My server handles exactly one mailbox: my own.  I am running SA 2.60 through
MimeDefang, with some MimeDefang changes to enable AWL processing.

I've noticed an increasing amount of spam getting through that uses the
age-old trick of forging my address in the From: line.  This somehow
triggers the AWL; since the AWL is keyed to both IP address and name, I'm
not sure how that's happening.  As I understand it,
[EMAIL PROTECTED]|ip=none (that is, my own outbound mail) should be a
different "sender" to AWL than [EMAIL PROTECTED]|ip=218.166 (spam forged in
my name).

When I run check_auto_whitelist, I see the following entries:

[EMAIL PROTECTED]|ip=218.166   8
[EMAIL PROTECTED]|ip=none|totscore     -3.603
[EMAIL PROTECTED]|ip=218.166|totscore  0.794
[EMAIL PROTECTED]|ip=none      2

The spam below comes from 218.166, so it should get a positive boost from
AWL, yet according to spamassassin -D -t, it is actually getting a negative
score:

debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=218.166 scores 7/-6.751
debug: AWL active, pre-score: 7.545, mean: -0.964428571428572, originating-ip: 218.166.57.150
debug: add_score: New count: 8, new totscore: 0.794
debug: Post AWL score: 3.29028571428571
...
Content analysis details:   (3.3 points, -3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.2 BANG_MORE              BODY: Talks about more with an exclamation!
 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.3 HTML_FONT_BIG          BODY: HTML has a big font
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.3 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
 0.1 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase
-4.3 AWL                    AWL: Auto-whitelist adjustment

Entire message follows...
-------

Return-Path: <[EMAIL PROTECTED]>
Received: from linux.home.jay.fm ([unix socket])
 by linux.home.jay.fm (Cyrus v2.1.12-Mandrake-RPM-2.1.12-1mdk) with LMTP;
Thu, 30 Oct 2003 09:37:15 -0500
X-Sieve: CMU Sieve 2.2
Received: from jay.fm (218-166-57-150.HINET-IP.hinet.net [218.166.57.150])
 by linux.home.jay.fm (8.12.10/8.12.10) with ESMTP id h9UEbA1x027111
 for <[EMAIL PROTECTED]>; Thu, 30 Oct 2003 09:37:13 -0500
Received: from p4 [192.168.1.105] by jay.fm with eSMTP;
 Thu, 30 Oct 2003 22:36:43 +0800
Message-ID: <[EMAIL PROTECTED]>
From: "anthony" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: With these pills you can shoot curn like a porn star!
Date: Thu, 30 Oct 2003 22:36:43 +0800
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: PHP2
Lid-Tracking: <amF5QGpheS5mbQ==>
X-Spam-Score: 1.745 (*)
AWL,BAYES_99,HTML_30_40,HTML_FONTCOLOR_RED,HTML_FONTCOLOR_UNKNOWN,HTML_FONT_BIG,HTML_MESSAGE,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,UPPERCASE_25_50

<html><title>The irrepressible anger within her came out suddenly in a
scream.
Amber vainly said she was my
idol.r9011qyc97k09288fu78ndm7638659t54h44b7032bv2i5h9r67874676zjy</title><he
ad></head><body>
<p align="center"><b><i><font size="4" color="#FF0000">S.URPRISE YOUR L.OVER
TODAY! COVER HER WHOLE FACE WITH C.UM!</font></i>
<font size="+2"><br><br>How w.ould you like to</font></b><br>
<b><font color="red" size="+3">SHOOT LIKE THE PO.RN-STARS?</font></b><br>
<b><font size="+2">Up to 500% more S.PERM!</font></b> </p>
<div align="center"><ul><li><b><i><font size="+1">ADD UP_TO 500% MORE
SPER.M</font></i></b></li>
<li><b><i><font size="+1">INCREASED SE.XUAL DESIRE</font></i></b></li>
<li><b><i><font size="+1">HAVE M.ORE INTENSE 0.RGASMS</font></i></b></li>
<li><b><i><font size="+1">PRODUCE ST.RONGER E.RECTIONS</font></i></b></li>
<li><b><i><font size="+1">HAVE A STRONGER 5.EXUAL DESIRE</font></i></b></li>
<li><b><i><font size="+1">1.NCREASED S.E..XUAL
STAMINA</font></i></b></li></ul></div>
<p align="center"><b><font size="+2"><a
href="http://203.197.204.157/pi/";>FULLY DO.CTOR APP.ROVED! L.EARN
MORE!</a></font></b></p>
<div align="center"><font color="red" size="4">100% GUARAN.TEED! NOT
SAT1SFIED? YOU GET YOUR MONE.Y BACK!</font></div>
<BR>7256et45343p3n8mu6sj7heg2r7d005a2lg84825oen2x69x898u85pr<br>c3bok3wl5w4i
r9011qyc97k09288fu78ndm7638659t54h44b7032bv2<br><br>i5h9r67874676zjy7256et45
343p<br>The irrepressible anger within her came out suddenly in a
scream.<br><br>Amber vainly said she was my
idol.<br>3n8mu6sj7heg2r7d005a2lg84825oen2x69x898u85prc3bok3wl5w4ir9011qyc97k
09288fu78ndm76386<br>59t54h44b7032bv2i5h9r6787467<br><br>
<p align="center">to stop all future mailings, <a
href="http://203.197.204.157/rm/";>Here</a></p><BR><BR>The irrepressible
anger within her came out suddenly in a scream.The irrepressible anger
within her came out suddenly in a scream.Amber vainly said she was my
idol.The irrepressible anger within her came out suddenly in a
scream.</body></html>



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
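
Added example, not part of the original post and not SpamAssassin's own code: a Python re-computation of the AWL figures in the debug output above, showing how the adjustment follows from the history stored under the `address|ip=218.166` key. It assumes the default `auto_whitelist_factor` of 0.5 (which reproduces the post's numbers) and uses the placeholder address `me@example.invalid`; the function names are hypothetical.

```python
AWL_FACTOR = 0.5            # assumption: SpamAssassin's default auto_whitelist_factor
ME = "me@example.invalid"   # placeholder; the archive redacted the real address

# Constructed sample: the post's AWL entries as they stood *before* this message
# (7 messages totalling -6.751, from the "scores 7/-6.751" debug line).
DUMP_BEFORE = """
me@example.invalid|ip=218.166   7
me@example.invalid|ip=none|totscore     -3.603
me@example.invalid|ip=218.166|totscore  -6.751
me@example.invalid|ip=none      2
"""

def awl_key(addr, origin_ip):
    """Key format shown in the post: address plus the first two octets of the IP."""
    if not origin_ip:
        return f"{addr}|ip=none"
    return f"{addr}|ip=" + ".".join(origin_ip.split(".")[:2])

def load_entries(dump):
    """Parse 'key count' and 'key|totscore total' lines into {key: [count, total]}."""
    entries = {}
    for line in dump.strip().splitlines():
        key, value = line.rsplit(None, 1)
        if key.endswith("|totscore"):
            entries.setdefault(key[:-len("|totscore")], [0, 0.0])[1] = float(value)
        else:
            entries.setdefault(key, [0, 0.0])[0] = int(value)
    return entries

def suspicious(entries, addr):
    """Keys for addr seen from a real IP whose stored mean score is negative."""
    return [(key, total / count) for key, (count, total) in entries.items()
            if key.startswith(addr + "|ip=") and not key.endswith("|ip=none")
            and count and total / count < 0]

def awl_apply(entries, key, pre_score, factor=AWL_FACTOR):
    """Move the score toward the stored mean, then record it in the history."""
    count, total = entries.get(key, [0, 0.0])
    delta = (total / count - pre_score) * factor if count else 0.0
    entries[key] = [count + 1, total + pre_score]
    return delta, pre_score + delta

if __name__ == "__main__":
    entries = load_entries(DUMP_BEFORE)
    key = awl_key(ME, "218.166.57.150")
    print("negative-mean entries:", suspicious(entries, ME))
    delta, post = awl_apply(entries, key, 7.545)
    print(f"AWL {delta:+.1f}, post-AWL score {post:.4f}, stored {entries[key]}")
```

The adjustment is half the distance between the pre-AWL score (7.545) and the mean already stored for that key (-0.964), which gives the -4.3 AWL line and the 3.29 post-AWL score in the report.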
