Hi @all,
I just had a chat with wolfgang by phone, and we discovered, that a
Webformular on my own site seems to deliver this spam to my GMX -
Account richter_marc -at- gmx.net .
This would explaid this result: When my own server is the initial
sender, it's clear why the USER_IN_WHITELIST - Test hits.
It seems as if I just read the header wrong, sorry.
I'll have a closer look to this, and I'll write again if I'm still
experiencing something, I don't get.
Thank you all so far!
Am 15.08.2010 16:46, schrieb John Hardin:
On Sun, 15 Aug 2010, Marc Richter wrote:
http://pastebin.com/Rhj2UMLS
I don't understand 3 things:
1) Why is it recognized as not beeing spam, although the required score
is 3.0 and the actual score is 101.0?
Look a little closer. The actual score is -101.0 (negative).
Yeah, I already saw my error, thank you. 1) is 100% solved because of
that ;)
Is this because of points 2) and 3)?
2) Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net
anywhere.
Odd. I'd have expected pop.gmx.net to have prevented ALL_TRUSTED. I
can't suggest why this might have occurred, perhaps one of the devs a
little closer to that code will comment.
ALL_TRUSTED isn't by itself contributing to the problem, but it is
useful as a symptom.
3) Why does USER_IN_WHITELIST apply here? "iyeboxfzpfj
<zyy...@alxhkv.com>" is noone I've put onto any whitelist.
In the user_prefs of user "ww" the only "WHITE" - Thing is:
whitelist_from *...@web-factory.de
whitelist_from *...@marketing-factory.de
which is my company's domain.
As I just recommended to someone else, do not use whitelist_from except
as a last resort. It is trivially easy for a spammer to leverage as it
does not verification that the From address is not forged.
You're right. Up till today (may be subject to change, since I told it
here in public ;) ) there has not a single spam arrived my because of
this whitelist.
Here's my whole global SA config:
http://pastebin.com/DixnLNmv
I note you're using whitelist_from_rcvd in your global config. Good.
However, changing the required_score to 3.0 is not recommended. All of
the scores assigned by the masscheck system are targeted at a
required_score of 5.0, and if you lower that without making any
adjustment to rule scores then you are likely going to increase your
false positive rate.
I know, but the suggested 5.0 result in a too high false ham rate to me.
I'm having an eye to the filtered ones. They're not deleted, but
collected in a seperate box, which I check frequently. The FP - Rate is
extreemely low (2-5 in a whole year!) and even when this happens, they
had never been "autolearned" as spam up to today.
Can you post the ww user's config too?
I's nearly empty. Just the two whitelist_from entrys are from that file.
Could anybody please give me a hint with this?
The whitelist hit is what's hurting the most.
You should also take a look at your bayes, after we resolve the
whitelist problem.
OK, I'll keep that in mind :)
Thank you!
Best Regards,
Marc
