How does one stop spam which is from a forged or legitimate address within my own domain, yet did NOT really come from my domain?
I get tons of spam which slips past SpamAssassin because of USER_IN_WHITELIST.
Should I just take my domain out of the whitelist?
Suggestion: set a subject that has something to do with your post...
Answer to your question:
Just don't whitelist your own domain, as you suggested. You shouldn't need to whitelist your domain anyway. I don't.
If you must whitelist your domain, use whitelist_from_rcvd, not whitelist_from. Make sure the rcvd part is something that can be used to identify email internal machines by looking at the Received: headers which will not match mail from the outside.
i.e.:
whitelist_from_rcvd [EMAIL PROTECTED] inexs.com
Forgery is why whitelist_from_rcvd exists in the first place. Use it.
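An added example, not part of the original thread and not SpamAssassin code: a small Python check that scans a SpamAssassin config for whitelist_from entries covering your own domain, the setting the reply advises against. The sample config and example.com are constructed, and the glob matching is a simplified stand-in for SpamAssassin's own.

```python
import fnmatch

# Directives that trust the From: address alone, which a sender can forge.
# "welcomelist_from" is the SpamAssassin 4.x name for the same setting.
FORGEABLE = {"whitelist_from", "welcomelist_from"}

def covers_domain(glob, domain):
    """True if an address glob (* and ? wildcards) can match a sender at domain."""
    glob, domain = glob.lower(), domain.lower()
    if "@" in glob:
        # Compare only the domain part of the glob against our domain.
        return fnmatch.fnmatchcase(domain, glob.rsplit("@", 1)[1])
    # No "@": the glob spans the whole address, e.g. "*" or "*example.com".
    return fnmatch.fnmatchcase("probe@" + domain, glob)

def audit(config_text, own_domain):
    """Return (line_number, glob) for each forgeable entry covering own_domain."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or fields[0].lower() not in FORGEABLE:
            continue
        # One directive line may list several address globs.
        for glob in fields[1:]:
            if covers_domain(glob, own_domain):
                findings.append((lineno, glob))
    return findings

# Constructed sample config; example.com stands in for the local domain.
SAMPLE = """\
# site whitelist
whitelist_from *@example.com newsletter@partner.example
whitelist_from_rcvd *@example.com example.com
whitelist_from ceo@EXAMPLE.com   # single address, still forgeable
whitelist_from *@example.org
"""

if __name__ == "__main__":
    for lineno, glob in audit(SAMPLE, "example.com"):
        print(f"line {lineno}: '{glob}' trusts a forgeable From: address; "
              "remove it or switch to whitelist_from_rcvd")
```

The whitelist_from_rcvd line is not reported because it also requires the relay in the Received: headers to match.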
