Doesn't it say in the header that it was recieved from taurus-int.global-imaging.com and isn't *.global-imaging.com in your whitelist?
Just my observations. -C -----Original Message----- From: Jamie Pratt [mailto:[EMAIL PROTECTED] Sent: Thursday, May 20, 2004 10:01 AM To: [EMAIL PROTECTED] Subject: Re: Spam whitelisted, but can't figure out how I think bounce messages use <> - maybe SA auto-whitelists these? Kevin Peuhkurinen wrote: > Just a guess, but maybe the "Envelope-From" is a spoofed address > included in your whitelist, probably a spoofed nlisc.com address since > that is the receiving domain. It might help if you could get your MTA > to provide the envelope headers. > > > Vermyndax wrote: > >> I have a SpamAssassin implementation here at this company that is a basic >> setup using my_rules_du_jour to autoupdate. There is a small >> whitelist in >> the local.cf for SA: >> >> whitelist_from [EMAIL PROTECTED] >> whitelist_from *.canon.com >> whitelist_from *.global-imaging.com >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> whitelist_from [EMAIL PROTECTED] >> >> Today I get a report from a user who received a spam that was not marked >> as such. The spam score was -90.2 because, it CLAIMS, the user was in >> the >> whitelist. The sender is listed as <>. >> >> Huh? >> >> Here's the headers as a straight-up paste... email address of the >> recipient has been removed to protect the innocent. >> >> Microsoft Mail Internet Headers Version 2.0 >> Received: from sara-too.nlisc.com ([10.9.4.25]) by mail.nlisc.com with >> Microsoft SMTPSVC(6.0.3790.0); >> Wed, 19 May 2004 19:16:41 -0500 >> Received: by sara-too.nlisc.com (Postfix, from userid 500) >> id 5CF80141548; Wed, 19 May 2004 19:18:45 -0500 (CDT) >> Received: from taurus-int.global-imaging.com (unknown [10.4.1.3]) >> by sara-too.nlisc.com (Postfix) with SMTP id 4B9C5141546 >> for <[EMAIL PROTECTED]>; Wed, 19 May 2004 19:18:42 -0500 (CDT) >> Received: from hello.com ([62.64.225.215]) >> by taurus-int.global-imaging.com (SAVSMTP 3.1.6.45) with SMTP id >> M2004051920181217785 >> for <[EMAIL PROTECTED]>; Wed, 19 May 2004 20:18:13 -0400 >> From: <> >> To: <[EMAIL PROTECTED]> >> Subject: The news is good on the econoor >> Date: Wed, 19 May 2004 17:19:27 -0500 >> Mime-Version: 1.0 >> Content-Type: text/html; charset=us-ascii >> Message-Id: <[EMAIL PROTECTED]> >> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on >> sara-too.nlisc.com >> X-Spam-Level: >> X-Spam-Status: No, hits=-90.2 required=5.0 tests=BAYES_56,FROM_NO_LOWER, >> FROM_NO_USER,HTML_50_60,HTML_MESSAGE,MIME_HTML_ONLY, >> RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS, >> USER_IN_WHITELIST autolearn=no version=2.63 >> Return-Path: <> >> X-OriginalArrivalTime: 20 May 2004 00:16:41.0828 (UTC) >> FILETIME=[B9E9D240:01C43DFF] >> >> --- >> >> The receiving domain is @nlisc.com. Would this perhaps be because there >> is a whitelist entry for [EMAIL PROTECTED] >> >> (Guess I need to implement a check against this in Postfix!) >> >> Thanks... >> >> --JM >> >> >> > > . > -- Jamie Pratt Systems Administrator/Programmer Analyst Norwich University Course Development Center [EMAIL PROTECTED] | ph. (802)485-2532
