On Fri, Jan 23, 2009 at 1:30 PM, Mark Martinec <mark.martinec+ama...@ijs.si> wrote:
>> There were a few threads on the SA mailing list about it,
>> but I have been unable to find anything useful...
>> and all the SA chatter was complaining about not setting
>> up trust correctly which in my case is dependent on
>> amavisd and is correct.
>>
>> Like a lot of places we are getting spam like this:
>> From: u...@example.com
>> To: u...@example.com
>> (where my domain is example.com)
>>
>> The AWL is kicking in large negative scores even when the
>> mail is coming from netblocks never seen before (it keeps
>> track of /16's in the db) for mail supposedly from local users.
>>
>> This is an old installation that's been in service for some
>> time now and up until now, there's never been a problem
>> like this. Local mail is correctly marked ALL_TRUSTED and
>> filtering happens as expected.
>>
>> An upgrade for all of these components is in the works, so
>> if this is resolved in later releases it would help to know that
>> (and I'll go away).
>>
>> amavisd-new-2.5.2 (20070627)
>> SpamAssassin 3.2.4 on Perl 5.8.7
>> AWL in MySQL
>>
>> After reading the ChangeLogs for all these I don't see anything
>> directly relevant, and the AWL code in 3.2.5 isn't much different.
>>
>> My current thought is to write a plugin to counteract AWL's score
>> if it matches my criteria, but I'd rather fix the problem than the
>> symptom.
>
> Is the problem in that the spammer's IP address happens to fall
> into a /16 cidr range of your own networks? If yes, AWL would
> need to be modified to store more specific address. If not,
> this shouldn't be happening - you may want to take one such
> mail sample and run it through a command line spamassassin
> with debugging, and see why AWL behaves as it does:

Right, as I mentioned these are not in trusted netblocks (I
discovered the /16 thing in researching the issue).

> # su vscan -c 'spamassassin -t -D <0.msg'

I did do this before posting, but I'm missing something.

It claims to have found an entry for u...@example.com "w/o IP
address" (ip="none", I assume), even though searching the database
confirms that an entry like that does not exist (I looked at all
entries for u...@example.com). SA claims the weight of this
nonexistent entry is -187.24 which explains why the AWL is
subtracting a large amount. It then goes and adds the new /16 to
the db with a high score (38.844) as it should.

The AWL MyISAM table checks OK, is cleaned nightly and is
analyzed/optimized.

(If this has gone into SA-land and you consider it no longer
relevant to amavisd, please let me know and I'll try there...)

Thanks.
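The behaviour discussed in this thread (AWL entries keyed on sender address plus /16, and an entry "w/o IP address" being picked up for a netblock never seen before), as a simplified Python model added here; it is not SpamAssassin's or amavisd-new's code. The fallback to an ip="none" entry, the 0.5 factor, and the sample address, IPs and scores are assumptions of the example.

```python
"""Simplified model of an AWL lookup (assumption-based; not SpamAssassin code)."""

FACTOR = 0.5  # assumed value of the auto_whitelist_factor setting


def awl_key(email, ip):
    """Key an entry by sender address plus the first two octets (/16) of the IP."""
    octets = ip.split(".") if ip else []
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return (email.lower(), "none")
    return (email.lower(), ".".join(octets[:2]))


def awl_check(db, email, ip, score):
    """Return (adjustment, source) and record `score` under the /16 key.

    db maps (email, ip_prefix) -> [count, totscore].
    source is "exact", "none" (inherited from a no-IP entry) or "new".
    """
    key = awl_key(email, ip)
    entry, source = db.get(key), "exact"
    if entry is None:
        # Modelled fallback: an entry stored without an IP is moved to the
        # new /16 key, so its history applies to a netblock never seen before.
        noip = db.pop((key[0], "none"), None) if key[1] != "none" else None
        entry, source = (noip, "none") if noip else ([0, 0.0], "new")
    count, total = entry
    # Adjustment pulls the current score towards the stored mean.
    delta = ((total / count) - score) * FACTOR if count else 0.0
    db[key] = [count + 1, total + score]
    return round(delta, 3), source


def demo():
    # Constructed sample data: one no-IP entry with a strongly negative history.
    db = {("someone@example.com", "none"): [10, -50.0]}
    return [
        awl_check(db, "someone@example.com", "203.0.113.9", 30.0),   # unseen /16
        awl_check(db, "someone@example.com", "198.51.100.7", 30.0),  # unseen /16
        awl_check(db, "someone@example.com", "203.0.113.50", 30.0),  # seen /16
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the first message from an unseen /16 inherits the no-IP history and gets a large negative adjustment, while the second unseen /16 gets none because the no-IP entry has already been consumed.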