Matthew Goodman wrote:

Why does spam continually get a “hit” on this rule? I noticed a lot more spam coming in off the upgrade to 3.2.4. Are spammers getting crafty with their mail messages to appear as coming from myself TO myself? I could always reduce the adjustment that USER_IN_WHITELIST makes. However, I’d like to avoid that if possible.

What’s up with that?


My guess is you did something many new users do: whitelist_from [EMAIL PROTECTED], or whitelist_from [EMAIL PROTECTED].

Spammers *FREQUENTLY* forge your domain as either the From: or the Return-Path, both of which will match the whitelist_from, causing USER_IN_WHITELIST to trigger.

In general, don't use whitelist_from. Period. It just looks at a single, trivially forged header. I'd generally suggest avoiding whitelists, but if you must, whitelist_from_rcvd is substantially better as it takes a second parameter that checks the reverse-DNS lookup of the first external host in the Received: headers. This is a little more difficult to configure properly, but it's also fairly difficult to forge if configured properly. Another good option, if you have SPF enabled and the sending domain has SPF, would be whitelist_from_spf. This takes a single parameter, but requires the email to match the SPF specs for the sending domain.

Regardless, USER_IN_WHITELIST will only trigger in response to a whitelist_from* type command, so it's definitely one of these that you explicitly added. There are some default whitelistings in SA, but they use the def_whitelist_* commands, which trigger USER_IN_DEF_WHITELIST instead.

Check your configs and see which whitelist command the spammers are abusing.
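As an added illustration (not from either poster), here is a local.cf fragment showing the weak setting beside the alternatives the reply describes; all addresses and hostnames are placeholders:

```conf
# local.cf (constructed example; addresses and hosts are placeholders)

# Weak: whitelist_from matches only the From:/Return-Path header, which a
# spammer can forge at will. Whitelisting your own domain this way means
# spam forged "from yourself" scores USER_IN_WHITELIST. Remove such lines:
#whitelist_from *@example.com
#whitelist_from me@example.com

# Better: whitelist_from_rcvd also requires the reverse DNS of the first
# external relay in the Received: headers to match the second parameter.
# Take that hostname from the Received: headers of a known-good message;
# trusted_networks must be set correctly for the "first external" relay
# to be identified.
whitelist_from_rcvd partner@example.net mail.example.net

# Better, when SPF checking is enabled and the sender's domain publishes
# an SPF record: the message must pass SPF for that domain.
whitelist_from_spf newsletter@example.org

# Entries shipped with SA use def_whitelist_* and score as
# USER_IN_DEF_WHITELIST, so a USER_IN_WHITELIST hit is always local config.
```

After editing, `spamassassin --lint` validates the syntax, and `grep -n '^whitelist_from ' local.cf` lists any remaining single-header entries.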
