-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Chris Santerre writes: >I'm going to take a wild stab at this, but the AWL is NOT IP specific. It >only goes by the from, not IP. I think it takes the "average" (I know it >isn't an average.) score from all the records it has of it. No, it *is* IP specific -- it combines From and the top 2 bytes of the last public IP address in the Received headers. - --j. >--Chris > >> -----Original Message----- >> From: Jay Levitt [mailto:[EMAIL PROTECTED] >> Sent: Tuesday, November 04, 2003 4:26 PM >> To: Abigail Marshall >> Subject: [SAtalk] THIRD request: Someone please help with AWL oddness >> >> >> >> ----- Original Message ----- >> From: "Jay Levitt" <[EMAIL PROTECTED]> >> To: "Jay Levitt" <[EMAIL PROTECTED]> >> Sent: Sunday, November 02, 2003 9:29 AM >> Subject: Second request: AWL false hits >> >> >> > Hi.. does anyone have any ideas on this? I have read the >> FAQ, and this >> does >> > not seem to be the usual "why does AWL regress toward the >> average" case. >> > >> > Jay >> > ----- Original Message ----- >> > From: "Jay Levitt" <[EMAIL PROTECTED]> >> > To: "Abigail Marshall" <[EMAIL PROTECTED]> >> > Sent: Thursday, October 30, 2003 12:14 PM >> > Subject: [SAtalk] Understanding AWL processing >> > >> > >> > > My server handles exactly one mailbox: my own. I am >> running SA 2.60 >> > through >> > > MimeDefang, with some MimeDefang changes to enable AWL processing. >> > > >> > > I've noticed an increasing amount of spam getting through >> that uses the >> > > age-old trick of forging my address in the From: line. >> This somehow >> > > triggers the AWL; since the AWL is keyed to both IP >> address and name, >> I'm >> > > not sure how that's happening. As I understand it, >> > > [EMAIL PROTECTED]|ip=none (that is, my own outbound >> mail) should be a >> > > different "sender" to AWL than [EMAIL PROTECTED]|ip=218.166 (spam >> forged >> > in >> > > my name). >> > > >> > > When I run check_auto_whitelist, I see the following entries: >> > > >> > > [EMAIL PROTECTED]|ip=218.166 8 >> > > [EMAIL PROTECTED]|ip=none|totscore -3.603 >> > > [EMAIL PROTECTED]|ip=218.166|totscore 0.794 >> > > [EMAIL PROTECTED]|ip=none 2 >> > > >> > > The spam below comes from 218.166, so it should get a >> positive boost >> from >> > > AWL, yet according to spamassassin -D -t, it is actually getting a >> > negative >> > > score: >> > > >> > > debug: auto-whitelist (db-based): >> [EMAIL PROTECTED]|ip=218.166 scores >> > > 7/-6.751 >> > > debug: AWL active, pre-score: 7.545, mean: -0.964428571428572, >> > > originating-ip: 218.166.57.150 >> > > debug: add_score: New count: 8, new totscore: 0.794 >> > > debug: Post AWL score: 3.29028571428571 >> > > ... >> > > Content analysis details: (3.3 points, -3.0 required) >> > > >> > > pts rule name description >> > >> > ---- ---------------------- >> ---------------------------------------------- >> > -- >> > > -- >> > > 1.2 BANG_MORE BODY: Talks about more with >> an exclamation! >> > > 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us >> > > 0.1 HTML_MESSAGE BODY: HTML included in message >> > > 0.3 HTML_FONT_BIG BODY: HTML has a big font >> > > 5.4 BAYES_99 BODY: Bayesian spam >> probability is 99 to >> 100% >> > > [score: 1.0000] >> > > 0.3 MIME_HTML_ONLY BODY: Message only has >> text/html MIME parts >> > > 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red >> > > 0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP >> address in URL >> > > 0.0 UPPERCASE_25_50 message body is 25-50% uppercase >> > > -4.3 AWL AWL: Auto-whitelist adjustment >> > > >> > > Entire message follows... >> > > ------- >> > > >> > > Return-Path: <[EMAIL PROTECTED]> >> > > Received: from linux.home.jay.fm ([unix socket]) >> > > by linux.home.jay.fm (Cyrus >> v2.1.12-Mandrake-RPM-2.1.12-1mdk) with >> LMTP; >> > > Thu, 30 Oct 2003 09:37:15 -0500 >> > > X-Sieve: CMU Sieve 2.2 >> > > Received: from jay.fm (218-166-57-150.HINET-IP.hinet.net >> [218.166.57.150]) >> > > by linux.home.jay.fm (8.12.10/8.12.10) with ESMTP id >> h9UEbA1x027111 >> > > for <[EMAIL PROTECTED]>; Thu, 30 Oct 2003 09:37:13 -0500 >> > > Received: from p4 [192.168.1.105] by jay.fm with eSMTP; >> > > Thu, 30 Oct 2003 22:36:43 +0800 >> > > Message-ID: <[EMAIL PROTECTED]> >> > > From: "anthony" <[EMAIL PROTECTED]> >> > > To: <[EMAIL PROTECTED]> >> > > Subject: With these pills you can shoot curn like a porn star! >> > > Date: Thu, 30 Oct 2003 22:36:43 +0800 >> > > MIME-Version: 1.0 >> > > Content-Type: text/html; charset="ISO-8859-1" >> > > X-Priority: 3 >> > > X-Mailer: PHP2 >> > > Lid-Tracking: <amF5QGpheS5mbQ==> >> > > X-Spam-Score: 1.745 (*) >> > > >> > >> AWL,BAYES_99,HTML_30_40,HTML_FONTCOLOR_RED,HTML_FONTCOLOR_UNKN >> OWN,HTML_FONT_ >> > > BIG,HTML_MESSAGE,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,UPPERCASE_25_50 >> > > >> > > <html><title>The irrepressible anger within her came out >> suddenly in a >> > > scream. >> > > Amber vainly said she was my >> > > >> > >> idol.r9011qyc97k09288fu78ndm7638659t54h44b7032bv2i5h9r67874676 >> zjy</title><he >> > > ad></head><body> >> > > <p align="center"><b><i><font size="4" >> color="#FF0000">S.URPRISE YOUR >> > L.OVER >> > > TODAY! COVER HER WHOLE FACE WITH C.UM!</font></i> >> > > <font size="+2"><br><br>How w.ould you like to</font></b><br> >> > > <b><font color="red" size="+3">SHOOT LIKE THE >> PO.RN-STARS?</font></b><br> >> > > <b><font size="+2">Up to 500% more S.PERM!</font></b> </p> >> > > <div align="center"><ul><li><b><i><font size="+1">ADD >> UP_TO 500% MORE >> > > SPER.M</font></i></b></li> >> > > <li><b><i><font size="+1">INCREASED SE.XUAL >> DESIRE</font></i></b></li> >> > > <li><b><i><font size="+1">HAVE M.ORE INTENSE >> 0.RGASMS</font></i></b></li> >> > > <li><b><i><font size="+1">PRODUCE ST.RONGER >> E.RECTIONS</font></i></b></li> >> > > <li><b><i><font size="+1">HAVE A STRONGER 5.EXUAL >> > DESIRE</font></i></b></li> >> > > <li><b><i><font size="+1">1.NCREASED S.E..XUAL >> > > STAMINA</font></i></b></li></ul></div> >> > > <p align="center"><b><font size="+2"><a >> > > href="http://203.197.204.157/pi/";>FULLY DO.CTOR APP.ROVED! L.EARN >> > > MORE!</a></font></b></p> >> > > <div align="center"><font color="red" size="4">100% >> GUARAN.TEED! NOT >> > > SAT1SFIED? YOU GET YOUR MONE.Y BACK!</font></div> >> > > >> > >> <BR>7256et45343p3n8mu6sj7heg2r7d005a2lg84825oen2x69x898u85pr<b >> r>c3bok3wl5w4i >> > > >> > >> r9011qyc97k09288fu78ndm7638659t54h44b7032bv2<br><br>i5h9r67874 >> 676zjy7256et45 >> > > 343p<br>The irrepressible anger within her came out suddenly in a >> > > scream.<br><br>Amber vainly said she was my >> > > >> > >> idol.<br>3n8mu6sj7heg2r7d005a2lg84825oen2x69x898u85prc3bok3wl5 >> w4ir9011qyc97k >> > > 09288fu78ndm76386<br>59t54h44b7032bv2i5h9r6787467<br><br> >> > > <p align="center">to stop all future mailings, <a >> > > href="http://203.197.204.157/rm/";>Here</a></p><BR><BR>The >> irrepressible >> > > anger within her came out suddenly in a scream.The >> irrepressible anger >> > > within her came out suddenly in a scream.Amber vainly >> said she was my >> > > idol.The irrepressible anger within her came out suddenly in a >> > > scream.</body></html> >> > > >> > > >> > > >> > > ------------------------------------------------------- >> > > This SF.net email is sponsored by: SF.net Giveback Program. >> > > Does SourceForge.net help you be more productive? Does it >> > > help you create better code? SHARE THE LOVE, and help us help >> > > YOU! Click Here: http://sourceforge.net/donate/ >> > > _______________________________________________ >> > > Spamassassin-talk mailing list >> > > [EMAIL PROTECTED] >> > > https://lists.sourceforge.net/lists/listinfo/spamassassin-talk >> > > >> > >> >> >> >> ------------------------------------------------------- >> This SF.net email is sponsored by: SF.net Giveback Program. >> Does SourceForge.net help you be more productive? Does it >> help you create better code? SHARE THE LOVE, and help us help >> YOU! Click Here: http://sourceforge.net/donate/ >> _______________________________________________ >> Spamassassin-talk mailing list >> [EMAIL PROTECTED] >> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk >> > > >------------------------------------------------------- >This SF.net email is sponsored by: SF.net Giveback Program. >Does SourceForge.net help you be more productive? Does it >help you create better code? SHARE THE LOVE, and help us help >YOU! Click Here: http://sourceforge.net/donate/ >_______________________________________________ >Spamassassin-talk mailing list >[EMAIL PROTECTED] >https://lists.sourceforge.net/lists/listinfo/spamassassin-talk > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Exmh CVS iD8DBQE/qChqQTcbUG5Y7woRApJ5AJ4xKAyHMIdxURwho5e0H+9Az5lzugCeNqCZ ttnaEQCENwIpVnOKwY9zQsQ= =FjDf -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
