Re: External whitelist_from and blacklist_from lists
Sure. Add them to any .cf file.

On 11/16/2019 10:19 AM, Daryl Rose wrote:
> Can I have external whitelist_from and blacklist_from lists?
> Currently they're in the users_prefs file and are growing. I would
> prefer to have an external list and keep them out of the users_prefs
> file.
>
> Thanks
>
> Daryl

--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
External whitelist_from and blacklist_from lists
Can I have external whitelist_from and blacklist_from lists? Currently they're in the users_prefs file and are growing. I would prefer to have an external list and keep them out of the users_prefs file.

Thanks

Daryl
Re: Whitelist_from??
On 3/14/19 5:50 PM, @lbutlr wrote:
> I've been having a lot of problems with emails from comixology getting tagged
> as spam and then the message attachment is often, but not always, corrupt.
>
> Content analysis details:   (6.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
>                             no trust
>                             [54.240.13.78 listed in list.dnswl.org]
>  0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.]
>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.]
>  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
>                             mail domains are different
>  0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
>                             valid
>  0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
>                             MIME headers
>  0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
>  1.0 BODY_URI_ONLY          Message body is only a URI in one line of text or
>                             for an image
>  0.0 T_REMOTE_IMAGE         Message contains an external image
>
> The attached message when I open it starts:
>
> =23outlook A =7B PADDING-BOTTOM: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px=
> ; PADDING-TOP: 0px =7D
> BODY =7BPADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 100% =
> =21important; PADDING-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjus=
> t: 100%; -ms-text-size-adjust: 100%
> =7D
> =7D =20
>
> I added whitelist_auth comixology.com to local.cf and still had issues, so I
> also added whitelist_from comixology.com, but messages are still tagged as
> spam.
>
> From: Comics by comiXology
>
> But the messages are actually coming from amazon.com. I have these references
> to amazon in local.cf
>
> adsp_override amazon.com custom_high
> adsp_override amazon.com
> whitelist_auth *@amazon.com
>
> (not sure about the first two lines, don't recall those settings)

I would recommend using this if they hit SPF_PASS or DKIM_VALID_AU

    whitelist_auth *@*.comixology.com

If they don't have good SPF or DKIM like this one, then use:

    whitelist_from_rcvd *@*.comixology.com amazonses.com

The "amazonses.com" would be the part of the sending mail server's name when it has good FCrDNS. If that mail server doesn't have good FCrDNS, then use:

    whitelist_from_rcvd *@*.comixology.com [ip.ad.dr.ess]

whitelist_from should be the last option and I only use it on a full email address that is very unique so spammers won't be able to match that by accident from any source server or IP address.

--
David Jones
Re: Whitelist_from??
On 14 Mar 2019, at 22:03, @lbutlr wrote:
> On 14 Mar 2019, at 17:00, RW wrote:
>>
>> whitelist entries need to be globs that match an email address, not a
>> domain name.
>
> How sophisticated is SA's globbing?
>
> ^(\w+)([\-.'][\w]+)+@domain.tld$

For whitelist entries the match string is a simple glob, not a regex. "perldoc Mail::SpamAssassin::Conf" will tell you the details.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
Re: Whitelist_from??
On 14 Mar 2019, at 17:00, RW wrote:
>
> whitelist entries need to be globs that match an email address, not a
> domain name.

How sophisticated is SA's globbing?

^(\w+)([\-.'][\w]+)+@domain.tld$ ?

--
These are the thoughts that kept me out of the really good schools. -- George Carlin
Re: Whitelist_from??
On Thu, 14 Mar 2019 16:50:01 -0600 @lbutlr wrote:
> I've been having a lot of problems with emails from comixology
> getting tagged as spam and then the message attachment is often, but
> not always, corrupt.
...
> I added whitelist_auth comixology.com to local.cf and still had
> issues, so I also added whitelist_from comixology.com, but messages
> are still tagged as spam.

whitelist entries need to be globs that match an email address, not a domain name.
Whitelist_from??
I've been having a lot of problems with emails from comixology getting tagged as spam and then the message attachment is often, but not always, corrupt.

Content analysis details:   (6.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no trust
                            [54.240.13.78 listed in list.dnswl.org]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 1.0 BODY_URI_ONLY          Message body is only a URI in one line of text or for an image
 0.0 T_REMOTE_IMAGE         Message contains an external image

The attached message when I open it starts:

=23outlook A =7BPADDING-BOTTOM: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px=
; PADDING-TOP: 0px =7D
BODY =7BPADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 100% =
=21important; PADDING-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjus=
t: 100%; -ms-text-size-adjust: 100%
=7D
=7D =20

I added whitelist_auth comixology.com to local.cf and still had issues, so I also added whitelist_from comixology.com, but messages are still tagged as spam.

From: Comics by comiXology

But the messages are actually coming from amazon.com. I have these references to amazon in local.cf

adsp_override amazon.com custom_high
adsp_override amazon.com
whitelist_auth *@amazon.com

(not sure about the first two lines, don't recall those settings)

--
The night is always old. He'd walked too often down dark streets in the secret hours and felt the night stretching away, and known in his blood that while days and kings and empires come and go, the night is always the same age, always aeons deep. Terrors unfolded in the velvet shadows and while the nature of the talons may change, the nature of the beast does not. --Jingo
Re: [RESOLVED] Re: Usage of whitelist_from
On Tue, 16 Jun 2015 21:12:42 +0200 Bruno Costacurta wrote:
> Quoting RW rwmailli...@googlemail.com:
>> Your actual problem is that the rule isn't showing in the spamd debug. If postfix.org isn't in the From header then SA needs to find it in an appropriate envelope header. See the documentation for whitelist_from in the SA configuration man-page.
>
> Thanks for explanation. Now it is resolved.
> First, my previous sample about postfix.org. In fact the 'from' did not contain @postfix.org.
> ..
> In fact the header 'Sender' and 'Return-path' contains @postfix.org, but the 'From' on which I based my whitelist_from understanding, contains the sender email, not @postfix.org

It explains what's going on, but it's not really resolved since it implies that SA wasn't able to parse-out the envelope sender from the headers. It's best to fix that since it's used for other things besides whitelisting.

I'm guessing that postfix added Return-Path after SA processed the email. There needs to be a header with the envelope address in; Return-Path, X-Envelope-From, Envelope-Sender and X-Sender are supported by default, but you can tell SA the name of the header by setting envelope_sender_header in SA's config.
Re: [RESOLVED] Re: Usage of whitelist_from
>> It will if you enable SHORTCIRCUIT'ing of whitelist_from
>
> no it will not, it skips many rules which would not have any effect because the large negative score but it *will not* bypass

Technically it doesn't bypass SA but it effectively does the same thing. Depends on what you mean by bypass. If you don't want SA involved at all, then you are correct. If you want all your mail to go through SA and some safely and reliably skipped with minimal CPU hits, then you can do this with SHORTCIRCUIT and whitelist_auth/whitelist_from_rcvd.

There is a valid use for whitelist_from_spf and whitelist_from_dkim when you trust the sending mail server but you don't want to trust any mail server to send for that domain.
[RESOLVED] Re: Usage of whitelist_from
Quoting RW rwmailli...@googlemail.com:
> On Sat, 13 Jun 2015 21:25:02 +0200 Bruno Costacurta wrote:
>> Hello,
>> I setup the following into /etc/spamassassin/local.cf
>> whitelist_from *@postfix.org
>> But this seems not working as apparently spamassassin still process emails from *@postfix.org.
>
> If you don't want SpamAssassin to process an email you have to configure that in whatever glue passes the mail to SpamAssassin, whitelist_from just causes a rule to hit with a large negative score.
>
> Your actual problem is that the rule isn't showing in the spamd debug. If postfix.org isn't in the From header then SA needs to find it in an appropriate envelope header. See the documentation for whitelist_from in the SA configuration man-page.

Thanks for explanation. Now it is resolved.

First, my previous sample about postfix.org. In fact the 'from' did not contain @postfix.org. The postfix log shows :

(...)
postfix/qmgr[9892]: B3C30DA6040: from=owner-postfix-us...@postfix.org, size=7257, nrcpt=1 (queue active)
(...)

which confused me. In fact the header 'Sender' and 'Return-path' contains @postfix.org, but the 'From' on which I based my whitelist_from understanding, contains the sender email, not @postfix.org

Second, I understand now that whitelist_from just represent a large score, and does not bypass the email itself.

Thanks again
Bruno

--
LiCo : LinuxCounter Project
Get counted as a Linux user and register your linux boxes
http://linuxcounter.net/
Re: Usage of whitelist_from
Quoting Bowie Bailey bowie_bai...@buc.com:
> Did you restart spamd after making the change?
>
> --
> Bowie

Yes, spamassassin config was re-loaded

Under Linux Debian :
sudo systemctl reload spamassassin.service

--
LiCo : LinuxCounter Project
Get counted as a Linux user and register your linux boxes
http://linuxcounter.net/
Re: [RESOLVED] Re: Usage of whitelist_from
> Second, I understand now that whitelist_from just represent a large score, and does not bypass the email itself.

It will if you enable SHORTCIRCUIT'ing of whitelist_from. However, it is not recommended to use whitelist_from. Use whitelist_from_rcvd, or whitelist_auth instead to prevent spoofed addresses from passing through SA without being scored.

Also, never whitelist an address or domain that you filter for. Spammers commonly spoof the From: address to match the To: address just to try to hit bad whitelist entries like that. (Not saying you did but just a general rule of whitelisting.)

> Thanks again
> Bruno
Re: [RESOLVED] Re: Usage of whitelist_from
On 16.06.2015 at 22:11, David Jones wrote:
>> Second, I understand now that whitelist_from just represent a large score, and does not bypass the email itself.
>
> It will if you enable SHORTCIRCUIT'ing of whitelist_from

no it will not, it skips many rules which would not have any effect because the large negative score but it *will not* bypass

keep your fingers away of whitelist_from and use whitelist_auth, a sender which don't support SPF and/or DKIM don't deserve whitelisting

Jun 16 22:28:41 mail-gw spamd[5558]: spamd: result: . -100 - CUST_DNSWL_4,CUST_DNSWL_5,RCVD_IN_MSPIKE_H3,SHORTCIRCUIT,SHORTCIRCUIT_NET_HAM,USER_IN_SPF_WHITELIST scantime=0.2,size=48305,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=14dfe0dccca.50b.291017@ismtpd-066,autolearn=disabled,shortcircuit=ham
Re: Usage of whitelist_from
On Sat, 13 Jun 2015 21:25:02 +0200 Bruno Costacurta wrote:
> Hello,
> I setup the following into /etc/spamassassin/local.cf
> whitelist_from *@postfix.org
> But this seems not working as apparently spamassassin still process emails from *@postfix.org.

If you don't want SpamAssassin to process an email you have to configure that in whatever glue passes the mail to SpamAssassin, whitelist_from just causes a rule to hit with a large negative score.

Your actual problem is that the rule isn't showing in the spamd debug. If postfix.org isn't in the From header then SA needs to find it in an appropriate envelope header. See the documentation for whitelist_from in the SA configuration man-page.
Re: Usage of whitelist_from
On 6/14/2015 5:40 AM, Bruno Costacurta wrote:
> Quoting Benny Pedersen m...@junc.eu:
>> Reindl Harald wrote on 2015-06-13 21:29:
>>> On 13.06.2015 at 21:25, Bruno Costacurta wrote:
>>>> I setup the following into /etc/spamassassin/local.cf
>>>> whitelist_from *@postfix.org
>>>
>>> why /etc/spamassassin/local.cf?
>>> on most setups its /etc/mail/spamassassin/*.cf
>>
>> its opensource, so anyone can create their own problem to resolve with
>>
>> spamassassin -D --lint 2>&1 | less
>>
>> on the other hand whitelist_from is a problem in its own
>
> The location on file /etc/spamassassin/local.cf is correct. On Debian config files are located in /etc/spamassassin/* and there is a symbolic link from /etc/mail/spamassassin to /etc/spamassassin.
>
> spamassassin -D --lint 2>&1 returns :
> ..
> Jun 14 11:33:11.542 [2459] dbg: util: final PATH set to: /usr/bin:/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin
> Jun 14 11:33:11.871 [2459] dbg: config: read file /etc/spamassassin/local.pre
> Jun 14 11:33:11.873 [2459] dbg: config: read file /etc/spamassassin/local.cf
> ..
> Obviously /etc/spamassassin/local.cf is read.

Did you restart spamd after making the change?

--
Bowie
Re: Usage of whitelist_from
Quoting Benny Pedersen m...@junc.eu:
> Reindl Harald wrote on 2015-06-13 21:29:
>> On 13.06.2015 at 21:25, Bruno Costacurta wrote:
>>> I setup the following into /etc/spamassassin/local.cf
>>> whitelist_from *@postfix.org
>>
>> why /etc/spamassassin/local.cf?
>> on most setups its /etc/mail/spamassassin/*.cf
>
> its opensource, so anyone can create their own problem to resolve with
>
> spamassassin -D --lint 2>&1 | less
>
> on the other hand whitelist_from is a problem in its own

The location on file /etc/spamassassin/local.cf is correct. On Debian config files are located in /etc/spamassassin/* and there is a symbolic link from /etc/mail/spamassassin to /etc/spamassassin.

spamassassin -D --lint 2>&1 returns :
..
Jun 14 11:33:11.542 [2459] dbg: util: final PATH set to: /usr/bin:/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin
Jun 14 11:33:11.871 [2459] dbg: config: read file /etc/spamassassin/local.pre
Jun 14 11:33:11.873 [2459] dbg: config: read file /etc/spamassassin/local.cf
..
Obviously /etc/spamassassin/local.cf is read.

Bruno

--
LiCo : LinuxCounter Project
Get counted as a Linux user and register your linux boxes
http://linuxcounter.net/
Re: Usage of whitelist_from
Reindl Harald wrote on 2015-06-14 00:46:
> how about reading a whole thread *before* give useless answers as you are always doing - problem solved - it was just the wrong folder for local.cf - period

i showed generic help, if you dont like it, dont reply, at least dont show all others then you are fool
Re: Usage of whitelist_from
Quoting Reindl Harald h.rei...@thelounge.net:
> On 13.06.2015 at 21:25, Bruno Costacurta wrote:
>> I setup the following into /etc/spamassassin/local.cf
>> whitelist_from *@postfix.org
>
> why /etc/spamassassin/local.cf?
> on most setups its /etc/mail/spamassassin/*.cf

This is in fact /etc/mail/spamassassin/local.cf
On Debian there is a symbolic link to /etc/spamassassin

Bruno

--
LiCo : LinuxCounter Project
Get counted as a Linux user and register your linux boxes
http://linuxcounter.net/
Usage of whitelist_from
Hello,

I setup the following into /etc/spamassassin/local.cf

whitelist_from *@postfix.org

But this seems not working as apparently spamassassin still process emails from *@postfix.org.

Hereafter the log of my postfix server with the call to spamassassin via spamd. The spamassassin have been re-started after the whitelist setup.

(...)
postfix/postscreen[24527]: CONNECT from [168.100.1.7]:32583 to [x.x.x.x]:25
postfix/postscreen[24527]: PASS OLD [168.100.1.7]:32583
postfix/smtpd[24531]: connect from english-breakfast.cloud9.net[168.100.1.7]
postfix/smtpd[24531]: Anonymous TLS connection established from english-breakfast.cloud9.net[168.100.1.7]: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
postfix/smtpd[24531]: 47B3F17DE5FC: client=english-breakfast.cloud9.net[168.100.1.7]
postfix/cleanup[24536]: 47B3F17DE5FC: message-id=20150613130644.gg2...@mournblade.imrryr.org
postfix/qmgr[13140]: 47B3F17DE5FC: from=owner-postfix-us...@postfix.org, size=3902, nrcpt=1 (queue active)
spamd[20236]: spamd: connection from localhost.localdomain [127.0.0.1]:51878 to port 783, fd 5
spamd[20236]: spamd: setuid to spamfilter succeeded
spamd[20236]: spamd: processing message 20150613130644.gg2...@mournblade.imrryr.org for spamfilter:5001
postfix/smtpd[24531]: disconnect from english-breakfast.cloud9.net[168.100.1.7]
spamd[20236]: spamd: clean message (-1.9/2.0) for spamfilter:5001 in 0.3 seconds, 3826 bytes.
spamd[20236]: spamd: result: . -1 - BAYES_00,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL scantime=0.3,size=3826,user=spamfilter,uid=5001,required_score=2.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51878,mid=20150613130644.gg2...@mournblade.imrryr.org,bayes=0.00,autolearn=ham autolearn_force=no
postfix/pipe[24537]: 47B3F17DE5FC: to=tec...@xxx.xxx, relay=myspamd, delay=3.7, delays=3.4/0.01/0/0.33, dsn=2.0.0, status=sent (delivered via myspamd service)
postfix/qmgr[13140]: 47B3F17DE5FC: removed
postfix/pickup[24482]: B1F7F17DE601: uid=5001 from=owner-postfix-us...@postfix.org
postfix/cleanup[24536]: B1F7F17DE601: message-id=20150613130644.gg2...@mournblade.imrryr.org
postfix/qmgr[13140]: B1F7F17DE601: from=owner-postfix-us...@postfix.org, size=4271, nrcpt=1 (queue active)
spamd[20235]: prefork: child states: II
dovecot: lda(tec...@xxx.xxx): sieve: msgid=20150613130644.gg2...@mournblade.imrryr.org: stored mail into mailbox 'INBOX.miscellanous'
postfix/pipe[24541]: B1F7F17DE601: to=x...@xxx.xxx, relay=mydovecot, delay=0.1, delays=0.05/0.02/0/0.04, dsn=2.0.0, status=sent (delivered via mydovecot service)
postfix/qmgr[13140]: B1F7F17DE601: removed
(...)

Thanks for any clue or help

Bruno

--
LiCo : LinuxCounter Project
Get counted as a Linux user and register your linux boxes
http://linuxcounter.net/
Re: Usage of whitelist_from
On 13.06.2015 at 21:25, Bruno Costacurta wrote:
> I setup the following into /etc/spamassassin/local.cf
> whitelist_from *@postfix.org

why /etc/spamassassin/local.cf?
on most setups its /etc/mail/spamassassin/*.cf
Re: Usage of whitelist_from
Reindl Harald wrote on 2015-06-13 21:29:
> On 13.06.2015 at 21:25, Bruno Costacurta wrote:
>> I setup the following into /etc/spamassassin/local.cf
>> whitelist_from *@postfix.org
>
> why /etc/spamassassin/local.cf?
> on most setups its /etc/mail/spamassassin/*.cf

its opensource, so anyone can create their own problem to resolve with

spamassassin -D --lint 2>&1 | less

on the other hand whitelist_from is a problem in its own
Re: Usage of whitelist_from
On 14.06.2015 at 00:26, Benny Pedersen wrote:
> Reindl Harald wrote on 2015-06-13 21:29:
>> On 13.06.2015 at 21:25, Bruno Costacurta wrote:
>>> I setup the following into /etc/spamassassin/local.cf
>>> whitelist_from *@postfix.org
>>
>> why /etc/spamassassin/local.cf?
>> on most setups its /etc/mail/spamassassin/*.cf
>
> its opensource, so anyone can create their own problem to resolve with

how about reading a whole thread *before* give useless answers as you are always doing - problem solved - it was just the wrong folder for local.cf - period
RE: whitelist_from in user_prefs is not being processed.
That worked, many thanks.. Missing @ makes a difference ;)

-RIckH

-----Original Message-----
From: RW [mailto:rwmailli...@googlemail.com]
Sent: Thursday, March 12, 2015 11:44 AM
To: users@spamassassin.apache.org
Subject: Re: whitelist_from in user_prefs is not being processed.

On Thu, 12 Mar 2015 11:23:33 -0700 Rick Hantz \(TirNanOg\) wrote:
> However, none of the whitelist seems to get processed. Mail that should have a high negative number doesn't and ends up in the spam folder.
> whitelist_from 23andme.com
> ...
> whitelist_from *.aarp.com

try:

whitelist_from *@23andme.com
whitelist_from *@*.aarp.com

etc
Re: whitelist_from in user_prefs is not being processed.
On 03/12/2015 07:23 PM, Rick Hantz (TirNanOg) wrote:
> whitelist_from alfranken.com

bad syntax

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt

unwhitelist_from u...@example.com
    Used to override a default whitelist_from entry, so for example a distribution whitelist_from can be overridden in a local.cf file, or an individual user can override a whitelist_from entry in their own user_prefs file. The specified email address has to match exactly (although case-insensitively) the address previously used in a whitelist_from line, which implies that a wildcard only matches literally the same wildcard (not 'any' address).

    e.g.
        unwhitelist_from j...@example.com f...@example.com
        unwhitelist_from *@example.com

whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net
    Works similarly to whitelist_from, except that in addition to matching a sender address, a relay's rDNS name or its IP address must match too for the whitelisting rule to fire. The first parameter is a sender's e-mail address to whitelist, and the second is a string to match the relay's rDNS, or its IP address. Matching is case-insensitive.

    This second parameter is matched against the TCP-info information field as provided in a FROM clause of a trace information (i.e. the Received header field, see RFC 5321). Only the Received header fields inserted by trusted hosts are considered. This parameter can either be a full hostname, or the domain component of that hostname, or an IP address in square brackets. The reverse DNS lookup is done by a MTA, not by SpamAssassin.

    In case of an IPv4 address in brackets, it may be truncated on classful boundaries to cover whole subnets, e.g. [10.1.2.3], [10.1.2], [10.1], [10]. CIDR notation is currently not supported, nor is IPv6. The matching on IP address is mainly provided to cover rare cases where whitelisting of a sending MTA is desired which does not have a correct reverse DNS configured.

    In other words, if the host that connected to your MX had an IP address 192.0.2.123 that mapped to 'sendinghost.example.org', you should specify sendinghost.example.org, or example.org, or [192.0.2.123] or [192.0.2] here.

    Note that this requires that internal_networks be correct. For simple cases, it will be, but for a complex network you may get better results by setting that parameter.

    It also requires that your mail exchangers be configured to perform DNS reverse lookups on the connecting host's IP address, and to record the result in the generated Received header field according to RFC 5321.

    e.g.
        whitelist_from_rcvd j...@example.com example.com
        whitelist_from_rcvd *@axkit.org sergeant.org
        whitelist_from_rcvd *@axkit.org [192.0.2.123]
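A small Python model of the matching rules quoted above, added here as an illustration (it is not SpamAssassin's code and not part of any post): the address glob used by whitelist_from, and the address-plus-relay test of whitelist_from_rcvd. It also covers the glob-versus-regex question from the "Whitelist_from??" thread. Function names are hypothetical, the sender addresses and relay names are constructed, and the model takes one sender and one relay as given, whereas SpamAssassin extracts them from the headers and trusted Received lines.

```python
import re

def glob_to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one; everything else,
    including regex metacharacters, is taken literally."""
    parts = []
    for ch in pattern.lower():
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def addr_matches(pattern, address):
    """whitelist_from test: the glob must cover the whole address, ignoring case."""
    return glob_to_regex(pattern).fullmatch(address.lower()) is not None

def relay_matches(spec, rdns, ip):
    """Second whitelist_from_rcvd parameter against one relay's rDNS name and IP."""
    spec = spec.lower()
    if spec.startswith("[") and spec.endswith("]"):
        prefix = spec[1:-1]
        # Truncation is per whole octet: [192.0.2] covers 192.0.2.x, not 192.0.20.x.
        return ip == prefix or ip.startswith(prefix + ".")
    rdns = rdns.lower()
    # Full hostname, or a domain component of it (must start at a label boundary).
    return rdns == spec or rdns.endswith("." + spec)

def rcvd_whitelisted(entry, sender, rdns, ip):
    """entry is (address glob, relay spec), as on a whitelist_from_rcvd line."""
    addr_glob, relay_spec = entry
    return addr_matches(addr_glob, sender) and relay_matches(relay_spec, rdns, ip)

# Constructed senders checked against entries quoted on this page.
ADDRESS_CASES = [
    ("23andme.com", "news@23andme.com"),            # bare domain is not an address glob
    ("*@23andme.com", "news@23andme.com"),
    ("*@*.aarp.com", "info@email.aarp.com"),
    ("*@sailthru.com", "bounce@mx.sailthru.com"),   # subdomain is not covered
    (r"^(\w+)([\-.'][\w]+)+@domain.tld$", "john.doe@domain.tld"),  # regex read literally
]

# (entry, sender, relay rDNS, relay IP); rDNS names and IPs are constructed.
RELAY_CASES = [
    (("*@axkit.org", "sergeant.org"), "matt@axkit.org", "mail.sergeant.org", "192.0.2.123"),
    (("*@axkit.org", "sergeant.org"), "matt@axkit.org", "mail.notsergeant.org", "198.51.100.7"),
    (("*@axkit.org", "[192.0.2]"), "matt@axkit.org", "", "192.0.2.123"),
    (("*@axkit.org", "[192.0.2]"), "matt@axkit.org", "", "192.0.20.5"),
    (("*@*.comixology.com", "amazonses.com"), "no-reply@e.comixology.com",
     "out1.smtp-out.amazonses.com", "192.0.2.10"),
    (("*@*.comixology.com", "amazonses.com"), "no-reply@e.comixology.com",
     "mail.forger.example", "198.51.100.7"),        # forged From, wrong relay
]

def run_cases():
    addr = [addr_matches(p, a) for p, a in ADDRESS_CASES]
    relay = [rcvd_whitelisted(e, s, r, i) for e, s, r, i in RELAY_CASES]
    return addr, relay

if __name__ == "__main__":
    addr, relay = run_cases()
    for (p, a), hit in zip(ADDRESS_CASES, addr):
        print(f"whitelist_from {p!r} vs {a!r}: {hit}")
    for (e, s, r, i), hit in zip(RELAY_CASES, relay):
        print(f"whitelist_from_rcvd {e} vs {s} via {r or '-'} [{i}]: {hit}")
```

The last relay case is the reason the replies on this page prefer whitelist_from_rcvd to whitelist_from: the forged sender address matches the glob, but the relay does not.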
Re: whitelist_from in user_prefs is not being processed.
On Thu, 12 Mar 2015 11:23:33 -0700 Rick Hantz \(TirNanOg\) wrote:
> However, none of the whitelist seems to get processed. Mail that should have a high negative number doesn't and ends up in the spam folder.
> whitelist_from 23andme.com
> ...
> whitelist_from *.aarp.com

try:

whitelist_from *@23andme.com
whitelist_from *@*.aarp.com

etc
Re: whitelist_from in user_prefs is not being processed.
On 12.03.2015 at 19:23, Rick Hantz (TirNanOg) wrote:
> My mail is hosted on Lunarpages.com on my own domain. I train SpamAssassin frequently. However, I get hundreds of spam messages daily (500-700). This is an old public account that I need to maintain, otherwise I’d delete it. After a while, the tokens files get corrupt, so I delete them and start over. (I start getting a lot of spam missed). To filter most everything, I set the spam level at -1. I maintain a whitelist in user_prefs, so I can easily start over.
>
> However, none of the whitelist seems to get processed. Mail that should have a high negative number doesn’t and ends up in the spam folder.
>
> Any ideas or workarounds?

without logs - no
whitelist_from in user_prefs is not being processed.
My mail is hosted on Lunarpages.com on my own domain. I train SpamAssassin frequently. However, I get hundreds of spam messages daily (500-700). This is an old public account that I need to maintain, otherwise I'd delete it. After a while, the tokens files get corrupt, so I delete them and start over. (I start getting a lot of spam missed). To filter most everything, I set the spam level at -1. I maintain a whitelist in user_prefs, so I can easily start over.

However, none of the whitelist seems to get processed. Mail that should have a high negative number doesn't and ends up in the spam folder.

rewrite_header subject {SPAM _SCORE(0)_}
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
add_header all Level _STARS(*)_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header spam Flag _YESNOCAPS_
bayes_file_mode 0600
bayes_ignore_header X-MailScanner
bayes_ignore_header X-MailScanner-Information
bayes_ignore_header X-MailScanner-SpamCheck
bayes_ignore_header X-MailScanner-SpamScore
bayes_path /home/tirna3/.spamassassin/bayes
required_score -2.0
use_bayes 1
whitelist_from 23andme.com
whitelist_from aaawa.com
whitelist_from *.aarp.com
whitelist_from *.airportparkingreservations.com
whitelist_from alfranken.com
whitelist_from alternet.org
whitelist_from amazon.com
whitelist_from amcustomercare.att-mail.com
whitelist_from autobytel.com
whitelist_from boldprogressives.org
whitelist_from *.care2.com
whitelist_from *.charbroil.com
whitelist_from cnet.online.com
whitelist_from *.consumerlab.com
whitelist_from *.costco.com
whitel .

Any ideas or workarounds?

Thanks,
Rick
Re: whitelist_from in user_prefs is not being processed.
On March 12, 2015 11:10:13 PM Rick Hantz \(TirNanOg\) rick...@tirnanog.com wrote:
> In my user_prefs file, I have: (see resulting header below)
>
> whitelist_from mailto:*@sailthru.com

read perldoc Mail::SpamAssassin::Conf

note whitelist_from allows forged senders, if possible use whitelist_auth instead
Re: whitelist_from in user_prefs is not being processed.
In my user_prefs file, I have: (see resulting header below) whitelist_from mailto:*@sailthru.com whitelist_from mailto:*@e.washingtonpost.com Do I also need whitelist_from mailto:*@*.sailthru.com ? Appreciate all the help. -RickH Return-path: deliv...@mx.sailthru.com Envelope-to: rickhan!!tirnanog.com Delivery-date: Thu, 12 Mar 2015 14:21:53 -0700 Received: from mx-washpost-a.sailthru.com ([192.64.237.165]:50811) by coeus.lunarmania.com with esmtp (Exim 4.82) (envelope-from deliv...@mx.sailthru.com) id 1YWAYA-0004uL-M3 for rickhan!!tirnanog.com; Thu, 12 Mar 2015 14:21:53 -0700 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; s=mt; d=pmta.sailthru.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe ; bh=/lxmlrJQKq6fl1OmIaekS84ZalE=; b=Rqtg31H8M0M7AiYslW+Ts/cy/igfo2wn6vw+km/vpsEAUcEi9s+m9aDCfLzoG7L5upSDBWrzwo 83 sT7eKPwz4iPAa7fB2PMzLJpDmExu1qv7lN5xKl2JLLrOjlVQQiKhoXAIxRfp/e2KUi4LkdTpSiEr y5gMs8tOcZis8Icxo2E= Received: from nyp1-p-p4136-prd-jma-04.sailthru.pvt (64.34.57.233) by mx-washpost-a.sailthru.com id h081mu1qqbs6 for rick...@tirnanog.com; Thu, 12 Mar 2015 17:21:50 -0400 (envelope-from deliv...@mx.sailthru.com) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; t=1426195310; s=sailthru; d=e.washingtonpost.com; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe ; bh=h1kKlRHR3FV/7FTdYTfMs9u9pPrGdkNPKUp05V1qrVk=; b=B/lK29y/CHuHLJ/uY/BZCgCN0XZsku3MaOW/I+KGW/Xqd9NA5jdxyRG3Fz0eq5Cj u5F0C3Q+vuIparPPdGqqBEifv6bCdVWN92wBDOslNf9qHyJeJpn43LatKbWsw3+nvuR EEBdWGj2tt1nSrzqNlO64g+TdXMKltQWkxkHCaeA= Date: Thu, 12 Mar 2015 17:21:50 -0400 (EDT) From: The Washington Post em...@e.washingtonpost.com To: rickhan!!tirnanog.com Message-ID: 20150312212150.3994150.72...@sailthru.com Subject: News Alert: American with Ebola to be treated at National Institutes of Health MIME-Version: 1.0 Content-Type: multipart/alternative; boundary==_Part_1695_1383230446.1426195310303 Precedence: bulk X-TM-ID: 20150312212150.3994150.72694 
X-Info: Message sent by sailthru.com customer The Washington Post X-Info: We do not permit unsolicited commercial email X-Info: Please report abuse by forwarding complete headers to X-Info: ab...@sailthru.com X-Mailer: sailthru.com X-JMailer: nyp1-p-p4136-prd-jma-04.sailthru.pvt X-Unsubscribe-Web: http://link.washingtonpost.com/oc/54836cd23b35d0d5728c41ca2dlwm.1k3a/a618a63 9 List-Unsubscribe: http://link.washingtonpost.com/oc/54836cd23b35d0d5728c41ca2dlwm.1k3a/a618a6 39, mailto:unsubscribe_20150312212150.3994150.72...@mx.sailthru.com X-rpcampaign: sthiq3994150 X-Spam-Subject: ***SPAM*** News Alert: American with Ebola to be treated at National Institutes of Health X-Spam-Status: Yes, score=-0.5 X-Spam-Score: -4 X-Spam-Bar: / X-Spam-Flag: YES
Re: whitelist_from in user_prefs is not being processed.
On 12.03.2015 at 23:06, Rick Hantz (TirNanOg) wrote:
> In my user_prefs file, I have: (see resulting header below)
>
> whitelist_from mailto:*@sailthru.com
> whitelist_from mailto:*@e.washingtonpost.com
>
> Do I also need whitelist_from mailto:*@*.sailthru.com ?
>
> Return-path: deliv...@mx.sailthru.com

i guess all that mailto:; crap comes from sending HTML mails for whatever reason, besides that: @sailthru.com surely is not the same as @mx.sailthru.com
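A lint pass over a whitelist file that flags the mistakes discussed in this thread and earlier on the page: entries with no `@`, a pasted `mailto:` prefix, plain whitelist_from (forgeable), and whitelist_from entries covering a domain you receive mail for. This is an added example, not part of any post and not a SpamAssassin tool; the finding codes and function names are hypothetical, and the sample file and the local domain example.net are constructed.

```python
import re

# Directives whose arguments are sender-address globs. None = every argument is
# an address; 1 = only the first is (whitelist_from_rcvd's second is the relay).
ADDRESS_ARGS = {"whitelist_from": None, "whitelist_auth": None, "whitelist_from_rcvd": 1}

def glob_fullmatch(pattern, text):
    """'*' and '?' are wildcards, everything else literal; case-insensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern.lower())
    return re.fullmatch(rx, text.lower()) is not None

def audit(config_text, local_domains):
    """Return (line_no, entry, code) for each problem found in the config text."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split on spaces
        if len(fields) < 2 or fields[0] not in ADDRESS_ARGS:
            continue
        directive = fields[0]
        patterns = fields[1:][:ADDRESS_ARGS[directive]]
        for pat in patterns:
            codes = []
            if pat.lower().startswith("mailto:"):
                codes.append("MAILTO_PREFIX")      # prefix becomes part of the glob
            if "@" not in pat:
                codes.append("NO_AT_SIGN")         # a domain, not an address glob
            if directive == "whitelist_from":
                codes.append("FORGEABLE")          # no SPF/DKIM or relay check
                domain_glob = pat.rpartition("@")[2]
                if any(glob_fullmatch(domain_glob, d) for d in local_domains):
                    codes.append("OWN_DOMAIN")     # spoofed From == To would hit it
            findings.extend((line_no, pat, code) for code in codes)
    return findings

# Constructed sample, modelled on entries quoted in the threads above.
SAMPLE_PREFS = """\
# user_prefs (constructed sample)
required_score 5.0
whitelist_from 23andme.com
whitelist_from mailto:*@sailthru.com
whitelist_from *@example.net
whitelist_auth *@*.aarp.com
whitelist_from_rcvd *@axkit.org sergeant.org
"""

if __name__ == "__main__":
    for line_no, entry, code in audit(SAMPLE_PREFS, ["example.net"]):
        print(f"line {line_no}: {entry}: {code}")
```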
whitelist_from conditioned to hostname
Dear sir

is possible to specify a whitelist_from in local.cf limiting it for some hosts?

Example:

i want to whitelist my postmas...@foo.tld to avoid backscatter or bouce_message classifications, but want to limit this whitelist only if the sender is from my server, if the smtp client is something different than i trust i don't want to whitelist it.

Can i do that?

Thanks

--
/*/ nik600 http://www.kumbe.it
Re: whitelist_from conditioned to hostname
nik600 wrote on 2013-10-18 17:24:
> Can i do that?

sure:

whitelist_auth postmas...@example.org

whitelist_from allow forges, dont use it, its still candidate to be removed from spamassassin
Re: whitelist_from conditioned to hostname
On 18.10.13 17:24, nik600 wrote:
> is possible to specify a whitelist_from in local.cf limiting it for some hosts?

yes, use whitelist_from_rcvd for that. Note that applies to external mail, e.g. mail received from hosts not in your internal_network.

> i want to whitelist my postmas...@foo.tld to avoid backscatter or bouce_message classifications, but want to limit this whitelist only if the sender is from my server, if the smtp client is something different than i trust i don't want to whitelist it.

well, this it exactly what VBounce plugin is for, and you need to specify whitelist_bounce_relays for it to work.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: whitelist_from conditioned to hostname
nik600 wrote:
> is possible to specify a whitelist_from in local.cf limiting it for some hosts? Example: i want to whitelist my postmas...@foo.tld to avoid backscatter or bouce_message classifications, but want to limit this whitelist only if the sender is from my server, if the smtp client is something different than i trust i don't want to whitelist it.

whitelist_from_rcvd postmas...@foo.tld smtp.foo.tld

Note this requires you have properly configured reverse DNS on your server's IP.

-kgd
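The two matching questions raised in the threads above (does `*@sailthru.com` cover `@mx.sailthru.com`, and what does `whitelist_from_rcvd` add over `whitelist_from`), as an added example that is not part of any post and is not SpamAssassin's own code. It is a simplified Python model: the function names, the `Handover` type, the sender local parts and every relay name except `smtp.foo.tld` are constructed, and only the hostname and domain forms of the second `whitelist_from_rcvd` parameter are modelled.

```python
"""Simplified model of whitelist_from and whitelist_from_rcvd matching.
Added example with constructed data; not SpamAssassin's implementation."""
import re
from typing import NamedTuple


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Address globs know only '*' (any run) and '?' (one char); the rest is literal."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)


def addr_matches(sender: str, pattern: str) -> bool:
    """The whole address must match the glob, not just a part of it."""
    return glob_to_regex(pattern).fullmatch(sender) is not None


class Handover(NamedTuple):
    """Relay that passed the message from the internet to the internal network."""
    rdns: str  # reverse DNS name recorded by the receiving MTA, "" if it had none


def rdns_matches(relay: Handover, spec: str) -> bool:
    """spec is the relay's full hostname or a domain component of that hostname."""
    rdns, spec = relay.rdns.lower().rstrip("."), spec.lower().rstrip(".")
    if not rdns:
        return False  # no reverse DNS: the entry can never fire
    return rdns == spec or rdns.endswith("." + spec)


def whitelist_from(sender: str, patterns) -> bool:
    """Address-only check: whoever writes this sender address gets the whitelist."""
    return any(addr_matches(sender, p) for p in patterns)


def whitelist_from_rcvd(sender: str, relay: Handover, entries) -> bool:
    """Address AND handover relay must both match one (address, rdns) entry."""
    return any(addr_matches(sender, a) and rdns_matches(relay, s) for a, s in entries)


def demo() -> dict:
    res = {}
    # Constructed local part: the archive truncates the real Return-path address.
    sub = "delivery@mx.sailthru.com"
    res["bare-domain glob, subdomain sender"] = whitelist_from(sub, ["*@sailthru.com"])
    res["subdomain glob, subdomain sender"] = whitelist_from(sub, ["*@*.sailthru.com"])
    res["subdomain glob, bare-domain sender"] = whitelist_from(
        "news@sailthru.com", ["*@*.sailthru.com"])
    # A literal "mailto:" prefix in the entry becomes part of the pattern.
    res["entry with mailto: prefix"] = whitelist_from(sub, ["mailto:*@*.sailthru.com"])

    addr = "ops@foo.tld"                          # constructed sender address
    own = Handover("smtp.foo.tld")                # relay named in the thread
    other = Handover("host.elsewhere.example")    # constructed unrelated relay
    entry = [(addr, "smtp.foo.tld")]
    res["whitelist_from, any relay"] = whitelist_from(addr, [addr])
    res["rcvd, own relay"] = whitelist_from_rcvd(addr, own, entry)
    res["rcvd, other relay"] = whitelist_from_rcvd(addr, other, entry)
    res["rcvd, relay without rDNS"] = whitelist_from_rcvd(addr, Handover(""), entry)
    res["rcvd, lookalike domain"] = whitelist_from_rcvd(
        addr, Handover("mail.notfoo.tld"), [(addr, "foo.tld")])
    return res


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:40s} {'whitelisted' if hit else 'not whitelisted'}")
```
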
RE: whitelist_from in SQL not applied?
>>> 1: spamassassin 2>&1 -D --lint | less
>>> 2: perldoc Mail::SpamAssassin::Plugin::SPF
> could still be relevant problem if its added remotely and not locally, but this is why i asked
> 1: on above, can you post it to pastebin and give a link here ?

http://pastebin.com/xErBy0ej

> 2: is just informative to you what to configure in local.cf

Ok, will try whitelist_from_spf

> for the sql whitelist use same preferences as it would be in local.cf, and btw have you multiple sql users preferences or just one ?, is it really checking the right user ?

Just one user prefs in the DB for this user, how can't I be sure that it's checking the right user? Other whitelist_from all work

Thanks
RE: whitelist_from in SQL not applied?
Philippe Ratté wrote on 2013-02-19 16:15:
>> 1: spamassassin 2>&1 -D --lint | less
>> 2: perldoc Mail::SpamAssassin::Plugin::SPF
>> could still be relevant problem if its added remotely and not locally, but this is why i asked
>> 1: on above, can you post it to pastebin and give a link here ?
> http://pastebin.com/xErBy0ej

Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot use SPF

is this why whitelist_from are the only one that works ?

first get it to work from local.cf, if this is working move the same rule to sql is the right way to test

if envelope-from is non default, then set it in local.cf, info here perldoc Mail::SpamAssassin::Conf

postfix is using Return-Path, if you are using another mta you may change this in the settings so spf does not say it does not find envelope-from as above

>> 2: is just informative to you what to configure in local.cf
> Ok, will try whitelist_from_spf

i noticed you are using openprotect rule set with 99% deprecated rule sets :(

why not just use spamassassin rule sets ?

and a side note: don't loadplugin from a cf file, use pre files for loadplugin, see freemail error in your pastebin, it gets loaded twice :(

if you can add the missing perl modules then do it, but i can't remember if it solves problems, it depends on what to test

>> for the sql whitelist use same preferences as it would be in local.cf, and btw have you multiple sql users preferences or just one ?, is it really checking the right user ?
> Just one user prefs in the DB for this user, how can't I be sure that it's checking the right user? Other whitelist_from all work

let's solve envelope sender first
RE: whitelist_from in SQL not applied?
Benny,

> Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot use SPF
> is this why whitelist_from are the only one that works ?
> first get it to work from local.cf, if this is working move the same rule to sql is the right way to test
> if envelope-from is non default, then set it in local.cf, info here perldoc Mail::SpamAssassin::Conf
> postfix is using Return-Path, if you are using another mta you may change this in the settings so spf does not say it does not find envelope-from as above

I'm using qmail, along with qmail-scanner-st, and I just added a patch so that qmail adds the envelope-from to the headers

It works; this is what the first header now looks like:

Received: from mail-ve0-f193.google.com (209.85.128.193) by myserver.com (envelope-from u...@gmail.com) with SMTP; 19 Feb 2013 22:12:37 -

If I run spamassassin using these params, I don't see any SPF errors:

spamassassin -D email.msg 2>debug.log

[...]
Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message has a Received-SPF header that we can use
Feb 19 17:39:22.848 [10817] dbg: spf: using Mail::SPF for SPF checks
Feb 19 17:39:22.848 [10817] dbg: spf: checking HELO (helo=falcon594.startdedicated.com, ip=69.64.33.211)
Feb 19 17:39:22.850 [10817] dbg: dns: providing a callback for id: 55831/falcon594.startdedicated.com/SPF/IN
Feb 19 17:39:22.857 [10817] dbg: spf: query for /69.64.33.211/falcon594.startdedicated.com: result: none, comment: , text: No applicable sender policy available
Feb 19 17:39:22.858 [10817] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first external Received header
Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom (helo=falcon594.startdedicated.com, ip=69.64.33.211, envfrom=nore...@sonico.com)
Feb 19 17:39:22.859 [10817] dbg: dns: providing a callback for id: 65122/sonico.com/SPF/IN
Feb 19 17:39:22.941 [10817] dbg: spf: query for nore...@sonico.com/69.64.33.211/falcon594.startdedicated.com: result: fail, comment: Please see http://www.openspf.org/Why?s=mfromid=noreply%40sonico.comip=69.64.33.211r=myserver.com, text: Mechanism '-all' matched
Feb 19 17:39:22.948 [10817] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
Feb 19 17:39:22.949 [10817] dbg: rules: ran eval rule SPF_FAIL == got hit (1)
Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
Feb 19 17:39:23.222 [10817] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL == got hit: http://www.openspf.org;
[...]

However, if I run spamassassin 2>&1 -D --lint | less I still see the error:

Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender

> i noticed you are using openprotect rule set with 99% deprecated rule sets :(

/var/lib/spamassassin/3.002005/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.002005/saupdates_openprotect_com
/var/lib/spamassassin/3.002005/saupdates_openprotect_com.cf
/var/lib/spamassassin/3.003001/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.003001/saupdates_openprotect_com
/var/lib/spamassassin/3.003001/saupdates_openprotect_com.cf
/var/lib/spamassassin/3.002004/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.002004/saupdates_openprotect_com
/var/lib/spamassassin/3.002004/saupdates_openprotect_com.cf
/var/lib/spamassassin/3.003002/saupdates_openprotect_com.pre
/var/lib/spamassassin/3.003002/saupdates_openprotect_com
/var/lib/spamassassin/3.003002/saupdates_openprotect_com.cf

I can simply delete them, correct?

> why not just use spamassassin rule sets ?

Most likely from previous SA versions

Thanks for your help btw!
RE: whitelist_from in SQL not applied?
Philippe Ratté wrote on 2013-02-19 23:49:
> I'm using qmail, along with qmail-scanner-st, and I just added a patch so that qmail adds the envelope-from to the headers

?

> It works; this is what the first header now looks like:
> Received: from mail-ve0-f193.google.com (209.85.128.193) by myserver.com (envelope-from u...@gmail.com) with SMTP; 19 Feb 2013 22:12:37 -

received is not envelope-from

> If I run spamassassin using these params, I don't see any SPF errors:
> spamassassin -D email.msg 2>debug.log
> [...]
> Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message has a Received-SPF header that we can use

it reuse pypolicyd-spf here it does not use envelope-from

> However, if I run spamassassin 2>&1 -D --lint | less I still see the error:
> Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
> Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender

you did not fix spamassassin, just found a received-spf example does not show the problem

> I can simply delete them, correct?

yes

>> why not just use spamassassin rule sets ?
> Most likely from previous SA versions

:-)

> Thanks for your help btw!

wait until it works
RE: whitelist_from in SQL not applied?
On Tue, 19 Feb 2013, Philippe Ratté wrote:
> Benny,
>> Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot use SPF
>> is this why whitelist_from are the only one that works ?
>> first get it to work from local.cf, if this is working move the same rule to sql is the right way to test

[snip..]

> I'm using qmail, along with qmail-scanner-st, and I just added a patch so that qmail adds the envelope-from to the headers
> It works; this is what the first header now looks like:
> Received: from mail-ve0-f193.google.com (209.85.128.193) by myserver.com (envelope-from u...@gmail.com) with SMTP; 19 Feb 2013 22:12:37 -
> If I run spamassassin using these params, I don't see any SPF errors:
> spamassassin -D email.msg 2>debug.log
> [...]
> Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message has a Received-SPF header that we can use
> Feb 19 17:39:22.848 [10817] dbg: spf: using Mail::SPF for SPF checks
> Feb 19 17:39:22.848 [10817] dbg: spf: checking HELO (helo=falcon594.startdedicated.com, ip=69.64.33.211)
> Feb 19 17:39:22.850 [10817] dbg: dns: providing a callback for id: 55831/falcon594.startdedicated.com/SPF/IN
> Feb 19 17:39:22.857 [10817] dbg: spf: query for /69.64.33.211/falcon594.startdedicated.com: result: none, comment: , text: No applicable sender policy available
> Feb 19 17:39:22.858 [10817] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
> Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first external Received header

OK, this says that your envelope-from patch to qmail is working

> Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom (helo=falcon594.startdedicated.com, ip=69.64.33.211, envfrom=nore...@sonico.com)
> Feb 19 17:39:22.949 [10817] dbg: rules: ran eval rule SPF_FAIL == got hit (1)
> Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
> Feb 19 17:39:23.222 [10817] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL == got hit: http://www.openspf.org;
> [...]

this says that SA can now make valid decisions about whitelist_from_spf, so you should be good to go with using whitelist_from_spf

> However, if I run spamassassin 2>&1 -D --lint | less I still see the error:
> Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
> Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender

Don't worry about this error. When you do a --lint SA uses a special built-in test message for system configuration checking which has very little network related info, including lacking anything that it can use for Envelope-From detection.

Bottom line, this error is expected with --lint. As long as you get that found Envelope-From in... debug message when checking with live data you're OK.

Now, on with your whitelist testing.

-- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.edu College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
RE: whitelist_from in SQL not applied?
David B Funk wrote on 2013-02-20 01:18:
> On Tue, 19 Feb 2013, Philippe Ratté wrote:
>> Benny,
>>> Feb 19 10:02:25.354 [19195] dbg: spf: cannot get Envelope-From, cannot use SPF
>>> is this why whitelist_from are the only one that works ?
>>> first get it to work from local.cf, if this is working move the same rule to sql is the right way to test
> [snip..]
>> I'm using qmail, along with qmail-scanner-st, and I just added a patch so that qmail adds the envelope-from to the headers
>> It works; this is what the first header now looks like:
>> Received: from mail-ve0-f193.google.com (209.85.128.193) by myserver.com (envelope-from u...@gmail.com) with SMTP; 19 Feb 2013 22:12:37 -
>> If I run spamassassin using these params, I don't see any SPF errors:
>> spamassassin -D email.msg 2>debug.log
>> [...]
>> Feb 19 17:39:22.803 [10817] dbg: spf: checking to see if the message has a Received-SPF header that we can use
>> Feb 19 17:39:22.848 [10817] dbg: spf: using Mail::SPF for SPF checks

read perldoc Mail::SpamAssassin::Plugin::SPF was not fun when i say it :)

if you want to reuse that received-spf header then tell spf plugin to not use Mail::SPF and see more info on perldoc Mail::SpamAssassin::Conf for envelope-sender-header

>> Feb 19 17:39:22.848 [10817] dbg: spf: checking HELO (helo=falcon594.startdedicated.com, ip=69.64.33.211)
>> Feb 19 17:39:22.850 [10817] dbg: dns: providing a callback for id: 55831/falcon594.startdedicated.com/SPF/IN
>> Feb 19 17:39:22.857 [10817] dbg: spf: query for /69.64.33.211/falcon594.startdedicated.com: result: none, comment: , text: No applicable sender policy available
>> Feb 19 17:39:22.858 [10817] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
>> Feb 19 17:39:22.858 [10817] dbg: spf: found Envelope-From in first external Received header
> OK, this says that your envelope-from patch to qmail is working

but it still miss what header is the envelope-from ?, received-spf is not envelope-from

>> Feb 19 17:39:22.858 [10817] dbg: spf: checking EnvelopeFrom (helo=falcon594.startdedicated.com, ip=69.64.33.211, envfrom=nore...@sonico.com)
>> Feb 19 17:39:22.949 [10817] dbg: rules: ran eval rule SPF_FAIL == got hit (1)
>> Feb 19 17:39:22.950 [10817] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
>> Feb 19 17:39:23.222 [10817] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL == got hit: http://www.openspf.org;
>> [...]
> this says that SA can now make valid decisions about whitelist_from_spf, so you should be good to go with using whitelist_from_spf

+1

>> However, if I run spamassassin 2>&1 -D --lint | less I still see the error:
>> Feb 19 17:41:54.196 [11019] dbg: spf: cannot get Envelope-From, cannot use SPF
>> Feb 19 17:41:54.196 [11019] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
> Don't worry about this error. When you do a --lint SA uses a special built-in test message for system configuration checking which has very little network related info, including lacking anything that it can use for Envelope-From detection.

it was to detect loadplugin errors

> Bottom line, this error is expected with --lint. As long as you get that found Envelope-From in... debug message when checking with live data you're OK.
> Now, on with your whitelist testing.

yep but first test is in local.cf, when that works try sql problems :)
RE: whitelist_from in SQL not applied?
Philippe Ratté wrote on 2013-02-14 15:24:
> The mail came from 65.54.190.123 and it passes SPF
>> dont use whitelist_from, with that setting anyone can use that email as sender to get whitelisted, this is okay if you do spf testing in mta only, so spamassassin follow it as an ok, but not if you are not testing spf in mta
> What should I use, then?

1: spamassassin 2>&1 -D --lint | less
2: perldoc Mail::SpamAssassin::Plugin::SPF

> SPF is not checked at mta

ok

>> have you configured Mail::SPF to reuse mta spf (received-spf header) ?
> No

could still be relevant problem if it's added remotely and not locally, but this is why i asked

1: on above, can you post it to pastebin and give a link here ?
2: is just informative to you what to configure in local.cf

for the sql whitelist use same preferences as it would be in local.cf, and btw have you multiple sql users preferences or just one ?, is it really checking the right user ?
Re: whitelist_from in SQL not applied?
Philippe Ratté wrote on 2013-02-13 23:05:
> dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check

why does it not get pass when spf is okay ?

http://dmarcian.com/spf-survey/hotmail.com

> | 3485 | %domain.ca | whitelist_from | u...@hotmail.com |

don't use whitelist_from, with that setting anyone can use that email as sender to get whitelisted, this is okay if you do spf testing in mta only, so spamassassin follow it as an ok, but not if you are not testing spf in mta

have you configured Mail::SPF to reuse mta spf (received-spf header) ?
RE: whitelist_from in SQL not applied?
The mail came from 65.54.190.123 and it passes SPF

> dont use whitelist_from, with that setting anyone can use that email as sender to get whitelisted, this is okay if you do spf testing in mta only, so spamassassin follow it as an ok, but not if you are not testing spf in mta

What should I use, then? SPF is not checked at mta

> have you configured Mail::SPF to reuse mta spf (recieved-spf header) ?

No
whitelist_from in SQL not applied?
Hi,

We have our blacklist/whitelist stored in MySQL, has always worked fine, but I've got an issue where an email that is stored in whitelist_from (SQL) is not applied

Running spamassassin -D message 2>output.txt and I noticed this:

dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check

This mail is coming from u...@hotmail.com, and I verified Hotmail's SPF for the incoming IP and it's all good

My SQL query in local.cf looks like this:

user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC

The database contains this:

mysql> select * from userpref WHERE value = u...@hotmail.com;
+--------+------------+----------------+------------------+
| prefid | username   | preference     | value            |
+--------+------------+----------------+------------------+
| 3485   | %domain.ca | whitelist_from | u...@hotmail.com |
+--------+------------+----------------+------------------+
1 row in set (0.00 sec)

u...@hotmail.com has no USER_IN_WHITELIST applied while it should...

Any hints?

Thanks!
5000 x whitelist_from or whitelist_auth entries - performance hit?
I am planning on exporting a list of our client's email addresses into a file with 5000 separate lines as such:

whitelist_from cli...@somebody.co

I'm running an Apple XServe with Intel Xeon Quadcores and 6Gb RAM - processor fairly underutilised at the moment. Is 5000 whitelist entries expected to have a dramatic performance influence?

Also, further to this, will replacing the whitelist_from with whitelist_auth make a dramatic difference? Approximately what percentage of servers out there are configured correctly so that whitelist_auth works correctly?
Re: 5000 x whitelist_from or whitelist_auth entries - performance hit?
On 25.10.2011 at 09:51, SuperDuper wrote:
> I am planning on exporting a list of our client's email addresses into a file with 5000 separate lines as such:
> whitelist_from cli...@somebody.co
> I'm running an Apple XServe with Intel Xeon Quadcores and 6Gb RAM - processor fairly underutilised at the moment. Is 5000 whitelist entries expected to have a dramatic performance influence?
> Also, further to this, will replacing the whitelist_from with whitelist_auth make a dramatic difference? Approximately what percentage of servers out there arel configured correctly so that whitelist_auth works correctly?

you should choose another way for whitelisting, i.e. bypass spamassassin for trusted server ips etc

anyway why not using i.e. whitelist_from *@somebody.co ?

-- Best Regards Robert Schetterer Germany/Munich/Bavaria
Re: 5000 x whitelist_from or whitelist_auth entries - performance hit?
On Tue, 2011-10-25 at 00:51 -0700, SuperDuper wrote:
> I am planning on exporting a list of our client's email addresses into a file with 5000 separate lines as such:
> whitelist_from cli...@somebody.co

I do essentially the same thing with an SA plugin and rule plus a database.

Background: I archive all incoming and outgoing mail in a PostgreSQL database because it keeps my mail folders nice and empty while making access to archived mail somewhat faster than searching through mail folders is. The archive schema includes a view that contains only the addresses of people I've sent mail to. The plugin does lookups on this view and has an associated rule that whitelists hits by applying a suitably large negative score. The benefit of handling whitelisting this way is that updating is completely automatic and doesn't require SA to be stopped and restarted each time the list changes: every time I write or reply to a new correspondent they appear in the view.

Suggestion: there is nothing to stop the plugin from doing its lookups against a table provided that it contains at least the same column as the view and you have a way of keeping the table's contents up to date. The view looks like this:

create view whitelist as
  select distinct email
  from address a, addresstype t
  where a.archive='yes' and a.self = 'no'
    and a.sdbk=t.asdbk and t.type='To';

So a table like the following should be fine and is probably general enough for it to be used without modification by any RDBMS. Of course it can have other columns that help to maintain the table and/or make it useful for other related tasks, e.g. a client list:

create table whitelist (
  email varchar(80) primary key
);

If this sounds useful to you, the plugin is available here: http://www.libelle-systems.com/downloads/ma/docs/manual/whitelisting.html

I should probably package the plugin with a table definition and make it available for freestanding use but that hasn't happened yet: maybe I should make that my next mini-project.

Martin
Re: 5000 x whitelist_from or whitelist_auth entries - performance hit?
On Tue, 25 Oct 2011, Robert Schetterer wrote:
> Am 25.10.2011 09:51, schrieb SuperDuper:
>> I am planning on exporting a list of our client's email addresses into a file with 5000 separate lines as such:
>> whitelist_from cli...@somebody.co
> you should choose another way for whitelisting, i.e bypass spamassassin for trusted server ips etc

Seconded. MTAs typically have efficient facilities for white- or black-listing specific email addresses. Use the capabilities of your MTA and glue layer to completely bypass SA for those addresses since you _know_ you want to receive mail from them.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
False is the idea of utility that sacrifices a thousand real advantages for one imaginary or trifling inconvenience; that would take fire from men because it burns, and water because one may drown in it; that has no remedy for evils except destruction. The laws that forbid the carrying of arms are laws of such a nature. They disarm only those who are neither inclined nor determined to commit crime. -- Cesare Beccaria, quoted by Thomas Jefferson
---
320 days since the first successful private orbital launch (SpaceX)
Re: 5000 x whitelist_from or whitelist_auth entries - performance hit?
On Tue, 25 Oct 2011 11:21:07 +0200, Robert Schetterer wrote:
> you should choose another way for whitelisting, i.e bypass spamassassin for trusted server ips etc
> anyway why not using i.e. whitelist_from *@somebody.co ?

this open forges to numbers of equal senders recipient, never seen in my logs, so if mta is not checking sender auth then don't use whitelist_from, it's safe to use whitelist_auth
Re: 5000 x whitelist_from or whitelist_auth entries - performance hit?
On Tue, 25 Oct 2011 06:28:41 -0700 (PDT) John Hardin wrote:
> Seconded. MTAs typically have efficient facilities for white- or black-listing specific email addresses. Use the capabilities of your MTA and glue layer to completely bypass SA for those addresses since you _know_ you want to receive mail from them.

The downside to that is that it's not going through Bayes, so there's no auto-learning or atime updates. So when someone with a whitelisted address delegates, moves-on, or uses a different account, Bayes may be less well prepared than it would otherwise be.

I suspect that in some cases MTA whitelisting may actually lead to a worse FP rate than doing nothing - particularly where BAYES_00 has been given a more substantial score.
Re: 5000 x whitelist_from or whitelist_auth entries - performance hit?
On Tue, 25 Oct 2011, RW wrote:
> On Tue, 25 Oct 2011 06:28:41 -0700 (PDT) John Hardin wrote:
>> Seconded. MTAs typically have efficient facilities for white- or black-listing specific email addresses. Use the capabilities of your MTA and glue layer to completely bypass SA for those addresses since you _know_ you want to receive mail from them.
> The downside to that is that it's not going through Bayes, so there's no auto-learning or atime updates. So when someone with a whitelisted address delegates, moves-on, or uses a different account, Bayes may be less well prepared than it would otherwise be.
> I suspect that in some cases MTA whitelisting may actually lead to a worse FP rate than doing nothing - particularly where BAYES_00 has been given a more substantial score.

Modulo manual training with classified miss corpora, of course. I distrust autolearn, but then I've never administered SA in a large user environment.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George
---
320 days since the first successful private orbital launch (SpaceX)
Re: whitelist_from and whitelst_from_rcvd
thank you sir, i think this worked.

On 3/17/2010 3:26 AM, John Hardin wrote:
> On Tue, 16 Mar 2010, John Hardin wrote:
>> header POGO_CUSTOMER Received =~ /\(\...@pinoyonthego\.net\@[\d\.]+\).*by mail\.pinoyonthego\.net/
> Watch the line wrap on that...
Re: whitelist_from and whitelst_from_rcvd
hi sir,

yes i am using vchkpw to auth users. are you talking about using whitelist_auth? i have tried using that coz i have spf defined on my domain, but i am not sure if whitelist_auth is for that.

dig -t TXT pinoyonthego.net
;; QUESTION SECTION:
;pinoyonthego.net. IN TXT
;; ANSWER SECTION:
pinoyonthego.net. 604800 IN TXT v=spf1 a mx ip4:202.79.221.135 mx:mail.pinoyonthego.net -all

basically my setup is i just followed qmailrocks.org and now i am trying to understand how everything works which is quite alot of things to understand. :(

Ron

On 3/16/2010 12:51 AM, John Hardin wrote:
> On Tue, 16 Mar 2010, Ron wrote:
>> i think the only way to not scan outgoing mails in qmail is to add the users IP address to /etc/tcp.smtp, unfortunately my users are on dynamic IP that i cannot add it one by one.
> Are you authenticating your users in any way? There are ways to whitelist users who have authenticated against your MTA. Please check the list archives and the Wiki.
Re: whitelist_from and whitelst_from_rcvd
On Tue, 16 Mar 2010, Ron wrote:
> On 3/16/2010 12:51 AM, John Hardin wrote:
>> Are you authenticating your users in any way? There are ways to whitelist users who have authenticated against your MTA. Please check the list archives and the Wiki.
> yes i am using vchkpw to auth users. are you talking about using whitelist_auth? i have tried using that coz i have spf defined on my domain, but i am not sure if whitelist_auth is for that.

No, it's not. It's not going to be quite as simple as a one-line whitelist_* entry.

Can you post the Received: headers from a properly-authorized mail sent by one of your users from a dynamic IP address? I'll try to point out what you need to write a rule to detect and subtract points for.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Think Microsoft cares about your needs at all? A company wanted to hold off on upgrading Microsoft Office for a year in order to do other projects. So Microsoft gave a 'free' copy of the new Office to the CEO -- a copy that of course generated errors for anyone else in the firm reading his documents. The CEO got tired of getting the 'please re-send in XX format' so he ordered other projects put on hold and the Office upgrade to be top priority. -- Cringely, 4/8/2004
---
158 days since President Obama won the Nobel Not George W. Bush prize
Re: whitelist_from and whitelst_from_rcvd
thank you sir,

please see attached file. test header set score to 15 just to be able to send out, i have setup report_safe to but x-spam-report does not show up on the header, i can't tell what's causing all the points to increase.

regards
Ron

On 3/16/2010 11:16 PM, John Hardin wrote:
> On Tue, 16 Mar 2010, Ron wrote:
>> On 3/16/2010 12:51 AM, John Hardin wrote:
>>> Are you authenticating your users in any way? There are ways to whitelist users who have authenticated against your MTA. Please check the list archives and the Wiki.
>> yes i am using vchkpw to auth users. are you talking about using whitelist_auth? i have tried using that coz i have spf defined on my domain, but i am not sure if whitelist_auth is for that.
> No, it's not. It's not going to be quite as simple as a one-line whitelist_* entry.
> Can you post the Received: headers from a properly-suthorized mail sent by one of your users from a dynamic IP address? I'll try to point out what you need to write a rule to detect and subtract points for.
From - Tue Mar 16 23:27:53 2010
X-Account-Key: account7
X-UIDL: GmailId127679517268da5f
X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-Mozilla-Keys:
Delivered-To: nha...@gmail.com
Received: by 10.229.43.14 with SMTP id u14cs96637qce; Tue, 16 Mar 2010 08:27:39 -0700 (PDT)
Received: by 10.115.51.20 with SMTP id d20mr10746wak.151.1268753177038; Tue, 16 Mar 2010 08:26:17 -0700 (PDT)
Return-Path: nha...@pinoyonthego.net
Received: from mail.pinoyonthego.net ([202.79.221.135]) by mx.google.com with ESMTP id 1si13561053pxi.86.2010.03.16.08.26.15; Tue, 16 Mar 2010 08:26:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of nha...@pinoyonthego.net designates 202.79.221.135 as permitted sender) client-ip=202.79.221.135;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of nha...@pinoyonthego.net designates 202.79.221.135 as permitted sender) smtp.mail=nha...@pinoyonthego.net
Received: (qmail 24730 invoked by uid 1012); 16 Mar 2010 23:23:02 +0800
Received: from 116.87.219.30 by pog (envelope-from nha...@pinoyonthego.net, uid 1008) with qmail-scanner-1.25-st-qms (clamdscan: 0.87/1082. spamassassin: 3.3.0. perlscan: 1.25-st-qms. Clear:RC:0(116.87.219.30):SA:0(11.1/15.0):. Processed in 0.342791 secs); 16 Mar 2010 15:23:02 -
X-Spam-Status: No, hits=11.1 required=15.0
X-Spam-Level: +++
X-Antivirus-SILVERBACKASP-Mail-From: nha...@pinoyonthego.net via pog
X-Antivirus-SILVERBACKASP: 1.25-st-qms (Clear:RC:0(116.87.219.30):SA:0(11.1/15.0):. Processed in 0.342791 secs Process 24720)
Received: from cm30.zeta219.maxonline.com.sg (HELO ?192.168.1.107?) (nha...@pinoyonthego.net@116.87.219.30) by mail.pinoyonthego.net with SMTP; 16 Mar 2010 23:23:02 +0800
Message-ID: 4b9fa313.8030...@pinoyonthego.net
Date: Tue, 16 Mar 2010 23:26:11 +0800
From: nhadie nha...@pinoyonthego.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Ron nha...@gmail.com
Subject: mail from pog
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

mail from pog
Re: whitelist_from and whitelst_from_rcvd
On Tue, 16 Mar 2010, Ron wrote:
> please see attached file.

Is mail.pinoyonthego.net your MTA? If so, try this:

header POGO_CUSTOMER Received =~ /\(\...@pinoyonthego\.net\@[\d\.]+\).*by mail\.pinoyonthego\.net/
score POGO_CUSTOMER -1

Run in test for a while, if you only get hits on customer emails then drop it to -20 or so to offset the scores they are getting.

Note: this assumes that your MTA is putting this header into the emails before passing them on to SA. If it is not, then you're stuck. You'll need to figure out how to tell your MTA to not pass those messages to SA in the first place.

> regards Ron
> On 3/16/2010 11:16 PM, John Hardin wrote:
>> On Tue, 16 Mar 2010, Ron wrote:
>>> On 3/16/2010 12:51 AM, John Hardin wrote:
>>>> Are you authenticating your users in any way? There are ways to whitelist users who have authenticated against your MTA. Please check the list archives and the Wiki.
>>> yes i am using vchkpw to auth users. are you talking about using whitelist_auth? i have tried using that coz i have spf defined on my domain, but i am not sure if whitelist_auth is for that.
>> No, it's not. It's not going to be quite as simple as a one-line whitelist_* entry.
>> Can you post the Received: headers from a properly-suthorized mail sent by one of your users from a dynamic IP address? I'll try to point out what you need to write a rule to detect and subtract points for.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The United States has become a place where entertainers and professional athletes are mistaken for people of importance. -- Maureen Johnson Smith Long
---
158 days since President Obama won the Nobel Not George W. Bush prize
Re: whitelist_from and whitelst_from_rcvd
On Tue, 16 Mar 2010, John Hardin wrote: header POGO_CUSTOMER Received =~ /\(\...@pinoyonthego\.net\@[\d\.]+\).*by mail\.pinoyonthego\.net/ Watch the line wrap on that... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The United States has become a place where entertainers and professional athletes are mistaken for people of importance. -- Maureen Johnson Smith Long --- 158 days since President Obama won the Nobel Not George W. Bush prize
Re: whitelist_from and whitelst_from_rcvd
On Mon, 15 Mar 2010 21:43:03 +0800 Ron nha...@gmail.com wrote: Hi All, Newbie here, i have a qmail server, and i installed qmail-scanner+clav+spamassassin. I'm trying to allow all my users using whitelist_from but filter spoofed e-mail address using whitelist_from_rcvd. Whitelist rules whitelist, they don't filter. Not sure If i'm following the manual correctly, but here's what on local.cf internal_networks 202.79.221.135 trusted_networks 202.79.221.135 whitelist_from *...@imagetransforms.com whitelist_from_rcvd *...@imagetransforms.com mail.pinoyonthego.net This last line means whitelist *...@imagetransforms.com if it's received into your internal network from mail.pinoyonthego.net. mail.pinoyonthego.net isn't going to receive from mail.pinoyonthego.net so that wont work. And in any case your server is called ip135.silverbackasp.com since whitelist_from_rcvd uses reverse dns. but with that config, i'm still receiving spam e-mail with spoofed e-mail address, so i tried removing whitelist_from *...@imagetransforms.com and retained whitelist_from_rcvd, but when i send an e-mail i'm getting denied because my email was tagged as spam. Why is your outgoing mail identified as spam? Do you even want to be scanning this? another thing i'm confused is that there 2 Received From on the header, one from my IP address at home, and one which is the IP address of my qmail server. There's nothing unusual about that. You sent an email to gmail, your server added a header and gmail added a header
Re: whitelist_from and whitelst_from_rcvd
Hi Sir, Please see inline. Thank You On 3/16/2010 12:05 AM, RW wrote: On Mon, 15 Mar 2010 21:43:03 +0800 Ronnha...@gmail.com wrote: Hi All, Newbie here, i have a qmail server, and i installed qmail-scanner+clav+spamassassin. I'm trying to allow all my users using whitelist_from but filter spoofed e-mail address using whitelist_from_rcvd. Whitelist rules whitelist, they don't filter. Not sure If i'm following the manual correctly, but here's what on local.cf internal_networks 202.79.221.135 trusted_networks 202.79.221.135 whitelist_from *...@imagetransforms.com whitelist_from_rcvd *...@imagetransforms.com mail.pinoyonthego.net This last line means whitelist *...@imagetransforms.com if it's received into your internal network from mail.pinoyonthego.net. mail.pinoyonthego.net isn't going to receive from mail.pinoyonthego.net so that wont work. And in any case your server is called ip135.silverbackasp.com since whitelist_from_rcvd uses reverse dns. does this mean i have to add reverse DNS of IP address of my users where they send the mail from? does it also mean since they are on dynamic IP i won't be able to use this command? but with that config, i'm still receiving spam e-mail with spoofed e-mail address, so i tried removing whitelist_from *...@imagetransforms.com and retained whitelist_from_rcvd, but when i send an e-mail i'm getting denied because my email was tagged as spam. Why is your outgoing mail identified as spam? Do you even want to be scanning this? i think the only way to not scan outgoing mails in qmail is to add the users IP address to /etc/tcp.smtp, unfortunately my users are on dynamic IP that i cannot add it one by one. another thing i'm confused is that there 2 Received From on the header, one from my IP address at home, and one which is the IP address of my qmail server. There's nothing unusual about that. You sent an email to gmail, your server added a header and gmail added a header
Re: whitelist_from and whitelst_from_rcvd
On Mon, 15 Mar 2010, Ron wrote: whitelist_from *...@imagetransforms.com Do not do this. The From: address is trivially easy to spoof. You should not trust it to this degree. whitelist_from should only be used in unusual situations, when you know exactly why one of the other whitelist options won't work. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If guards and searches and metal detectors can't keep a gun out of a maximum-security solitary confinement prisoner's cell, how will a disciplinary policy and some signs keep guns out of a university? --- 157 days since President Obama won the Nobel Not George W. Bush prize
Re: whitelist_from and whitelst_from_rcvd
On Tue, 16 Mar 2010, Ron wrote: i think the only way to not scan outgoing mails in qmail is to add the users IP address to /etc/tcp.smtp, unfortunately my users are on dynamic IP that i cannot add it one by one. Are you authenticating your users in any way? There are ways to whitelist users who have authenticated against your MTA. Please check the list archives and the Wiki. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If guards and searches and metal detectors can't keep a gun out of a maximum-security solitary confinement prisoner's cell, how will a disciplinary policy and some signs keep guns out of a university? --- 157 days since President Obama won the Nobel Not George W. Bush prize
Re: whitelist_from questions
On 26/07/2009 04:00, McDonald, Dan wrote: From: Robert [mailto:list...@abbacomm.net] There are no doubt lots of ways, but how about: egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' | xargs dig | grep v=spf1 what is this supposed to do? select all of your whitelist_from entries, parse out the domain part, dig the TXT record for each domain, then display only the ones that have a v=spf1 notation. That would give you a list of all of the domains in your whitelist_from that could be migrated to whitelist_from_spf ... provided, as Matus pointed out, all your whitelist_from entries are nicely formatted one address per line, and provided you don't have any domain wildcards. If those two conditions aren't met then you'll have to do some extra mangling to extract the domains properly. It also only looks for TXT RRs, so if any of the target domains are using only SPF RRs it won't find them. John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages- www.tradoc.fr
Re: whitelist_from questions
Hi, I'm looking at an email that appears to be one of the users from the whitelist, but instead was from: From probesqt...@segunitb1.freeserve.co.uk Mon Jul 27 19:49:19 2009 Why can't a comparison be made between the From: info and the actual sender? Is this because of virtual domains and/or users? Thanks, Alex
Re: whitelist_from questions
MySQL Student wrote: Hi, I'm looking at an email that appears to be one of the users from the whitelist, but instead was from: From probesqt...@segunitb1.freeserve.co.uk Mon Jul 27 19:49:19 2009 Why can't a comparison be made between the From: info and the actual sender? Is this because of virtual domains and/or users? It's not done because this mismatch happens for nearly every mailing list in existence (including this one). Every message you get from this mailing list is From: the poster, but the envelope is from the apache list server's bounce handler. The To: header and Rcpt to: mismatch for similar reasons (To: will be the list, but RCPT TO will be your mailbox).
Re: whitelist_from questions
On 25.07.09 01:25, jida...@jidanni.org wrote: Actually there should be one or two more whitelists, so one can e.g., score -100 one's friends -10 one's schools -1 one's country we still have def_whitelist_* with score of -15. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. He who laughs last thinks slowest.
RE: whitelist_from questions
There are no doubt lots of ways, but how about: egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' | xargs dig | grep v=spf1 John. john, what is this supposed to do? - rh
RE: whitelist_from questions
From: Robert [mailto:list...@abbacomm.net] There are no doubt lots of ways, but how about: egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' | xargs dig | grep v=spf1 what is this supposed to do? select all of your whitelist_from entries, parse out the domain part, dig the TXT record for each domain, then display only the ones that have a v=spf1 notation. That would give you a list of all of the domains in your whitelist_from that could be migrated to whitelist_from_spf
Re: whitelist_from questions
On 24/07/2009 04:09, MySQL Student wrote: I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully. Can't you just look at the scores that the whitelisted messages are getting and see whether any would be close to being considered as spam without the -100 of the whitelist? [How best to do that depends on how you've integrated spamassassin into your mail setup, but grepping through logs ought to do it in most cases]. And perhaps a few carefully-chosen negative-scoring rules (for words or phrases common to your customer's business) might be a far more effective way of handling the rest. Is there a way to script that for the 1000 or so entries, to see which have SPF records? There are no doubt lots of ways, but how about: egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' | xargs dig | grep v=spf1 John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages- www.tradoc.fr
Re: whitelist_from questions
On 24/07/2009 04:09, MySQL Student wrote: I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully. Can't you just look at the scores that the whitelisted messages are getting and see whether any would be close to being considered as spam without the -100 of the whitelist? [How best to do that depends on how you've integrated spamassassin into your mail setup, but grepping through logs ought to do it in most cases]. And perhaps a few carefully-chosen negative-scoring rules (for words or phrases common to your customer's business) might be a far more effective way of handling the rest. Is there a way to script that for the 1000 or so entries, to see which have SPF records? There are no doubt lots of ways, but how about: On 24.07.09 08:58, John Wilcock wrote: egrep 'whitelist_from[^_]' local.cf | awk -F@ '{print $2 " TXT"}' | xargs dig | grep v=spf1
well
- addresses can contain wildcards
- more addresses can be at one line
- SPF records should be checked before TXT
the first issue is hard to avoid by scripting, others can be solved. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot.
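An added example, not code from any poster in this thread: a whitelist_from audit that copes with the caveats listed above (several addresses per line, wildcard domains) and reports which domains publish an SPF policy and so are candidates for whitelist_from_spf. The sample config, the TXT answers and all function names are constructed; the DNS lookup is injectable so the logic runs offline, and the default lookup shells out to `dig +short TXT`.

```python
import re
import subprocess

# Constructed local.cf excerpt; every address here is illustrative.
SAMPLE_CF = """\
whitelist_from alice@example.com bob@example.org
whitelist_from *@partner.example.net   # several per line, trailing comment
whitelist_from *@*.wild.example
whitelist_from_rcvd carol@example.edu mail.example.edu
whitelist_from_spf dave@example.com
  whitelist_from  erin@Example.COM
"""

# Constructed TXT answers standing in for DNS so the audit runs offline.
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 include:_spf.example.com -all"],
    "example.org": ["site-verification=constructed", "v=spf10 not-an-spf-record"],
    "partner.example.net": ["V=SPF1 mx ~all"],
}


def extract_domains(cf_text):
    """Return (domains, needs_review) taken from unconstrained whitelist_from lines.

    Only the bare whitelist_from directive is considered; whitelist_from_rcvd,
    whitelist_from_spf and friends are already constrained and are skipped.
    """
    domains, review = set(), set()
    for raw in cf_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not parts or parts[0] != "whitelist_from":
            continue
        for addr in parts[1:]:                    # several addresses may share a line
            _, sep, domain = addr.rpartition("@")
            domain = domain.lower().rstrip(".")
            if not sep or not domain or any(c in domain for c in "*?"):
                review.add(addr)                  # glob in the domain: no single name to query
            else:
                domains.add(domain)
    return sorted(domains), sorted(review)


def dig_txt(domain):
    """Default lookup: the TXT strings for a domain, via `dig +short TXT`."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, timeout=10).stdout
    records = []
    for line in out.splitlines():
        # One TXT record may be printed as several quoted chunks; join them.
        records.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line)))
    return records


def has_spf(txt_records):
    """True if any record is an SPF policy: 'v=spf1' alone or followed by a space.

    Only TXT is checked; the separate SPF RR type was retired by RFC 7208.
    A plain substring match would also accept 'v=spf10 ...'.
    """
    return any(r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")
               for r in txt_records)


def audit(cf_text, lookup=dig_txt):
    """Sort whitelisted domains into SPF publishers, non-publishers and manual review."""
    domains, review = extract_domains(cf_text)
    result = {"spf": [], "no_spf": [], "review": review}
    for domain in domains:
        result["spf" if has_spf(lookup(domain)) else "no_spf"].append(domain)
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_CF, lookup=lambda d: CONSTRUCTED_TXT.get(d, []))
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Domains in the `no_spf` bucket still need another constraint such as whitelist_from_rcvd, and entries in `review` have to be checked by hand.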
Re: whitelist_from questions
Actually there should be one or two more whitelists, so one can e.g., score -100 one's friends -10 one's schools -1 one's country
Re: whitelist_from questions
jida...@jidanni.org writes: Actually there should be one or two more whitelists, so one can e.g., score -100 one's friends -10 one's schools -1 one's country I have long wanted to be able to whitelist_from f...@bar -3.0 to have per-entry scores. Obviously though I haven't wanted it enough to write the code.
Re: whitelist_from questions
On Fri, 24 Jul 2009, Greg Troxel wrote: I have long wanted to be able to whitelist_from f...@bar -3.0 to have per-entry scores. Obviously though I haven't wanted it enough to write the code. How does this not work? header WL_FROM_FOO From =~ /\bf...@bar/i score WL_FROM_FOO -3.00 -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If healthcare is a Right means that the government is obligated to provide the people with hospitals, physicians, treatments and medications at low or no cost, then the right to free speech means the government is obligated to provide the people with printing presses and public address systems, the right to freedom of religion means the government is obligated to build churches for the people, and the right to keep and bear arms means the government is obligated to provide the people with guns, all at low or no cost. --- 13 days since a sunspot last seen - EPA blames CO2 emissions
Re: whitelist_from questions
John Hardin jhar...@impsec.org writes: On Fri, 24 Jul 2009, Greg Troxel wrote: I have long wanted to be able to whitelist_from f...@bar -3.0 to have per-entry scores. Obviously though I haven't wanted it enough to write the code. How does this not work? header WL_FROM_FOO From =~ /\bf...@bar/i score WL_FROM_FOO -3.00 It does, but doesn't it require allowing user rules? Plus, it's two lines for each whitelist_from_score entry, with a magic regexp.
Re: whitelist_from questions
On Fri, 24 Jul 2009, Greg Troxel wrote: John Hardin jhar...@impsec.org writes: On Fri, 24 Jul 2009, Greg Troxel wrote: I have long wanted to be able to whitelist_from f...@bar -3.0 to have per-entry scores. Obviously though I haven't wanted it enough to write the code. How does this not work? header WL_FROM_FOO From =~ /\bf...@bar/i score WL_FROM_FOO -3.00 It does, but doesn't it require allowing user rules? Yeah, but that requirement wasn't specified. Sorry. Plus, it's two lines for each whitelist_from_score entry, with a magic regexp. Yeah, the whitelist_* do a lot of magic in the background. This would get hard to manage for more than a few entries. I was assuming you only wanted to do a few. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If healthcare is a Right means that the government is obligated to provide the people with hospitals, physicians, treatments and medications at low or no cost, then the right to free speech means the government is obligated to provide the people with printing presses and public address systems, the right to freedom of religion means the government is obligated to build churches for the people, and the right to keep and bear arms means the government is obligated to provide the people with guns, all at low or no cost. --- 13 days since a sunspot last seen - EPA blames CO2 emissions
Re: whitelist_from questions
On Fri, 2009-07-24 at 11:57 -0700, John Hardin wrote: On Fri, 24 Jul 2009, Greg Troxel wrote: I have long wanted to be able to whitelist_from f...@bar -3.0 to have per-entry scores. Obviously though I haven't wanted it enough to write the code. First of all -- I don't like the term whitelist in this context. What's being discussed is a small, almost marginal adjustment to the score. Using whitelist for anything that low (even -1 has been mentioned previously) is just watering down the definition. That said, something like the above might be useful in some cases. Not that I ever felt the need for it, but still. Also, there are custom plugins [1] out there, which provide similar or related functionality -- and even are *much* easier to maintain for *users*, than the user_prefs. See the Addressbook and LDAPfilter plugins. The latter even mentions support for per-domain listings. However, I strongly agree with a note in the Addressbook plugin's description. This doesn't really work for all addresses (unless rcvd or auth constrained, sic!). It is a common spammer pattern to send From forged address A, to Recipient A, B and C at the same domain. Thus, giving negative scores to your family, friends or co-workers is in some cases likely to result in FNs. Anyway, I hope everyone who really needs and uses whitelisting, also has the ShortCircuit plugin enabled. If you deliberately WHITE-list, why waste more cycles on the mail? [1] http://wiki.apache.org/spamassassin/CustomPlugins -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: whitelist_from questions
On Fri, July 24, 2009 20:10, John Hardin wrote: On Fri, 24 Jul 2009, Greg Troxel wrote: I have long wanted to be able to whitelist_from f...@bar -3.0 to have per-entry scores. Obviously though I haven't wanted it enough to write the code. How does this not work? header WL_FROM_FOO From =~ /\bf...@bar/i score WL_FROM_FOO -3.00 another example: whitelist_from_spf f...@bar -3.0 only give -3.0 if spf pass or whitelist_from_dkim f...@bar -3.0 same for dkim or both whitelist_from_auth f...@bar -3.0 i still wonder why so many don't care more about forged senders :( good such bad plugin does not exist, it's bad enough that whitelist_from does -- xpoint
Re: whitelist_from questions
On 22/07/2009 17:48, MySQL Student wrote: So, forever I have been using whitelist_from and have probably a thousand entries. Firstly, before you convert all these to whitelist_from_rcvd, perhaps you ought to ask yourself whether you really need 1000 entries on your whitelist. Does mail from these addresses actually get miscategorised as spam, or would SA get it right without the whitelist? Secondly, don't forget about whitelist_from_spf. If a domain has an SPF record, this is a better solution than whitelist_from_rcvd as it avoids the need for *you* to work out which are the outgoing servers. Lastly, if you do use whitelist_from_rcvd, remember that there may be multiple outgoing servers for a given domain, and worse they may change over time. John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages- www.tradoc.fr
Re: whitelist_from questions
Hi, Firstly, before you convert all these to whitelist_from_rcvd, perhaps you ought to ask yourself whether you really need 1000 entries on your whitelist. I'm surprised you were the first to make that very comment, so thanks. Does mail from these addresses actually get miscategorised as spam, or would SA get it right without the whitelist? Mail was being tagged as spam, and the organization became concerned that others would be tagged, so it seemed anytime there was a high-profile external business contact that they couldn't risk being tagged, they had it added to the whitelist. The list used to be much larger until we spent quite a while (months and months) going through it with them to prune it. I don't doubt that if we removed a substantial amount of them that SA would do what's right, but there doesn't seem to be any scientific way to do that successfully. Secondly, don't forget about whitelist_from_spf. If a domain has an SPF record, this is a better solution than whitelist_from_rcvd as it avoids the need for *you* to work out which are the outgoing servers. Is there a way to script that for the 1000 or so entries, to see which have SPF records? Lastly, if you do use whitelist_from_rcvd, remember that there may be multiple outgoing servers for a given domain, and worse they may change over time. Yeah, I thought of that too, so it doesn't sound like that's going to work well here. Thanks, Alex
whitelist_from questions
Hi all, Some time ago someone had mentioned to never use whitelist_from but instead use whitelist_from_rcvd. Where is whitelist_from_rcvd documented? It doesn't appear in the SA docs in the same place that whitelist_from is listed. So, forever I have been using whitelist_from and have probably a thousand entries. Given that it doesn't appear to be well documented, Is it okay to do a one-to-one translation of my whitelist_from rules to whitelist_from_rcvd? Do these entries have to be in local.cf, or can I create a whitelist_from.cf file to place them in? Thanks, Alex
Re: whitelist_from questions
MySQL Student wrote: Hi all, Some time ago someone had mentioned to never use whitelist_from but instead use whitelist_from_rcvd. Where is whitelist_from_rcvd documented? It doesn't appear in the SA docs in the same place that whitelist_from is listed. So, forever I have been using whitelist_from and have probably a thousand entries. Given that it doesn't appear to be well documented, Is it okay to do a one-to-one translation of my whitelist_from rules to whitelist_from_rcvd? Do these entries have to be in local.cf, or can I create a whitelist_from.cf file to place them in? Thanks, Alex It is documented on the Mail::SpamAssassin::Conf man page just like whitelist_from. -- whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay's rDNS. This string is matched against the reverse DNS lookup used during the handover from the internet to your internal network's mail exchangers. It can either be the full hostname, or the domain component of that hostname. In other words, if the host that connected to your MX had an IP address that mapped to 'sendinghost.spamassassin.org', you should specify sendinghost.spamassassin.org or just spamassassin.org here. Note that this requires that internal_networks be correct. For simple cases, it will be, but for a complex network you may get better results by setting that parameter. It also requires that your mail exchangers be configured to perform DNS reverse lookups on the connecting host's IP address, and to record the result in the generated Received: header. e.g. whitelist_from_rcvd j...@example.com example.com whitelist_from_rcvd *...@axkit.org sergeant.org -- You can't just do a simple switch from one to another. You have to look at each address and determine where the mail will be coming from.
This way you are only whitelisting mail from that address if it comes from the correct servers. You can also use whitelist_auth (described a bit further down on the same man page) to whitelist addresses from domains that use SPF, Domain Keys, or DKIM, assuming you have the SPF and DKIM Perl modules installed (I'm too lazy to look up the module names at the moment). -- Bowie
Re: whitelist_from questions
It is documented on the Mail::SpamAssassin::Conf man page just like whitelist_from. Ugh, thanks. whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay’s rDNS. Okay, so for example if I was going to whitelist j...@orbitz.com, the appropriate line would be: whitelist_from_rcvd j...@orbitz.com psmtp.com psmtp.com is the domain that controls mail for orbitz, according to the MX records. Thanks, Alex
Re: whitelist_from questions
It is documented on the Mail::SpamAssassin::Conf man page just like whitelist_from. Ugh, thanks. whitelist_from_rcvd a...@lists.sourceforge.net sourceforge.net Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay’s rDNS. Okay, so for example if I was going to whitelist j...@orbitz.com, the appropriate line would be: whitelist_from_rcvd j...@orbitz.com psmtp.com psmtp.com is the domain that controls mail for orbitz, according to the MX records. psmtp.com may well, or may not handle their outgoing mail. MX records do not tell that. Often they are the same, but not necessarily always. You ought to look at the headers of a received email and see where it came from.
Whitelist_From Woes
We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron. I'm having problems getting a domain whitelisted. Previously, adding domains to be whitelisted simply meant adding a whitelist_from *...@domain.com to my /opt/MailScanner/etc/spam.assassin.prefs.conf file. Now, however, my maillog shows the messages as being marked as spam. Yesterday, I added a spam.whitelist.rules, which takes -100 down from the score, but the message is still marked as spam and not delivered: /var/log/maillog output: May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43) SO...I see the USER_IN_WHITELIST -100 score, but it never is delivered... Thoughts? Thanks, Mike
RE: Whitelist_From Woes
/var/log/maillog output: May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43) - Not trying to be rude here Mike, but your log entry actually answers your question. After all the scores are totaled you still have a score of 68.739 and you only allow 4. Seems to me you need to get the other issues fixed like going through the RE_PASSWORD filter twice. Regards, Pete To have principles... First have courage.. With principles comes integrity!!!
Re: Whitelist_From Woes
Well maybe you should figure out what is going on with these two: RE_PASSWORD 100.00, RE_PASSWORDV 100.00 since your choice of -100 (it is not a magic pass value, just another factor in the arithmetic) for your manual whitelist only counteracts one of them ... or run your manual whitelist score to an even larger value. In other words, you are apparently NOT having a problem getting the domain whitelisted - you are having a problem fully balancing the effects of spammy-ness elements in their mail. Michael Lyon mjl...@gmail.com 05/13/09 12:16 PM We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron. I'm having problems getting a domain whitelisted. Previously, adding domains to be whitelisted simply meant adding a whitelist_from *...@domain.com to my /opt/MailScanner/etc/spam.assassin.prefs.conf file. Now, however, my maillog shows the messages as being marked as spam. Yesterday, I added a spam.whitelist.rules, which takes -100 down from the score, but the message is still marked as spam and not delivered: /var/log/maillog output: May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43) SO...I see the USER_IN_WHITELIST -100 score, but it never is delivered... Thoughts? Thanks, Mike
Re: Whitelist_From Woes
On Wed, 2009-05-13 at 11:16 -0500, Michael Lyon wrote: We're using spamassassin 3.1.7 on a slack-10 box, invoked via cron. I suggest upgrading. That's quite ancient... I'm having problems getting a domain whitelisted. Previously, adding domains to be whitelisted simply meant adding a whitelist_from *...@domain.com to my /opt/MailScanner/etc/spam.assassin.prefs.conf file. Now, however, my maillog shows the messages as being marked as spam. Yesterday, I added a spam.whitelist.rules, which takes -100 down from the score, but the message is still marked as spam and not delivered: /var/log/maillog output: May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from 63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin (not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43) SO...I see the USER_IN_WHITELIST -100 score, but it never is delivered... As Peter said, your whitelist_from works just as expected. The issue is with *your* custom password rules, both scoring a whopping 100. So the solution is to fix these rules. Some more notes: It's generally better to use whitelist_from_rcvd if possible, and use that unconstrained one only as a last resort. Also, your custom rules' scores are *way* too high, unless you seriously want them to act as a kill-switch. In that case, they did as the score asked for. And of course, after fixing the custom rules, you will need to correct (or drop) the AWL entry for that address. As you can see, AWL even tried to rescue the email, lowering the score significantly. However, as one can see, too, the average already is quite high (due to triggering the password rules in the past), so that AWL will *add* points next time (without tripping over your password rules), unless cleaned.
guenther
Re: Whitelist_From Woes
Please always keep threads on-list by replying to list. I am not the only one, who can help you. On Wed, 2009-05-13 at 11:57 -0500, Michael Lyon wrote: But...how do I remove an autowhitelist entry for just one user? I have a rule that was duplicated and causing me problems (It was to prevent the Verify your password scams). See the options concerning the persistent address list in man spamassassin-run, in particular --remove-addr-from-whitelist. Now, I have just one of the Verify rules...I'd like to keep it at 100 so as to not ever let them get through, but the auto-whitelist score is pushing it back to Spam. Exactly what I predicted. Thus, remove that address from the AWL persistent address list database. I'd like to not AWL just the one domain if possible. Not possible. The AWL actually is just a historical score averager. In your case poisoned for that one address, fed with bad scores due to the custom password rules going berserk. Just correct that incident. Also, have a look here. http://wiki.apache.org/spamassassin/AutoWhitelist Apart from that, I strongly suggest revisiting your password rule(s). Obviously, they are hitting on mail they shouldn't, so they are too broad. Also, I still suggest lowering that score. Regarding the whitelisting: You aren't whitelisting your *own* domain, are you? That's a bad idea. Definitely unless using the variants with additional constraints, like whitelist_from_rcvd. guenther [ useless full-quote including sig snipped ] -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
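An added illustration, not code from any poster: the score arithmetic the replies above describe, applied to the MailScanner log line quoted in this thread. It parses the per-rule scores, recomputes the total with the whitelist contribution removed, and names rules that exceed the threshold on their own. The two extra log lines (assumed to follow the same layout as the quoted one), their scores and all function names are constructed.

```python
import re

# Log line quoted in the thread; the sender address is elided by the list archive.
THREAD_LINE = (
    "May 13 10:53:46 cerberus MailScanner[3309]: Message n4DFrTip004779 from "
    "63.93.193.30 (a...@easymatch.com) to saintjoe.edu is spam, SpamAssassin "
    "(not cached, score=68.739, required 4, AWL -33.17, BAYES_50 0.00, "
    "FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_MESSAGE 0.00, "
    "NO_REAL_NAME 0.96, RE_PASSWORD 100.00, RE_PASSWORDV 100.00, "
    "USER_IN_WHITELIST -100.00, X_PRIORITY_HIGH 0.43)"
)

# Constructed lines in the same layout, for the "would it pass without -100?" check.
CONSTRUCTED_LINES = [
    "May 13 11:02:10 mx MailScanner[1]: Message CONSTRUCTED0001 from 192.0.2.10 "
    "(news@example.com) to example.org is not spam, SpamAssassin (not cached, "
    "score=-93.5, required 4, BAYES_99 3.50, HTML_MESSAGE 0.00, "
    "MIME_HTML_ONLY 1.00, URIBL_BLACK 2.00, USER_IN_WHITELIST -100.00)",
    "May 13 11:05:44 mx MailScanner[1]: Message CONSTRUCTED0002 from 192.0.2.20 "
    "(boss@example.net) to example.org is not spam, SpamAssassin (not cached, "
    "score=-98.9, required 4, BAYES_50 0.80, HTML_MESSAGE 0.00, "
    "NO_REAL_NAME 0.30, USER_IN_WHITELIST -100.00)",
]

WHITELIST_RULES = {"USER_IN_WHITELIST", "USER_IN_DEF_WHITELIST",
                   "USER_IN_SPF_WHITELIST", "USER_IN_DKIM_WHITELIST"}

REPORT_RE = re.compile(r"SpamAssassin \((.*)\)\s*$")
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse(line):
    """Return {'score', 'required', 'rules'} for one log line, or None if it has no report."""
    m = REPORT_RE.search(line)
    if not m:
        return None
    report = {"score": None, "required": None, "rules": {}}
    for field in m.group(1).split(", "):
        if field.startswith("score="):
            report["score"] = float(field[len("score="):])
        elif field.startswith("required "):
            report["required"] = float(field[len("required "):])
        else:
            rule = RULE_RE.match(field)       # skips markers such as "not cached"
            if rule:
                report["rules"][rule.group(1)] = float(rule.group(2))
    if report["score"] is None or report["required"] is None:
        return None
    return report


def analyse(line):
    """Classify how much the whitelist hit mattered for one scanned message."""
    rep = parse(line)
    if rep is None:
        return None
    hits = {n: s for n, s in rep["rules"].items() if n in WHITELIST_RULES}
    without = rep["score"] - sum(hits.values())
    if not hits:
        verdict = "no_whitelist_hit"
    elif rep["score"] >= rep["required"]:
        verdict = "spam_despite_whitelist"         # -100 is arithmetic, not a pass
    elif without >= rep["required"]:
        verdict = "ham_only_because_whitelisted"   # entry is doing real work
    else:
        verdict = "whitelist_not_needed"           # candidate for pruning
    return {
        "verdict": verdict,
        "score": rep["score"],
        "score_without_whitelist": without,
        # Rules that cross the threshold alone act as a kill-switch.
        "kill_switch_rules": [n for n, s in rep["rules"].items()
                              if s >= rep["required"]],
    }


if __name__ == "__main__":
    for entry in [THREAD_LINE] + CONSTRUCTED_LINES:
        print(analyse(entry))
```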
USER_IN_WHITELIST triggered but whitelist_from* not in my config
Lately, we've been getting a bunch of spam with negative scores because it has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2 weeks ago I removed whitelist_from_rcvd. Could it still be triggering it? Maybe the spam was sent a few weeks ago and is just now being delivered to the users? Any ideas why?

Email head:

From: user
Subject: RE: Get your mind cleared from additional problems.
Date: November 12, 2008 11:25:03 AM MST
To: user
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on server
X-Spam-Level:
X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,
    HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
    MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,
    URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,
    USER_IN_WHITELIST autolearn=no version=3.1.9
Received: from Jolanta (host-81-190-116-29.gdynia.mm.pl [81.190.116.29])
    by server with SMTP id mACIP34L021551 for user;
    Wed, 12 Nov 2008 11:25:04 -0700
Mime-Version: 1.0
Content-Type: text/html

/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5.5
report_safe 0
rewrite_header Subject [SPAM]
use_auto_whitelist 0
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
use_razor2 1
use_pyzor 1
skip_rbl_checks 1
internal_networks 192.168.1/24
internal_networks 192.168.2/24
internal_networks 192.168.3/24
internal_networks 192.168.4/24
internal_networks 192.168.5/24
trusted_networks 192.168.1/24
trusted_networks 192.168.2/24
trusted_networks 192.168.3/24
trusted_networks 192.168.4/24
trusted_networks 192.168.5/24

-- View this message in context: http://www.nabble.com/USER_IN_WHITELIST-triggered-but-whitelist_from*-not-in-my-config-tp20470780p20470780.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: USER_IN_WHITELIST triggered but whitelist_from* not in my config
Nevermind. Someone has whitelisted our url in user-prefs.

robanna wrote:
> Lately, we've been getting a bunch of spam with negative scores because it has triggered USER_IN_WHITELIST but we don't use whitelist_from*. About 2 weeks ago I removed whitelist_from_rcvd. Could it still be triggering it? Maybe the spam was sent a few weeks ago and is just now being delivered to the users? Any ideas why?
>
> Email head:
>
> From: user
> Subject: RE: Get your mind cleared from additional problems.
> Date: November 12, 2008 11:25:03 AM MST
> To: user
> Return-Path: [EMAIL PROTECTED]
> X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on server
> X-Spam-Level:
> X-Spam-Status: No, score=-70.5 required=5.5 tests=BAYES_50,HTML_50_60,
>     HTML_EXTRA_CLOSE,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,
>     MIME_HTML_ONLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,PYZOR_CHECK,URIBL_AB_SURBL,
>     URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL,
>     USER_IN_WHITELIST autolearn=no version=3.1.9
> Received: from Jolanta (host-81-190-116-29.gdynia.mm.pl [81.190.116.29])
>     by server with SMTP id mACIP34L021551 for user;
>     Wed, 12 Nov 2008 11:25:04 -0700
> Mime-Version: 1.0
> Content-Type: text/html
>
> /local.cf
>
> # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
> # (see spamassassin(1) for details)
> # These should be safe assumptions and allow for simple visual sifting
> # without risking lost emails.
> required_hits 5.5
> report_safe 0
> rewrite_header Subject [SPAM]
> use_auto_whitelist 0
> # Enable the Bayes system
> use_bayes 1
> # Enable Bayes auto-learning
> bayes_auto_learn 1
> use_razor2 1
> use_pyzor 1
> skip_rbl_checks 1
> internal_networks 192.168.1/24
> internal_networks 192.168.2/24
> internal_networks 192.168.3/24
> internal_networks 192.168.4/24
> internal_networks 192.168.5/24
> trusted_networks 192.168.1/24
> trusted_networks 192.168.2/24
> trusted_networks 192.168.3/24
> trusted_networks 192.168.4/24
> trusted_networks 192.168.5/24

-- View this message in context: http://www.nabble.com/USER_IN_WHITELIST-triggered-but-whitelist_from*-not-in-my-config-tp20470780p20471035.html
whitelist_from not working
I'm using spamassassin 3.2.5. Now, I must a whitelist_from containing *@ foo.com in my local.cf. However, there are still 1 email that has been tagged as spam. In my understanding, if a domain was in whitelist_from, even if it was tagged as spam, it will delivered to the recipient. I restart the spamd after I edit local.cf so it must take effect. Is this the right way to whitelist? As I check, when using 3.2.5, this is the right way of whitelisting a domain.
Re: whitelist_from not working
On 29.10.08 17:18, Nelson Serafica wrote: I'm using spamassassin 3.2.5. Now, I must a whitelist_from containing *@ foo.com in my local.cf. However, there are still 1 email that has been tagged as spam. Only one? show the headers or upload it somewhere.. In my understanding, if a domain was in whitelist_from, even if it was tagged as spam, it will delivered to the recipient. No, It will have -100 points added, so it should get classified as not spam (ham). It seems does not work. I restart the spamd after I edit local.cf so it must take effect. Is this the right way to whitelist? As I check, when using 3.2.5, this is the right way of whitelisting a domain. -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have.
Re: whitelist_from not working
On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
> Is this the right way to whitelist? As I check, when using 3.2.5, this is the right way of whitelisting a domain.

the more i hear about whitelist_from the more i want to make a bug on it, whitelist_from should imho never have been implemented

use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, whitelist_from_rcvd

see perldocs how to make this

-- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: whitelist_from not working
Nelson Serafica wrote:
> I'm using spamassassin 3.2.5. Now, I must a whitelist_from containing [EMAIL PROTECTED] http://foo.com in my local.cf. However, there are still 1 email that has been tagged as spam. In my understanding, if a domain was in whitelist_from, even if it was tagged as spam, it will delivered to the recipient.

First, be aware that SpamAssassin itself does not directly cause messages to be deleted, rejected, or otherwise alter delivery. SpamAssassin itself *ONLY* tags. The way it inserts itself into the mail chain is very flexible, but gives SA no direct power over message delivery, so tagging is the only thing it can possibly do. If it were to try to delete the message, most mail tools would assume SA had crashed and recover the original, unscanned message and deliver that.

Therefore, there is nothing in the SpamAssassin configuration that can cause a message to be delivered even if it is tagged as spam. SA can only tag, or not tag.

whitelist_from causes messages to be hit with a -100 point rule named USER_IN_WHITELIST. This large negative score makes it more-or-less impossible for the message to be tagged as spam. Pretty much the only way to get SA to tag it when matching a whitelist would be to put a GTUBE test signature into the message.

Your previously posted example was working perfectly, in that the whitelist configuration caused SA to match USER_IN_WHITELIST, which generated a hugely negative score, and therefore was not tagged as spam. That's exactly what it should do.

If you've got something else that deletes mail when SA tags messages, then that is the tool you'd need to configure if you want the message to get tagged as spam, but still be delivered. Reconfiguring SA can't change this, because SA doesn't (and in fact can't) delete the messages.

> I restart the spamd after I edit local.cf so it must take effect. Is this the right way to whitelist? As I check, when using 3.2.5, this is the right way of whitelisting a domain.

whitelist_from is never the right way to do anything. It is horribly easy to forge. Use whitelist_from_rcvd, or preferably, whitelist in your tools that call SA, bypassing it entirely and saving CPU time.
Re: whitelist_from not working
Benny Pedersen wrote:
> On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
> > Is this the right way to whitelist? As I check, when using 3.2.5, this is the right way of whitelisting a domain.
>
> the more i hear about whitelist_from the more i want to make a bug on it, whitelist_from should imho never have been implemented

Agreed. whitelist_from sucks. However, it's there as a method of last-resort. There are some messages you can't whitelist in SA using any other method. (ie: when the sender's server doesn't have reverse DNS).

> use whitelist_auth, whitelist_from_spf, whitelist_from_dkim, whitelist_from_rcvd
>
> see perldocs how to make this

Agreed, and the man Mail::SpamAssassin::Conf section on whitelist_from (which should have been read in the first place) will tell you the same.
Re: whitelist_from not working
On Wed, Oct 29, 2008 at 08:24:25AM -0400, Matt Kettler wrote: There are some messages you can't whitelist in SA using any other method. (ie: when the sender's server doesn't have reverse DNS). You can use trusted_networks + ALL_TRUSTED to whitelist. Given of course that there aren't any dynamic IPs in the path.
Re: whitelist_from not working
From: Matt Kettler [EMAIL PROTECTED]
Date: Wed, 29 Oct 2008 08:24:25 -0400

> Benny Pedersen wrote:
> > On Wed, October 29, 2008 10:18, Nelson Serafica wrote:
> > > Is this the right way to whitelist? As I check, when using 3.2.5, this is the right way of whitelisting a domain.
> >
> > the more i hear about whitelist_from the more i want to make a bug on it, whitelist_from should imho never have been implemented
>
> Agreed. whitelist_from sucks. However, it's there as a method of last-resort. There are some messages you can't whitelist in SA using any other method. (ie: when the sender's server doesn't have reverse DNS).

Since whitelist_from is spoofable wouldn't it make sense to have different scores assigned to whitelist_from and whitelist_from_rcvd? Right now if an email is in either you get a hit on USER_IN_WHITELIST, which is scored at a -100 by default. So split out USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

-jeff
Re: whitelist_from not working
Jeff Mincy [EMAIL PROTECTED] writes:

> > Agreed. whitelist_from sucks. However, it's there as a method of last-resort. There are some messages you can't whitelist in SA using any other method. (ie: when the sender's server doesn't have reverse DNS).
>
> Since whitelist_from is spoofable wouldn't it make sense to have different scores assigned to whitelist_from and whitelist_from_rcvd? Right now if an email is in either you get a hit on USER_IN_WHITELIST, which is scored at a -100 by default. So split out USER_IN_RCVD_WHITELIST hits from USER_IN_WHITELIST.

I use whitelist_from to be sure I whitelist mail from some people (not part of my organization). For those addresses, it's better to get FN on spam than a single FP. I don't know what IP addresses they use, and they keep changing. So the 'better' whitelist rules won't work.

I have sometimes wanted a way to give a per-rule score for whitelist entries, instead of a fixed -100. But not enough to implement it :-)
Re: whitelist_from not working
On Wed, 29 Oct 2008, Matt Kettler wrote:
> Benny Pedersen wrote:
> > the more i hear about whitelist_from the more i want to make a bug on it, whitelist_from should imho never have been implemented
>
> Agreed. whitelist_from sucks. However, it's there as a method of last-resort. There are some messages you can't whitelist in SA using any other method. (ie: when the sender's server doesn't have reverse DNS).

I'm going to suggest again that, given how much pain it causes noobs, perhaps the use of whitelist_from should generate a lint _warning_ that it should only be used if no other whitelist method will work...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
2 days until Halloween
Re: whitelist_from not working
On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
> I'm going to suggest again that, given how much pain it causes noobs, perhaps the use of whitelist_from should generate a lint _warning_ that it should only be used if no other whitelist method will work...

The thing with noobs and whitelist_from (according to my experience on this list) appears to be a lack of reading. I got the impression most of them just blindly whitelist_from their own domain to be on the safe side, without any prior investigation and usually without any need.

I believe some of the recent threads like this clearly showed that SA has been set up right before that, for the first time, and this is kind of the very first customization...

guenther

-- char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: whitelist_from not working
On Wed, 29 Oct 2008, Karsten Bröckelmann wrote:
> On Wed, 2008-10-29 at 07:52 -0700, John Hardin wrote:
> > I'm going to suggest again that, given how much pain it causes noobs, perhaps the use of whitelist_from should generate a lint _warning_ that it should only be used if no other whitelist method will work...
>
> The thing with noobs and whitelist_from (according to my experience on this list) appears to be a lack of reading. I got the impression most of them just blindly whitelist_from their own domain to be on the safe side, without any prior investigation and usually without any need.

Agreed, and if they aren't reading the documentation carefully enough to see the warnings about using whitelist_from, then they probably aren't running a lint either...

However, if emitting a warning in lint saves having some "why are spams hitting USER_IN_WHITELIST??" messages sent to the list, it's probably worth doing.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
2 days until Halloween
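The lint-style warning proposed in this thread can be approximated outside SpamAssassin with a small audit of local.cf and user_prefs files, which would also have surfaced the stray user_prefs entry behind the USER_IN_WHITELIST thread above. This is an added example, not part of any post and not SpamAssassin's own code; the sample config, `OWN_DOMAINS` and the function names are assumptions.

```python
import re

# Constructed sample of a user_prefs / local.cf file (not taken from the thread).
SAMPLE_CF = """\
# user_prefs (constructed sample)
required_hits 5.5
whitelist_from *@example.org
whitelist_from newsletter@partner.example *@example.com
whitelist_from_rcvd *@lists.example.net lists.example.net
whitelist_auth *@vendor.example
whitelist_from old@legacy.example
unwhitelist_from old@legacy.example
"""

OWN_DOMAINS = ("example.com",)  # assumption: domains this site receives mail for


def glob_matches(pattern, address):
    """SpamAssassin address globs: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def audit_whitelist_from(cf_text, own_domains=OWN_DOMAINS):
    """Return [(line_no, pattern, severity)] for every active bare whitelist_from entry."""
    active = {}  # lowercased pattern -> (line_no, pattern as written)
    for line_no, raw in enumerate(cf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if not parts:
            continue
        if parts[0] == "whitelist_from":
            for pattern in parts[1:]:  # several addresses per line are allowed
                active.setdefault(pattern.lower(), (line_no, pattern))
        elif parts[0] == "unwhitelist_from":
            for pattern in parts[1:]:  # removes an identical earlier entry
                active.pop(pattern.lower(), None)
    findings = []
    for line_no, pattern in active.values():
        # "high": the glob accepts a sender address in one of our own domains,
        # so forged mail claiming to come from us would get the -100 score.
        own = any(glob_matches(pattern, "probe@" + d) for d in own_domains)
        findings.append((line_no, pattern, "high" if own else "warn"))
    return findings


if __name__ == "__main__":
    for line_no, pattern, severity in audit_whitelist_from(SAMPLE_CF):
        print(f"{severity}: line {line_no}: whitelist_from {pattern} matches on the "
              "sender address alone; prefer whitelist_from_rcvd or whitelist_auth")
```

Entries using whitelist_from_rcvd or whitelist_auth are deliberately not reported, since those are the constrained variants the replies recommend.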