I'm going to take a wild stab at this, but the AWL is NOT IP specific. It only goes by the from, not IP. I think it takes the "average" (I know it isn't an average.) score from all the records it has of it.
Make sense? --Chris > -----Original Message----- > From: Jay Levitt [mailto:[EMAIL PROTECTED] > Sent: Tuesday, November 04, 2003 4:26 PM > To: Abigail Marshall > Subject: [SAtalk] THIRD request: Someone please help with AWL oddness > > > > ----- Original Message ----- > From: "Jay Levitt" <[EMAIL PROTECTED]> > To: "Jay Levitt" <[EMAIL PROTECTED]> > Sent: Sunday, November 02, 2003 9:29 AM > Subject: Second request: AWL false hits > > > > Hi.. does anyone have any ideas on this? I have read the > FAQ, and this > does > > not seem to be the usual "why does AWL regress toward the > average" case. > > > > Jay > > ----- Original Message ----- > > From: "Jay Levitt" <[EMAIL PROTECTED]> > > To: "Abigail Marshall" <[EMAIL PROTECTED]> > > Sent: Thursday, October 30, 2003 12:14 PM > > Subject: [SAtalk] Understanding AWL processing > > > > > > > My server handles exactly one mailbox: my own. I am > running SA 2.60 > > through > > > MimeDefang, with some MimeDefang changes to enable AWL processing. > > > > > > I've noticed an increasing amount of spam getting through > that uses the > > > age-old trick of forging my address in the From: line. > This somehow > > > triggers the AWL; since the AWL is keyed to both IP > address and name, > I'm > > > not sure how that's happening. As I understand it, > > > [EMAIL PROTECTED]|ip=none (that is, my own outbound > mail) should be a > > > different "sender" to AWL than [EMAIL PROTECTED]|ip=218.166 (spam > forged > > in > > > my name). > > > > > > When I run check_auto_whitelist, I see the following entries: > > > > > > [EMAIL PROTECTED]|ip=218.166 8 > > > [EMAIL PROTECTED]|ip=none|totscore -3.603 > > > [EMAIL PROTECTED]|ip=218.166|totscore 0.794 > > > [EMAIL PROTECTED]|ip=none 2 > > > > > > The spam below comes from 218.166, so it should get a > positive boost > from > > > AWL, yet according to spamassassin -D -t, it is actually getting a > > negative > > > score: > > > > > > debug: auto-whitelist (db-based): > [EMAIL PROTECTED]|ip=218.166 scores > > > 7/-6.751 > > > debug: AWL active, pre-score: 7.545, mean: -0.964428571428572, > > > originating-ip: 218.166.57.150 > > > debug: add_score: New count: 8, new totscore: 0.794 > > > debug: Post AWL score: 3.29028571428571 > > > ... > > > Content analysis details: (3.3 points, -3.0 required) > > > > > > pts rule name description > > > > ---- ---------------------- > ---------------------------------------------- > > -- > > > -- > > > 1.2 BANG_MORE BODY: Talks about more with > an exclamation! > > > 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us > > > 0.1 HTML_MESSAGE BODY: HTML included in message > > > 0.3 HTML_FONT_BIG BODY: HTML has a big font > > > 5.4 BAYES_99 BODY: Bayesian spam > probability is 99 to > 100% > > > [score: 1.0000] > > > 0.3 MIME_HTML_ONLY BODY: Message only has > text/html MIME parts > > > 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red > > > 0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP > address in URL > > > 0.0 UPPERCASE_25_50 message body is 25-50% uppercase > > > -4.3 AWL AWL: Auto-whitelist adjustment > > > > > > Entire message follows... > > > ------- > > > > > > Return-Path: <[EMAIL PROTECTED]> > > > Received: from linux.home.jay.fm ([unix socket]) > > > by linux.home.jay.fm (Cyrus > v2.1.12-Mandrake-RPM-2.1.12-1mdk) with > LMTP; > > > Thu, 30 Oct 2003 09:37:15 -0500 > > > X-Sieve: CMU Sieve 2.2 > > > Received: from jay.fm (218-166-57-150.HINET-IP.hinet.net > [218.166.57.150]) > > > by linux.home.jay.fm (8.12.10/8.12.10) with ESMTP id > h9UEbA1x027111 > > > for <[EMAIL PROTECTED]>; Thu, 30 Oct 2003 09:37:13 -0500 > > > Received: from p4 [192.168.1.105] by jay.fm with eSMTP; > > > Thu, 30 Oct 2003 22:36:43 +0800 > > > Message-ID: <[EMAIL PROTECTED]> > > > From: "anthony" <[EMAIL PROTECTED]> > > > To: <[EMAIL PROTECTED]> > > > Subject: With these pills you can shoot curn like a porn star! > > > Date: Thu, 30 Oct 2003 22:36:43 +0800 > > > MIME-Version: 1.0 > > > Content-Type: text/html; charset="ISO-8859-1" > > > X-Priority: 3 > > > X-Mailer: PHP2 > > > Lid-Tracking: <amF5QGpheS5mbQ==> > > > X-Spam-Score: 1.745 (*) > > > > > > AWL,BAYES_99,HTML_30_40,HTML_FONTCOLOR_RED,HTML_FONTCOLOR_UNKN > OWN,HTML_FONT_ > > > BIG,HTML_MESSAGE,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,UPPERCASE_25_50 > > > > > > <html><title>The irrepressible anger within her came out > suddenly in a > > > scream. > > > Amber vainly said she was my > > > > > > idol.r9011qyc97k09288fu78ndm7638659t54h44b7032bv2i5h9r67874676 > zjy</title><he > > > ad></head><body> > > > <p align="center"><b><i><font size="4" > color="#FF0000">S.URPRISE YOUR > > L.OVER > > > TODAY! COVER HER WHOLE FACE WITH C.UM!</font></i> > > > <font size="+2"><br><br>How w.ould you like to</font></b><br> > > > <b><font color="red" size="+3">SHOOT LIKE THE > PO.RN-STARS?</font></b><br> > > > <b><font size="+2">Up to 500% more S.PERM!</font></b> </p> > > > <div align="center"><ul><li><b><i><font size="+1">ADD > UP_TO 500% MORE > > > SPER.M</font></i></b></li> > > > <li><b><i><font size="+1">INCREASED SE.XUAL > DESIRE</font></i></b></li> > > > <li><b><i><font size="+1">HAVE M.ORE INTENSE > 0.RGASMS</font></i></b></li> > > > <li><b><i><font size="+1">PRODUCE ST.RONGER > E.RECTIONS</font></i></b></li> > > > <li><b><i><font size="+1">HAVE A STRONGER 5.EXUAL > > DESIRE</font></i></b></li> > > > <li><b><i><font size="+1">1.NCREASED S.E..XUAL > > > STAMINA</font></i></b></li></ul></div> > > > <p align="center"><b><font size="+2"><a > > > href="http://203.197.204.157/pi/";>FULLY DO.CTOR APP.ROVED! L.EARN > > > MORE!</a></font></b></p> > > > <div align="center"><font color="red" size="4">100% > GUARAN.TEED! NOT > > > SAT1SFIED? YOU GET YOUR MONE.Y BACK!</font></div> > > > > > > <BR>7256et45343p3n8mu6sj7heg2r7d005a2lg84825oen2x69x898u85pr<b > r>c3bok3wl5w4i > > > > > > r9011qyc97k09288fu78ndm7638659t54h44b7032bv2<br><br>i5h9r67874 > 676zjy7256et45 > > > 343p<br>The irrepressible anger within her came out suddenly in a > > > scream.<br><br>Amber vainly said she was my > > > > > > idol.<br>3n8mu6sj7heg2r7d005a2lg84825oen2x69x898u85prc3bok3wl5 > w4ir9011qyc97k > > > 09288fu78ndm76386<br>59t54h44b7032bv2i5h9r6787467<br><br> > > > <p align="center">to stop all future mailings, <a > > > href="http://203.197.204.157/rm/";>Here</a></p><BR><BR>The > irrepressible > > > anger within her came out suddenly in a scream.The > irrepressible anger > > > within her came out suddenly in a scream.Amber vainly > said she was my > > > idol.The irrepressible anger within her came out suddenly in a > > > scream.</body></html> > > > > > > > > > > > > ------------------------------------------------------- > > > This SF.net email is sponsored by: SF.net Giveback Program. > > > Does SourceForge.net help you be more productive? Does it > > > help you create better code? SHARE THE LOVE, and help us help > > > YOU! Click Here: http://sourceforge.net/donate/ > > > _______________________________________________ > > > Spamassassin-talk mailing list > > > [EMAIL PROTECTED] > > > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk > > > > > > > > > ------------------------------------------------------- > This SF.net email is sponsored by: SF.net Giveback Program. > Does SourceForge.net help you be more productive? Does it > help you create better code? SHARE THE LOVE, and help us help > YOU! Click Here: http://sourceforge.net/donate/ > _______________________________________________ > Spamassassin-talk mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk > ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
