Hi everyone,
One of my users just spotted a FN that had managed to slip through.
They're abusing 70_sare_whitelist.cf, specifically:
whitelist_from_rcvd [EMAIL PROTECTED] vonage.com
# Vonage voice mail notification
Headers in question:
Received: from mta.example.com (mta.example.com [10.11.12.13])
    by orwell.example.com (8.13.6+Sun/8.13.6) with ESMTP id k66B6gSq000157
    for <[EMAIL PROTECTED]>; Thu, 6 Jul 2006 13:06:42 +0200 (MEST)
Received: from vm.vonage.com ([218.27.100.202])
    by mta.example.com (8.13.6+Sun/8.13.6) with SMTP id k66B6ZCU023260
    for <[EMAIL PROTECTED]>; Thu, 6 Jul 2006 13:06:37 +0200 (MEST)
Message-Id: <[EMAIL PROTECTED]>
From: "kosenuwi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: rezup
Date: Thu, 6 Jul 2006 19:06:07 0800
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0002_01BFD49E.200FBFD0"
X-Spam-Score: (-83.703) BAYES_99,DATE_IN_FUTURE_06_12,HTML_90_100,
    HTML_IMAGE_ONLY_08,HTML_MESSAGE,INVALID_DATE,RCVD_IN_BL_SPAMCOP_NET,
    RCVD_IN_XBL,SARE_GIF_ATTACH,SARE_GIF_STOX,USER_IN_WHITELIST,
    autolearn=no
Return-Path: [EMAIL PROTECTED]
The mail in question came into our backup-mx (mta) then was forwarded to
our 1st MX (orwell). SpamAssassin only runs on the 1st MX, through
Mimedefang. Could this have anything to do with USER_IN_WHITELIST being
triggered?
Would an SPF check have helped?
Regards, Paul Boven.
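
Added example, not part of the original post and not SpamAssassin code: a small Python check that reads the two Received headers quoted above and reports which name the relay at the trust boundary actually verified. It assumes the sendmail layout "from HELO (RDNS [IP]) by HOST", where the rDNS name is absent when the lookup failed, and a hypothetical trusted-relay list containing the backup MX.

```python
import re

# Constructed from the headers quoted in the post (folded lines joined).
RECEIVED = [
    "from mta.example.com (mta.example.com [10.11.12.13]) "
    "by orwell.example.com (8.13.6+Sun/8.13.6) with ESMTP id k66B6gSq000157",
    "from vm.vonage.com ([218.27.100.202]) "
    "by mta.example.com (8.13.6+Sun/8.13.6) with SMTP id k66B6ZCU023260",
]
TRUSTED_IPS = {"10.11.12.13"}  # assumption: the backup MX is declared trusted

# Assumed sendmail layout: from HELO (RDNS [IP]) by HOST; RDNS may be missing.
HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([0-9.]+)\]\) by (\S+)")

def parse(line):
    """Split one Received line into the claimed and the verified identity."""
    m = HOP.match(line)
    if not m:
        return None
    helo, rdns, ip, by = m.groups()
    return {"helo": helo, "rdns": rdns or "", "ip": ip, "by": by}

def boundary_relay(received, trusted_ips):
    """Newest hop whose sending IP is not one of our own relays."""
    for line in received:
        hop = parse(line)
        if hop and hop["ip"] not in trusted_ips:
            return hop
    return None

def in_domain(name, domain):
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def rcvd_check(received, trusted_ips, domain):
    """Compare the whitelisted domain against rDNS (verified) and HELO (claimed)."""
    hop = boundary_relay(received, trusted_ips)
    if hop is None:
        return {"hop": None, "rdns_match": False, "helo_match": False}
    return {
        "hop": hop,
        "rdns_match": in_domain(hop["rdns"], domain),  # resolved by our MTA
        "helo_match": in_domain(hop["helo"], domain),  # typed by the sender
    }

if __name__ == "__main__":
    r = rcvd_check(RECEIVED, TRUSTED_IPS, "vonage.com")
    print(r["hop"]["ip"], "rdns_match =", r["rdns_match"],
          "helo_match =", r["helo_match"])
```

For the quoted message, the hop that handed the mail to mta.example.com carries the name vm.vonage.com only in the HELO position; no reverse-DNS name was recorded for 218.27.100.202.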