Re: whitelist_from_rcvd to train bayesdb ?

2007-04-27 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> Hi,
>
> Although I have some negative-score rules, my ham mails never score
> too much below zero. I've set auto learning for ham to -12 to be sure
> spam never gets marked as ham and my bayes database doesn't get
> polluted - I think it's quite bad if ham mail would be autolearned as
> spam (I guess much worse than the other way around).
>
> Anyway, I've been thinking to use "whitelist_from_rcvd" to mark mail
> from certain providers (which I never saw spam from if it came from
> the right mailserver) with a low score so that my database also gets
> trained with more ham.

userconf rules are not used when determining the learning score. This
includes all "whitelist_*" rules.




whitelist_from_rcvd to train bayesdb ?

2007-04-27 Thread kshatriyak

Hi,

Although I have some negative-score rules, my ham mails never score too
much below zero. I've set auto learning for ham to -12 to be sure spam
never gets marked as ham and my bayes database doesn't get polluted - I
think it's quite bad if ham mail would be autolearned as spam (I guess
much worse than the other way around).

Anyway, I've been thinking to use "whitelist_from_rcvd" to mark mail from
certain providers (which I never saw spam from if it came from the
right mailserver) with a low score so that my database also gets trained
with more ham.

So for example:

whitelist_from_rcvd  [EMAIL PROTECTED]  isp-sending-domain

Is this a good idea, or am I abusing the whitelist_from_rcvd rule and
missing something, so that this will have a bad impact in the end?


Thanks!
K.



Re: whitelist_from_rcvd problem

2007-04-26 Thread Duane Hill

On Thu, 26 Apr 2007, John D. Hardin wrote:

> On Thu, 26 Apr 2007, Bret Miller wrote:
>
>> I said:
>> whitelist_from_rcvd [EMAIL PROTECTED] sbc.com
>
> try:
>
>  whitelist_from_rcvd [EMAIL PROTECTED] *.sbc.com


If that does work, it goes against what is documented. I haven't had any 
problem with whitelist_from_rcvd in the way Bret has illustrated.


"The first parameter is the address to whitelist, and the second is a
 string to match the relay's rDNS.

 This string is matched against the reverse DNS lookup used during the
 handover from the internet to your internal network's mail exchangers.
 It can either be the full hostname, or the domain component of that
 hostname."


Re: whitelist_from_rcvd problem

2007-04-26 Thread John D. Hardin
On Thu, 26 Apr 2007, Bret Miller wrote:

> I said:
> whitelist_from_rcvd [EMAIL PROTECTED] sbc.com

try:

  whitelist_from_rcvd [EMAIL PROTECTED] *.sbc.com

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Judicial Activism (n): interpreting the Constitution to grant the
  government powers that are popularly felt to be "needed" but that
  are not explicitly provided for therein (common definition);
  interpreting the Constitution as it is written (Brady definition)
---
 558 days until the Presidential Election



RE: whitelist_from_rcvd problem

2007-04-26 Thread Bret Miller
> One of my users is supposed to get messages from this person, but they
> often get marked as spam. So I want to whitelist, and I can use
> whitelist_from, but I want to use whitelist_from_rcvd. BUT, it doesn't
> work for me.
>
> I said:
> whitelist_from_rcvd [EMAIL PROTECTED] sbc.com
>
> Which I think means that as long as his e-mail comes from any host in
> any subdomain of sbc.com, it should be whitelisted. But the message
> didn't hit the whitelist. (Headers below.)

OK, never mind. Upgrading to rc3 (or something in the update process)
fixed this.

Bret



>
> Before I opened a bug ticket, I just wanted to make sure my reasoning
> was sound in thinking that this should have been whitelisted by the
> above configuration entry. (I've had to report bugs previously with
> whitelist_spf not parsing the received headers from
> CommuniGate Pro, so
> perhaps this is related. I wonder if the header-parsing code is a
> central routine or if each plugin has its own way of doing it...)
>
> Thanks,
> Bret
>
>
>
> X-Spam-Tests:
> tests=AWL=4.115,BAYES_50=0.001,DKIM_POLICY_SIGNSOME=0.001,
>   FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,RCVD_IN_MXRATE_WL=-1,
>   RDNS_NONE=0.1;autolearn=no
> X-Spam-Score: 4.7
> X-Spam-Checker-Version: SpamAssassin 3.2.0-rc2 (2007-04-13) on
> mail.hq.wcg.org
> X-Spam-Level: 
> X-TFF-CGPSA-Version: 1.6a5
> X-WCG-CGPSA-Filter: Scanned
> X-SPAM-FLAG: Yes
> Return-Path: <[EMAIL PROTECTED]>
> Received: from nlpi029.sbcis.sbc.com ([207.115.36.58] verified)
>   by mail.wcg.org (CommuniGate Pro SMTP 5.1.8)
>   with ESMTP id 21043544 for [EMAIL PROTECTED]; Thu,
> 26 Apr 2007
> 11:37:26 -0700
> Received-SPF: none
>  receiver=mail.wcg.org; client-ip=207.115.36.58;
> [EMAIL PROTECTED]
> X-ORBL: [63.198.171.170]
> Received: from JBROD (adsl-63-198-171-170.dsl.lsan03.pacbell.net
> [63.198.171.170])
>   by nlpi029.sbcis.sbc.com (8.13.8 out.dk.spool/8.13.8) with ESMTP
> id l3QIUgM5027947
>   for <[EMAIL PROTECTED]>; Thu, 26 Apr 2007 13:31:11 -0500
> From: "Jon Brod" <[EMAIL PROTECTED]>
> To: "'Bernie Schnippert'" <[EMAIL PROTECTED]>
> Subject: RE: California/Ontario Estate Matter
> Date: Thu, 26 Apr 2007 11:30:09 -0700
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>   boundary="=_NextPart_000_0010_01C787F6.4582C0D0"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.6626
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
> In-Reply-To: <[EMAIL PROTECTED]>
>
>
>
>





whitelist_from_rcvd problem

2007-04-26 Thread Bret Miller
One of my users is supposed to get messages from this person, but they
often get marked as spam. So I want to whitelist, and I can use
whitelist_from, but I want to use whitelist_from_rcvd. BUT, it doesn't
work for me.

I said:
whitelist_from_rcvd [EMAIL PROTECTED] sbc.com

Which I think means that as long as his e-mail comes from any host in
any subdomain of sbc.com, it should be whitelisted. But the message
didn't hit the whitelist. (Headers below.)

Before I opened a bug ticket, I just wanted to make sure my reasoning
was sound in thinking that this should have been whitelisted by the
above configuration entry. (I've had to report bugs previously with
whitelist_spf not parsing the received headers from CommuniGate Pro, so
perhaps this is related. I wonder if the header-parsing code is a
central routine or if each plugin has its own way of doing it...)

Thanks,
Bret



X-Spam-Tests: tests=AWL=4.115,BAYES_50=0.001,DKIM_POLICY_SIGNSOME=0.001,
FH_RELAY_NODNS=1.451,HTML_MESSAGE=0.001,RCVD_IN_MXRATE_WL=-1,
RDNS_NONE=0.1;autolearn=no
X-Spam-Score: 4.7
X-Spam-Checker-Version: SpamAssassin 3.2.0-rc2 (2007-04-13) on
mail.hq.wcg.org
X-Spam-Level: 
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
X-SPAM-FLAG: Yes
Return-Path: <[EMAIL PROTECTED]>
Received: from nlpi029.sbcis.sbc.com ([207.115.36.58] verified)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.8)
  with ESMTP id 21043544 for [EMAIL PROTECTED]; Thu, 26 Apr 2007
11:37:26 -0700
Received-SPF: none
 receiver=mail.wcg.org; client-ip=207.115.36.58;
[EMAIL PROTECTED]
X-ORBL: [63.198.171.170]
Received: from JBROD (adsl-63-198-171-170.dsl.lsan03.pacbell.net
[63.198.171.170])
by nlpi029.sbcis.sbc.com (8.13.8 out.dk.spool/8.13.8) with ESMTP
id l3QIUgM5027947
for <[EMAIL PROTECTED]>; Thu, 26 Apr 2007 13:31:11 -0500
From: "Jon Brod" <[EMAIL PROTECTED]>
To: "'Bernie Schnippert'" <[EMAIL PROTECTED]>
Subject: RE: California/Ontario Estate Matter
Date: Thu, 26 Apr 2007 11:30:09 -0700
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_0010_01C787F6.4582C0D0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
In-Reply-To: <[EMAIL PROTECTED]>





whitelist_from_rcvd questions

2007-04-10 Thread Robert
Greets,

Can lines be combined in a situation like this

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com
whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com


does this work or should this be done?

can they be combined into one statement or should they be separate?

Any other tips etc?

Thanks!

 - rh

--
Abba Communications Internet & Computer Services
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net



Re: whitelist_from_rcvd inquiry

2007-04-09 Thread Matt Kettler
R Lists06 wrote:
>> Matt Kettler wrote:
>> Separate.
>> 
> *snip*
>   
>> In general, for options that you can do many of on one line, you only
>> put the option name itself once, you don't repeat it.
>> 
>
> Thanks
>
> What I was getting at is what if there are multiple sending hosts...
>
> Obviously the thing that changed was the last parameter
>
> Still separate???
>
> How do we deal with multiple possible sending domains?
>
> I take it that it still cannot be dealt with on one line?  :-)
>
> The original email should have looked like this as when I got it back it was
> all one line. Oops.
>
> whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com
>
> whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com
>
> does it make more sense now?
>   

Yep, you'd still do separate lines.. unless of course hisdomain supports
SPF, then I'd set up SPF in SA and use whitelist_from_spf.




RE: whitelist_from_rcvd inquiry

2007-04-09 Thread R Lists06

> Matt Kettler wrote:
> Separate.
*snip*
> In general, for options that you can do many of on one line, you only
> put the option name itself once, you don't repeat it.

Thanks

What I was getting at is what if there are multiple sending hosts...

Obviously the thing that changed was the last parameter

Still separate???

How do we deal with multiple possible sending domains?

I take it that it still cannot be dealt with on one line?  :-)

The original email should have looked like this as when I got it back it was
all one line. Oops.

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com

whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com

does it make more sense now?

 - rh

--
Abba Communications - Internet 
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net



Re: whitelist_from_rcvd inquiry

2007-04-09 Thread Matt Kettler
R Lists06 wrote:
> Greeting,
>
> Can lines be combined in a situation like this...
>
> whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com whitelist_from_rcvd
> [EMAIL PROTECTED] hisotherdomain.com
>
>
> does this work or should this be done?
>   
No. If you run spamassassin --lint, it should generate a warning. If it
doesn't it's an oversight in the lint processor.
> can they be combined into one statement or should they be separate?
>   
Separate.
> Any other tips etc?
>   
In general, for options that you can do many of on one line, you only
put the option name itself once, you don't repeat it.



whitelist_from_rcvd inquiry

2007-04-09 Thread R Lists06

Greeting,

Can lines be combined in a situation like this...

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com whitelist_from_rcvd
[EMAIL PROTECTED] hisotherdomain.com


does this work or should this be done?

can they be combined into one statement or should they be separate?

Any other tips etc?

Thanks in advance!

 - rh

--
Abba Communications Internet & Computer Services
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




Re: whitelist_from_rcvd

2007-03-21 Thread Bob McClure Jr
On Wed, Mar 21, 2007 at 05:03:49PM -0400, Robert Fitzpatrick wrote:
> I have this in my local.cf file...
> 
> whitelist_from_rcvd [EMAIL PROTECTED] *.blackberry.com
> 
> Shouldn't this not get tagged?

Change that to

  whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com

You don't need or want the glob on the server domain.

> Return-Path: <>
> Delivered-To: spam-quarantine
> X-Envelope-From: <[EMAIL PROTECTED]>
> X-Envelope-To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> X-Quarantine-ID: 
> X-Spam-Flag: YES
> X-Spam-Score: 6.705
> X-Spam-Level: **
> X-Spam-Status: Yes, score=6.705 tag=-999 tag2=4.6 kill=4.6 tests=[AWL=-5.090,
> BAYES_00=-2.599, FROM_EXCESS_BASE64=1.309, RAZOR2_CF_RANGE_51_100=0.5,
> RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=2.5, URIBL_JP_SURBL=4.087,
> URIBL_SC_SURBL=4.498]
> Received: from esmtp.webtent.net ([127.0.0.1])
> by localhost (esmtp.webtent.net [127.0.0.1]) (amavisd-new, port 10024)
> with ESMTP id AoDSTJF3q8ee; Wed, 21 Mar 2007 16:14:53 -0400 (EDT)
> Received: from smtp01.bis.na.blackberry.com (smtp01.bis.na.blackberry.com 
> [216.9.248.48])
> by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway) 
> with ESMTP id 1F5867F2BB;
> Wed, 21 Mar 2007 16:14:52 -0400 (EDT)
> Message-ID: <[EMAIL PROTECTED]
> Content-Transfer-Encoding: quoted-printable
> Reply-To: [EMAIL PROTECTED]
> Sensitivity: Normal
> Importance: Normal
> To: "Bruce Orand" <[EMAIL PROTECTED]>
> Subject: Fw: breathtaking then selfish
> From: "=?UTF-8?B?SmVyZW15IENoYXBtYW4=?=" <[EMAIL PROTECTED]>
> Date: Wed, 21 Mar 2007 21:22:48 +
> Content-type: text/plain
> MIME-Version: 1.0
> 
> -- 
> Robert

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
The wicked man earns deceptive wages, but he who sows righteousness
reaps a sure reward.  Proverbs 11:18 (NIV)


whitelist_from_rcvd

2007-03-21 Thread Robert Fitzpatrick
I have this in my local.cf file...

whitelist_from_rcvd [EMAIL PROTECTED] *.blackberry.com

Shouldn't this not get tagged?

Return-Path: <>
Delivered-To: spam-quarantine
X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
X-Quarantine-ID: 
X-Spam-Flag: YES
X-Spam-Score: 6.705
X-Spam-Level: **
X-Spam-Status: Yes, score=6.705 tag=-999 tag2=4.6 kill=4.6 tests=[AWL=-5.090,
BAYES_00=-2.599, FROM_EXCESS_BASE64=1.309, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=2.5, URIBL_JP_SURBL=4.087,
URIBL_SC_SURBL=4.498]
Received: from esmtp.webtent.net ([127.0.0.1])
by localhost (esmtp.webtent.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id AoDSTJF3q8ee; Wed, 21 Mar 2007 16:14:53 -0400 (EDT)
Received: from smtp01.bis.na.blackberry.com (smtp01.bis.na.blackberry.com 
[216.9.248.48])
by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway) with 
ESMTP id 1F5867F2BB;
Wed, 21 Mar 2007 16:14:52 -0400 (EDT)
Message-ID: <[EMAIL PROTECTED]
Content-Transfer-Encoding: quoted-printable
Reply-To: [EMAIL PROTECTED]
Sensitivity: Normal
Importance: Normal
To: "Bruce Orand" <[EMAIL PROTECTED]>
Subject: Fw: breathtaking then selfish
From: "=?UTF-8?B?SmVyZW15IENoYXBtYW4=?=" <[EMAIL PROTECTED]>
Date: Wed, 21 Mar 2007 21:22:48 +
Content-type: text/plain
MIME-Version: 1.0

-- 
Robert



RE: Why doesn't whitelist_from_rcvd work on this?

2007-03-16 Thread Duane Hill

On Fri, 16 Mar 2007, Gary V wrote:

>> I'm having trouble figuring out why my whitelist_from_rcvd statement
>> doesn't work on this message.
>>
>> whitelist_from_rcvd [EMAIL PROTECTED] *.cems.wamu.com #Washington
>> Mutual Statements
>>
>> In my debug output, I get:
>> [3260] dbg: received-header: parsed as [ ip=167.88.194.145
>> rdns=mtaw014.cems.wamu.com helo=mtaw014.cems.wamu.com by=mail.wcg.org
>> ident= envfrom= intl=0 id=20140775 auth= ]
>> [3260] dbg: received-header: relay 167.88.194.145 trusted? no internal?
>> No
>>
>> So, to me, it looks like it parsed the received header just fine. The
>> from address matches, and the received mtaw013.cems.wamu.com should
>> match *.cems.wamu.com should it not?
>>
>> What am I missing here?
>>
>> Bret
>
> Try it without globbing the client:
> [EMAIL PROTECTED] cems.wamu.com
>
> Gary V


Correct. Documentation leads me to think the email address can be globbed 
but the host's reverse name can not based on the examples shown.
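
The documentation quoted in the 2007-04-26 thread and the "no glob on the relay" replies above, as an added illustration that is not part of any post and not SpamAssassin's own code: it parses a `received-header: parsed as [...]` debug entry in the format posted above, then tests `whitelist_from_rcvd` lines against it. It assumes the second parameter is a literal full hostname or domain component and that only the address may be globbed; the function names, addresses and sample debug text are constructed.

```python
import re

# One "parsed as [ ... ]" debug entry, wrapped the way it appears in the posts.
_DBG_RE = re.compile(r"received-header: parsed as \[ (.*?) \]", re.S)

# Constructed sample (documentation-range IP, example.com names).
SAMPLE_DEBUG = """\
[1234] dbg: received-header: parsed as [ ip=192.0.2.45
rdns=mta14.mail.example.com helo=mta14.mail.example.com by=mx.example.net
ident= envfrom= intl=0 id=1001 auth= ]
"""

# Constructed config lines covering the cases argued about in the threads.
ENTRIES = [
    "whitelist_from_rcvd *@example.com mail.example.com",        # domain component
    "whitelist_from_rcvd *@example.com mta14.mail.example.com",  # full hostname
    "whitelist_from_rcvd *@example.com *.mail.example.com",      # glob on the relay
    "whitelist_from_rcvd *@example.com ail.example.com",         # not a label boundary
]


def parse_relay_debug(text):
    """Return the key=value fields of one 'parsed as [ ... ]' debug entry."""
    m = _DBG_RE.search(text)
    if not m:
        raise ValueError("no 'received-header: parsed as' entry found")
    fields = {}
    for token in m.group(1).split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def address_matches(addr, pattern):
    """Glob match on the address parameter; only * and ? are wildcards."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, addr, re.I) is not None


def rdns_matches(rdns, domain):
    """True if rdns is the given hostname or a host under the given domain."""
    rdns = rdns.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if not rdns or not domain:
        return False  # relay had no reverse DNS: nothing to compare against
    # Compare on a label boundary so "ail.example.com" cannot match
    # "mail.example.com"; the domain is taken literally, so "*." never matches.
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from_rcvd_hits(entry, from_addr, relay):
    """Evaluate one whitelist_from_rcvd line against a parsed relay."""
    parts = entry.split("#", 1)[0].split()  # drop a trailing comment
    if len(parts) != 3 or parts[0] != "whitelist_from_rcvd":
        raise ValueError("expected: whitelist_from_rcvd <address> <relay rDNS>")
    _, addr_pattern, domain = parts
    return address_matches(from_addr, addr_pattern) and rdns_matches(
        relay.get("rdns", ""), domain
    )


def evaluate(entries, from_addr, debug_text):
    """Map each config line to True/False for the relay in debug_text."""
    relay = parse_relay_debug(debug_text)
    return {e: whitelist_from_rcvd_hits(e, from_addr, relay) for e in entries}


if __name__ == "__main__":
    for line, hit in evaluate(ENTRIES, "statements@example.com", SAMPLE_DEBUG).items():
        print("HIT " if hit else "MISS", line)
```

A relay with an empty `rdns=` field cannot satisfy any entry in this model, whatever the From address is.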


RE: Why doesn't whitelist_from_rcvd work on this?

2007-03-16 Thread Gary V

> I'm having trouble figuring out why my whitelist_from_rcvd statement
> doesn't work on this message.
>
> whitelist_from_rcvd [EMAIL PROTECTED] *.cems.wamu.com #Washington
> Mutual Statements
>
> In my debug output, I get:
> [3260] dbg: received-header: parsed as [ ip=167.88.194.145
> rdns=mtaw014.cems.wamu.com helo=mtaw014.cems.wamu.com by=mail.wcg.org
> ident= envfrom= intl=0 id=20140775 auth= ]
> [3260] dbg: received-header: relay 167.88.194.145 trusted? no internal?
> No
>
> So, to me, it looks like it parsed the received header just fine. The
> from address matches, and the received mtaw013.cems.wamu.com should
> match *.cems.wamu.com should it not?
>
> What am I missing here?
>
> Bret


Try it without globbing the client:
[EMAIL PROTECTED] cems.wamu.com

Gary V





Why doesn't whitelist_from_rcvd work on this?

2007-03-16 Thread Bret Miller
I'm having trouble figuring out why my whitelist_from_rcvd statement
doesn't work on this message.

whitelist_from_rcvd [EMAIL PROTECTED] *.cems.wamu.com #Washington
Mutual Statements

Message Headers:
X-Spam-Tests: tests=AWL=0.427,BAYES_00=-2.599,DBL_12_LETTER_PGIMG=0.2,

HEADER_SPAM=3.789,HTML_MESSAGE=0.001,HTML_TAG_BALANCE_BODY=0.228,
MSGID_FROM_MTA_ID=1.393,NORMAL_HTTP_TO_IP=0.175,
SARE_HTML_MANY_BR05=0.5;autolearn=no
X-Spam-Score: 4.1
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
mail.hq.wcg.org
X-Spam-Level: 
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
X-SPAM-FLAG: Yes
X-Deliver-To: [EMAIL PROTECTED]
Return-Path: <[EMAIL PROTECTED]>
Received: from mtaw014.cems.wamu.com ([167.88.194.145] verified)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.5)
  with ESMTP id 20140775 for [EMAIL PROTECTED]; Thu, 01 Feb 2007 03:58:33
-0800
Received-SPF: none
 receiver=mail.wcg.org; client-ip=167.88.194.145;
[EMAIL PROTECTED]
Content-Type: multipart/alternative; boundary="=_NEXT_28374530"
Date: Thu, 01 Feb 2007 03:56:59 -0800
Mime-Version: 1.0
Reply-To: [EMAIL PROTECTED]
Mime-Subversion: 30c687-27c6f0
From: "Washington Mutual" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: A New Statement is Ready
Content-Transfer-Encoding: binary
Message-ID: <[EMAIL PROTECTED]>

In my debug output, I get:
[3260] dbg: received-header: parsed as [ ip=167.88.194.145
rdns=mtaw014.cems.wamu.com helo=mtaw014.cems.wamu.com by=mail.wcg.org
ident= envfrom= intl=0 id=20140775 auth= ]
[3260] dbg: received-header: relay 167.88.194.145 trusted? no internal?
No

So, to me, it looks like it parsed the received header just fine. The
from address matches, and the received mtaw013.cems.wamu.com should
match *.cems.wamu.com should it not?

What am I missing here?

Bret





Re: whitelist_from_rcvd

2007-01-23 Thread Robert Fitzpatrick

Matt Kettler wrote:
> Robert Fitzpatrick wrote:
>> I have the following in my local.cf file, but some messages get blocked
>> still, see my log entries below. I use amavisd-new and it seems those in
>> the log that show localhost as the client pass through and those
>> directly from the blackberry get blocked. Not sure why all would not be
>> coming from the amavisd localhost, can someone tell me what is going on?
>> Perhaps my whitelist_from_rcvd line is wrong? I want anything coming
>> from a user at culin.com using their blackberry to bypass filtering.
>>
>> whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com
>>
>> Passed message:
>
> My guess is one of the following two has occurred, in order of likelihood:
>
> 1) that SA doesn't have the right trusted_networks. (if your MX server
> has a private IP  (ie: static NAT) you *MUST* declare trusted_networks
> manually. The auto-guesser won't handle this scenario properly)
> 2) SA can't parse your received headers.
>
> You can test this by running one of the messages through spamassassin
> -D. If you need help, post the debug info here

Thanks, I am running static NAT, but with public IP addresses. The MX 
server does not have a private IP, it has a public IP address using NAT 
policies for outbound traffic in the firewall for proper rDNS. The 
configuration of the SonicWall firewall allows us to use multiple public 
subnets behind one WAN port.


The only message I have to run through SA is a blocked one, sorry, but 
how do I capture the debug output to file for posting here? I tried the 
following and got a copy of the file:


I did see some things referencing headers in the debug:

[38446] dbg: rules: running header regexp tests; score so far=0

[38446] dbg: rules: ran header rule __HAS_MSGID ==> got hit: "<"

[38446] dbg: rules: ran header rule __SANE_MSGID ==> got hit: "<[EMAIL 
PROTECTED]>

[38446] dbg: rules: "

[38446] dbg: rules: ran header rule __CT ==> got hit: "m"

[38446] dbg: rules: ran header rule __TOCC_EXISTS ==> got hit: """

[38446] dbg: rules: ran header rule __HAS_SUBJECT ==> got hit: "F"

[38446] dbg: rules: ran header rule __MSGID_OK_HEX ==> got hit: "96205411"

[38446] dbg: rules: ran header rule __BOUNCE_RP1 ==> got hit: "<>"

[38446] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ==> got hit: """

[38446] dbg: rules: ran header rule __HAS_RCVD ==> got hit: "f"

[38446] dbg: rules: ran header rule __FROM_ENCODED_B64 ==> got hit: 
"=?UTF-8?B?"

[38446] dbg: rules: ran header rule __CTYPE_HAS_BOUNDARY ==> got hit: 
"boundary"

[38446] dbg: rules: ran header rule __MIME_VERSION ==> got hit: "1"

[38446] dbg: rules: ran header rule __RATWARE_0_TZ_DATE ==> got hit: " 
+"

[38446] dbg: rules: ran header rule __MSGID_OK_DIGITS ==> got hit: 
"2049971341"

Thanks,

Robert



Re: whitelist_from_rcvd

2007-01-23 Thread Matt Kettler
Robert Fitzpatrick wrote:
> I have the following in my local.cf file, but some messages get blocked
> still, see my log entries below. I use amavisd-new and it seems those in
> the log that show localhost as the client pass through and those
> directly from the blackberry get blocked. Not sure why all would not be
> coming from the amavisd localhost, can someone tell me what is going on?
> Perhaps my whitelist_from_rcvd line is wrong? I want anything coming
> from a user at culin.com using their blackberry to bypass filtering.
>
> whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com
>
> Passed message:
>   


My guess is one of the following two has occurred, in order of likelihood:

1) that SA doesn't have the right trusted_networks. (if your MX server
has a private IP  (ie: static NAT) you *MUST* declare trusted_networks
manually. The auto-guesser won't handle this scenario properly)
2) SA can't parse your received headers.

You can test this by running one of the messages through spamassassin
-D. If you need help, post the debug info here.
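
The two causes listed in the reply above, as an added illustration that is not part of any post and not SpamAssassin's own code: a simplified model that walks the Received chain from newest to oldest and returns the first relay outside `trusted_networks`, which is the relay whose rDNS a `whitelist_from_rcvd` entry would be compared with. The header text, host names, addresses and function names are constructed, and the parser only understands the Postfix-style `from helo (rdns [ip])` form.

```python
import ipaddress
import re

# Postfix-style "from <helo> (<rdns> [<ip>])"; Postfix writes "unknown"
# in the rdns position when the client has no reverse DNS.
_RCVD_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

# Constructed chain, newest header first: an internal scanner hop, an MX
# with a private address, then the sender's relay on the internet side.
SAMPLE_RECEIVED = [
    "Received: from mx.internal.example (mx.internal.example [10.0.0.5])\n"
    "\tby scanner.internal.example (Postfix) with ESMTP id AAAA1111",
    "Received: from smtp01.mail.example.com (smtp01.mail.example.com [192.0.2.48])\n"
    "\tby mx.internal.example (Postfix) with ESMTP id BBBB2222",
]


def parse_received(headers):
    """Parse each header into a relay dict; unparseable headers get ip=None."""
    relays = []
    for header in headers:
        m = _RCVD_RE.search(header)
        if not m:
            # Cause 2 in the reply: a header the parser cannot read.
            relays.append({"helo": "", "rdns": "", "ip": None})
            continue
        helo, rdns, ip = m.groups()
        relays.append({"helo": helo, "rdns": "" if rdns == "unknown" else rdns, "ip": ip})
    return relays


def handover_relay(relays, trusted_networks):
    """Return the first relay (newest first) that is not trusted, or None."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for relay in relays:
        if relay["ip"] is None:
            return relay  # cannot be trusted; the walk stops here with no rDNS
        ip = ipaddress.ip_address(relay["ip"])
        if not any(ip in net for net in nets):
            return relay
    return None  # every hop was trusted


def handover_rdns(headers, trusted_networks):
    """rDNS a whitelist entry would be compared with, or None if no such relay."""
    relay = handover_relay(parse_received(headers), trusted_networks)
    return None if relay is None else relay["rdns"]


if __name__ == "__main__":
    # Cause 1: the private-address MX is not declared, so the walk stops at it.
    print(handover_rdns(SAMPLE_RECEIVED, ["127.0.0.0/8"]))
    # With the MX declared, the sender's relay is the one that gets compared.
    print(handover_rdns(SAMPLE_RECEIVED, ["127.0.0.0/8", "10.0.0.5/32"]))
```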




whitelist_from_rcvd

2007-01-23 Thread Robert Fitzpatrick
I have the following in my local.cf file, but some messages get blocked
still, see my log entries below. I use amavisd-new and it seems those in
the log that show localhost as the client pass through and those
directly from the blackberry get blocked. Not sure why all would not be
coming from the amavisd localhost, can someone tell me what is going on?
Perhaps my whitelist_from_rcvd line is wrong? I want anything coming
from a user at culin.com using their blackberry to bypass filtering.

whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com

Passed message:
esmtp# grep 085E237B4B1 /var/log/maillog
Jan 23 17:08:10 esmtp postfix/smtpd[96238]: 085E237B4B1: 
client=localhost.ky.webtent.net[127.0.0.1]
Jan 23 17:08:10 esmtp postfix/cleanup[99277]: 085E237B4B1: message-id=<[EMAIL 
PROTECTED]>
Jan 23 17:08:10 esmtp postfix/qmgr[23779]: 085E237B4B1: from=<[EMAIL 
PROTECTED]>, size=4457, nrcpt=1 (queue active)
Jan 23 17:08:10 esmtp amavis[98912]: (98912-18) Passed CLEAN, [216.9.248.50] 
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, 
mail_id: DJ-O0Sgt8iGF, Hits: 3.314, queued_as: 085E237B4B1, 1893 ms
Jan 23 17:08:10 esmtp postfix/smtp[99281]: 2EA9337B471: to=<[EMAIL PROTECTED]>, 
relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.32/0/0/1.9, dsn=2.6.0, 
status=sent (250 2.6.0 Ok, id=98912-18, from MTA([127.0.0.1]:10025): 250 2.0.0 
Ok: queued as 085E237B4B1)
Jan 23 17:08:10 esmtp postfix/smtp[99287]: 085E237B4B1: to=<[EMAIL PROTECTED]>, 
relay=71.16.138.218[71.16.138.218]:25, delay=0.51, delays=0.11/0/0.17/0.24, 
dsn=2.0.0, status=sent (250 OK)
Jan 23 17:08:10 esmtp postfix/qmgr[23779]: 085E237B4B1: removed

Blocked message:
esmtp# grep 1B36837B4BB /var/log/maillog
Jan 23 17:13:43 esmtp postfix/smtpd[99612]: 1B36837B4BB: 
client=smtp01.bis.na.blackberry.com[216.9.248.48]
Jan 23 17:13:43 esmtp postfix/cleanup[99710]: 1B36837B4BB: message-id=<[EMAIL 
PROTECTED]>
Jan 23 17:13:43 esmtp postfix/qmgr[23779]: 1B36837B4BB: from=<[EMAIL 
PROTECTED]>, size=53198, nrcpt=2 (queue active)
Jan 23 17:13:45 esmtp postfix/smtp[98957]: 1B36837B4BB: to=<[EMAIL PROTECTED]>, 
relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.84/0/0/2.4, dsn=2.5.0, 
status=sent (250 2.5.0 Ok, id=99667-12, BOUNCE)
Jan 23 17:13:45 esmtp postfix/smtp[98957]: 1B36837B4BB: to=<[EMAIL PROTECTED]>, 
relay=127.0.0.1[127.0.0.1]:10024, delay=3.2, delays=0.84/0/0/2.4, dsn=2.5.0, 
status=sent (250 2.5.0 Ok, id=99667-12, BOUNCE)
Jan 23 17:13:45 esmtp postfix/qmgr[23779]: 1B36837B4BB: removed
esmtp# grep 2049971341-1169590408-cardhu_blackberry /var/log/maillog
Jan 23 17:13:43 esmtp postfix/cleanup[99710]: 1B36837B4BB: message-id=<[EMAIL 
PROTECTED]>
Jan 23 17:13:45 esmtp amavis[99667]: (99667-12) Blocked SPAM, [216.9.248.48] 
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>, quarantine: 
spam-Q7bNs8B0f6e6.gz, Message-ID: <[EMAIL PROTECTED]>, mail_id: Q7bNs8B0f6e6, 
Hits: 4.757, 2370 ms

-- 
Robert



Re: Using whitelist_from_rcvd when there's no rDNS

2006-12-11 Thread Matt Kettler
Philip Prindeville wrote:
> I was wondering if SA could be modified to take an IP address
> for the second argument to whitelist_from_rcvd as well as a
> domain/host name string.
>
>   
Unfortunately, no. It would be a nice feature to add.
whitelist_from_rcvd_ip or some such.

> Lately I seem to be dealing with a lot of small businesses with
> poorly set-up mail servers, and no rDNS.  Sigh.
>   
On the consoling side, they'll have to fix that sooner or later.. much
of the civilized world will not accept email at all from a server with
no RDNS. Major ISPs included. (personally I greylist all hosts with no
RDNS but I don't blacklist them)

That said, in the general case I feel your pain and have much the same
problem.



Using whitelist_from_rcvd when there's no rDNS

2006-12-11 Thread Philip Prindeville
I was wondering if SA could be modified to take an IP address
for the second argument to whitelist_from_rcvd as well as a
domain/host name string.

Lately I seem to be dealing with a lot of small businesses with
poorly set-up mail servers, and no rDNS.  Sigh.

It would be useful to not bounce their email.

Thanks,

-Philip



Re: whitelist_from and whitelist_from_rcvd not working

2006-12-08 Thread Mark Adams
Hi Thanks for your mail,


On Mon, Dec 04, 2006 at 02:58:56PM -0500, Robert Swan wrote:
> 
> I had a similar problem with SA not reading a specific .cf file. I
> basically created a new greylist.cf file and copied the test over and it
> worked, and of course make sure it is in the right folder... Might be
> worth a try
> 

I have done this, but the issue is still occurring. Has anyone else seen
this or have any suggestions?

> 
> 
> Robert
>  
>  
>

Regards,
Mark

>  
>  
>  
> Peace he would say instead of goodbyepeace my brother.
> 
> -----Original Message-----
> From: Mark Adams [mailto:[EMAIL PROTECTED] 
> Sent: Monday, December 04, 2006 12:56 PM
> To: [EMAIL PROTECTED]
> Cc: users@spamassassin.apache.org
> Subject: Re: whitelist_from and whitelist_from_rcvd not working
> 
> On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
> > Mark Adams wrote:
> > >Hi All,
> > >
> > >Spamassassin 3.1.4-1
> > >
> > >Currently have entries like the following in the local.cf file
> > >
> > >whitelist_from [EMAIL PROTECTED]
> > >and
> > >whitelist_from [EMAIL PROTECTED]
> > >
> > >But mail is still picked up as spam for the [EMAIL PROTECTED]
> > >
> > >Have also tried the following;
> > >
> > >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> > >and
> > >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> > >
> > >But nothing seems to work? has anyone got any advice on this?
> > >  
> > 
> > do you have
> > 
> >always_trust_envelope_sender 1
> > 
> > ?
> >
> 
> No I don't have this setting
> > 


RE: whitelist_from and whitelist_from_rcvd not working

2006-12-04 Thread Robert Swan

I had a similar problem with SA not reading a specific .cf file. I
basically created a new greylist.cf file and copied the test over and it
worked, and of course make sure it is in the right folder... Might be
worth a try



Robert
 
 
 
 
 
 
Peace he would say instead of goodbyepeace my brother.

-----Original Message-----
From: Mark Adams [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 04, 2006 12:56 PM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: Re: whitelist_from and whitelist_from_rcvd not working

On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
> Mark Adams wrote:
> >Hi All,
> >
> >Spamassassin 3.1.4-1
> >
> >Currently have entries like the following in the local.cf file
> >
> >whitelist_from [EMAIL PROTECTED]
> >and
> >whitelist_from [EMAIL PROTECTED]
> >
> >But mail is still picked up as spam for the [EMAIL PROTECTED]
> >
> >Have also tried the following;
> >
> >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> >and
> >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> >
> >But nothing seems to work? has anyone got any advice on this?
> >  
> 
> do you have
> 
>always_trust_envelope_sender 1
> 
> ?
>

No I don't have this setting
> 


Re: whitelist_from and whitelist_from_rcvd not working

2006-12-04 Thread Mark Adams
On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
> Mark Adams wrote:
> >Hi All,
> >
> >Spamassassin 3.1.4-1
> >
> >Currently have entries like the following in the local.cf file
> >
> >whitelist_from [EMAIL PROTECTED]
> >and
> >whitelist_from [EMAIL PROTECTED]
> >
> >But mail is still picked up as spam for the [EMAIL PROTECTED]
> >
> >Have also tried the following;
> >
> >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> >and
> >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> >
> >But nothing seems to work? has anyone got any advice on this?
> >  
> 
> do you have
> 
>always_trust_envelope_sender 1
> 
> ?
>

No I don't have this setting
> 


Re: whitelist_from and whitelist_from_rcvd not working

2006-12-03 Thread mouss

Mark Adams wrote:
> Hi All,
>
> Spamassassin 3.1.4-1
>
> Currently have entries like the following in the local.cf file
>
> whitelist_from [EMAIL PROTECTED]
> and
> whitelist_from [EMAIL PROTECTED]
>
> But mail is still picked up as spam for the [EMAIL PROTECTED]
>
> Have also tried the following;
>
> whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> and
> whitelist_from_rcvd [EMAIL PROTECTED] domain.com
>
> But nothing seems to work? has anyone got any advice on this?


do you have

   always_trust_envelope_sender 1

?




whitelist_from and whitelist_from_rcvd not working

2006-12-01 Thread Mark Adams
Hi All,

Spamassassin 3.1.4-1

Currently have entries like the following in the local.cf file

whitelist_from [EMAIL PROTECTED]
and
whitelist_from [EMAIL PROTECTED]

But mail is still picked up as spam for the [EMAIL PROTECTED]

Have also tried the following;

whitelist_from_rcvd [EMAIL PROTECTED] domain.com
and
whitelist_from_rcvd [EMAIL PROTECTED] domain.com

But nothing seems to work? has anyone got any advice on this?

Any help appreciated.

Regards,
Mark


RE: adjust rules and whitelist_from_rcvd

2006-11-16 Thread Leon Kolchinsky
Hi,


So should I write? :


whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

OR

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il


Regards
Leon


-----Original Message-----
From: Stuart Johnston [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 15, 2006 4:57 PM
To: users@spamassassin.apache.org
Subject: Re: adjust rules and whitelist_from_rcvd

It is probably this header generated by SquirrelMail that is causing the 
problem.

 > Received: from 217.132.226.2
 > (SquirrelMail authenticated user ronits)
 > by mail.mydomain.ac.il with HTTP;
 > Tue, 14 Nov 2006 13:11:52 +0200 (IST)

I'm not really sure what the solution is though.  What version of SA are you 
running?


Leon Kolchinsky wrote:
> Hello All,
> 
> I'm running several virtual domains on 
> Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.
> 
> 
> There are several users sending their legitimate mails via SquirrelMail on 
> the same mail server but getting scored as spam.
>  
> Here are 2 examples of X-Spam-Status for such mails.
> 
> 
> X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
>  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
>  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
> X-Spam-Level: **
> 
> X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
>  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
>  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
> X-Spam-Level: **
> 
> 
> Below full headers for an example mail:
> 
> 
> Return-Path: <[EMAIL PROTECTED]>
> Received: from mail.mydomain.ac.il ([unix socket])
>   by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
> 13:11:57 +0200
> X-Sieve: CMU Sieve 2.2
> Received: from localhost (localhost [127.0.0.1])
>   by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
>   for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
> X-Envelope-To: <[EMAIL PROTECTED]>
> X-Envelope-From: <[EMAIL PROTECTED]>
> X-Quarantine-id: 
> 
> Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
>   by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
>   for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
> Received: from 217.132.226.2
> (SquirrelMail authenticated user ronits)
> by mail.mydomain.ac.il with HTTP;
> Tue, 14 Nov 2006 13:11:52 +0200 (IST)
> Message-ID: <[EMAIL PROTECTED]>
> Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
> Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> User-Agent: SquirrelMail/1.4.7
> MIME-Version: 1.0
> Content-Type: text/plain;charset=utf-8
> Content-Transfer-Encoding: 8bit
> X-Priority: 3 (Normal)
> Importance: Normal
> X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
>  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
>  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
> X-Spam-Level: **
> 
> 
> 1) Could you please tell me what rules should I adjust (and what score give 
> to those rules in local.cf) so these kinds of mails score below 5.
> 
> 2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:
> 
> whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 
> 
> 
> Should this line look like this?
> 
> whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il
> 
> Or this?
> 
> whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il
> 
> 
> 
> 
> Best Regards,
> Leon Kolchinsky
> 



Re: adjust rules and whitelist_from_rcvd

2006-11-15 Thread Stuart Johnston

It is probably this header generated by SquirrelMail that is causing the 
problem.

> Received: from 217.132.226.2
> (SquirrelMail authenticated user ronits)
> by mail.mydomain.ac.il with HTTP;
> Tue, 14 Nov 2006 13:11:52 +0200 (IST)

I'm not really sure what the solution is though.  What version of SA are you 
running?


Leon Kolchinsky wrote:

Hello All,

I'm running several virtual domains on 
Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.


There are several users sending their legitimate mails via SquirrelMail on the 
same mail server but getting scored as spam.
 
Here are 2 examples of X-Spam-Status for such mails.



X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


Below full headers for an example mail:


Return-Path: <[EMAIL PROTECTED]>
Received: from mail.mydomain.ac.il ([unix socket])
by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
13:11:57 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
X-Envelope-To: <[EMAIL PROTECTED]>
X-Envelope-From: <[EMAIL PROTECTED]>
X-Quarantine-id: 

Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Received: from 217.132.226.2
(SquirrelMail authenticated user ronits)
by mail.mydomain.ac.il with HTTP;
Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.7
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


1) Could you please tell me what rules should I adjust (and what score give to 
those rules in local.cf) so these kinds of mails score below 5.

2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:

whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 



Should this line look like this?

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

Or this?

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il




Best Regards,
Leon Kolchinsky





Re: adjust rules and whitelist_from_rcvd

2006-11-15 Thread Stuart Johnston

This should be fixed if you install SA 3.1:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3236

Leon Kolchinsky wrote:

Hi,

My server runs with static IP and has a legitimate MX record.
Squirrelmail runs on the same mail server.


So I don't think that this is the problem.


Regards,
Leon

-Original Message-
From: Benny Pedersen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 15, 2006 10:01 AM

To: users@spamassassin.apache.org
Subject: Re: adjust rules and whitelist_from_rcvd


On Tue, November 14, 2006 14:08, Leon Kolchinsky wrote:


X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


you are running a mail server with dynamic ip ranges which means that mail from
you will ALWAYS be seen as spam on other mailservers :/(

to fix this search for a mail server that can smart-host for you, eg send all
mail outgoing to your isp will do

asking your isp about a static assigned ip will be perfect :-)

the NO_REAL_NAME fix is here
http://www.squirrelmail.org/plugin_view.php?id=142





RE: adjust rules and whitelist_from_rcvd

2006-11-15 Thread Leon Kolchinsky
Hi,

My server runs with static IP and has a legitimate MX record.
Squirrelmail runs on the same mail server.


So I don't think that this is the problem.


Regards,
Leon

-Original Message-
From: Benny Pedersen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 15, 2006 10:01 AM
To: users@spamassassin.apache.org
Subject: Re: adjust rules and whitelist_from_rcvd


On Tue, November 14, 2006 14:08, Leon Kolchinsky wrote:

> X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
>  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
>  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
> X-Spam-Level: **

you are running a mail server with dynamic ip ranges which means that mail from
you will ALWAYS be seen as spam on other mailservers :/(

to fix this search for a mail server that can smart-host for you, eg send all
mail outgoing to your isp will do

asking your isp about a static assigned ip will be perfect :-)

the NO_REAL_NAME fix is here
http://www.squirrelmail.org/plugin_view.php?id=142

-- 
This message was sent using 100% recycled spam mails.



Re: adjust rules and whitelist_from_rcvd

2006-11-14 Thread Benny Pedersen

On Tue, November 14, 2006 14:08, Leon Kolchinsky wrote:

> X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
>  NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
>  RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
> X-Spam-Level: **

you are running a mail server with dynamic ip ranges which means that mail from
you will ALWAYS be seen as spam on other mailservers :/(

to fix this search for a mail server that can smart-host for you, eg send all
mail outgoing to your isp will do

asking your isp about a static assigned ip will be perfect :-)

the NO_REAL_NAME fix is here
http://www.squirrelmail.org/plugin_view.php?id=142

-- 
This message was sent using 100% recycled spam mails.



RE: adjust rules and whitelist_from_rcvd

2006-11-14 Thread Leon Kolchinsky
Hello All,

I run SA on SLES9, so these are the packages I have (updated ones):
spamassassin-2.64-3.7
amavisd-new-20030616p9-3.6
perl-spamassassin-2.64-3.7
clamav-0.88.5-0.2

Please read the following mail (under questions 1 and 2) and help:

1) Could you please tell me what rules should I adjust (and what score give to 
those rules in local.cf) so these kinds of mails score below 5.

2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:

whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 


Should this line look like this?

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

Or this?

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il


-Original Message-
From: Leon Kolchinsky [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 14, 2006 3:09 PM
To: users@spamassassin.apache.org
Subject: adjust rules and whitelist_from_rcvd

Hello All,

I'm running several virtual domains on 
Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.


There are several users sending their legitimate mails via SquirrelMail on the 
same mail server but getting scored as spam.
 
Here are 2 examples of X-Spam-Status for such mails.


X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


Below full headers for an example mail:


Return-Path: <[EMAIL PROTECTED]>
Received: from mail.mydomain.ac.il ([unix socket])
by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
13:11:57 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
X-Envelope-To: <[EMAIL PROTECTED]>
X-Envelope-From: <[EMAIL PROTECTED]>
X-Quarantine-id: 

Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Received: from 217.132.226.2
(SquirrelMail authenticated user ronits)
by mail.mydomain.ac.il with HTTP;
Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.7
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **






Best Regards,
Leon Kolchinsky



Re: adjust rules and whitelist_from_rcvd

2006-11-14 Thread Daryl C. W. O'Shea

What version of SA are you using?

Daryl


adjust rules and whitelist_from_rcvd

2006-11-14 Thread Leon Kolchinsky
Hello All,

I'm running several virtual domains on 
Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system.


There are several users sending their legitimate mails via SquirrelMail on the 
same mail server but getting scored as spam.
 
Here are 2 examples of X-Spam-Status for such mails.


X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


Below full headers for an example mail:


Return-Path: <[EMAIL PROTECTED]>
Received: from mail.mydomain.ac.il ([unix socket])
by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 
13:11:57 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
X-Envelope-To: <[EMAIL PROTECTED]>
X-Envelope-From: <[EMAIL PROTECTED]>
X-Quarantine-id: 

Received: from mail.mydomain.ac.il (localhost [127.0.0.1])
by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD
for <[EMAIL PROTECTED]>; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Received: from 217.132.226.2
(SquirrelMail authenticated user ronits)
by mail.mydomain.ac.il with HTTP;
Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.7
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00,
 NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL,
 RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **


1) Could you please tell me what rules should I adjust (and what score give to 
those rules in local.cf) so these kinds of mails score below 5.

2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:

whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il 


Should this line look like this?

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

Or this?

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il




Best Regards,
Leon Kolchinsky



Re: question re. whitelist_from_rcvd

2006-11-13 Thread Kelson

Miles Fidelman wrote:

whitelist_from_rcvd [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

hmmm...not sure how that last bit made it into my email, I thought I'd 
just typed


whitelist_from_rcvd [EMAIL PROTECTED]
must have to do with typing it at 2:46 in the am, sigh...


Nah, it's probably just your mail client.  I see in the headers you're 
using SeaMonkey.  I'd guess it shares quite a bit of code with 
Thunderbird, and Thunderbird has an annoying habit of plunking in an 
extra copy of an email address if it's converting from HTML to 
plaintext... even if the text of the link is the email address itself.


--
Kelson Vibber
SpeedGate Communications 


Re: question re. whitelist_from_rcvd

2006-11-12 Thread Miles Fidelman

Not as easily done as said.

Matthias Leisi wrote:

Miles Fidelman wrote:

Do you *really* need to pass locally generated mail through
Spamassassin? Most likely not.

  
I prefer to, since I have a number of users who use my machine as their 
SMTP route to the world - and you never know when a desktop machine can 
pick up a virus or trojan.  Since I run a number of email lists, I like 
to have multiple lines of defense to keep spam and viruses from getting 
to lists.  Beyond the obvious reason, it also reduces the likelihood of 
getting listed in blocklists.


Hence I need something more fine-grained than eliminating filters from 
all locally generated mail.

*Received: * from localhost (localhost.localdomain [127.0.0.1]) by
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
<[EMAIL PROTECTED] >; Sat, 11 Nov 2006 10:22:18
-0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost
(server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2
for <[EMAIL PROTECTED] >; Sat, 11 Nov 2006
10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id
1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)

Any thoughts on other ways to whitelist locally originated messages from
a single address ([EMAIL PROTECTED]) without just opening up the
world to spammers by using a simple whitelist_from command?



Looking at the Received: headers it looks as if you're running a mostly
regular Postfix/Amavis setup, ie Postfix forwards to Amavis which in
turn forwards it to Postfix.

You can tell Postfix which content filters it should use depending on
where mail comes from. Since the mail in question is generated locally
("from userid 114"), you can tell Postfix not to use the content filter
in the pickup process:

+-- /etc/postfix/master.cf --
| pickup    fifo  n       -       -       60      1       pickup
|   -o content_filter=
+-- --

See [1] for a more complete example.

-- Matthias

[1]
http://matthias.leisi.net/archives/120-Unblocking-an-EICAR-with-PostfixAmavisClamAV.html
  




Re: question re. whitelist_from_rcvd

2006-11-12 Thread Matthias Leisi

Miles Fidelman wrote:

Do you *really* need to pass locally generated mail through
Spamassassin? Most likely not.

> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
> <[EMAIL PROTECTED] >; Sat, 11 Nov 2006 10:22:18
> -0500 (EST)
> *Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost
> (server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2
> for <[EMAIL PROTECTED] >; Sat, 11 Nov 2006
> 10:22:12 -0500 (EST)
> *Received: * by server1.neighborhoods.net (Postfix, from userid 114) id
> 1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)
> 
> Any thoughts on other ways to whitelist locally originated messages from
> a single address ([EMAIL PROTECTED]) without just opening up the
> world to spammers by using a simple whitelist_from command?

Looking at the Received: headers it looks as if you're running a mostly
regular Postfix/Amavis setup, ie Postfix forwards to Amavis which in
turn forwards it to Postfix.

You can tell Postfix which content filters it should use depending on
where mail comes from. Since the mail in question is generated locally
("from userid 114"), you can tell Postfix not to use the content filter
in the pickup process:

+-- /etc/postfix/master.cf --
| pickup    fifo  n       -       -       60      1       pickup
|   -o content_filter=
+-- --

See [1] for a more complete example.

-- Matthias

[1]
http://matthias.leisi.net/archives/120-Unblocking-an-EICAR-with-PostfixAmavisClamAV.html




Re: question re. whitelist_from_rcvd

2006-11-12 Thread Miles Fidelman

Matt Kettler wrote:

Miles Fidelman wrote:
  

Hi,

I'm trying to figure out how to whitelist control messages generated
by our list manager (Sympa) - which are generated on the localhost and
sent to addresses on the localhost.

In particular, here's a specific example:

*From: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Received: * from localhost (localhost.localdomain [127.0.0.1]) by
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 10:22:18
-0500 (EST)


It's pretty clear that the entry in user_prefs would start with

whitelist_from_rcvd [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

but what would I use as the domain part?


Actually, no..  it would not start like that... As written the "
<mailto:[EMAIL PROTECTED]>" would be interpreted as the Received:
header check.

Try:
whitelist_from_rcvd [EMAIL PROTECTED] localhost.localdomain

  

Well that doesn't seem to work.  I also tried

whitelist_from_rcvd [EMAIL PROTECTED] server1.neighborhoods.net
whitelist_from_rcvd [EMAIL PROTECTED] 127.0.0.1

I think the problem is that the reverse lookups don't match in any of 
these combinations (look closely at the headers):


*From: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Subject: * SPAM*** Message diffusion*
*Date: * November 11, 2006 10:22:05 AM EST
*To: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Return-Path: * <[EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>>

*X-Original-To: * [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Delivered-To: * [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Received: * from localhost (localhost.localdomain [127.0.0.1]) by 
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for 
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 10:22:18 
-0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost 
(server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 
for <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 
10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id 
1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)


Any thoughts on other ways to whitelist locally originated messages from 
a single address ([EMAIL PROTECTED]) without just opening up the 
world to spammers by using a simple whitelist_from command?


Thanks again,

Miles




Re: question re. whitelist_from_rcvd

2006-11-12 Thread Miles Fidelman

Matt Kettler wrote:

Miles Fidelman wrote:
  

Hi,

I'm trying to figure out how to whitelist control messages generated
by our list manager (Sympa) - which are generated on the localhost and
sent to addresses on the localhost.

In particular, here's a specific example:

*From: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Received: * from localhost (localhost.localdomain [127.0.0.1]) by
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 10:22:18
-0500 (EST)


It's pretty clear that the entry in user_prefs would start with

whitelist_from_rcvd [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

hmmm...not sure how that last bit made it into my email, I thought I'd 
just typed


whitelist_from_rcvd [EMAIL PROTECTED] 


must have to do with typing it at 2:46 in the am, sigh...


but what would I use as the domain part?


Actually, no..  it would not start like that... As written the "
<mailto:[EMAIL PROTECTED]>" would be interpreted as the Received:
header check.

Try:
whitelist_from_rcvd [EMAIL PROTECTED] localhost.localdomain
  

Thanks! Will do.

Miles


Re: question re. whitelist_from_rcvd

2006-11-12 Thread Matt Kettler
Miles Fidelman wrote:
> Hi,
>
> I'm trying to figure out how to whitelist control messages generated
> by our list manager (Sympa) - which are generated on the localhost and
> sent to addresses on the localhost.
>
> In particular, here's a specific example:
>
> *From: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> *Received: * from localhost (localhost.localdomain [127.0.0.1]) by
> server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 10:22:18
> -0500 (EST)
>
>
> It's pretty clear that the entry in user_prefs would start with
>
> whitelist_from_rcvd [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
> but what would I use as the domain part?
Actually, no..  it would not start like that... As written the "
<mailto:[EMAIL PROTECTED]>" would be interpreted as the Received:
header check.

Try:
whitelist_from_rcvd [EMAIL PROTECTED] localhost.localdomain




question re. whitelist_from_rcvd

2006-11-11 Thread Miles Fidelman

Hi,

I'm trying to figure out how to whitelist control messages generated by 
our list manager (Sympa) - which are generated on the localhost and sent 
to addresses on the localhost.


In particular, here's a specific example:

*From: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Subject: * SPAM*** Message diffusion*
*Date: * November 11, 2006 10:22:05 AM EST
*To: *   [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Return-Path: * <[EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>>

*X-Original-To: * [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Delivered-To: * [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
*Received: * from localhost (localhost.localdomain [127.0.0.1]) by 
server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for 
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 10:22:18 
-0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost 
(server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 
for <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>; Sat, 11 Nov 2006 
10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id 
1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)

*Mime-Version: * 1.0
*Content-Type: * text/plain; charset=utf-8;
*Content-Transfer-Encoding: * 8bit
*Message-Id: * <[EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>>
*X-Virus-Scanned: * by amavisd-new-20030616-p10 (Debian) at 
neighborhoods.net
*X-Spam-Status: * Yes, hits=9.7 tagged_above=0.0 required=6.3 tests=AWL, 
BAYES_20, NO_RELAYS

*X-Spam-Level: * *
*X-Spam-Flag: * YES
*Status:** *

It's pretty clear that the entry in user_prefs would start with

whitelist_from_rcvd [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

but what would I use as the domain part? 


Thanks very much,

Miles


Re: whitelist_from_rcvd

2006-11-01 Thread Matt Kettler
Chris Edwards wrote:
> OK I think I get it, here is a header from one of the companies we do
> business with...
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
> with Microsoft SMTPSVC(6.0.3790.211);
>Tue, 31 Oct 2006 23:27:03 -0500
> Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
>   by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502
>   for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 23:22:03 -0500
>
>   

> So their entry would be...
>
> whitelist_from_rcvd [EMAIL PROTECTED] x-cart.com 
>
> Correct?
>   

Depends, is the IP address that results from resolving gandalf.ctdx.net
trusted?

If so, yes, that's the correct entry.
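The check discussed in these threads, as an added example (not SpamAssassin's code and not from any poster): a simplified Python model that finds the first relay outside the trusted networks and matches its recorded reverse DNS name against the domain part of a `whitelist_from_rcvd` entry. Assumptions: the addresses `helpdesk@sender.example` and `rcpt@recipient.example` and the user `someuser` are constructed, trust is modelled as a plain list of CIDR networks, unparseable `Received:` lines are skipped, and the domain is matched as a suffix on a label boundary.

```python
import fnmatch
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# "from HELO (RDNS [IP])" as Postfix/sendmail log it, or "from HELO ([IP])"
# when the receiving MTA recorded no reverse DNS name.
BRACKETED = re.compile(
    r"^from\s+\S+\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")
# "from 1.2.3.4 (comment) by ..." as the webmail hop writes it: bare IP, no rDNS.
BARE_IP = re.compile(r"^from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s")

# Constructed samples: Received lines follow the headers quoted in the threads;
# addresses are placeholders because the archive redacts the real ones.
RELAYED_SAMPLE = """\
Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
 with Microsoft SMTPSVC(6.0.3790.211); Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
 by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502
 for <rcpt@recipient.example>; Tue, 31 Oct 2006 23:22:03 -0500
From: Helpdesk <helpdesk@sender.example>
Subject: constructed sample

body
"""

WEBMAIL_SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
 by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370
 for <rcpt@recipient.example>; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
Received: from 217.132.226.2
 (SquirrelMail authenticated user someuser)
 by mail.mydomain.ac.il with HTTP;
 Tue, 14 Nov 2006 13:11:52 +0200 (IST)
From: helpdesk@sender.example
Subject: constructed sample

body
"""


def parse_relay(value):
    """Return {'ip', 'rdns'} for one Received: value, or None if unrecognised."""
    value = " ".join(value.split())          # unfold continuation lines
    m = BRACKETED.match(value) or BARE_IP.match(value)
    if not m:
        return None
    fields = m.groupdict()
    return {"ip": fields["ip"], "rdns": fields.get("rdns")}


def is_trusted(ip, trusted_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_networks)


def last_untrusted_relay(msg, trusted_networks):
    """Walk Received: headers newest first; return the first relay not trusted."""
    for value in msg.get_all("Received", []):
        relay = parse_relay(value)
        if relay is None:
            continue                         # simplification: skip odd formats
        if not is_trusted(relay["ip"], trusted_networks):
            return relay
    return None


def whitelist_from_rcvd_hit(raw, addr_glob, rdns_domain, trusted_networks):
    """Model of 'whitelist_from_rcvd addr_glob rdns_domain' for one message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not fnmatch.fnmatchcase(sender, addr_glob.lower()):
        return False
    relay = last_untrusted_relay(msg, trusted_networks)
    if relay is None or not relay["rdns"]:
        return False                         # no rDNS recorded: nothing to match
    rdns = relay["rdns"].lower().rstrip(".")
    domain = rdns_domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


if __name__ == "__main__":
    for trusted in (["199.0.161.154/32"], []):
        print(trusted, whitelist_from_rcvd_hit(
            RELAYED_SAMPLE, "*@sender.example", "x-cart.com", trusted))
    print(whitelist_from_rcvd_hit(
        WEBMAIL_SAMPLE, "*@sender.example", "mydomain.ac.il", ["127.0.0.0/8"]))
```

In this model the x-cart.com entry matches only when the gandalf.ctdx.net address is trusted, and the webmail hop never matches because its header carries an IP address with no reverse DNS name.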



RE: whitelist_from_rcvd

2006-11-01 Thread Chris Edwards
OK I think I get it, here is a header from one of the companies we do
business with...

Microsoft Mail Internet Headers Version 2.0
Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
with Microsoft SMTPSVC(6.0.3790.211);
 Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 23:22:03 -0500
Received: from localhost (localhost [127.0.0.1])
by harbor.x-cart.com (Postfix) with ESMTP id 32CA4FC2B4
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 20:18:36 -0800 (PST)
Received: from harbor.x-cart.com ([127.0.0.1])
by localhost (harbor.x-cart.com [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id FJP1WignZXnm for <[EMAIL PROTECTED]>;
Tue, 31 Oct 2006 20:18:34 -0800 (PST)
Received: from gw-red.crtdev.local (mail.crtdev.local [192.168.10.1])
by harbor.x-cart.com (Postfix) with ESMTP id 1EE32FC2B2
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 20:18:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
by gw-red.crtdev.local (Postfix) with ESMTP id 0C9B8112EC3C;
Wed,  1 Nov 2006 07:18:33 +0300 (MSK)
Received: from gw-red.crtdev.local ([127.0.0.1])
by localhost (mail.crtdev.local [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id Iqw-2Ddq46oC; Wed,  1 Nov 2006 07:18:32 +0300
(MSK)
Received: from gw-green.crtdev.local (green-red-fiber.crtdev.local
[192.168.99.13])
by gw-red.crtdev.local (Postfix) with ESMTP id DC976112EC2B
for <[EMAIL PROTECTED]>; Wed,  1 Nov 2006 07:18:32 +0300 (MSK)
Received: from sauron.crtdev.local (sauron.crtdev.local [192.168.12.10])
by gw-green.crtdev.local (Postfix) with ESMTP id C1738244C21
for <[EMAIL PROTECTED]>; Wed,  1 Nov 2006 07:18:32 +0300 (MSK)
Received: from sauron.crtdev.local (localhost [127.0.0.1])
by sauron.crtdev.local (8.13.8/8.13.8) with ESMTP id
kA14IFAa080272
for <[EMAIL PROTECTED]>; Wed, 1 Nov 2006 07:18:15 +0300 (MSK)
(envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED])
by sauron.crtdev.local (8.13.8/8.13.8/Submit) id kA14IEv1080271;
Wed, 1 Nov 2006 07:18:14 +0300 (MSK)
(envelope-from www)
Date: Wed, 1 Nov 2006 07:18:14 +0300 (MSK)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Valentine Kaverin has posted a new message for you.
From: Qualiteam HelpDesk system <[EMAIL PROTECTED]>
Content-Type: text/plain;charset=iso-8859-1;
X-Signature-Check-Ignore: Yes
X-Virus-Scanned: ClamAV 0.88.5/2136/Tue Oct 31 22:06:48 2006 on
gandalf.ctdx.net
X-Virus-Scanned: amavisd-new at x-cart.com
X-Virus-System: ClamAV 0.88.5/2136/Tue Oct 31 19:06:48 2006
X-Virus-Status: Clean
X-Spam-Status: No, score=3.0 required=5.0 tests=AWL,BAYES_00,BIZ_TLD,
SPF_SOFTFAIL,URI_NO_WWW_BIZ_CGI autolearn=no version=3.1.3
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
gandalf.ctdx.net
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 01 Nov 2006 04:27:03.0500 (UTC)
FILETIME=[FB3D50C0:01C6FD6D]

So their entry would be...

whitelist_from_rcvd [EMAIL PROTECTED] x-cart.com 

Correct?

Thanks for the help!!

Chris Edwards

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 31, 2006 10:30 PM
To: Chris Edwards
Cc: users@spamassassin.apache.org
Subject: Re: whitelist_from_rcvd

Chris Edwards wrote:
> Hello!
>  
> Praise...
>  
> I have not used spamassassin for several years.  I switched companies 
> recently and they were getting killed with spam.  I have really 
> enjoyed relearning spamassassin and reading the mailing list.
> Spamassassin has done an incredible job of reducing the amount of 
> spam coming into the company.  I just wanted to say thanks to all of 
> you who have had a hand in developing this awesome program!
>  
> Ok, now my question...
>  
> My company has several other companies that it does business with and 
> I want to put those companies and all the domains we own into a white 
> list.  Can I find the needed information in the headers of an email to
> create a  whitelist_from_rcvd entry in local.cf?  If so, what 
> information do I need?  If not, where would I go about finding it.
whitelist_from_rcvd needs to match two parts:

1) A "From" address. This could be the From: header, but could also be a
Return-Path, Envelope-Sender, or similar header with the Envelope "Mail
FROM" recorded in it. Which one you pick for most cases doesn't matter,
but matching a Return-Path is useful for public mailing lists where the
From: header changes constantly, but the Return-Path is always the list
server.

Note: you can use file-glob style wildcards for the addresses here. ie:
[EMAIL PROTECTED]

2) The Re

Re: whitelist_from_rcvd

2006-10-31 Thread Matt Kettler
Chris Edwards wrote:
> Hello!
>  
> Praise...
>  
> I have not used spamassassin for several years.  I switched companies
> recently and they were getting killed with spam.  I have really
> enjoyed relearning spamassassin and reading the mailing list. 
> Spamassassin has done an incredible job of reducing the amount of
> spam coming into the company.  I just wanted to say thanks to all of
> you who have had a hand in developing this awesome program!
>  
> Ok, now my question...
>  
> My company has several other companies that it does business with and
> I want to put those companies and all the domains we own into a white
> list.  Can I find the needed information in the headers of an email to
> create a  whitelist_from_rcvd entry in local.cf?  If so, what
> information do I need?  If not, where would I go about finding it.
whitelist_from_rcvd needs to match two parts:

1) A "From" address. This could be the From: header, but could also be a
Return-Path, Envelope-Sender, or similar header with the Envelope "Mail
FROM" recorded in it. Which one you pick for most cases doesn't matter,
but matching a Return-Path is useful for public mailing lists where the
From: header changes constantly, but the Return-Path is always the list
server.

Note: you can use file-glob style wildcards for the addresses here. ie:
[EMAIL PROTECTED]

2) The Reverse DNS hostname for the host that delivered the message to
your network. So find the Received: header your MX added. Then grab the
hostname that appears before the IP address.

For example, let's look at one header that apache.org added:

Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
 by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 31 Oct 2006 10:14:47 -0800

In this case herse.apache.org is the reverse DNS hostname.

Note: you don't have to match the whole hostname. You can use a substring like 
"apache.org" and it will match "herse.apache.org" or "example.apache.org".


Nine times out of ten, a whitelist_from_rcvd simply looks like:

whitelist_from_rcvd [EMAIL PROTECTED] example.com

But it never hurts to check the headers, as some folks use servers that
have non-matching domain names to send. (typical when a server is used
for multiple domains. It can only RDNS as one of them...)

>  
> Thanks!
>
> ---
>
> Chris Edwards
>
>  
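The two-part match described in the reply above, as an added example (not SpamAssassin's own code and not part of the original post): it reads the reverse DNS name out of the Received layouts quoted in this archive and evaluates one whitelist_from_rcvd line against it. The label-boundary domain match follows the documentation text quoted elsewhere on this page; the example.* headers and addresses are constructed.

```python
import re

# Layouts that appear in headers quoted in this archive; other MTAs differ.
# qpsmtpd:  from <rdns> (HELO <helo>) (<ip>)
QPSMTPD = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)")
# sendmail: from <helo> (<rdns> [<ip>])  or, with no reverse DNS,  from <helo> ([<ip>])
SENDMAIL = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")


def parse_relay(received):
    """Return helo/rdns/ip of the connecting host, or None for an unknown layout."""
    line = re.sub(r"\r?\n[ \t]+", " ", received)  # unfold continuation lines
    for pattern in (QPSMTPD, SENDMAIL):
        m = pattern.search(line)
        if m:
            return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}
    return None


def address_glob(glob):
    """Compile a file-glob address pattern ('*' and '?') into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def rdns_in_domain(rdns, domain):
    """True if rdns is the domain itself or a host below it (label boundary)."""
    if not rdns:
        return False  # no reverse DNS recorded; the HELO name is not a substitute
    rdns, domain = rdns.lower().rstrip("."), domain.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


def entry_matches(entry, sender, received):
    """Evaluate one 'whitelist_from_rcvd <address-glob> <domain>' line."""
    keyword, glob, domain = entry.split()
    if keyword != "whitelist_from_rcvd":
        raise ValueError("not a whitelist_from_rcvd line: %r" % entry)
    relay = parse_relay(received)
    if relay is None:
        return False
    return bool(address_glob(glob).match(sender)) and rdns_in_domain(relay["rdns"], domain)


# APACHE is the header quoted in the reply above. The other two are
# constructed, in the sendmail layouts seen elsewhere in this archive.
APACHE = ("Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)\n"
          " by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 31 Oct 2006 10:14:47 -0800")
SENDMAIL_RDNS = ("Received: from mail.example.net (mx7.example.com [192.0.2.25])\n"
                 "\tby mx.example.org (8.13.4/8.13.4) with ESMTP id CONSTRUCTED1")
SENDMAIL_HELO_ONLY = ("Received: from example.com ([198.51.100.9])\n"
                      "\tby mx.example.org (8.13.4/8.13.4) with SMTP id CONSTRUCTED2")
RULE = "whitelist_from_rcvd *@example.com example.com"  # constructed entry

if __name__ == "__main__":
    for name, hdr in [("rDNS present", SENDMAIL_RDNS), ("HELO only", SENDMAIL_HELO_ONLY)]:
        print(name, parse_relay(hdr), entry_matches(RULE, "billing@example.com", hdr))
    # An empty envelope sender (a bounce, "<>") never satisfies the address glob.
    print("bounce", entry_matches(RULE, "", SENDMAIL_RDNS))
```

In this model a `*` in the domain field is compared literally, so an entry such as `*.example.com` does not match.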



whitelist_from_rcvd

2006-10-31 Thread Chris Edwards



Hello!

Praise...

I have not used spamassassin for several years.  I switched companies
recently and they were getting killed with spam.  I have really
enjoyed relearning spamassassin and reading the mailing list.
Spamassassin has done an incredible job of reducing the amount of
spam coming into the company.  I just wanted to say thanks to all of
you who have had a hand in developing this awesome program!

Ok, now my question...

My company has several other companies that it does business with and
I want to put those companies and all the domains we own into a white
list.  Can I find the needed information in the headers of an email to
create a whitelist_from_rcvd entry in local.cf?  If so, what
information do I need?  If not, where would I go about finding it.

Thanks!

---

Chris Edwards
 


RE: whitelist_from_rcvd not working

2006-05-12 Thread Jean-Paul Natola
From my understanding the whitelist entry should contain an address then the
domain


whitelist_from_rcvd [EMAIL PROTECTED] cecinfo.org


-Original Message-
From: Robert Fitzpatrick [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 10, 2006 9:13 AM
To: users@spamassassin.apache.org
Subject: whitelist_from_rcvd not working

Can someone point out what I am doing wrong here... I have this in my
local.cf file:

whitelist_from_rcvd [EMAIL PROTECTED] mail*.magnetmail.net

But messages are getting blocked that I believe should match this?

May  5 14:54:19 esmtp postfix/smtpd[994]: 9315B7FA20:
client=mail10.magnetmail.net[209.18.70.10]
May  5 14:54:20 esmtp postfix/cleanup[3083]: 9315B7FA20:
message-id=<[EMAIL PROTECTED]>
May  5 14:54:36 esmtp postfix/qmgr[39594]: 9315B7FA20: from=<>, size=55412,
nrcpt=1 (queue active)
May  5 14:54:47 esmtp amavis[3767]: (03767-02-2) Blocked SPAM, [209.18.70.10]
<> -> <[EMAIL PROTECTED]>, quarantine: spam-u95sUSnhhshW.gz, Message-ID:
<[EMAIL PROTECTED]>, mail_id: u95sUSnhhshW, Hits:
7.069, 11177 ms
May  5 14:54:47 esmtp postfix/smtp[2820]: 9315B7FA20: to=<[EMAIL PROTECTED]>,
relay=127.0.0.1[127.0.0.1], delay=28, status=sent (250 2.5.0 Ok,
id=03767-02-2, BOUNCE)
May  5 14:54:47 esmtp postfix/qmgr[39594]: 9315B7FA20: removed

-- 
Robert



Re: whitelist_from_rcvd not working

2006-05-10 Thread Matt Kettler
Robert Fitzpatrick wrote:
> Can someone point out what I am doing wrong here... I have this in my
> local.cf file:
>
> whitelist_from_rcvd [EMAIL PROTECTED] mail*.magnetmail.net
>
> But messages are getting blocked that I believe should match this?
>   
What about the below suggests this mail is [EMAIL PROTECTED] The below
suggests that the message is from <> (A bounce), but is being delivered
to [EMAIL PROTECTED]

> May  5 14:54:19 esmtp postfix/smtpd[994]: 9315B7FA20: 
> client=mail10.magnetmail.net[209.18.70.10]
> May  5 14:54:20 esmtp postfix/cleanup[3083]: 9315B7FA20: message-id=<[EMAIL 
> PROTECTED]>
> May  5 14:54:36 esmtp postfix/qmgr[39594]: 9315B7FA20: from=<>, size=55412, 
> nrcpt=1 (queue active)
> May  5 14:54:47 esmtp amavis[3767]: (03767-02-2) Blocked SPAM, [209.18.70.10] 
> <> -> <[EMAIL PROTECTED]>, quarantine: spam-u95sUSnhhshW.gz, Message-ID: 
> <[EMAIL PROTECTED]>, mail_id: u95sUSnhhshW, Hits: 7.069, 11177 ms
> May  5 14:54:47 esmtp postfix/smtp[2820]: 9315B7FA20: to=<[EMAIL PROTECTED]>, 
> relay=127.0.0.1[127.0.0.1], delay=28, status=sent (250 2.5.0 Ok, 
> id=03767-02-2, BOUNCE)
> May  5 14:54:47 esmtp postfix/qmgr[39594]: 9315B7FA20: removed
>
>   



whitelist_from_rcvd not working

2006-05-10 Thread Robert Fitzpatrick
Can someone point out what I am doing wrong here... I have this in my
local.cf file:

whitelist_from_rcvd [EMAIL PROTECTED] mail*.magnetmail.net

But messages are getting blocked that I believe should match this?

May  5 14:54:19 esmtp postfix/smtpd[994]: 9315B7FA20: 
client=mail10.magnetmail.net[209.18.70.10]
May  5 14:54:20 esmtp postfix/cleanup[3083]: 9315B7FA20: message-id=<[EMAIL 
PROTECTED]>
May  5 14:54:36 esmtp postfix/qmgr[39594]: 9315B7FA20: from=<>, size=55412, 
nrcpt=1 (queue active)
May  5 14:54:47 esmtp amavis[3767]: (03767-02-2) Blocked SPAM, [209.18.70.10] 
<> -> <[EMAIL PROTECTED]>, quarantine: spam-u95sUSnhhshW.gz, Message-ID: 
<[EMAIL PROTECTED]>, mail_id: u95sUSnhhshW, Hits: 7.069, 11177 ms
May  5 14:54:47 esmtp postfix/smtp[2820]: 9315B7FA20: to=<[EMAIL PROTECTED]>, 
relay=127.0.0.1[127.0.0.1], delay=28, status=sent (250 2.5.0 Ok, id=03767-02-2, 
BOUNCE)
May  5 14:54:47 esmtp postfix/qmgr[39594]: 9315B7FA20: removed

-- 
Robert



Re: Question about whitelist_from_rcvd

2006-03-22 Thread Jeremy Fairbrass
The wildcard isn't needed, and I doubt it's allowed either. See the info and 
examples at 
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

Specifically, the string at the end of whitelist_from_rcvd which refers to 
the reverse DNS of the host, "can either be the full hostname, or the domain 
component of that hostname. In other words, if the host that connected to 
your MX had an IP address that mapped to 'sendinghost.spamassassin.org', you 
should specify sendinghost.spamassassin.org or just spamassassin.org here."

So in your case, [whitelist_from_rcvd [EMAIL PROTECTED] somelist.org] 
would work (without the [] of course). The wildcard is effectively implied.

Cheers,
Jeremy



"Frank Bures" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
> There are lists that use various servers for their distributions.
> These servers can be described using wild cards as for instance
> *.somelist.org
>
> I tried to use such wild cards in local.cf as in
>
> whitelist_from_rcvd [EMAIL PROTECTED] *.somelist.org
>
> but the definition does not seem to be working.
>
> Is the '*' wild card use in whitelist_from_rcvd allowed?
>
> Thanks
>
>
> Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
> [EMAIL PROTECTED]
> http://www.chem.utoronto.ca
> PGP public key: 
> http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
>
>
> 





Question about whitelist_from_rcvd

2006-03-22 Thread Frank Bures

There are lists that use various servers for their distributions.
These servers can be described using wild cards as for instance
*.somelist.org

I tried to use such wild cards in local.cf as in

whitelist_from_rcvd [EMAIL PROTECTED] *.somelist.org

but the definition does not seem to be working.

Is the '*' wild card use in whitelist_from_rcvd allowed?

Thanks


Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
[EMAIL PROTECTED]
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures




Using whitelist_from_rcvd with multiple relay domains

2006-03-15 Thread Larry Starr
After receiving a large volume of phishing messages, in this case with a 
forged ebay sender, I have been looking at my whitelist entries.  

I have a number of wildcard entries i.e.
whitelist_from  [EMAIL PROTECTED]

This one was an easy fix, since all of the messages, that I could identify
came from somewhere in ebay.com, so an update to:

whitelist_from_rcvd [EMAIL PROTECTED] ebay.com

Corrected this problem.

In looking at other domains, that I had similarly whitelisted, I found one or 
two, for which, legitimate emails originate through different domains, 
without a common domain in the list.

My question is would entries of the form:

whitelist_from_rcvd [EMAIL PROTECTED]  domain.name
whitelist_from_rcvd [EMAIL PROTECTED]  someotherdomain.name

accomplish what I am trying to do!  Or would the second entry nullify the 
first?

Thank you,
-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway



Re: Whitelist_from_rcvd misfire!!

2006-03-13 Thread jdow

From: "Matt Kettler" <[EMAIL PROTECTED]>

> jdow wrote:
> > ===8<---
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: from smtp.earthlink.net [209.86.93.205]
> > by localhost with POP3 (fetchmail-6.2.5.5)
> > for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39
> > -0800 (PST)
> > Received: from amazon.com ([80.33.31.58])
> > by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> > 1fiNda4KB3Nl34g0
> > for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> > From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> > To: jdow <[EMAIL PROTECTED]>
> > Subject: PLEASE RESPOND ASAP
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> > mime-version: 1.0
> > content-type: multipart/mixed;
> > boundary="qzsoft_directmail_seperator"
> > Message-Id: <[EMAIL PROTECTED]>
> > Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> > X-ELNK-AV: 0
> > X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
> > X-Spam-Virus: No
> > ===8<---
> >
> > Now, just why a FORGED amazon.com Received header should cause this set of
> > rule hits I don't know:
>
> From the looks of it, earthlink is claiming that 80.33.31.58 RDNS'ed as
> amazon.com. So apparently this guy managed to forge his RDNS, or earthlink's
> header format is weird.
>
> This:
>
>  from amazon.com ([80.33.31.58])
>
> Matches the typical behavior of postgress when the RDNS matches the HELO.. I'm
> not sure if Earthlink's server does the same.
>
> This does also outline reason why whitelist_from_spf is better than
> whitelist_from_rcvd.. Forging RDNS is difficult, but if your ISP gives you
> sub-delegation of your RDNS then you can change it to be whatever you want.


58.Red-80-33-31.staticIP.rima-tde.net.

So it's not a forged rdns. Theo got it in one. I commented out the QMAIL
 in Received.pm and the user_whitelist hit went away. I just
entered my confirmation of that "not really a solution" to the bugzilla
site.

(For a long time now I've thought qmail was more a problem than a solution
based on comments and problems with it recounted on this list.)

{^_^}


Whitelist_from_rcvd misfire!!

2006-03-13 Thread jdow

===8<---
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.205]
by localhost with POP3 (fetchmail-6.2.5.5)
for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39 -0800 (PST)
Received: from amazon.com ([80.33.31.58])
by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
1fiNda4KB3Nl34g0
for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
To: jdow <[EMAIL PROTECTED]>
Subject: PLEASE RESPOND ASAP
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
mime-version: 1.0
content-type: multipart/mixed;
boundary="qzsoft_directmail_seperator"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-Spam-Virus: No
===8<---

Now, just why a FORGED amazon.com Received header should cause this set of
rule hits I don't know:

===8<---
X-Spam-Checker-Version: SpamAssassin 3.0.5 (2005-06-05) on
   morticia.wizardess.wiz
X-Spam-Level:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,DEAR_FRIEND,
   JD_MY_NAME,JD_TO_EARTHLINK,JD_USDOLLARS,MIME_BASE64_TEXT,
   MISSING_MIMEOLE,MSGID_FROM_MTA_ID,PRIORITY_NO_NAME,RCVD_IN_XBL,
   SARE_BOUNDARY_QZSOFT,SARE_LWOILCO,SARE_SXLIFE,SUBJ_ALL_CAPS,
   USER_IN_DEF_WHITELIST autolearn=disabled version=3.0.5
===8<---
   ^ That rule let it sail on through with its
-15 score.

{o.o}


Re: Whitelist_from_rcvd misfire!!

2006-03-13 Thread Matt Kettler
jdow wrote:
> ===8<---
> Return-Path: <[EMAIL PROTECTED]>
> Received: from smtp.earthlink.net [209.86.93.205]
> by localhost with POP3 (fetchmail-6.2.5.5)
> for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39
> -0800 (PST)
> Received: from amazon.com ([80.33.31.58])
> by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> 1fiNda4KB3Nl34g0
> for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> To: jdow <[EMAIL PROTECTED]>
> Subject: PLEASE RESPOND ASAP
> X-Priority: 3
> X-MSMail-Priority: Normal
> Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> mime-version: 1.0
> content-type: multipart/mixed;
> boundary="qzsoft_directmail_seperator"
> Message-Id: <[EMAIL PROTECTED]>
> Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> X-ELNK-AV: 0
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
> X-Spam-Virus: No
> ===8<---
> 
> Now, just why a FORGED amazon.com Received header should cause this set of
> rule hits I don't know:

From the looks of it, earthlink is claiming that 80.33.31.58 RDNS'ed as
amazon.com. So apparently this guy managed to forge his RDNS, or earthlink's
header format is weird.

This:

 from amazon.com ([80.33.31.58])

Matches the typical behavior of postgress when the RDNS matches the HELO.. I'm
not sure if Earthlink's server does the same.


This does also outline reason why whitelist_from_spf is better than
whitelist_from_rcvd.. Forging RDNS is difficult, but if your ISP gives you
sub-delegation of your RDNS then you can change it to be whatever you want.







Re: Whitelist_from_rcvd misfire!!

2006-03-13 Thread Theo Van Dinter
On Mon, Mar 13, 2006 at 12:29:49PM -0800, jdow wrote:
> Received: from smtp.earthlink.net [209.86.93.205]
> by localhost with POP3 (fetchmail-6.2.5.5)
> for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39 
> -0800 (PST)
> Received: from amazon.com ([80.33.31.58])
> by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
> 1fiNda4KB3Nl34g0
> for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)

I haven't looked into it, but it looks like this may be related to
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4813

-- 
Randomly Generated Tagline:
"I don't get the army: they kick you out for being gay, but their big plan to
 improve moral is a make-over." - Bill Maher




Re: whitelist_from_rcvd not working for me

2006-03-13 Thread JamesDR

James Long wrote:
> > James Long wrote:
> > > In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I
> > > use:
> > >
> > > ...
> > > trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
> > ^^
> >
> > Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you
> > sure this is correct?
> >
> > I think what is happening here is sa isn't finding a local server, and
> > gives up. My guess is that adding/changing that to .49 will help.
> >
> > The first Received by statement is this (last server)
> > "by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id"
> >
> > When doing a lookup this is what I get (your internal DNS may be diff.):
> > Name:ns.museum.rain.com
> > Address:  65.75.198.49
> >
> > HTH
> > --
> > Thanks,
> > JamesDR
>
> Thanks for your reply.
>
> My understanding is that "65.75.198.48/28" means that all IPs in that subnet
> will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
> The /32 is another server at a colo site.  I trust that server.
>
> Are you saying that ns.museum.rain.com's own IP should not be listed as a
> trusted
> server?  Earlier advice I received from this list suggested that it should be.
>
> Clarification appreciated.
>
> Jim

Yeah, I missed the /28 ... Long weekend, need to reply to emails after 
plenty of sleep :-D

Sorry for the confusion.

--
Thanks,
James


Re: whitelist_from_rcvd not working for me

2006-03-12 Thread Daryl C. W. O'Shea

On 3/12/2006 8:13 PM, James Long wrote:
> > Mail sent via SMTP should have all of its headers parsed correctly and
> > your whitelist_from_rcvd should work.
>
> Yet, it doesn't.  One of the nightly server log messages has been
> getting rejected because SA thinks it is spam, and doesn't see the
> whitelist_from_rcvd entry for it.  (sendmail log below)

OK, so I should have written "Mail submitted" and not "Mail sent" above.

In any case, if you can change your local submission header so that it 
doesn't include the (envelope-from james) part, it'll be successfully 
parsed.

ie. If you can change your Sendmail config so that it generates headers 
that look like this instead:

Received: (from [EMAIL PROTECTED])
by ns.umpquanet.com (8.13.4/8.13.4/Submit) id k2CJ9LT4065172
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 11:09:21 -0800 (PST)

If your headers, as they are now, are from a default configuration, 
please open a bug about them not being parsed at: 
http://issues.apache.org/SpamAssassin/

> BTW, is there an easy way to troubleshoot this from the command line,
> with perhaps a sample message in a text file that I can just use as
> input to SA, so that I don't have to use up bandwidth and also put a
> large number of test messages into my mailbox?  Is it as simple as
> 'spamassassin -t < textfilename' ?

Yeah.


Daryl



Re: whitelist_from_rcvd not working for me

2006-03-12 Thread James Long
> On 3/12/2006 2:21 PM, James Long wrote:
> > In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
> > use:
> > 
> > 
> > ...
> > trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
> > ...
> > whitelist_from_rcvd [EMAIL PROTECTED] ns.umpquanet.com
> > ...
> > 
> > 
> > yet messages that I had hoped would match that whitelist entry
> > are not.  How can I fix this?
> 
> SA can't parse the first (oldest) received header.  Since that header is 
> a local submission header, I wouldn't worry about it.
> 
> > Mail sent via SMTP should have all of its headers parsed correctly and 
> your whitelist_from_rcvd should work.

Yet, it doesn't.  One of the nightly server log messages has been
getting rejected because SA thinks it is spam, and doesn't see the
whitelist_from_rcvd entry for it.  (sendmail log below)

> No, it must be listed, as it is now.

Okay, so I feel comfortable that my trusted_networks line is correct.
On to troubleshooting the whitelist_from_rcvd.

BTW, is there an easy way to troubleshoot this from the command line,
with perhaps a sample message in a text file that I can just use as
input to SA, so that I don't have to use up bandwidth and also put a
large number of test messages into my mailbox?  Is it as simple as
'spamassassin -t < textfilename' ?

Thanks again,

Jim



Sendmail log excerpt from ns.museum.rain.com:

Mar 12 03:04:26 ns sm-mta[44915]: NOQUEUE: connect from ns.umpquanet.com 
[63.105.30.37]
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: Milter (spamassassin): init 
success to negotiate
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: Milter (greylist): init 
success to negotiate
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: Milter: connect to filters
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: milter=spamassassin, 
action=connect, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: milter=greylist, 
action=connect, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 220 ns.museum.rain.com 
ESMTP Sendmail 8.13.4/8.13.4; Sun, 12 Mar 2006 03:04:26 -0800 (PST)
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: <-- EHLO ns.umpquanet.com
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: milter=spamassassin, 
action=helo, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-ns.museum.rain.com 
Hello ns.umpquanet.com [63.105.30.37], pleased to meet you
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-ENHANCEDSTATUSCODES
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-PIPELINING
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-8BITMIME
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-SIZE
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-DSN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-ETRN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-STARTTLS
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250-DELIVERBY
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 250 HELP
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: <-- STARTTLS
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: --- 220 2.0.0 Ready to start 
TLS
Mar 12 03:04:26 ns sm-mta[44915]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Mar 12 03:04:26 ns sm-mta[44915]: STARTTLS=server, relay=ns.umpquanet.com 
[63.105.30.37], version=TLSv1/SSLv3, verify=NO, cipher=DHE-DSS-AES256-SHA, 
bits=256/256
Mar 12 03:04:26 ns sm-mta[44915]: STARTTLS=server, cert-subject=, cert-issuer=, 
verifymsg=ok
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKW044915: <-- EHLO ns.umpquanet.com
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=spamassassin, 
action=helo, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-ns.museum.rain.com 
Hello ns.umpquanet.com [63.105.30.37], pleased to meet you
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-ENHANCEDSTATUSCODES
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-PIPELINING
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-8BITMIME
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-SIZE
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-DSN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-ETRN
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250-DELIVERBY
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250 HELP
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: <-- MAIL From:<[EMAIL 
PROTECTED]> SIZE=9162
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: Milter: senders: <[EMAIL 
PROTECTED]>
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=spamassassin, 
action=mail, continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: milter=greylist, action=mail, 
continue
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: --- 250 2.1.0 <[EMAIL 
PROTECTED]>... Sender ok
Mar 12 03:04:26 ns sm-mta[44915]: k2CB4QKX044915: 

Re: whitelist_from_rcvd not working for me

2006-03-12 Thread jdow

From: "JamesDR" <[EMAIL PROTECTED]>

> James Long wrote:
> > In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I
> > use:
> >
> > ...
> > trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
> ^^
>
> Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you
> sure this is correct?
>
> I think what is happening here is sa isn't finding a local server, and
> gives up. My guess is that adding/changing that to .49 will help.
>
> The first Received by statement is this (last server)
> "by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id"
>
> When doing a lookup this is what I get (your internal DNS may be diff.):
> Name:ns.museum.rain.com
> Address:  65.75.198.49

65.75.198.49 is within CIDR 65.75.198.48/28

{^_-}



Re: whitelist_from_rcvd not working for me

2006-03-12 Thread Daryl C. W. O'Shea

On 3/12/2006 2:21 PM, James Long wrote:
> In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I
> use:
>
> ...
> trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
> ...
> whitelist_from_rcvd [EMAIL PROTECTED] ns.umpquanet.com
> ...
>
> yet messages that I had hoped would match that whitelist entry
> are not.  How can I fix this?

SA can't parse the first (oldest) received header.  Since that header is 
a local submission header, I wouldn't worry about it.

Mail sent via SMTP should have all of its headers parsed correctly and 
your whitelist_from_rcvd should work.

> My understanding is that "65.75.198.48/28" means that all IPs in that subnet
> will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
> The /32 is another server at a colo site.  I trust that server.

Yeah 65.75.198.48/28 covers 65.75.198.48-63.

> Are you saying that ns.museum.rain.com's own IP should not be listed as a
> trusted
> server?  Earlier advice I received from this list suggested that it should be.

No, it must be listed, as it is now.


Daryl



Re: whitelist_from_rcvd not working for me

2006-03-12 Thread James Long
> James Long wrote:
> > In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
> > use:
> > 
> > 
> > ...
> > trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
> ^^
> 
>   Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you 
> sure this is correct?
> 
>   I think what is happening here is sa isn't finding a local server, and 
> gives up. My guess is that adding/changing that to .49 will help.
> 
>   The first Received by statement is this (last server)
> "by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id"
> 
>   When doing a lookup this is what I get (your internal DNS may be diff.):
> Name:ns.museum.rain.com
> Address:  65.75.198.49
> 
> HTH
> -- 
> Thanks,
> JamesDR

Thanks for your reply.

My understanding is that "65.75.198.48/28" means that all IPs in that subnet
will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
The /32 is another server at a colo site.  I trust that server.

Are you saying that ns.museum.rain.com's own IP should not be listed as a 
trusted
server?  Earlier advice I received from this list suggested that it should be.

Clarification appreciated.

Jim


Re: whitelist_from_rcvd not working for me

2006-03-12 Thread JamesDR

James Long wrote:
> In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I
> use:
>
> ...
> trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32

^^

Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you 
sure this is correct?

I think what is happening here is sa isn't finding a local server, and 
gives up. My guess is that adding/changing that to .49 will help.

The first Received by statement is this (last server)
"by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id"

When doing a lookup this is what I get (your internal DNS may be diff.):
Name:ns.museum.rain.com
Address:  65.75.198.49

HTH
--
Thanks,
JamesDR




whitelist_from_rcvd not working for me

2006-03-12 Thread James Long
In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
use:


...
trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32
...
whitelist_from_rcvd [EMAIL PROTECTED] ns.umpquanet.com
...


yet messages that I had hoped would match that whitelist entry
are not.  How can I fix this?

Thanks!

Jim


From [EMAIL PROTECTED] Sun Mar 12 11:09:27 2006
Received: from ns.umpquanet.com (ns.umpquanet.com [63.105.30.37])
by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id k2CJ9L90046330
(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO)
for <[EMAIL PROTECTED]>; Sun, 12 Mar 2006 11:09:21 -0800 (PST)
(envelope-from [EMAIL PROTECTED])
Received: from ns.umpquanet.com (localhost [127.0.0.1])
by ns.umpquanet.com (8.13.4/8.13.4) with ESMTP id k2CJ9McY065173
for <[EMAIL PROTECTED]>; Sun, 12 Mar 2006 11:09:22 -0800 (PST)
(envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED])
by ns.umpquanet.com (8.13.4/8.13.4/Submit) id k2CJ9LT4065172
for [EMAIL PROTECTED]; Sun, 12 Mar 2006 11:09:21 -0800 (PST)
(envelope-from james)
Date: Sun, 12 Mar 2006 11:09:21 -0800 (PST)
From: James Long <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: test
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=failed version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ns.museum.rain.com
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 
(ns.museum.rain.com [65.75.198.50]); Sun, 12 Mar
 2006 11:09:27 -0800 (PST)



Re: Question About whitelist_from_rcvd

2006-03-03 Thread mouss
Gustafson, Tim wrote:
> In my local.cf, I have the following:
> 
> whitelist_from_rcvd [EMAIL PROTECTED] mail.someplace.com
> 
> However, when messages arrive at my server from mydomain.com through
> mail.someplace.com, they are still being tagged as SPAM:

you didn't show the Received headers, so we can't tell...

most probably, your trusted_networks aren't set correctly.



Question About whitelist_from_rcvd

2006-03-03 Thread Gustafson, Tim
In my local.cf, I have the following:

whitelist_from_rcvd [EMAIL PROTECTED] mail.someplace.com

However, when messages arrive at my server from mydomain.com through
mail.someplace.com, they are still being tagged as SPAM:

sm-mta: k23G6r86071146: from=<[EMAIL PROTECTED]>, size=38180, class=0,
nrcpts=1, relay=mail.someplace.com [1.2.3.4] (may be forged)
sm-mta: k23G6r86071146: Milter add: header: X-Spam-Flag: YES
sm-mta: k23G6r86071146: Milter add: header: X-Spam-Status: Yes,
score=4.7 required=4.5
tests=HTML_FONT_BIG,HTML_MESSAGE,\n\tMEI_BODY_14,SARE_TOCC_COMBO1,SPF_NE
UTRAL,TJ_EMPTY_SUBJECT \n\tautolearn=disabled version=3.1.0
sm-mta: k23G6r86071146: Milter add: header: X-Spam-Checker-Version:
SpamAssassin 3.1.0 (2005-09-13) on maze.meitech.com

Of course, I changed the names to protect the innocent.  :)

Am I missing something?  Does the fact that the host doesn't have
reverse DNS matter?

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 908-4185 Fax
http://www.meitech.com/ 




Re: Trying to understand whitelist_from_rcvd

2005-07-14 Thread Robert Menschel
Hello Dr. Young,

Wednesday, July 13, 2005, 3:37:18 PM, you wrote:

DRY> If this is set in local.cf

DRY> whitelist_from_rcvd@gold.com   gold.com
DRY> trusted_networks  gold.com ( via the IP address }

DRY> and the incoming email header looks like (xxx added by me)

DRY> Received: ...
DRY> From: "Dagnija Ragland" <[EMAIL PROTECTED]>
DRY> To: "Hashim Ojeda" <[EMAIL PROTECTED]>

DRY> will the email be treated as "white" and get scored a -100 accordingly?

No, since the From is not from anything at gold.com.
(BTW, the correct syntax would be
> whitelist_from_rcvd [EMAIL PROTECTED] gold.com
)

For whitelist_from_rcvd to get scored, the From address must match
that first glob pattern (eg: [EMAIL PROTECTED]), and the last trusted
received header (in your case received ... by email1.gold.com) must be
from the domain name listed in the second parameter (gold.com).

Your trusted_networks should probably not be the domain gold.com, but
rather the IP addresses of the two machines email1.gold.com =
relay1.gold.com and also kashmir.gold.com (plus any other email/relay
machines that might handle the email).

Bob Menschel





Trying to understand whitelist_from_rcvd

2005-07-13 Thread Dr Robert Young

If this is set in local.cf

whitelist_from_rcvd@gold.com   gold.com
trusted_networks  gold.com ( via the IP address }

and the incoming email header looks like (xxx added by me)

Received: from email1.gold.com (relay1.gold.com [xxx.xxx.xxx.xxx]) by 
kashmir.gold.com with SMTP (Microsoft Exchange Internet Mail Service 
Version 5.5.2653.13)

 id 3QYTCQ3J; Wed, 13 Jul 2005 16:46:03 -0400
Received: from jdfulwiler.com ([xxx.xxx.xxx.xxx])
 by email1.gold.com (8.12.10/8.12.10) with SMTP id j6DKkGNJ020346
 for <[EMAIL PROTECTED]>; Wed, 13 Jul 2005 16:46:17 -0400
Message-Id: <[EMAIL PROTECTED]>
From: "Dagnija Ragland" <[EMAIL PROTECTED]>
To: "Hashim Ojeda" <[EMAIL PROTECTED]>

will the email be treated as "white" and get scored a -100 accordingly?

It's the first "Received" line I am wondering about matching with the 
white list..





Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803
USA

WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970 Fax:1-803-641-0345
Email: [EMAIL PROTECTED]
"Source of Rdb Controller, software for database analysis &  
performance tuning"


Whitelist_from_rcvd help

2004-11-05 Thread Bret Miller
I have a message with headers:

Return-Path: <[EMAIL PROTECTED]>
Received: from host4.zenit.org ([209.239.41.228] verified)
  by wcg.org (CommuniGate Pro SMTP 4.2.3)
  with ESMTP id 10083237 for [EMAIL PROTECTED]; Thu, 04 Nov 2004
15:59:13 -0800
Received-SPF: none
 receiver=wcg.org; client-ip=209.239.41.228;
[EMAIL PROTECTED]
Received: by host4.zenit.org (Postfix on SuSE Linux SLES-7 (PPC), from
userid 510)
id 3CB1130515; Thu,  4 Nov 2004 18:56:44 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: ZE041104
Content-Type: multipart/alternative; boundary=boundary42
MIME-Version: 1.0
Date: Thu,  4 Nov 2004 18:55:01 -0500 (EST)
From: ZENIT <[EMAIL PROTECTED]>
Message-id: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
X-Loop: [EMAIL PROTECTED]
X-Sequence: 137
Errors-To: [EMAIL PROTECTED]
Precedence: list
X-no-archive: yes
List-Id: 

Why wouldn't this trigger this:

whitelist_from_rcvd [EMAIL PROTECTED] zenit.org





Is it possible to use rules to imitate whitelist_from_rcvd?

2004-09-29 Thread John Schneider
I need to create a custom rule to imitate the action of whitelist_from_rcvd.

The reason I need to do this is because I have several networks where mail
originates for the same domain before it is received at our internal mail
server. 

Originally, I tried to use multiple whitelist_from_rcvd commands such as: 
whitelist_from_rcvd [EMAIL PROTECTED] lcinet.net 
whitelist_from_rcvd [EMAIL PROTECTED] telepacific.net 
Etc...

But, I found that the last statement overwrote the previous ones.

I also tried:
whitelist_from_rcvd [EMAIL PROTECTED] lcinet.net telepacific.net

If someone could help me with a rule for this it would be very much
appreciated! 

Thanks! - John




Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?

2004-09-24 Thread Kris Deugau
> On Fri, 24 Sep 2004 11:36:27 -0400 (EDT) "Dan Mahoney, System Admin"
> > The person running 1.2.3.4 has NO CLUE what they are doing.
> > 1.2.3.4 should RDNS to whatever the "hostname" value of that
> > machine is.  This should be the same as the HELO the machine uses
> > when talking out to the outside world.

Bob Apthorpe replied:
> No. HELO is only required to be a FQDN and to resolve to an A record.
> It does not have to match rDNS nor does it have to match the hostname
> of the actual server sending out the mail.

It might not be required or an RFC-ish "SHOULD", but any mail server
that HELO's as a name other than its FQDN is doing something very odd
anyway.

Dan's "should"'s are perfectly correct, and most well-behaved mail
systems with properly-configured DNS records do exactly that.

(Exceptions include the hosting server I administer at work, which
occupies most of a /26 except for a few IPs.  For some unknown reason,
it periodically gets mixed up about which IP is its "real" IP, and
starts initiating TCP/IP connections of all sorts from the highest
aliased IP instead.  Blech.  The machine is otherwise very
well-behaved.)

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!


Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?

2004-09-24 Thread Bob Apthorpe
On Fri, 24 Sep 2004 11:36:27 -0400 (EDT) "Dan Mahoney, System Admin" <[EMAIL PROTECTED]> wrote:

[snip]
> The person running 1.2.3.4 has NO CLUE what they are doing.  1.2.3.4 
> should RDNS to whatever the "hostname" value of that machine is.  This 
> should be the same as the HELO the machine uses when talking out to the 
> outside world.

No. HELO is only required to be a FQDN and to resolve to an A record. It
does not have to match rDNS nor does it have to match the hostname of
the actual server sending out the mail. HELO may be a dotted-quad per
the RFCs but only incompetents set their mail systems to do that and
that mail is often safely ignored.

This is better addressed on SPAM-L.

-- 
Bob Apthorpe


Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?

2004-09-24 Thread Dan Mahoney, System Admin
On Thu, 23 Sep 2004, Joe Smith wrote:
> *This message was transferred with a trial version of CommuniGate(tm) Pro*
> I'm using SpamAssassin 3.0 when I use whitelist_from_rcvd with domain names
> that reverse to only one possible domain it works just as it should. When the
> domain name is one that has multiple possibilities that it can reverse dns to
> then it doesn't work unless it happens to pick the domain name listed in my
> whitelist_rcvd_to entry. For example, if I create an entry for
> whitelist_from_rcvd [EMAIL PROTECTED] domain1.com but the server hosting
> domain1.com also hosts domain2.com, anotherdomain.com and anotherdomain.net,
> I have problems. Say the server that hosted email for the domain I wanted to
> whitelist had an ip of 123.123.123.1 and I did dig -x 123.123.123.1, it would
> give me all the various domains that that address is configured for.
>
> I think this is what's going on anyway. I looked at the output from
> spamassassin -D -t < problem then I notice that the rdns= is for one of the
> other domains hosted on the server and not the domain I would like to
> whitelist. When I examine the same output from a message that is working, the
> rdns= is the domain name that I specified in the whitelist_from_rcvd entry.
> Do I need to specify the IP address of the server using multiple dns entries
> to get whitelist_from_rcvd to work or should this not be an issue and I need
> to look at other reasons why this particular domain is causing problems.

Let me try to understand what you are saying.
You are saying that a server has multiple PTR records for a given ip, and 
that *that* is causing the problem --

So if 1.2.3.4 had PTR records for domainone.com. and domaintwo.com. and 
domainthree.com., and you had written a filter to whitelist 
domainone.com's email, but you found it didn't always work?

The person running 1.2.3.4 has NO CLUE what they are doing.  1.2.3.4 
should RDNS to whatever the "hostname" value of that machine is.  This 
should be the same as the HELO the machine uses when talking out to the 
outside world.

Assigning multiple addresses (A or PTR -- for the sake of this discussion 
there's no difference) to things makes them into a round-robin type thing. 
The possible answers will be handed out in cyclic order (at least, the 
first time they are queried), and then they are cached as long as the TTL 
value for the record -- which I've seen some caches override.

--
"Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intrigued!  I've never been so
in touch with my emotions!"
-AndrAIa as Hexadecimal, Reboot Episode 3.2.3
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?

2004-09-24 Thread Kris Deugau
Joe Smith wrote:
> I'm using SpamAssassin 3.0 when I use whitelist_from_rcvd with domain
> names that reverse to only one possible domain it works just as it
> should. When the domain name is one that has multiple possibilities
> that it can reverse dns to then it doesn't work unless it happens to
> pick the domain name listed in my whitelist_rcvd_to entry.

This is a DNS resolver library/client (not sure which) issue more than
anything else;  although it's also due in part to some admin being
slightly less clueful than usual in issuing multiple PTR records for a
single IP in the first place.

> For example,
> if I create an entry for whitelist_from_rcvd [EMAIL PROTECTED]
> domain1.com but the server hosting domain1.com also hosts
> domain2.com, anotherdomain.com and anotherdomain.net, I have
> problems. Say the server that hosted email for the domain I wanted to
> whitelist had an ip of 123.123.123.1 and I did dig -x 123.123.123.1,
> it would give me all the various domains that that address is
> configured for.

dig will, but many other resolvers won't- or at least, they'll just
return one random entry in much the same way they would return one IP
from a round-robin forward DNS lookup.

> Do I need to specify the IP address of the
> server using multiple dns entries to get whitelist_from_rcvd to work

You can try, but I don't think this will work.

> or should this not be an issue and I need to look at other reasons
> why this particular domain is causing problems.

:/  You need to contact the person/organization responsible for rDNS for
that IP, and get them to remove the multiple entries- preferably putting
in something like "hosted-rmx.hostingcompany.com" rather than the
multiple PTR records you're seeing now.

I don't recall if it's formalized in an RFC somewhere, but while any
number of domains can point to the same IP, the rDNS for that IP
*should* only point to ONE hostname - that hostname should be the FQDN
of that physical machine.

In the meantime, you'll have to work around this with custom local rules
that manually implement whitelist_from_rcvd functionality based on the
IP.  Or, just add whitelist_from_rcvd entries for each of the rDNS names
you see for this IP.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
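
A simplified model of the matching discussed in this thread and in Bob Menschel's earlier explanation (the From address must match the glob, and the rDNS of the relay handing mail to the trusted network must fall under the listed domain), added here as an example and not SpamAssassin's own code. The host names are constructed, and the suffix comparison of the rDNS name is this example's assumption; it shows why an IP with several PTR records matches only when the resolver happens to return the listed name.

```python
import fnmatch

def rcvd_whitelisted(from_addr, relay_rdns, entries):
    """Simplified model of whitelist_from_rcvd (assumption, not SA code):
    the From address must match the glob AND the rDNS of the relay that
    handed the mail to the trusted network must be the listed domain or
    a host under it."""
    addr = from_addr.lower()
    rdns = (relay_rdns or "").lower().rstrip(".")
    for glob, domain in entries:
        domain = domain.lower()
        if not fnmatch.fnmatchcase(addr, glob.lower()):
            continue  # From address does not match this entry
        if rdns == domain or rdns.endswith("." + domain):
            return True
    return False

def match_per_ptr(from_addr, ptr_names, entries):
    """Outcome for each PTR name a resolver might hand back for one IP."""
    return {name: rcvd_whitelisted(from_addr, name, entries)
            for name in ptr_names}

# Constructed sample data: one hosting IP carrying several PTR records,
# as described in the thread (host names are placeholders).
PTRS = ["mail.domain1.com", "mail.domain2.com", "mail.anotherdomain.net"]
ONE_ENTRY = [("*@domain1.com", "domain1.com")]
ALL_ENTRIES = [("*@domain1.com", d)
               for d in ("domain1.com", "domain2.com", "anotherdomain.net")]

if __name__ == "__main__":
    # Only the PTR answer under domain1.com matches the single entry.
    print(match_per_ptr("joe@domain1.com", PTRS, ONE_ENTRY))
    # One entry per rDNS name makes the result independent of the answer.
    print(match_per_ptr("joe@domain1.com", PTRS, ALL_ENTRIES))
    # A matching From address arriving via an unlisted relay is not whitelisted.
    print(rcvd_whitelisted("joe@domain1.com", "dsl-host.example.net", ALL_ENTRIES))
```

Listing every PTR name, as in `ALL_ENTRIES`, makes the match stable but also accepts any host whose rDNS falls under those domains, so keep the From glob as narrow as the sender allows.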


Whitelist_from_rcvd and multiple DNS resolvers causing problems?

2004-09-23 Thread Joe Smith
*This message was transferred with a trial version of CommuniGate(tm) Pro*
I'm using SpamAssassin 3.0 when I use whitelist_from_rcvd with domain 
names that reverse to only one possible domain it works just as it 
should. When the domain name is one that has multiple possibilities 
that it can reverse dns to then it doesn't work unless it happens to 
pick the domain name listed in my whitelist_rcvd_to entry. For example, 
if I create an entry for whitelist_from_rcvd [EMAIL PROTECTED] domain1.com 
but the server hosting domain1.com also hosts domain2.com, 
anotherdomain.com and anotherdomain.net, I have problems. Say the 
server that hosted email for the domain I wanted to whitelist had an ip 
of 123.123.123.1 and I did dig -x 123.123.123.1, it would give me all 
the various domains that that address is configured for.

I think this is what's going on anyway. I looked at the output from 
spamassassin -D -t < problem then I notice that the rdns= is for one of 
the other domains hosted on the server and not the domain I would like 
to whitelist. When I examine the same output from a message that is 
working, the rdns= is the domain name that I specified in the 
whitelist_from_rcvd entry. Do I need to specify the IP address of the 
server using multiple dns entries to get whitelist_from_rcvd to work or 
should this not be an issue and I need to look at other reasons why 
this particular domain is causing problems. 



Request for custom rule to imitate whitelist_from_rcvd

2004-09-23 Thread John Schneider
 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I need to create a custom rule to imitate the action of whitelist_from_rcvd.

The reason I need to do this is because I have several networks where mail
originates for the same domain before it is received at our internal mail
server. 

Originally, I tried to use multiple whitelist_from_rcvd commands such as:
whitelist_from_rcvd [EMAIL PROTECTED] lcinet.net
whitelist_from_rcvd [EMAIL PROTECTED] telepacific.net
Etc...

But, we found the last entry overwrote the first.

(I also tried whitelist_from_rcvd [EMAIL PROTECTED] lcinet.net
telepacific.net etc)

If someone could help me with a rule for this it would be very much
appreciated! 
 
 
Regards,
 
 
 
John Schneider
-BEGIN PGP SIGNATURE-
Version: PGP 8.1

iQA/AwUBQVMVIZJSSuYw9x8KEQJ32wCfTB+XR9UEWRyKHtR9JH7vleGf+tAAn1Cp
eoougI+tRU9t7RjfQrT4I3w2
=Y03Z
-END PGP SIGNATURE-




