Re: spam is marked as "user_in_whitelist"

Wed, 29 Nov 2006 07:44:34 -0800 


hey greg:

you got me there
i was looking at :


Received: from myserver ([127.0.0.1])
    by localhost (myserver [127.0.0.1]) (amavisd-new, port
10024)
    with ESMTP id TnlkYt9U0aRr for <myuser>;
    Wed, 29 Nov 2006 06:09:20 -0500 (EST)
Received: from 218-171-61-71.dynamic.hinet.net
(218-171-61-71.dynamic.hinet.net [218.171.61.71])
    by myserver (Postfix) with ESMTP id 76A9DC97AC
    for <myuser>; Wed, 29 Nov 2006 06:09:06 -0500 (EST)
Received: from insersudamerica.com (port=2457 helo=hhdyayyfbpavq)
    by 218-171-61-71.dynamic.hinet.net with smtp
    id 666-jMbg-4o
    for myuser; Wed, 29 Nov 2006 19:08:40 +0800



and i don't see the envelope-from field at all in the header
i can post the full header if that would help


-------- Original Message  --------
Subject: Re:spam is marked as "user_in_whitelist"
From: Greg Skouby <[EMAIL PROTECTED]>
To: users@spamassassin.apache.org
Date: 11/29/2006 10:27 AM

On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:

*keep getting the following spam
which spamassassin for some reason
give a scrore of -100 or - 70
keeps saying the user is in whitelist



Subject:* both of those that is of the people, of the Lord your words of
subject :me: a certain man that hear O house of man from among the land of our 
or other of similar context .. they look like quotes from the bible :)


with offers to buy  some crap  from
s a b a n z e n dot com

X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
    tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
    HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
    RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
    RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
    SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
    UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
i can't think of anything at this point aside from getting rid of the old whitelist and starting a new one. 




Hi Stas,
I am betting that the "envelope-sender" is the user that is in the whitelist and you are looking at the "from" address and thinking that the "from" address is not in the whitelist. We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100. 




--Greg

Reply via email to