Andrew Xiang wrote: > I have many users in the whitelist_from in the local.cf. > When I get forwarded spam email like this, how do I find which one it > matched? If you want to know for sure, you can run it through spamassassin -D and wade through the debug output.
my guess is you've got a whitelist_from [EMAIL PROTECTED] or whitelist_from [EMAIL PROTECTED] that's matching. > Which FROM entry is it actually looking at? Well, it's looking at "all" of them. SpamAssassin will dig for any hints at the envelope sender, as well as the normal From: header.. It's going to be looking at the embedded envelope-from's in the Received: headers, as well as the From: header. In particular, the list for this message could be: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Depending on what hosts SA is set to trust. my guess is you've got a whitelist_from [EMAIL PROTECTED] or whitelist_from [EMAIL PROTECTED] that's matching. Don't use plain whitelist_from's unless you can't avoid it. Where possible, use whitelist_from_rcvd or whitelist_from_spf instead..
