Hi all, we got a NatWest spam through this morning that should not have
got through. Here are the spam test results:

Content analysis details:   (-77.6 points, 6.0 required)

 0.3 FROM_ENDS_IN_NUMS      From: ends in numbers
 1.6 HTML_60_70             BODY: Message is 60% to 70% HTML
 1.4 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.7 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONTCOLOR_UNSAFE  BODY: HTML font color not in safe 6x6x6 palette
 1.6 HTML_IMAGE_ONLY_02     BODY: HTML: images with 0-200 bytes of words
 2.0 SARE_HEXOCTDWORD       URI: Uses an encoded IP address
 7.8 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
 6.8 HTTP_ESCAPED_HOST      URI: Uses %-escapes inside a URL's hostname
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [195.174.36.203 listed in dnsbl.sorbs.net]

Now the user in whitelist must have come about because of the following
entry in our local.cf:
whitelist_from rcvd [EMAIL PROTECTED] rbs.co.uk
I am obviously misunderstanding the way whitelist_from_rcvd works
because I thought it checked the domain of the sending server with a dns
lookup. This is the header from the email
Received: from [195.174.36.203] (helo=MELIH)
So how come this got whitelisted?
--
Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329
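
Added example, not part of the original post: a small Python audit of the report above that parses the rule lines, checks that they sum to the reported total, and shows what the message would have scored without the whitelist hit. Treating any negative-scored rule with WHITELIST in its name as a whitelist hit is an assumption of this sketch, and the function names are hypothetical.

```python
import re
# Report text from the post; folded description lines kept as posted.
REPORT = """\
Content analysis details: (-77.6 points, 6.0 required)
0.3 FROM_ENDS_IN_NUMS From: ends in numbers
1.6 HTML_60_70 BODY: Message is 60% to 70% HTML
1.4 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.7 HTML_MESSAGE BODY: HTML included in message
0.1 HTML_FONTCOLOR_UNSAFE BODY: HTML font color not in safe 6x6x6
palette
1.6 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of words
2.0 SARE_HEXOCTDWORD URI: Uses an encoded IP address
7.8 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside
a URL
6.8 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname
-100 USER_IN_WHITELIST From: address is in the user's white-list
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
[195.174.36.203 listed in dnsbl.sorbs.net]
"""

HEADER = re.compile(r"\((-?[\d.]+) points, (-?[\d.]+) required\)")
RULE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")

def parse_report(text):
    """Return (reported_total, required, [[score, rule, description], ...])."""
    total = required = None
    rules = []
    for line in text.splitlines():
        if (m := HEADER.search(line)):
            total, required = float(m.group(1)), float(m.group(2))
        elif (m := RULE.match(line)):
            rules.append([float(m.group(1)), m.group(2), m.group(3)])
        elif rules and line.strip():
            rules[-1][2] += " " + line.strip()  # folded description line
    return total, required, rules

def whitelist_audit(text):
    """Flag reports where a whitelist hit hides an over-threshold score."""
    total, required, rules = parse_report(text)
    # Assumption: negative-scored rules with WHITELIST in the name are whitelist hits.
    wl = [n for s, n, _ in rules if s < 0 and "WHITELIST" in n]
    unmasked = round(sum(s for s, n, _ in rules if n not in wl), 1)
    return {"summed": round(sum(s for s, _, _ in rules), 1),
            "whitelist_rules": wl, "without_whitelist": unmasked,
            "masked": total < required <= unmasked}

if __name__ == "__main__":
    print(whitelist_audit(REPORT))
```

Run over stored reports, the `masked` flag picks out messages that passed only because of a whitelist entry, which are the ones worth checking against local.cf.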