What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
USER_IN_WHITELIST Not Scoring
My local root user sends me nightly emails with mail/spam statistics and information. Because of the spam information contained in the email, it sometimes gets flagged as spam itself.

In my local.cf, I have put the root user's email address in the whitelist_from line; however, whenever I send an email as the root user to my legitimate email account, it is not getting scored. I have explicitly entered:

score USER_IN_WHITELIST -100

in my local.cf. I have also disabled the AWL plugin. However, no matter what I do, it still won't score -100. The recipient's user_prefs is completely empty.

Any suggestions would be greatly appreciated. Attached is my local.cf: http://www.nabble.com/file/p24428065/local.cf

Best regards,
Brenden
Re: USER_IN_WHITELIST Not Scoring
boogybren wrote:
> Any suggestions would be greatly appreciated. Attached is my local.cf

Simple solution, but you may not have tried it... restart spamassassin

-- 
Dan Schaefer
Application Developer
Performance Administration Corp.
Re: USER_IN_WHITELIST Not Scoring
Thanks Dan, indeed I have bounced the daemon after modifying the local.cf.

Brenden

Daniel Schaefer wrote:
> boogybren wrote:
> > Any suggestions would be greatly appreciated. Attached is my local.cf
>
> Simple solution, but you may not have tried it... restart spamassassin
Re: USER_IN_WHITELIST Not Scoring
On Fri, 10 Jul 2009, boogybren wrote:

> My local root user sends me nightly emails with mail/spam statistics and information. Because of the spam information contained in the email, it sometimes gets flagged as spam itself.

I would suggest you look into MTA configs that will allow you to completely bypass SA on messages that originate from trusted hosts (e.g. localhost and your local network) and are destined for local recipients. Save the CPU cycles.

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The Constitution is a written instrument. As such its meaning does not alter. That which it meant when adopted, it means now. -- U.S. Supreme Court SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: USER_IN_WHITELIST Not Scoring
I have been wanting to do something like that but haven't done the legwork to figure it out. I will certainly look up how to do this in sendmail. Do you have any suggestions?

John Hardin wrote:
> On Fri, 10 Jul 2009, boogybren wrote:
> > My local root user sends me nightly emails with mail/spam statistics and information. Because of the spam information contained in the email, it sometimes gets flagged as spam itself.
>
> I would suggest you look into MTA configs that will allow you to completely bypass SA on messages that originate from trusted hosts (e.g. localhost and your local network) and are destined for local recipients. Save the CPU cycles.
Re: USER_IN_WHITELIST Not Scoring
On Fri, 10 Jul 2009, boogybren wrote:

> I have been wanting to do something like that but haven't done the legwork to figure it out. I will certainly look up how to do this in sendmail. Do you have any suggestions?

We also need to know how you're gluing SA into your mailer chain. Procmail? A milter of some sort?

> John Hardin wrote:
> > I would suggest you look into MTA configs that will allow you to completely bypass SA on messages that originate from trusted hosts (e.g. localhost and your local network) and are destined for local recipients. Save the CPU cycles.

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Gun Control laws cannot reduce violent crime, because gun control laws focus obsessively on a tool a criminal might use to commit a crime rather than the criminal himself and his act of violence.
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: USER_IN_WHITELIST Not Scoring
Am using procmail.

John Hardin wrote:
> On Fri, 10 Jul 2009, boogybren wrote:
> > I have been wanting to do something like that but haven't done the legwork to figure it out. I will certainly look up how to do this in sendmail. Do you have any suggestions?
>
> We also need to know how you're gluing SA into your mailer chain. Procmail? A milter of some sort?
Re: USER_IN_WHITELIST Not Scoring
On Fri, 10 Jul 2009, boogybren wrote:

> Am using procmail.

Take a look at http://www.impsec.org/~jhardin/antispam/ for a procmail SA ruleset that skips mail originating from localhost. If you need help generalizing that for your situation, contact me offlist.

Also, try to stop top-posting. Thanks.

> John Hardin wrote:
> > We also need to know how you're gluing SA into your mailer chain. Procmail? A milter of some sort?

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Gun Control laws cannot reduce violent crime, because gun control laws focus obsessively on a tool a criminal might use to commit a crime rather than the criminal himself and his act of violence.
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: USER_IN_WHITELIST Not Scoring
On Fri, 2009-07-10 at 06:53 -0700, an anonymous Nabble user wrote:

> My local root user sends me nightly emails with mail/spam statistics and information. Because of the spam information contained in the email, it sometimes gets flagged as spam itself.
>
> In my local.cf, I have put the root user's email address in the whitelist_from line; however, whenever I send an email as the root user to my legitimate email account, it is not getting scored.

> whitelist_from r...@myphonydomain.com

Don't use the un-constrained whitelist_from, unless as a last resort, if there's no other way and you cannot use the proper constrained ones, like whitelist_from_rcvd.

Anyway, no sample -- no way to point out your issue. Do paste at least the headers of such a mail.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: USER_IN_WHITELIST Not Scoring
On Fri, 2009-07-10 at 11:30 -0700, John Hardin wrote:
> On Fri, 10 Jul 2009, an anonymous Nabble user wrote:
> > Am using procmail.
>
> Take a look at http://www.impsec.org/~jhardin/antispam/ for a procmail SA ruleset that skips mail originating from localhost. If you need help generalizing that for your situation, contact me offlist.

With procmail, you can trivially exonerate specific sender addresses from scanning. Just add a condition like this to your spamc filtering procmail recipe:

* ! ^From: f...@example.net

However, with IMAP and server-side procmail filtering I personally strongly prefer to sort the cron crap into a dedicated folder, not cluttering up my Inbox. For that, just add a delivery recipe *before* scanning with SA. Like this example.

:0 :
* ^From: @example.net \(Cron Daemon\)
* ^X-Cron-Env:
cron
Re: USER_IN_WHITELIST Not Scoring
Here are the headers:

Return-Path: r...@myphonydomain.com
X-Spam-Tests: * -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
 * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
 * [score: 0.]
 * 2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mcewan.net
X-Spam-Level:
X-Spam-Status: No, score=-2.2 required=4.0 tests=ALL_TRUSTED,BAYES_00,
 TVD_SPACE_RATIO autolearn=disabled version=3.2.5
X-Spam-Relay-Country:
Received: from myphonydomain.com (localhost [127.0.0.1]) by myphonydomain.com (8.13.6.20060614/8.13.6) with ESMTP id n6ALprFc064402 for bren...@myphonydomain.com; Fri, 10 Jul 2009 15:51:54 -0600 (MDT)
Received: from localhost (r...@localhost) by mcewan.net (8.13.6.20060614/8.13.6/Submit) with ESMTP id n6ALprfK064397 for bren...@myphonydomain.com; Fri, 10 Jul 2009 15:51:53 -0600 (MDT)
Date: Fri, 10 Jul 2009 15:51:53 -0600 (MDT)
From: Charlie Root r...@myphonydomain.com
To: Brenden McEwan bren...@myphonydomain.com
Subject: test message
Message-ID: 20090710155144.m85...@myphonydomain.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Karsten Bräckelmann-2 wrote:
> On Fri, 2009-07-10 at 06:53 -0700, an anonymous Nabble user wrote:
> > My local root user sends me nightly emails with mail/spam statistics and information. Because of the spam information contained in the email, it sometimes gets flagged as spam itself.
> >
> > In my local.cf, I have put the root user's email address in the whitelist_from line; however, whenever I send an email as the root user to my legitimate email account, it is not getting scored.
>
> > whitelist_from r...@myphonydomain.com
>
> Don't use the un-constrained whitelist_from, unless as a last resort, if there's no other way and you cannot use the proper constrained ones, like whitelist_from_rcvd.
>
> Anyway, no sample -- no way to point out your issue. Do paste at least the headers of such a mail.
Re: USER_IN_WHITELIST Not Scoring
> From: Karsten Bräckelmann guent...@rudersport.de
> Date: Fri, 10 Jul 2009 23:43:03 +0200
>
> On Fri, 2009-07-10 at 06:53 -0700, an anonymous Nabble user wrote:
> > My local root user sends me nightly emails with mail/spam statistics and information. Because of the spam information contained in the email, it sometimes gets flagged as spam itself.
> >
> > In my local.cf, I have put the root user's email address in the whitelist_from line; however, whenever I send an email as the root user to my legitimate email account, it is not getting scored.
>
> > whitelist_from r...@myphonydomain.com
>
> Don't use the un-constrained whitelist_from, unless as a last resort, if there's no other way and you cannot use the proper constrained ones, like whitelist_from_rcvd.

A local root sender should be getting ALL_TRUSTED. whitelist_from_rcvd won't work on local email; you need at least one external hop to get the 'rcvd' part. You could write SpamAssassin rules to look for the messages, but you probably don't want to AUTOLEARN the messages since any tokens in the email are probably spam hosts. As pointed out earlier, this type of email should bypass SpamAssassin in procmail (etc).

> Anyway, no sample -- no way to point out your issue. Do paste at least the headers of such a mail.

Yep.

-jeff
Re: USER_IN_WHITELIST Not Scoring
On Fri, 2009-07-10 at 14:53 -0700, an anonymous Nabble user wrote:
> Here are the headers:
>
> Return-Path: r...@myphonydomain.com
> X-Spam-Tests: * -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
>  * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
>  * [score: 0.]
>  * 2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mcewan.net
> X-Spam-Level:
> X-Spam-Status: No, score=-2.2 required=4.0 tests=ALL_TRUSTED,BAYES_00,
>  TVD_SPACE_RATIO autolearn=disabled version=3.2.5
> [...]
> From: Charlie Root r...@myphonydomain.com

> whitelist_from r...@myphonydomain.com

Err... Since these do match, and you claimed to have restarted SA since the conf change, my conclusion is you have a typo somewhere. After all, neither your local.cf nor these headers appear to be raw and un-munged.

$ host myphonydomain.com
Host myphonydomain.com not found: 3(NXDOMAIN)
Re: USER_IN_WHITELIST Not Scoring
On Fri, 2009-07-10 at 17:59 -0400, Jeff Mincy wrote:
> > Don't use the un-constrained whitelist_from, unless as a last resort, if there's no other way and you cannot use the proper constrained ones, like whitelist_from_rcvd.
>
> A local root sender should be getting ALL_TRUSTED. whitelist_from_rcvd won't work on local email; you need at least one external hop to get the 'rcvd' part. You could write SpamAssassin rules to look for the messages,

Ah, you're right. That option requires handover from the Internet to the *internal* network. Thanks, my bad.

> but you probably don't want to AUTOLEARN the messages since any tokens in the email are probably spam hosts. As pointed out earlier, this type of email should bypass SpamAssassin in procmail (etc).

Agreed, see my notes on that. :)

> > Anyway, no sample -- no way to point out your issue. Do paste at least the headers of such a mail.
>
> Yep.
Re: USER_IN_WHITELIST Not Scoring
Thanks Karsten. myphonydomain.com is just that, phony :-). I am using it in lieu of my real domain.

Karsten Bräckelmann-2 wrote:
> On Fri, 2009-07-10 at 14:53 -0700, an anonymous Nabble user wrote:
> > Here are the headers:
> > [...]
> > From: Charlie Root r...@myphonydomain.com
>
> > whitelist_from r...@myphonydomain.com
>
> Err... Since these do match, and you claimed to have restarted SA since the conf change, my conclusion is you have a typo somewhere. After all, neither your local.cf nor these headers appear to be raw and un-munged.
>
> $ host myphonydomain.com
> Host myphonydomain.com not found: 3(NXDOMAIN)
Re: USER_IN_WHITELIST Not Scoring
On Fri, 10 Jul 2009, boogybren wrote:

> Thanks Karsten. myphonydomain.com is just that, phony :-). I am using it in lieu of my real domain.

The example.com domain is explicitly reserved for that purpose. If you use example.com in the future, people will know that you are sanitizing your headers.

-- 
John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If healthcare is a Right means that the government is obligated to provide the people with hospitals, physicians, treatments and medications at low or no cost, then the right to free speech means the government is obligated to provide the people with printing presses and public address systems, the right to freedom of religion means the government is obligated to build churches for the people, and the right to keep and bear arms means the government is obligated to provide the people with guns, all at low or no cost.
---
10 days until the 40th anniversary of Apollo 11 landing on the Moon
Re: USER_IN_WHITELIST Not Scoring
On Fri, 2009-07-10 at 15:30 -0700, an anonymous Nabble user wrote:
> Thanks Karsten.

So it actually was a typo preventing the whitelist option from working?

> myphonydomain.com is just that, phony :-). I am using it in lieu of my real domain.

So I figured. Bad idea nonetheless, makes debugging harder.

> Karsten Bräckelmann wrote:
> > Err... Since these do match, and you claimed to have restarted SA since the conf change, my conclusion is you have a typo somewhere. After all, neither your local.cf nor these headers appear to be raw and un-munged.
> >
> > $ host myphonydomain.com
> > Host myphonydomain.com not found: 3(NXDOMAIN)
USER_IN_WHITELIST problem.
Dear users!

I'm using exim + spamd + user_prefs in MySQL. All works fine. But I found a bug: when I'm using the whitelist, and the header rcpt to: has an address with a character description, the whitelist fails to catch it in the database. For example:

1st message:
spamd: clean message (-91.7/10.0) for t...@localdomain.com:501 in 8.2 seconds, 13522829 bytes.

2nd message:
spamd: identified spam (9.2/5.0) for some text t...@localdomain.com:501 in 8.3 seconds, 14874071 bytes.

Where "some text" is, for example, the User Name in the address book of the sender's mail agent.

MySQL userpref struct:

username | preference     | value             | prefid
test     | whitelist_from | sen...@hidden.com | 1

MySQL database query in sql.cf:

user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username IN (_USERNAME_, '$GLOBAL', CONCAT(_MAILBOX_, '@' , _DOMAIN_),SUBSTRING_INDEX(_USERNAME_, '@', 1)) ORDER BY username ASC

All works fine when the address of the recipient in the incoming letter is canonical, like t...@localdomain.com.

How can I fix this? Thanks.

Wbr, Steve
Re: USER_IN_WHITELIST problem.
Bug wrote:

> Dear users!
>
> I'm using exim + spamd + user_prefs in mysql. All works fine. But I found a bug: when I'm using the whitelist and the header rcpt to: has an address with a character description, the whitelist fails to catch it in the database. For example:
>
> 1st message:
> spamd: clean message (-91.7/10.0) for t...@localdomain.com:501 in 8.2 seconds, 13522829 bytes.
>
> 2nd message:
> spamd: identified spam (9.2/5.0) for "some text" t...@localdomain.com:501 in 8.3 seconds, 14874071 bytes.
>
> Where "some text" is, for example, the User Name in the address book of the sender's mail agent.
>
> [...]
>
> All works fine when the address of the recipient in the incoming letter is canonical like t...@localdomain.com
>
> How can I fix this?

Stop passing extra garbage in the -u parameter to spamc?

The "some text" part can't legally occur in a RCPT TO: command (which is not a header). Do you mean you are extracting the entire contents of the To: header? spamc isn't designed to parse all that extra data off, username or usern...@domain only.

I'd try to find a way to get the RCPT TO not the To: anyway. The To: header might not contain the actual recipient and isn't a useful header for selecting user prefs. (i.e.: posts sent to mailing lists are RCPT TO: you, but they are To: the list.)

This is precisely why SA doesn't try to parse the To: header and use that for selecting prefs. It is often misleading.
Re[2]: USER_IN_WHITELIST problem. SOLVED
Thank you Matt! Your letter helped me to understand my problem better.

I'm not using sa-spamc; my exim uses the ACL spam condition, which connects directly to the spamd ip/port.

The solution I found was described in the Exim FAQ, A0512:

  Envelope-To: is added at delivery time, by the transport. Therefore, the header doesn't exist at filter time. In a user filter, the values you probably want are in $original_local_part and $original_domain. In a system filter, the complete list of all envelope recipients is in $recipients.

Incorrect lines are commented out; the now working config of the ACL spam looks like:

  warn message = X-Spam-Score: $spam_score ($spam_bar)
       spam = $recipients
       # spam = $h_to

  warn message = X-Spam-Report: $spam_report
       spam = $recipients
       # spam = $h_to

> Stop passing extra garbage in the -u parameter to spamc?
>
> The "some text" part can't legally occur in a RCPT TO: command (which is not a header). Do you mean you are extracting the entire contents of the To: header? spamc isn't designed to parse all that extra data off, username or usern...@domain only.
>
> I'd try to find a way to get the RCPT TO not the To: anyway. The To: header might not contain the actual recipient and isn't a useful header for selecting user prefs. (i.e.: posts sent to mailing lists are RCPT TO: you, but they are To: the list.)
>
> This is precisely why SA doesn't try to parse the To: header and use that for selecting prefs. It is often misleading.
>
>> But I found a bug: when I'm using the whitelist and the header rcpt to: has an address with a character description, the whitelist fails to catch it in the database. For example:
>>
>> 1st message:
>> spamd: clean message (-91.7/10.0) for t...@localdomain.com:501 in 8.2 seconds, 13522829 bytes.
>>
>> 2nd message:
>> spamd: identified spam (9.2/5.0) for "some text" t...@localdomain.com:501 in 8.3 seconds, 14874071 bytes.

Thank you!

Wbr, Good luck with spam fight!
USER_IN_WHITELIST triggered but whitelist_from* not in my config
Lately, we've been getting a bunch of spam with negative scores because it has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2 weeks ago I removed whitelist_from_rcvd. Could it still be triggering it? Maybe the spam was sent a few weeks ago and is just now being delivered to the users? Any ideas why?

Email head:

From: user
Subject: RE: Get your mind cleared from additional problems.
Date: November 12, 2008 11:25:03 AM MST
To: user
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on server
X-Spam-Level:
X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,
	HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
	MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,
	URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,
	USER_IN_WHITELIST autolearn=no version=3.1.9
Received: from Jolanta (host-81-190-116-29.gdynia.mm.pl [81.190.116.29]) by server with SMTP id mACIP34L021551 for user; Wed, 12 Nov 2008 11:25:04 -0700
Mime-Version: 1.0
Content-Type: text/html

/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5.5
report_safe 0
rewrite_header Subject [SPAM]
use_auto_whitelist 0

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
bayes_auto_learn 1

use_razor2 1
use_pyzor 1
skip_rbl_checks 1

internal_networks 192.168.1/24
internal_networks 192.168.2/24
internal_networks 192.168.3/24
internal_networks 192.168.4/24
internal_networks 192.168.5/24
trusted_networks 192.168.1/24
trusted_networks 192.168.2/24
trusted_networks 192.168.3/24
trusted_networks 192.168.4/24
trusted_networks 192.168.5/24

--
View this message in context: http://www.nabble.com/USER_IN_WHITELIST-triggered-but-whitelist_from*-not-in-my-config-tp20470780p20470780.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: USER_IN_WHITELIST triggered but whitelist_from* not in my config
Nevermind. Someone has whitelisted our url in user-prefs.

robanna wrote:

> Lately, we've been getting a bunch of spam with negative scores because it has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2 weeks ago I removed whitelist_from_rcvd. Could it still be triggering it? Maybe the spam was sent a few weeks ago and is just now being delivered to the users? Any ideas why?
>
> [...]
USER_IN_WHITELIST Rule
Why does spam continually get a hit on this rule? I noticed a lot more spam coming in off the upgrade to 3.2.4. Are spammers getting crafty with their mail messages to appear as coming from myself TO myself? I could always reduce the adjustment that USER_IN_WHITELIST makes. However, I'd like to avoid that if possible. What's up with that?
Re: USER_IN_WHITELIST Rule
Matthew Goodman wrote:

> Why does spam continually get a “hit” on this rule? I noticed a lot more spam coming in off the upgrade to 3.2.4. Are spammers getting crafty with their mail messages to appear as coming from myself TO myself? I could always reduce the adjustment that USER_IN_WHITELIST makes. However, I’d like to avoid that if possible. What’s up with that?

My guess is you did something many new users do: whitelist_from [EMAIL PROTECTED], or whitelist_from [EMAIL PROTECTED]

Spammers *FREQUENTLY* forge your domain as either the From: or the Return-Path, both of which will match the whitelist_from, causing USER_IN_WHITELIST to trigger.

In general, don't use whitelist_from. Period. It just looks at a single, trivially forged header.

I'd generally suggest avoiding white lists, but if you must, whitelist_from_rcvd is substantially better as it takes a second parameter that checks the reverse-dns lookup of the first external host in the Received: headers. This is a little more difficult to configure properly, but it's also fairly difficult to forge if configured properly.

Another good option if you have SPF enabled and the sending domain has SPF would be whitelist_from_spf. This takes a single parameter, but requires the email match the SPF specs for the sending domain.

Regardless, USER_IN_WHITELIST will only trigger in response to a whitelist_from* type command, so it's definitely one of these that you explicitly added. There are some default white listings in SA, but they used the def_whitelist_* commands, which triggers USER_IN_DEF_WHITELIST instead.

Check your configs and see which whitelist command the spammers are abusing.
Re: user_in_whitelist , how do I find out which one?
Andrew Xiang wrote:

> I have many users in the whitelist_from in the local.cf. When I get forwarded spam email like this, how do I find which one it matched?

If you want to know for sure, you can run it through spamassassin -D and wade through the debug output.

My guess is you've got a whitelist_from [EMAIL PROTECTED] or whitelist_from [EMAIL PROTECTED] that's matching.

> Which FROM entry is it actually looking at?

Well, it's looking at all of them. SpamAssassin will dig for any hints at the envelope sender, as well as the normal From: header. It's going to be looking at the embedded envelope-from's in the Received: headers, as well as the From: header. In particular, the list for this message could be:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

depending on what hosts SA is set to trust.

Don't use plain whitelist_from's unless you can't avoid it. Where possible, use whitelist_from_rcvd or whitelist_from_spf instead.
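As an added illustration (Python, not SpamAssassin's own code) of the point both Matt Kettler replies above make about whitelist_from versus whitelist_from_rcvd and whitelist_from_spf, and of the "which entry matched?" question: a simplified model of the three matching rules, run over two constructed messages. The addresses, relay names and configuration entries are all constructed; the real matching lives in SA's Perl and also consults further sender headers (Resent-From and friends) that this model leaves out.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Message:
    """The sender hints SA looks at (a constructed model, not SA's own object)."""
    from_addr: str        # address in the From: header
    envelope_from: str    # Return-Path / envelope sender
    relay_rdns: str       # reverse DNS of the first external relay in Received:
    spf_pass: bool = False  # whether the SPF check passed for the sender domain


@dataclass
class Whitelists:
    """Entries as they would appear in local.cf or user_prefs."""
    whitelist_from: list = field(default_factory=list)       # address globs
    whitelist_from_rcvd: list = field(default_factory=list)  # (address glob, rDNS domain)
    whitelist_from_spf: list = field(default_factory=list)   # address globs


def glob_match(pattern: str, addr: str) -> bool:
    """whitelist_* address patterns allow '*' and '?' and are case-insensitive."""
    return fnmatch.fnmatchcase(addr.lower(), pattern.lower())


def rdns_matches(rdns: str, domain: str) -> bool:
    """The second argument of whitelist_from_rcvd is matched as a suffix of the
    relay's reverse DNS name, so 'example.com' also covers 'mx1.example.com'
    but not 'example.com.attacker.net'."""
    rdns, domain = rdns.lower(), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def check_whitelists(msg: Message, wl: Whitelists) -> list:
    """Return every (directive, entry, header) combination that matches.
    whitelist_from only needs a header to look right; the other two also
    need evidence that the message really came from that domain."""
    hits = []
    for header, addr in (("From:", msg.from_addr), ("envelope-from", msg.envelope_from)):
        for pat in wl.whitelist_from:
            if glob_match(pat, addr):
                hits.append(("whitelist_from", pat, header))
        for pat, dom in wl.whitelist_from_rcvd:
            if glob_match(pat, addr) and rdns_matches(msg.relay_rdns, dom):
                hits.append(("whitelist_from_rcvd", f"{pat} {dom}", header))
        for pat in wl.whitelist_from_spf:
            if glob_match(pat, addr) and msg.spf_pass:
                hits.append(("whitelist_from_spf", pat, header))
    return hits


def explain(hits: list) -> list:
    """Human-readable answer to 'which whitelist entry matched?'"""
    if not hits:
        return ["USER_IN_WHITELIST would not fire"]
    return [f"USER_IN_WHITELIST via {d} {e} (matched on {h})" for d, e, h in hits]


# Constructed configuration: the common mistake (whitelisting one's own domain
# with plain whitelist_from) beside the two safer forms of the same entry.
WL = Whitelists(
    whitelist_from=["*@example.com"],
    whitelist_from_rcvd=[("*@example.com", "example.com")],
    whitelist_from_spf=["*@example.com"],
)

# Constructed spam: From: forged into the whitelisted domain, delivered from an
# unrelated dial-up host, no SPF pass.
FORGED = Message(
    from_addr="boss@example.com",
    envelope_from="bounce@bulk-sender.example.org",
    relay_rdns="pool-1-2-3-4.dialup.example.net",
    spf_pass=False,
)

# Constructed genuine mail from the same domain, relayed by its own MX.
GENUINE = Message(
    from_addr="boss@example.com",
    envelope_from="boss@example.com",
    relay_rdns="mx1.example.com",
    spf_pass=True,
)

if __name__ == "__main__":
    for label, msg in (("forged", FORGED), ("genuine", GENUINE)):
        print(label)
        for line in explain(check_whitelists(msg, WL)):
            print("  ", line)
```

Only the plain whitelist_from entry fires for the forged message, which is exactly the -100 hit the posters in these threads are seeing.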
user_in_whitelist , how do I find out which one?
I have many users in the whitelist_from in the local.cf. When I get forwarded spam email like this, how do I find which one it matched? Which FROM entry is it actually looking at?

-Andrew

X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on xphotonics.com
X-Spam-Level:
X-Spam-Status: No, score=-72.0 required=5.0 tests=BAYES_50,DCC_CHECK,
	DIGEST_MULTIPLE,DRUGS_ERECTILE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
	MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
	RAZOR2_CHECK,SARE_FROM_DRUGS,UNPARSEABLE_RELAY,USER_IN_WHITELIST autolearn=no
	version=3.2.1
X-Spam-Pyzor: Reported 4263 times.
X-Spam-Report:
	* -100 USER_IN_WHITELIST From: address is in the user's white-list
	*  1.7 SARE_FROM_DRUGS From a drug
	*  5.5 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
	*      [score: 0.5000]
	*  3.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  5.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
	*  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
	*      above 50%
	*      [cf: 100]
	*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
	*      [cf: 100]
	*  5.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
	*  5.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
	*  0.0 DIGEST_MULTIPLE Message hits more than one network digest check
	*  0.3 DRUGS_ERECTILE Refers to an erectile drug
	*  0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
Received: from xphotonics.com (localhost [127.0.0.1]) by xphotonics.com (8.14.1/8.14.1) with ESMTP id l9MFJIOp032936 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO) for [EMAIL PROTECTED]; Mon, 22 Oct 2007 11:19:18 -0400 (EDT) (envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED]) by xphotonics.com (8.14.1/8.14.1/Submit) id l9MFJIKX032935 for xiang; Mon, 22 Oct 2007 11:19:18 -0400 (EDT) (envelope-from lian)
Received: from 029ae8f252bf4ac (84pavel.dialup.corbina.ru [85.21.237.209]) by xphotonics.com (8.14.1/8.14.1) with SMTP id l9MFHg8N032899 for [EMAIL PROTECTED]; Mon, 22 Oct 2007 11:17:44 -0400 (EDT) (envelope-from [EMAIL PROTECTED])
Date: Mon, 22 Oct 2007 11:17:42 -0400 (EDT)
Received: from Susana Ware (10.11.17.11) by 029ae8f252bf4ac (PowerMTA(TM) v3.2r4) id hfp31o62d55j87 for [EMAIL PROTECTED]; Mon, 22 Oct 2007 07:17:20 +0300
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: October 79% OFF
From: VIAGRA ?Official Site [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com
X-Virus-Status: Clean
Re: user_in_whitelist , how do I find out which one?
On Mon, 2007-10-22 at 11:46 -0400, Andrew Xiang wrote:

> I have many users in the whitelist_from in the local.cf. When I get forwarded spam email like this, how do I find which one it matched? Which FROM entry is it actually looking at?

See the section "Whitelist and Blacklist options" in the docs.

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

You'll also find the recommendation not to use whitelist_from, and what to use instead.

guenther
Re: USER_IN_WHITELIST ??
Matt, looks like you hit that target on this. There are tons of whitelist_from_rcvd directives in /etc/spamassassin/70_sare_whitelist.cf including the problem addresses. I'll need to figure out a way to override these. Does blacklist_from take precedence over whitelist_from or whitelist_from_rcvd?

Thanks!

On Sun, 2007-07-15 at 20:26 -0400, Matt Kettler wrote:

> Lindsay Haisley wrote:
>> I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1) with USER_IN_WHITELIST and assigned score components of -100 accordingly according to 50_scores.cf on the basis of a call to eval:check_from_in_whitelist() in 60_whitelist.cf.
>
> What about whitelist_from_rcvd, or whitelist_from_spf? Do you have any whitelist commands at the site config level (ie: local.cf or add-on rulesets)?

-- Lindsay Haisley, FMP Computer Services
Re: USER_IN_WHITELIST ??
On Mon, Jul 16, 2007 at 01:38:22AM -0500, Lindsay Haisley wrote:

> override these. Does blacklist_from take precedence over whitelist_from or whitelist_from_rcvd?

Whitelists and blacklists are independent, ie: no precedence involved. You could have both hit on a message for a +100 - 100 = 0 total shift.
USER_IN_WHITELIST ??
I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1) with USER_IN_WHITELIST and assigned score components of -100 accordingly according to 50_scores.cf on the basis of a call to eval:check_from_in_whitelist() in 60_whitelist.cf.

I would assume that this would only be possible if I had configured 'whitelist_from xxx' in my user prefs (which are stored in a MySQL database), but I have no such settings, so I don't have a manual whitelist as described at http://wiki.apache.org/spamassassin/ManualWhitelist.

On the other hand, both errant addresses _were_ in my AWL database which should assign a much smaller (possibly positive) spam score, and shouldn't evoke a hit on USER_IN_WHITELIST.

Am I missing something here, or is this a SA bug?

-- Lindsay Haisley, FMP Computer Services
Re: USER_IN_WHITELIST ??
Lindsay Haisley wrote:

> I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1) with USER_IN_WHITELIST and assigned score components of -100 accordingly according to 50_scores.cf on the basis of a call to eval:check_from_in_whitelist() in 60_whitelist.cf.
>
> I would assume that this would only be possible if I had configured 'whitelist_from xxx' in my user prefs (which are stored in a MySQL database), but I have no such settings, so I don't have a manual whitelist as described at http://wiki.apache.org/spamassassin/ManualWhitelist.

What about whitelist_from_rcvd, or whitelist_from_spf? Do you have any whitelist commands at the site config level (ie: local.cf or add-on rulesets)?

try a run of this:

grep whitelist /etc/mail/spamassassin/*.cf

> On the other hand, both errant addresses _were_ in my AWL database which should assign a much smaller (possibly positive) spam score, and shouldn't evoke a hit on USER_IN_WHITELIST.
>
> Am I missing something here, or is this a SA bug?
Re: USER_IN_WHITELIST and autolearn
[EMAIL PROTECTED] says...

> Alexis Manning wrote:
>> It seems that if USER_IN_WHITELIST is triggered then the message won't be auto-learned.
>
> That is incorrect, however USER_IN_WHITELIST does not count toward any autolearning decisions.
>
> [...]
>
> As far as the autolearner is concerned, this message scored 0.001. (BAYES_50 doesn't count either, to avoid bayes self-feeding.)

Matt, thanks very much for the comprehensive reply. Off to read about AutoLearnThreshold now :)

Cheers,

-- A.
USER_IN_WHITELIST and autolearn
It seems that if USER_IN_WHITELIST is triggered then the message won't be auto-learned.

X-Spam-Status: No, score=-100.0 required=7.5 tests=BAYES_50=0.001,
	HTML_MESSAGE=0.001,USER_IN_WHITELIST=-100 autolearn=no version=3.1.7

I have a fair number of people in my whitelist and I would like to feed that ham to the Bayes database: is there any option which will allow their messages to be auto-learned too, or do I have to do it manually?

Thanks,

-- A.
Re: USER_IN_WHITELIST and autolearn
Alexis Manning wrote:

> It seems that if USER_IN_WHITELIST is triggered then the message won’t be auto-learned.

That is incorrect, however USER_IN_WHITELIST does not count toward any autolearning decisions. The primary reason being that whitelists are often misconfigured the first time around (ie: whitelist_from [EMAIL PROTECTED]). If the whitelists counted towards autolearning, people making whitelisting mistakes would have a lot of cleanup work to do fixing the bayes DB as well.

As far as the autolearner is concerned, this message scored 0.001. (BAYES_50 doesn't count either, to avoid bayes self-feeding.)

> X-Spam-Status: No, score=-100.0 required=7.5 tests=BAYES_50=0.001,
>	HTML_MESSAGE=0.001,USER_IN_WHITELIST=-100 autolearn=no version=3.1.7
>
> I have a fair number of people in my whitelist and I would like to feed that ham to the Bayes database: is there any option which will allow their messages to be auto-learned too, or do I have to do it manually?

They will be autolearned, but only on their own merits. The whitelisting won't force autolearning as nonspam.

You might want to read the autolearner documentation to see how the autolearner calculates score. It changes a few things and the score it uses can be quite different than the final message score.

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_AutoLearnThreshold.html

In this case, all the whitelist rules have the tflag userconf.

> Thanks,
>
> -- A.
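Added example (Python, not SpamAssassin's own code and not from either poster): recompute the score the autolearner sees from the tests= list of an X-Spam-Status header, dropping rules whose tflags are userconf, noautolearn or learn as Matt describes. The tflags table and both header strings are constructed here (the second mirrors the USER_IN_BLACKLIST example further down this page), and the real AutoLearnThreshold plugin applies further conditions beyond this score that are not modelled.

```python
import re

# Constructed tflags table for the rules that appear on this page; a real
# install takes these from the rule files (60_whitelist.cf, 23_bayes.cf, ...).
TFLAGS = {
    "USER_IN_WHITELIST": {"userconf", "nice", "noautolearn"},
    "USER_IN_BLACKLIST": {"userconf", "noautolearn"},
    "BAYES_50": {"learn"},
}

# Rules carrying any of these tflags do not count toward the autolearn score.
AUTOLEARN_EXCLUDED = {"userconf", "noautolearn", "learn"}


def parse_tests(status_header: str) -> dict:
    """Extract {rule: score} from the tests= list of an X-Spam-Status header.
    Handles folded continuation lines and the 'RULE=score' form; a bare rule
    name (as in headers without per-rule scores) is recorded as 0.0."""
    flat = " ".join(status_header.split())  # unfold the header
    m = re.search(r"tests=(.*?)\s+(?:autolearn|version)=", flat)
    if not m:
        raise ValueError("no tests= list in X-Spam-Status header")
    scores = {}
    for item in m.group(1).split(","):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            scores[name] = float(value) if value else 0.0
    return scores


def autolearn_score(scores: dict, tflags: dict = TFLAGS) -> float:
    """Sum of the rule scores the autolearner is allowed to see."""
    return round(sum(s for rule, s in scores.items()
                     if not (tflags.get(rule, set()) & AUTOLEARN_EXCLUDED)), 3)


def excluded_rules(scores: dict, tflags: dict = TFLAGS) -> list:
    """The rules that were hit but hidden from the autolearner."""
    return sorted(r for r in scores if tflags.get(r, set()) & AUTOLEARN_EXCLUDED)


def reported_score(status_header: str) -> float:
    """The score= value SA wrote into the header (what the user sees)."""
    return float(re.search(r"score=(-?[\d.]+)", status_header).group(1))


# Constructed header matching the one quoted in this thread.
HAM_WHITELISTED = (
    "X-Spam-Status: No, score=-100.0 required=7.5 tests=BAYES_50=0.001,\n"
    "\tHTML_MESSAGE=0.001,USER_IN_WHITELIST=-100 autolearn=no version=3.1.7"
)

# Constructed header mirroring the USER_IN_BLACKLIST example later on this page.
SPAM_BLACKLISTED = (
    "X-Spam-Status: Yes, score=119.5 required=5.0 tests=RAZOR2_CF_RANGE_51_100=0.5,\n"
    "\tRAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,\n"
    "\tRCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,\n"
    "\tSPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,\n"
    "\tURIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094,\n"
    "\tUSER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7"
)

if __name__ == "__main__":
    for hdr in (HAM_WHITELISTED, SPAM_BLACKLISTED):
        scores = parse_tests(hdr)
        print(f"reported {reported_score(hdr):>7}  autolearner sees {autolearn_score(scores):>7}"
              f"  ignored: {', '.join(excluded_rules(scores))}")
```

For the whitelisted message the autolearner sees 0.001, as Matt states; for the blacklisted one it sees 19.507 rather than 119.5, so the +100 from USER_IN_BLACKLIST does not push a message into Bayes any more than the -100 from USER_IN_WHITELIST does.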
USER_IN_WHITELIST
Which rule sets this? I have grep'd through /etc/mail/spamassassin and the variable is used but does not seem to get set anywhere?

-- --[ UxBoD ]--
Re: USER_IN_WHITELIST
--[ UxBoD ]-- wrote:

> Which rule sets this? I have grep'd through /etc/mail/spamassassin and the variable is used but does not seem to get set anywhere?

Hi,

Have a look in /usr/share/spamassassin. There is 60_whitelist.cf for rules, and the scores are in 50_scores.cf. BUT it's better to overwrite these parameters by updating the local.cf instead.

What is the problem? I may have the same!!

Cedric
Re: USER_IN_WHITELIST
I have just performed a brand new server install with SA 3.2.0 and I noticed an email this morning that had scored -94. I do not know the sender domain, so looked at how it had been scored and noticed that the rule USER_IN_WHITELIST had been hit with a -100.

On Tue, 15 May 2007 10:35:35 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:

> --[ UxBoD ]-- wrote:
>> Which rule sets this? I have grep'd through /etc/mail/spamassassin and the variable is used but does not seem to get set anywhere?
>
> Hi,
>
> Have a look in /usr/share/spamassassin. There is 60_whitelist.cf for rules, and the scores are in 50_scores.cf. BUT it's better to overwrite these parameters by updating the local.cf instead.
>
> What is the problem? I may have the same!!
>
> Cedric

-- --[ UxBoD ]--
Re: USER_IN_WHITELIST
ok - not the same problem I have

is -100 too high for you?

--[ UxBoD ]-- wrote:

> I have just performed a brand new server install with SA 3.2.0 and I noticed an email this morning that had scored -94. I do not know the sender domain, so looked at how it had been scored and noticed that the rule USER_IN_WHITELIST had been hit with a -100.
>
> [...]

-- Cedric BUSCHINI - CARAX - IT Department
Re: USER_IN_WHITELIST
It wouldn't be if we had any user whitelists set up! That's the problem. This is a vanilla installation and we have no individual user preferences set up. All is controlled by a single account, as the mail is then passed on to a Notes server. I have looked at that rule and can see that it uses the function eval:check_from_in_whitelist(), but need to see how that works.

On Tue, 15 May 2007 10:48:47 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:

> ok - not the same problem I have
>
> is -100 too high for you?
>
> [...]

-- --[ UxBoD ]--
Re: USER_IN_WHITELIST
Resolved :) Thanks.

On Tue, 15 May 2007 10:48:47 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:

> ok - not the same problem I have
>
> is -100 too high for you?
>
> [...]

-- --[ UxBoD ]--
Re: USER_IN_WHITELIST problem
Sherman Lilly wrote:

> [Snipped text about forged mail from own domains whitelisted...]
>
> I was looking on the net and I came across a plugin on spamassassin I don't think i have loaded. Will the SPF plugin help with this problem?

If you publish SPF records for your domains, you can use whitelist_from_spf instead of whitelist_from. That way you shouldn't whitelist forgeries.

OTH, why do you need to whitelist your own domain?

/Jonas

-- Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
RE: USER_IN_WHITELIST problem
René Berber wrote:

> Sherman Lilly wrote:
>
> [snip]
>
>> I get why they are getting through. They are spoofing the Return-Path. Is there any way to remedy this problem?
>
> Depends on your server. For sendmail there is:
>
> http://ultra.ap.krakow.pl/~raj/sendmail/english.html
>
> the FEATURE(`local_sender_check') gets rid of all forged addresses pretending to be from your domain.

Unfortunately, at least in my case, the addresses aren't forged - they are actual addresses on my server (Some of my clients APPEAR to send themselves quite a bit of this garbage), so the local_sender_check wouldn't help, because the return path appears to be themselves.

--Will
Re: USER_IN_WHITELIST problem
As of last Wednesday I am having this problem. In fact it's more than just USER_IN_WHITELIST, I am getting many reports of incorrect USER_IN_BLACKLIST.

No, I don't whitelist my domain. Yes, I checked the To/From/ReplyTo/EnvelopeFrom/etc. No, the users don't have whitelist/blacklist entries anywhere close to the reported match in debug mode.

Green = Blacklist
Blue = Whitelist

The most recent change, on or around Wednesday, was I ran sa-update. I now use the rules located in /var/lib/spamassassin. I checked my configs and noticed v310.pre now shows AWL enabled. I disabled this, thought I saw all my graphs drop but sadly it was a momentary drop. I reverted back to using /usr/local/share/spamassassin base rules. No change. So therefore I have rolled back any change made in the last week.

Here are two examples of a test I just ran. I took two messages and ran them through a loop. One gets scanned normally and occasionally hits the blacklist. The other does the inverse. Both are from my inbox, dated today.

== Example 1

=== Scanned, normal score

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: ***
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=19.5 required=5.0 tests=RAZOR2_CF_RANGE_51_100=0.5,
	RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
	RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
	SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
	URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094

=== Scanned a moment later in a loop, hit blacklist

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: **
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=119.5 required=5.0 tests=RAZOR2_CF_RANGE_51_100=0.5,
	RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
	RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
	SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
	URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094,
	USER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7

== Original Message

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 95612 invoked by uid 0); 23 Jan 2007 08:34:19 -
Received: from 127.0.0.1 by mx2.oct.nac.net (envelope-from [EMAIL PROTECTED], uid 0) with qmail-scanner-1.25 (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0. Clear:RC:1(127.0.0.1):. Processed in 1.629328 secs); 23 Jan 2007 08:34:19 -
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:1(127.0.0.1):. Processed in 1.629328 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To:
X-Qmail-Scanner-NAC-Scanners-Run: clamdscan_scanner fprot_scanner
Received: from unknown (HELO mx2.oct.nac.net) (127.0.0.1) by localhost with SMTP; 23 Jan 2007 08:34:17 -
Received: (qmail 95433 invoked by alias); 23 Jan 2007 08:34:15 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 95336 invoked by uid 0); 23 Jan 2007 08:34:12 -
Received: from 81.14.191.12 by mx2.oct.nac.net (envelope-from [EMAIL PROTECTED], uid 0) with qmail-scanner-1.25 (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0. Clear:RC:0(81.14.191.12):. Processed in 4.496398 secs); 23 Jan 2007 08:34:12 -
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:0(81.14.191.12):. Processed in 4.496398 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To: REDIRECT_NONE
X-Qmail-Scanner-NAC-Scanners-Run:
Received: from unknown (HELO ovjkuxqmpy) (81.14.191.12) by rbl-mx.nac.net with SMTP; 23 Jan 2007 08:34:07 -
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Tue, 23 Jan 2007 09:35:01 +0100
From: Man Aida [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=learned.dirty; d=dialupnet.com; b=BkqGXQzAyMlUagemGOpLIxezlerUABJhtHFfMORxbSauBfGAoroqGlvDCVRpRfuXvGXXtGXmaabRNJwo;
User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Be Rich, Get Yourself Rolex/AP/Bvlgari/PatekPhilippe .. At $ 199 Each least street
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

100% Similar Quality, from $ 199 Each
Show Off to your colleague that you can afford a ROLEX as well
More random text

== Message 2

=== Scanned ok
Re: USER_IN_WHITELIST problem
Sherman Lilly wrote:
> I was looking on the net and I came across a plugin on spamassassin I
> don't think i have loaded. Will the SPF plugin help with this problem?

Yes... *if* you replace whitelist_from with whitelist_from_spf

Alternatively you can try something like this:

    whitelist_from_rcvd [EMAIL PROTECTED] yourmailserver.com

whitelist_from should always be a last resort because it's so easy for spammers to forge the From: and Return-Path: headers. If at all possible, you should use one of the more specific whitelist functions that will double-check against the received headers, SPF, DKIM, etc.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: USER_IN_WHITELIST problem
Ok I have an update.

I picked a message that was getting marked USER_IN_WHITELIST once every 5 or so messages. I took the from address and added this code to Perl..Mail\SpamAssassin\EvalTests.pm

    if ($addr =~ qr/$regexp/i) {
      dbg("rules: address $addr matches whitelist or blacklist regexp: $regexp");
      if ($addr eq '[EMAIL PROTECTED]') {
        info("PARADOX: rules: address $addr matches whitelist or blacklist regexp: $regexp");
        foreach my $reg (values %{$list}) {
          info("PARADOX: $reg");
        }
      }
      # remainder of the original if-block unchanged
    }

I then ran my loop and watched the log. After a few tries it hit. Guess the cool part. It printed out hundreds and hundreds of lines of blacklist/whitelist settings. I use a domain/username file based pref system, no sql, nothing broken there. The hundreds of lines were not 'all' my wl/bl's. After some more debugging I am pretty confident that I am seeing the list of all wl/bl's loaded in memory for any message being scanned at that moment. On this particular box probably around 25 or so.

Pretty cool huh? How is this possible? How did it just start happening out of nowhere?

Ryan Pavely
Director Research And Development
Net Access Corporation
http://www.nac.net/
http://www.15minuteservers.com/
Re: USER_IN_WHITELIST problem
Will Nordmeyer wrote:
> René Berber wrote:
>> Sherman Lilly wrote:
>>> [snip]
>>> I get why they are getting through. They are spoofing the Return-Path.
>>> Is there any way to remedy this problem?
>>
>> Depends on your server. For sendmail there is:
>>
>> http://ultra.ap.krakow.pl/~raj/sendmail/english.html
>>
>> the FEATURE(`local_sender_check') gets rid of all forged addresses
>> pretending to be from your domain.
>> --
>
> Unfortunately, at least in my case, the addresses aren't forged - they are
> actual addresses on my server (Some of my clients APPEAR to send themselves
> quite a bit of this garbage), so the local_sender_check wouldn't help,
> because the return path appears to be themselves.

That could be solved with smtp auth, of course that means that your clients/users need to change their configuration, or by implementing pop-before-send.

As for SA, the plugin Botnet will catch most spammers, over 90% in my experience (even if it is redundant with some of the dynamic-ip-blacklist tests).

-- 
René Berber
USER_IN_WHITELIST problem
I have spam getting through that would get filtered if they were not getting -100 because of the USER_IN_WHITELIST rule. I do have a whitelist but none of these spam emails have anything close to my whitelist. I am using the latest version of spamassassin and update my rules daily. I have also added the SARE rules to my configuration. The system is doing a great job. I would say I am successfully filtering 95% of the spam coming in. Now I'm just doing some fine tuning and need some help.
Re: USER_IN_WHITELIST problem
Sherman Lilly wrote:
> I have spam getting through that would get filtered if they were not
> getting -100 because of the USER_IN_WHITELIST rule. I do have a
> whitelist but no of these spam email have anything close to my whitelist.

Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting. It's probably hitting on whatever the envelope from address is (found in the Return-Path header). Most of the time this happens when people whitelist their own domain using whitelist_from.

Daryl
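Daryl's point above (and Kelson's whitelist_from_rcvd suggestion earlier in the thread) modelled in Python, as an added example that is not SpamAssassin's own code: whitelist_from is compared only against sender headers such as Return-Path and From:, which the sending host writes itself, so a glob covering your own domain matches any message that merely claims to come from you. whitelist_from_rcvd keeps the same glob but also requires the reverse-DNS name of the last external relay, read from the Received: headers, to fall under the named domain. The trusted-relay set, the example.org addresses, the 192.0.2.x/203.0.113.x relays and both sample messages are constructed for the example; the trust model is a simplification of SpamAssassin's trusted_networks handling.

```python
"""whitelist_from vs whitelist_from_rcvd, modelled in Python (added example)."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional

# Headers whitelist_from is checked against (simplified from SpamAssassin).
SENDER_HEADERS = ("Return-Path", "From", "Sender", "Resent-From")

# Assumed to be our own relays: Received: lines they added are skipped when
# looking for the last external hop (stand-in for trusted_networks).
TRUSTED_RELAYS = {"mail.example.org", "winserv-dp-9880"}

# Postfix/sendmail style clauses: "from HELO (rdns [ip])" or "from HELO ([ip])".
RCVD_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[\d.]+)\]\)",
    re.IGNORECASE,
)


def parse(raw: str) -> Message:
    return message_from_string(raw)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """whitelist_from globs: '*' and '?' wildcards, whole-address, case-insensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(r"\A" + escaped + r"\Z", re.IGNORECASE)


def extract_address(value: str) -> str:
    """Bare address from 'Name <addr>', '<addr>' or 'addr'."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip()


def sender_addresses(msg: Message) -> List[str]:
    return [extract_address(v) for h in SENDER_HEADERS for v in msg.get_all(h, [])]


def last_external_relay(msg: Message) -> Optional[Dict[str, str]]:
    """Walk Received: newest-first; the first hop not sent by one of our own
    relays is the last external relay (the host that really handed us the mail)."""
    for value in msg.get_all("Received", []):
        m = RCVD_RE.search(value)
        if not m:
            continue
        helo, rdns, ip = m.group("helo"), m.group("rdns") or "", m.group("ip")
        if helo in TRUSTED_RELAYS or rdns in TRUSTED_RELAYS:
            continue
        return {"helo": helo, "rdns": rdns, "ip": ip}
    return None


def whitelist_from(msg: Message, pattern: str) -> bool:
    """True if any sender header matches the glob; trivially forgeable."""
    rx = glob_to_regex(pattern)
    return any(rx.match(addr) for addr in sender_addresses(msg))


def whitelist_from_rcvd(msg: Message, pattern: str, domain: str) -> bool:
    """True only if the glob matches AND the last external relay's rDNS is
    `domain` or a host beneath it; no rDNS recorded means no match."""
    if not whitelist_from(msg, pattern):
        return False
    relay = last_external_relay(msg)
    if relay is None or not relay["rdns"]:
        return False
    rdns, d = relay["rdns"].lower(), domain.lower()
    return rdns == d or rdns.endswith("." + d)


# Constructed spam shaped like the header posted in the thread: envelope sender
# and From: both claim our domain, but the mail arrived from a dial-up host.
SPOOFED = """\
Return-Path: <alice@example.org>
Received: from winserv-dp-9880 ([10.155.0.69]) by mail.example.org
        (8.13.8/8.11.6) with SMTP id ABC123 for <alice@example.org>;
        Sun, 21 Jan 2007 11:41:32 -0500
Received: from hsjyatbrlvpmk (dsl-1-2-3-4.isp.example.net [203.0.113.45])
        by winserv-dp-9880 (Postfix) with SMTP id DEF456
        for <alice@example.org>; Sun, 21 Jan 2007 11:43:56 -0500
From: John <alice@example.org>
To: alice@example.org
Subject: work: thou shalt see not hold of before the race is

(body omitted)
"""

# Constructed legitimate mail relayed through the domain's own outbound host.
GENUINE = """\
Return-Path: <bob@example.org>
Received: from smtp-out.example.org (smtp-out.example.org [192.0.2.25])
        by mail.example.org (Postfix) with ESMTP id 2FB331757E
        for <alice@example.org>; Fri, 12 Jan 2007 09:36:50 -0600 (CST)
From: Bob <bob@example.org>
To: alice@example.org
Subject: lunch

(body omitted)
"""


def evaluate(raw: str, pattern: str = "*@example.org",
             domain: str = "example.org") -> Dict[str, bool]:
    msg = parse(raw)
    return {"whitelist_from": whitelist_from(msg, pattern),
            "whitelist_from_rcvd": whitelist_from_rcvd(msg, pattern, domain)}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, evaluate(raw))
```

Running it shows the asymmetry the thread is about: the spoofed message satisfies whitelist_from "*@example.org" (and would collect the -100) but fails whitelist_from_rcvd, because its last external relay resolves to an address under isp.example.net, while the genuine message passes both. Note the conservative choice that a hop with no reverse DNS in its Received: line never satisfies the rcvd variant.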
RE: USER_IN_WHITELIST problem
Well, I certainly don't mean to be argumentative about this, but over the weekend, I had to set USER_IN_WHITELIST score to 0 due to the number of false hits it was receiving. Seeing as I am the only one here who has the ability to add and remove from whitelists or blacklists, I have a pretty good idea of what is in them. I can't say for sure, but there certainly seems to be a bug in this particular rule. If I could help to troubleshoot it, I would be glad to provide whatever information is necessary.

Drew Burchett
United Systems Software
Ph: (270)527-3293
Fax: (270)527-3132

-----Original Message-----
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 22, 2007 10:40 AM
To: Sherman Lilly
Cc: users@spamassassin.apache.org
Subject: Re: USER_IN_WHITELIST problem

Sherman Lilly wrote:
> I have spam getting through that would get filtered if they were not
> getting -100 because of the USER_IN_WHITELIST rule. I do have a
> whitelist but no of these spam email have anything close to my whitelist.

Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting. It's probably hitting on whatever the envelope from address is (found in the Return-Path header). Most of the time this happens when people whitelist their own domain using whitelist_from.

Daryl

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.
Re: USER_IN_WHITELIST problem
Drew Burchett wrote:
> Well, I certainly don't mean to be argumentative about this, but over the
> weekend, I had to set USER_IN_WHITELIST score to 0 due to the number of
> false hits it was receiving. Seeing as I am the only one here who has the
> ability to add and remove from whitelists or blacklists, I have a pretty
> good idea of what is in them. I can't say for sure, but there certainly
> seems to be a bug in this particular rule. If I could help to troubleshoot
> it, I would be glad to provide whatever information is necessary.

All this guessing can easily be put to rest by posting:

1. The headers of the message in question
2. Your SA whitelist statements

-Jim
Re: USER_IN_WHITELIST problem
On Monday 22 January 2007 11:39, you wrote:
> Sherman Lilly wrote:
>> I have spam getting through that would get filtered if they were not
>> getting -100 because of the USER_IN_WHITELIST rule. I do have a
>> whitelist but no of these spam email have anything close to my whitelist.
>
> Yes they do, otherwise you wouldn't see USER_IN_WHITELIST hitting. It's
> probably hitting on whatever the envelope from address is (found in the
> Return-Path header). Most of the time this happens when people whitelist
> their own domain using whitelist_from.
>
> Daryl

Daryl,

You are completely right. I have whitelisted my domain and when I remove that rule from my cf the bad emails get blocked. Here is the header of an email that is getting through. It should have failed. The rule is

    WHITELIST_FROM [EMAIL PROTECTED]

Here is the header.

Return-Path: [EMAIL PROTECTED]
Delivered-To: unknown
Received: from 10.155.0.68 (10.155.0.68) by imap.knoxcounty.org with POP3; 22 Jan 2007 13:02:37 -
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.knoxcounty.org
X-Spam-Level:
X-Spam-Status: No, score=-80.4 required=4.6 tests=EXTRA_MPART_TYPE,
        HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_FONT_BIG,
        HTML_IMAGE_ONLY_08,HTML_MESSAGE,MY_CID_AND_CLOSING,MY_CID_AND_STYLE,
        PART_CID_STOCK,PART_CID_STOCK_LESS,RCVD_IN_SORBS_DUL,SARE_GIF_ATTACH,
        SARE_GIF_STOX,TVD_FW_GRAPHIC_ID1,UNPARSEABLE_RELAY,USER_IN_WHITELIST
        autolearn=disabled version=3.1.7
Received: from winserv-dp-9880 ([10.155.0.69]) by mail.knoxcounty.org (8.13.8/8.11.6)
        with SMTP id l0LGfODE015790 for [EMAIL PROTECTED]; Sun, 21 Jan 2007 11:41:32 -0500
Received: from dsl-189-136-76-104.prod-infinitum.com.mx ([189.136.76.104])
        by winserv-dp-9880 (SMSSMTP 4.0.0.59) with SMTP id M2007012111435603309
        for [EMAIL PROTECTED]; Sun, 21 Jan 2007 11:43:56 -0500
Received: from el-molino.com (port=15590 helo=hsjyatbrlvpmk)
        by dsl-189-136-76-104.prod-infinitum.com.mx with smtp id 1dKU-cxFT-JI
        for [EMAIL PROTECTED]; Sun, 21 Jan 2007 10:41:25 -0600
Message-ID: [EMAIL PROTECTED]
From: John [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: work: thou shalt see not hold of before the race is I: will make
Date: Sun, 21 Jan 2007 10:41:25 -0600
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_000B_01C73D48.AF3EDA20
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Length: 17836
X-UID: 2691

Thank You,
Sherman
RE: USER_IN_WHITELIST problem
Do you have some example headers?

This is a legitimate email, but it got flagged as USER_IN_WHITELIST while CNN is not listed in my whitelist:

Received: from cnnimail33.turner.com (cnnimail33.turner.com [64.236.25.90])
        by spamfilter.onlineky.net (Postfix) with ESMTP id 2FB331757E
        for [EMAIL PROTECTED]; Fri, 12 Jan 2007 09:36:50 -0600 (CST)
Received: from mail.cnn.com (10.165.130.21) by cnnimail33.turner.com with ESMTP; 12 Jan 2007 10:36:49 -0500
Message-Id: [EMAIL PROTECTED]
From: CNNMoney.com Alerts [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Russia's Lukoil pumps $2.4B in profits
MIME-Version: 1.0
Content-Type: TEXT/HTML; charset=US-ASCII
Date: Fri, 12 Jan 2007 09:36:50 -0600 (CST)

This one is most likely spam as this email account has been inactive for at least 6 months:

Received: from tigger.babycenter.com (tigger.babycenter.com [10.128.130.152])
        by cosby.mailsender.com (8.13.8/8.13.8) with ESMTP id l0D5hne7011671
        for [EMAIL PROTECTED]; Fri, 12 Jan 2007 21:44:03 -0800 (PST)
Message-ID: [EMAIL PROTECTED]
Date: Fri, 12 Jan 2007 21:43:49 -0800 (PST)
From: BabyCenter Store [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: This weekend only. $50 off on top of sale prices.
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

Another one to that same user:

Received: from MYWX-S8.myweather.net (cliff.myweather.net [64.73.35.115])
        by spamfilter.onlineky.net (Postfix) with ESMTP id 8ED2119631
        for [EMAIL PROTECTED]; Sat, 13 Jan 2007 02:31:14 -0600 (CST)
Received: by MYWX-S8.myweather.net (PowerMTA(TM) v2.0r13) id hl2cd6046443;
        Sat, 13 Jan 2007 02:31:01 -0600 (envelope-from [EMAIL PROTECTED])
Date: Sat, 13 Jan 2007 02:31:01 -0600
Subject: Your Personal Predictor
x-envid: 1168677003.1103304562
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Content-type: text/html; charset=ISO-8859-1
Message-Id: [EMAIL PROTECTED]

This one got flagged as spam for several other users and then got the USER_IN_WHITELIST out of the blue:

Received: from mta130.e.drugstore.com (mta130.e.drugstore.com [66.165.105.168])
        by spamfilter.onlineky.net (Postfix) with SMTP id 9BCA41BFA6
        for [EMAIL PROTECTED]; Sun, 14 Jan 2007 07:41:04 -0600 (CST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=200505; d=e.drugstore.com;
        b=cY8Vpx/rnCIRMKPGZRNHM4/KNsEpr4kHYii2STgI9W6HEF2b9Di5sIret/1YfAqwoGtfis
        iuPTBVdqNgjuFdDrRKkSapc4KvdDIOMTJlusKwn4ViXq0Pp/hgoVBuJ5StpuOl4aJZGrRSte
        srCsYmvwo1IaDqSRaqoOCVbTZq2lI=;
        h=Date:Message-ID:List-Unsubscribe:From:To:Subject:MIME-Version:Reply-To:Content-type;
Date: Sun, 14 Jan 2007 13:41:04 -
Message-ID: [EMAIL PROTECTED]
List-Unsubscribe: mailto:[EMAIL PROTECTED]
From: drugstore.com [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Save up to 40% and stock up for the new year
MIME-Version: 1.0
Reply-To: drugstore.com [EMAIL PROTECTED]
Content-type: multipart/alternative; boundary==b19wt9ya08rqp8bx3mk4jbujgjpyka

Received: from nl-mail5.internet.com (nl-mail5.internet.com [64.62.164.185])
        by spamfilter.onlineky.net (Postfix) with ESMTP id CE73821EA0
        for [EMAIL PROTECTED]; Tue, 16 Jan 2007 09:40:16 -0600 (CST)
Received: from nl.internet.com (192.168.5.118) by nl-mail5.internet.com with ESMTP; 16 Jan 2007 07:39:02 -0800
Received: by mail8.internet.com (Postfix, from userid 0) id EDFA41190032; Tue, 16 Jan 2007 07:38:56 -0800 (PST)
To: [EMAIL PROTECTED]
Subject: Tech Brief: Manage Performance Availability of .NET Apps
Reply-To: [EMAIL PROTECTED]
Content-description: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii
From: DevX Skill Building Update [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Tue, 16 Jan 2007 07:38:56 -0800 (PST)

Received: from dc1img10.digitalriver.com (dc1img10.digitalriver.com [66.192.69.11])
        by spamfilter.onlineky.net (Postfix) with ESMTP id BC3021FEAC
        for [EMAIL PROTECTED]; Tue, 16 Jan 2007 10:26:27 -0600 (CST)
Date: 16 Jan 2007 10:26:13 -0600
From: Nuance - Makers of PaperPort [EMAIL PROTECTED]
X-Complaints-to: [EMAIL PROTECTED]
To: Nancy [EMAIL PROTECTED]
Reply-To: Nuance - Makers of PaperPort [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Subject: Exclusive customer savings on OmniPage - 50% off
X-MID: 19198-bhb2fz7bz5vsedwr2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=06986E0E1E196312E032AFBC

-- 
Thanks,
James