First, thanks for the help. Craig noticed that the rule ALL_TRUSTED was matched. There was a potential issue with Trusted Path if trusted_networks was not configured. I tried that. The final mail server is Exchange, and I am having a hard time getting the headers back from the users.
I posted a link to the Trusted Path issue in my response to Craig.

Thanks again,
Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - People. Process. Technology.

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Friday, April 29, 2005 11:56 AM
To: Ron Shuck
Cc: Craig McLean; users@spamassassin.apache.org
Subject: Re: Blacklist Not Working

Ron Shuck wrote:
>Here is the log. I don't have the message, but as you can see it did
>not match the blacklist.
>
>-------log------
>Apr 24 04:39:43 mail postfix/smtpd[25746]: connect from
>castile.calmra.com[72.11.146.117]
>Apr 24 04:39:44 mail postfix/smtpd[25746]: AE20883C:
>client=castile.calmra.com[72.11.146.117]
>Apr 24 04:39:45 mail postfix/cleanup[26437]: AE20883C:
>message-id=<[EMAIL PROTECTED]>
>Apr 24 04:39:45 mail postfix/qmgr[4304]: AE20883C:
>from=<[EMAIL PROTECTED]>, size=2034, nrcpt=1 (queue active) Apr 24
>04:39:45 mail spamd[14218]: connection from localhost.localdomain
>[127.0.0.1] at port 48918 Apr 24 04:39:45 mail spamd[14218]: info:
>setuid to filter succeeded Apr 24 04:39:45 mail spamd[14218]:
>processing message <[EMAIL PROTECTED]> for filter:501.
>Apr 24 04:39:46 mail spamd[14218]: clean message (4.8/5.0) for
>filter:501 in 1.2 seconds, 2000 bytes.
>Apr 24 04:39:46 mail spamd[14218]: result: . 4 -
>ALL_TRUSTED,AWL,BAYES_20,DNS_FROM_AHBL_RHSBL,HTML_50_60,HTML_IMAGE_ONLY
>_
>12,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,URI
>B
>L_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
>scantime=1.2,size=2000,mid=<[EMAIL PROTECTED]>,bayes=0.062705367
>0
>923895,autolearn=no
>
>----local.cf snippet----
>blacklist_from [EMAIL PROTECTED]
>
>
<snip>

Ok, now what did the headers in the message look like? The "from" quoted in your logfile is the envelope, which might not have been present in the message at the time SA saw it.
SA doesn't get the envelope directly, so that from is completely irrelevant unless your MTA or MDA inserted it into a Return-Path: header before SpamAssassin got called.
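
Added example, not part of the original thread and not SpamAssassin's own code: a minimal Python model of the point above, that a header-only blacklist check cannot see the envelope sender from the Postfix log unless the MTA/MDA has copied it into a Return-Path: header before the scan. The addresses, the sample message, the function names and the two-header list are constructed assumptions; real SpamAssassin consults a longer, version-dependent set of headers.

```python
import email
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Assumption for this sketch: only these two headers are consulted.
SENDER_HEADERS = ("From", "Return-Path")


def header_senders(raw_message):
    """Map each sender address found in the headers to the header it came from."""
    msg = email.message_from_string(raw_message)
    found = {}
    for name in SENDER_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                found.setdefault(addr.lower(), name)
    return found


def blacklist_hits(raw_message, patterns):
    """Return (address, header) pairs matching glob-style blacklist patterns."""
    senders = header_senders(raw_message)
    return sorted(
        (addr, hdr)
        for addr, hdr in senders.items()
        if any(fnmatchcase(addr, p.lower()) for p in patterns)
    )


def with_return_path(raw_message, envelope_sender):
    """What the scanner sees if the MTA/MDA records the envelope sender first."""
    return "Return-Path: <%s>\n%s" % (envelope_sender, raw_message)


# Constructed sample data: the envelope sender exists only in the MTA log.
ENVELOPE_SENDER = "bounce-123@bulk.example.net"
BLACKLIST = ["*@bulk.example.net"]
AS_SCANNED = (
    "From: Offers <news@shop.example.org>\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print("without Return-Path:", blacklist_hits(AS_SCANNED, BLACKLIST))
    print("with Return-Path:   ",
          blacklist_hits(with_return_path(AS_SCANNED, ENVELOPE_SENDER), BLACKLIST))
```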