[moving to -dev since it's an unusual issue]
Daniel Quinlan writes:
> This was in my spam corpus. Perhaps it is borderline, but reviewing the
> Received: headers, it does not seem this should have been considered a
> T_all_TRUSTED message regardless of how it is classified.
>
> I had two of these messages, but they were basically the same.
Interesting -- tricky case there.
So basically, it looks like mail.dropinsolutions.com is scanning outward
bound mail and sending it on as a report_safe-encapped attachment;
when it's then mass-checked, mass-check removes the markup and scans
just the message inside that.
That message uses this rcvd line:
Received: from klqe.net (unknown [192.168.50.50])
by mail.dropinsolutions.com (Postfix) with ESMTP
id 62F9114047; Sun, 15 Feb 2004 14:29:04 -0500 (EST)
which is an internal-only IP (192.168), so it should hit ALL_TRUSTED,
that's correct -- since the IP was trusted (or at least on the same
internal network) by the host that did the scanning.
The issue here is -- should mass-check be de-encapsulating this mail?
It wasn't encapped by *your* SpamAssassin installation. hmm.
Anyone got ideas on how to handle this?
--j.
