By looking at these headers, can anyone suggest a fix that would correct the AWL database and stop this from happening in the first place?
First, sorry for the short "check the FAQ" reply the first go-around. I didn't look low enough in the mail to see just how strong a negative score got applied.
However, the FAQ article is still relevant in understanding how the AWL works, and why it can assign negative scores.
Based on the strong negative score (-12.6) applied to an otherwise positive scoring email (8.7 pre-AWL), this suggests the standing average for the address in the AWL was strongly negative (-16.5 existing average)...
Such a strong average is typical of the score-smearing problem which is probably caused by a more_spam_to. I know that 2.60 ignores the score of these statements when storing averages, but I'm not sure if 2.55 does. If I remember correctly, 2.55 isn't supposed to have this issue with whitelists, only with GTUBE (fixed in 2.60).
What happens in score smearing is that the spammer first sends a spam of some sort to an account that has a more_spam_to or all_spam_to. This earns him a very strongly negative average in the AWL database because the more_spam_to made the message have a massively negative score. Then, when the spammer sends an email using the same relay and from: address to another account, which isn't a more_spam_to address, the AWL winds up effectively whitelisting the message because the sender has a hugely negative past average.
When SA was modified to ignore "userconf" type rules when calculating AWL averages, this problem was fixed. I thought that occurred somewhere in the 2.5x development, but I could be wrong.
I'd check to see if the same spammer hit any of your all_spam_to or more_spam_to'ed accounts. If so, that explains it.
You can quick-fix the immediate problem by using a --remove-addr-from-whitelist command, see the manpage.
If you are experiencing score smearing, I'd suggest going up to 2.60 when you can, and disabling the AWL in the interim. (I'd suggest not running the AWL on a sitewide single database basis anyway, but that's a minor issue).
Spamassassin-talk mailing list https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
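An added example, not part of the original message and not SpamAssassin code: a simplified Python model of the AWL showing the score smearing described above, and what changes when user-config rules are left out of the stored average. It assumes the adjustment is (mean - score) * factor with the default auto_whitelist_factor of 0.5, which reproduces the -12.6 adjustment from the 8.7 score and -16.5 average quoted above; the sender, relay and -100 whitelist score are constructed.

```python
# Simplified model of SpamAssassin's auto-whitelist (AWL); not SpamAssassin code.
AWL_FACTOR = 0.5       # SpamAssassin's default auto_whitelist_factor
WHITELIST_TO = -100.0  # constructed stand-in for a more_spam_to/all_spam_to score


def adjustment(mean, pre_awl, factor=AWL_FACTOR):
    """AWL pulls the message score part of the way toward the sender's mean."""
    return (mean - pre_awl) * factor


class Awl:
    def __init__(self, ignore_userconf):
        self.ignore_userconf = ignore_userconf  # True models the fixed behaviour
        self.db = {}  # (from address, relay) -> (score total, message count)

    def scan(self, key, rule_score, userconf_score=0.0):
        """Return (pre-AWL score, AWL adjustment, final score) for one message."""
        pre_awl = rule_score + userconf_score
        total, count = self.db.get(key, (0.0, 0))
        adj = adjustment(total / count, pre_awl) if count else 0.0
        # What gets remembered: the fix leaves user-config rules out of it.
        stored = rule_score if self.ignore_userconf else pre_awl
        self.db[key] = (total + stored, count + 1)
        return pre_awl, adj, pre_awl + adj


def smear_demo(ignore_userconf):
    """Two messages from one sender; returns the scan result for the second."""
    awl = Awl(ignore_userconf)
    sender = ("spammer@example.com", "192.0.2")  # constructed address and relay
    # 1. Spam delivered to an account covered by more_spam_to.
    awl.scan(sender, rule_score=8.7, userconf_score=WHITELIST_TO)
    # 2. Same from: address and relay, sent to an ordinary account.
    return awl.scan(sender, rule_score=8.7)


if __name__ == "__main__":
    print("page's numbers:", round(adjustment(-16.5, 8.7), 1))
    for fixed in (False, True):
        pre, adj, final = smear_demo(fixed)
        print(f"ignore_userconf={fixed}: pre={pre:.1f} awl={adj:.1f} final={final:.1f}")
```

With the user-config score stored, the second message ends up far below zero even though its own rules scored 8.7; with it excluded, the sender's average is 8.7 and the AWL adjustment is zero.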