Oh boy do I need some help.

I've got SpamAssassin 3.0.2 running on a RedHat 7.2 system with sendmail,
configured sitewide to use bayes and auto-whitelist. local.cf is as follows:

    required_score 5.00
    report_safe 0
    use_razor2 0
    use_pyzor 0
    dcc_timeout 4
    bayes_expiry_max_db_size 300000
    bayes_journal_max_size 256000
    bayes_path /var/spool/spamassassin/bayes
    bayes_file_mode 0666
    use_auto_whitelist 0
    auto_whitelist_path        /var/spool/spamassassin/auto-whitelist
    auto_whitelist_file_mode   0666
    dns_available yes
    trusted_networks 216.110.45.174 #ns
    trusted_networks 69.20.61.50 #burrito
    trusted_networks 69.20.61.49 #taco
    lock_method flock


Problem: 
Spam arrives with a -75 score because it's "in the user's whitelist", as
you can see here:

    X-Spam-Status: No, score=-76.1 required=4.0 tests=BAYES_50,DOMAIN_RATIO,
            FORGED_YAHOO_RCVD,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,HTML_80_90,
            HTML_FONT_LOW_CONTRAST,HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_ONLY,
            MSGID_FROM_MTA_ID,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,
            URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST
            autolearn=failed version=3.0.1


My analysis:

1. USER_IN_WHITELIST is causing the low score. User has no whitelist, in
fact has no custom user settings whatsoever. 

Question: Therefore the site-wide shared auto-whitelist.db is causing
this flag, yes?

2. I'm checking the spamassassin database files:

    -rw-rw-rw-    1 lesart   lesart        40M Jan  5 12:12 auto-whitelist
    -rw-rw-rw-    1 root     root         255M Oct 10 06:34 auto-whitelist.db
    -rw-------    1 jknolle  jknolle        25 Oct 10 06:49 auto-whitelist.lock.ns.strangecode.com.19421
    -rw-------    1 lesart   lesart          6 Jan  5 12:12 auto-whitelist.mutex
    -rw-------    1 lesart   lesart       2.0k Jan  5 13:11 bayes.mutex
    -rw-rw-rw-    1 lesart   lesart       125k Jan  5 13:11 bayes_journal
    -rw-rw-rw-    1 root     root          40M Jan  5 13:11 bayes_seen
    -rw-rw-rw-    1 lesart   lesart       5.3M Jan  5 13:11 bayes_toks

Question: auto-whitelist.db is 255M, is that bad?

3. I turn on debugging (spamd -D) and tail the log. I find entries of
"debug: auto-learning failed: lock: 2670 cannot create lockfile
/var/spool/spamassassin/bayes.mutex: Permission denied". This is because
SpamAssassin "becomes" the receiving user to process mail and the
lock-files (bayes.mutex and auto-whitelist.mutex) are owned by one user and
trying to be overwritten by another. I tried turning off "lock_method
flock" but that didn't make a difference.

Question: should I be running SpamAssassin in a different user mode? Root
only? Should I migrate to MySQL?

Final question: is the USER_IN_WHITELIST false negative related to the
auto-learn=failed?

Thanks!
Quinn
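
An added example, not part of the original post: a small triage script that parses the X-Spam-Status header quoted above and flags what is visible in it. It checks for a whitelist rule firing alongside blocklist hits, a `required=` or `version=` value that differs from what the post gives (required_score 5.00, SpamAssassin 3.0.2), and a failed autolearn. The finding codes and the blocklist prefix list are assumptions made for this example.

```python
import re

# X-Spam-Status header copied from the post above.
HEADER = """X-Spam-Status: No, score=-76.1 required=4.0 tests=BAYES_50,DOMAIN_RATIO,
        FORGED_YAHOO_RCVD,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR2,HTML_80_90,
        HTML_FONT_LOW_CONTRAST,HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_ONLY,
        MSGID_FROM_MTA_ID,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_AB_SURBL,
        URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST
        autolearn=failed version=3.0.1"""

# Assumption: rule-name prefixes counted as blocklist evidence.
BLOCKLIST_PREFIXES = ("RCVD_IN_", "URIBL_")


def parse_status(header):
    """Unfold the header and return its key=value fields, tests as a list."""
    flat = re.sub(r",\s*\n\s*", ",", header)  # rejoin the folded tests list
    fields = dict(re.findall(r"(\w+)=(\S+)", flat))
    tests = fields.get("tests", "").split(",")
    fields["tests"] = [t for t in tests if t and t != "none"]
    return fields


def blocklist_hits(fields):
    """Tests whose names start with one of the blocklist prefixes."""
    return [t for t in fields["tests"] if t.startswith(BLOCKLIST_PREFIXES)]


def audit(header, expected_required, expected_version):
    """Return finding codes (names chosen for this example) for one message."""
    f = parse_status(header)
    findings = []
    passed = float(f["score"]) < float(f["required"])
    if passed and "USER_IN_WHITELIST" in f["tests"] and blocklist_hits(f):
        findings.append("whitelist-override")   # whitelisted despite blocklist hits
    if float(f["required"]) != expected_required:
        findings.append("required-mismatch")    # threshold differs from local.cf
    if f["version"] != expected_version:
        findings.append("version-mismatch")     # header names another release
    if f.get("autolearn") == "failed":
        findings.append("autolearn-failed")     # matches the lock errors in spamd -D
    return findings


if __name__ == "__main__":
    # Expected values from the post: required_score 5.00, SpamAssassin 3.0.2.
    print(audit(HEADER, 5.0, "3.0.2"))
```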




