Hello,
A spam just came through my server, and it got -100 from the rule
USER_IN_WHITELIST. But that is NOT in my white-list!
[EMAIL PROTECTED] spamassassin]# pwd
/etc/mail/spamassassin
[EMAIL PROTECTED] spamassassin]# grep -v "^#" *|grep -i white
local.cf:whitelist_to [EMAIL PROTECTED], [EMAIL PROTECTED]
local.cf:whitelist_from_rcvd * xxxx.com.br
local.cf:whitelist_from_rcvd * yyyy.com.br
local.cf:whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:whitelist_from [EMAIL PROTECTED]
local.cf:score USER_IN_WHITELIST -100.000
local.cf:score USER_IN_WHITELIST_TO -6.000
[EMAIL PROTECTED] spamassassin]#
The headers, as output by spamassassin -t < spam.eml:
X-UIDL: AAQoJ0/AAAwMQpjA/q4KWuUb7xhXNtYr
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: from mx01.xxxx.com.br ([200.xxx.xxx.xxx]) by exchange.xxxx.com.br with
        Microsoft SMTPSVC(5.0.2195.6713);
        Thu, 20 Nov 2003 16:48:48 -0200
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mx01.xxxx.com.br (Postfix) with ESMTP
        id BC109A65DE; Thu, 20 Nov 2003 16:47:14 -0200 (EDT)
Received: from mx01.xxxx.com.br ([127.0.0.1])
        by localhost (mx01.xxxx.com.br [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id 17784-01-17; Thu, 20 Nov 2003 16:47:14 -0200 (EDT)
Received: from xxxx.com.br (KH218-187-175-184.adsl.pl.apol.com.tw [218.187.175.184])
        by mx01.xxxx.com.br (Postfix) with SMTP
        id 351ADA65D5; Thu, 20 Nov 2003 16:47:10 -0200 (EDT)
From: "airbus2003" <"">
Subject: =?Big5?B?uvS49KTAqlI=?=
Content-Type: text/html
Date: Fri, 21 Nov 2003 00:05:21 +0800
X-Priority: 3
X-Library: Indy 9.0.3-B
Message-Id: <[EMAIL PROTECTED]>
To: undisclosed-recipients: ;
X-Virus-Scanned: by ClamAV at xxxx.com.br
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 20 Nov 2003 18:48:48.0080 (UTC) FILETIME=[EEAD5D00:01C3AF96]
X-Spam-Checker-Version: SpamAssassin 2.60-spambr_20030926a
        (1.212-2003-09-23-exp) on bat.xxxx.com.br
X-Spam-Level:
X-Spam-Status: No, hits=-84.9 required=8.2 tests=CHARSET_FARAWAY_HEADER,
        FRONTPAGE,HTML_60_70,HTML_CHARSET_FARAWAY,HTML_FONTCOLOR_BLUE,
        HTML_FONTCOLOR_GREEN,HTML_FONTCOLOR_RED,HTML_FONT_BIG,
        HTML_FONT_FACE_BAD,HTML_FONT_FACE_ODD,HTML_MESSAGE,
        MAILTO_TO_SPAM_ADDR,MAILTO_WITH_SUBJ,MIME_HEADER_CTYPE_ONLY,
        MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,PRIORITY_NO_NAME,UNDISC_RECIPS,
        UNWANTED_LANGUAGE_BODY,USER_IN_WHITELIST,X_LIBRARY autolearn=no
        version=2.60-spambr_20030926a
Content analysis details: (-84.9 points, 8.2 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 X_LIBRARY              Message has X-Library header
 1.2 UNDISC_RECIPS          Valid-looking To "undisclosed-recipients"
 0.1 HTML_60_70             BODY: Message is 60% to 70% HTML
 0.3 HTML_FONT_FACE_ODD     BODY: HTML font face is not a commonly used face
 0.1 HTML_FONTCOLOR_GREEN   BODY: HTML font color is green
 0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.4 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
 0.3 HTML_FONT_BIG          BODY: HTML has a big font
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
 0.7 FRONTPAGE              BODY: Frontpage used to create the message
 0.8 MIME_HTML_NO_CHARSET   RAW: Message text in HTML without charset
 0.0 MAILTO_WITH_SUBJ       URI: Includes a link to send a mail with a subject
 0.4 MAILTO_TO_SPAM_ADDR    URI: Includes a link to a likely spammer email
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 3.2 CHARSET_FARAWAY_HEADER A foreign language charset used in headers
 1.9 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
 0.5 HTML_CHARSET_FARAWAY   A foreign language charset used in HTML markup
 0.5 PRIORITY_NO_NAME       Message has priority setting, but no X-Mailer
mmmm....
Would the rule
local.cf:whitelist_from_rcvd * xxxx.com.br
be white-listing everything?
Thanks for any input. Regards,
--
Marcio Merlone
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
ICQ UIN #13746928 - Linux user #104911
[ "$error" -eq "0" ] && eval [ "\${$servidor}" -gt "$lim" ] || error=2
PII350 128MB RAM Voodoo4500 32MB Samsung 510s Quantum 6GB
M6x1,5 - 2 pcs W3/16"x1.1/4" - 1 pc + 2N3055 - 4 pcs
'95 Fiat Tipo 1.6 gasoline
'98 Suzuki Intruder 250 ditto
"Any nonsense or code written beneath an e-mail signature
looks like serious business."
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
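
An added example, not part of the original post and not SpamAssassin code: a Python check that lists whitelist entries whose address glob accepts every sender and evaluates the message above against each entry. It assumes the documented matching rule (address glob with `*` and `?`, relay rDNS equal to or under the listed domain) and makes no claim about how 2.60 actually evaluated the entry; the addresses in the sample and all function names are constructed.

```python
import re

# Constructed sample modelled on the post's local.cf; the addresses are
# placeholders because the archive redacted the real ones.
LOCAL_CF = """\
whitelist_from_rcvd * xxxx.com.br
whitelist_from_rcvd * yyyy.com.br
whitelist_from_rcvd user@example.net sourceforge.net
whitelist_from friend@example.org
"""

def parse_whitelist(text):
    """Return (directive, address_glob, relay_domain or None) per entry."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "whitelist_from_rcvd":
            entries.append((parts[0], parts[1].lower(), parts[2].lower()))
        elif len(parts) >= 2 and parts[0] == "whitelist_from":
            entries.extend((parts[0], a.lower(), None) for a in parts[1:])
    return entries

def glob_matches(glob, addr):
    """Address globs support only '*' and '?'."""
    rx = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, addr.lower()) is not None

def under_domain(host, domain):
    """True when host is the domain itself or a name beneath it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def broad_entries(entries):
    """Entries whose address glob accepts every sender ('*', '*@*')."""
    return [e for e in entries if e[1].strip("*") in ("", "@")]

def evaluate(entries, from_addr, relay_rdns, relay_helo):
    """Per entry: 'match' (rDNS agrees) or 'helo-only' (domain seen only in HELO)."""
    hits = []
    for directive, glob, domain in entries:
        if not glob_matches(glob, from_addr):
            continue
        if domain is None or under_domain(relay_rdns, domain):
            hits.append((directive, glob, domain, "match"))
        elif under_domain(relay_helo, domain):
            hits.append((directive, glob, domain, "helo-only"))
    return hits

if __name__ == "__main__":
    print(broad_entries(parse_whitelist(LOCAL_CF)))
```

For the relay in the last Received header above (HELO `xxxx.com.br`, rDNS under `apol.com.tw`), the `* xxxx.com.br` entry comes back as `helo-only`: the listed domain appears only in the name the client announced, not in the reverse DNS of the connecting host.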