Hello.. I've searched the archives and Google and haven't found a specific answer to this question. I apologize in advance if I've overlooked something simple.
I'm getting a fair amount of emails that are whitelisted because SA thinks they're from [EMAIL PROTECTED] and is "trusting" this info. If you look at the output below SA (spamd ran with -D) realizes there is a forged HELO and knows something is up. It still subtracts 100 for the whitelist and does not tag the message as spam though...

Is there not a rule for "forged-HELO" which I can assign a very high score to? Would that even be advisable? Can SA be set to not apply a whitelist rule to a message with a forged HELO claiming to be local?

Thanks!

debug: bayes: 28907 untie-ing db_seen
debug: received-header: parsed as [ ip=24.61.202.136 rdns=h000102c5794e.ne.client2.attbi.com helo=DFHLCL21 by=mail.mydomain.com ident= ]
debug: is Net::DNS::Resolver available? yes
debug: IP is reserved, not looking up PTR
debug: received-header: parsed as [ ip=192.168.1.101 rdns=192.168.1.101 helo=DFHLCL21 by=mydomain.com ident= ]
debug: received-header: 'by' mail.mydomain.com has public IP 204.99.99.99
debug: received-header: relay 24.61.202.136 trusted? no
debug: received-header: relay 192.168.1.101 trusted? no
debug: Language possibly: en,sco,de,rm
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=1.856
debug: running uri tests; score so far=1.856
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=2.64
debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: 66.92.49.157:24441 TimeoutError:
debug: leaving helper-app run mode
debug: Pyzor: couldn't grok response "66.92.49.157:24441 TimeoutError: "
debug: DCCifd is not available: no r/w dccifd socket found.
debug: all '*To' addrs: [EMAIL PROTECTED]
debug: DNS MX records found: 1
debug: forged-HELO: from=attbi.com helo=dfhlcl21 by=mydomain.com
debug: forged-HELO: from=192.168.1.101 helo=dfhlcl21 by=mydomain.com
debug: forged-HELO: mismatch on from: 'attbi.com' != 'mydomain.com'
debug: RBL: success for 9 of 10 queries
debug: RBL: timeout for dynablock-notfirsthop after 6 seconds
debug: running meta tests; score so far=4.89
debug: auto-learn? ham=0.1, spam=10, body-hits=4.89, head-hits=2.25
debug: auto-learn: currently using scoreset 1. no need to recompute.
debug: auto-learn? no: inside auto-learn thresholds
debug: using "/var/qmail/.spamassassin" for user state dir
debug: lock: 28907 created /var/qmail/.spamassassin/auto-whitelist.lock.mail.localdomain.28907
debug: lock: 28907 trying to get lock on /var/qmail/.spamassassin/auto-whitelist with 0 retries
debug: lock: 28907 link to /var/qmail/.spamassassin/auto-whitelist.lock: link ok
debug: Tie-ing to DB file R/W in /var/qmail/.spamassassin/auto-whitelist
debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=24.61 scores 0/0
debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=none scores 0/0
debug: AWL active, pre-score: -95.11, mean: undef, originating-ip: 24.61.202.136
debug: add_score: New count: 1, new totscore: -95.11
debug: Post AWL score: -95.11
debug: DB addr list: untie-ing and unlocking.
debug: DB addr list: file locked, breaking lock.
debug: unlock: 28907 unlink /var/qmail/.spamassassin/auto-whitelist.lock
debug: is spam? score=-95.11 required=5 tests=BIZ_TLD,HTML_30_40,HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_RED,HTML_FONTCOLOR_UNKNOWN,HTML_FONTCOLOR_UNSAFE,HTML_FONT_BIG,HTML_FONT_INVISIBLE,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,USER_IN_WHITELIST
logmsg: clean message (-95.1/5.0) for qmaild:2020 in 6.3 seconds, 2871 bytes.
debug: cleaned up kid 28907, pool=5
_______________________________________________
Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
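An added example, not part of the original post or of SpamAssassin: a small audit over spamd -D output that reports messages where USER_IN_WHITELIST fired although no relay was trusted and a forged-HELO mismatch was logged, together with the score the message would have had without the whitelist. The function name audit, the -100 whitelist weight (taken from the poster's "subtracts 100") and the second sample message with a "trusted? yes" line are assumptions made for the example.

```python
import re

# Constructed sample: message 1 is an excerpt of the debug output quoted in the
# post (tests list shortened); message 2 is invented to show a whitelist hit
# that arrives through a trusted relay.
SAMPLE = """\
debug: received-header: relay 24.61.202.136 trusted? no
debug: received-header: relay 192.168.1.101 trusted? no
debug: forged-HELO: mismatch on from: 'attbi.com' != 'mydomain.com'
debug: is spam? score=-95.11 required=5 tests=BIZ_TLD,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,USER_IN_WHITELIST
logmsg: clean message (-95.1/5.0) for qmaild:2020 in 6.3 seconds, 2871 bytes.
debug: received-header: relay 192.168.1.5 trusted? yes
debug: is spam? score=-99.9 required=5 tests=USER_IN_WHITELIST
"""

RELAY = re.compile(r"received-header: relay (\S+) trusted\? (yes|no)")
MISMATCH = re.compile(r"forged-HELO: mismatch on from: '([^']*)' != '([^']*)'")
VERDICT = re.compile(r"is spam\? score=(-?[\d.]+) required=(-?[\d.]+) tests=(\S*)")


def audit(log_text, whitelist_weight=-100.0):
    """Return one finding per message whose whitelist hit looks forged."""
    findings, relays, mismatches = [], {}, []
    for line in log_text.splitlines():
        if m := RELAY.search(line):
            relays[m.group(1)] = m.group(2) == "yes"
        elif m := MISMATCH.search(line):
            mismatches.append((m.group(1), m.group(2)))
        elif m := VERDICT.search(line):
            # The "is spam?" line closes one message: evaluate, then reset state.
            score, required = float(m.group(1)), float(m.group(2))
            tests = set(m.group(3).split(","))
            suspicious = ("USER_IN_WHITELIST" in tests and mismatches
                          and not any(relays.values()))
            if suspicious:
                findings.append({
                    "score": score,
                    "score_without_whitelist": round(score - whitelist_weight, 2),
                    "required": required,
                    "untrusted_relays": sorted(relays),
                    "helo_mismatches": mismatches,
                })
            relays, mismatches = {}, []
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
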