On Mon, Feb 07, 2005 at 01:44:46PM -0600, David N wrote:
> Thus spake Michael Parker ([EMAIL PROTECTED]):
>
> > On Mon, Feb 07, 2005 at 05:44:00PM +0000, David N wrote:
> > > As I understand, '[EMAIL PROTECTED]|ip=142.55' is supposed to be unique to
> > > emails originating from 142.55.x.x, yet it shows 65 occurrences, and an
> > > (apparently) incorrect score of -5.4.
> >
> > Possibly you got 64 mails where the IP could not be determined so it
> > was placed in the database as "none." When you got one with an IP
> > that AWL could make use of it upgraded the "none" entry to the one
> > with the IP.
>
> That makes some sense to me, but I do have an entry in the database
> for '[EMAIL PROTECTED]|ip=none'... however the count is '1'!! I would
> expect the 'ip=none' to have more than a count of 1 but have no empirical
> evidence to prove it....
>
> The 'ip=none' also includes the case where all ip addresses known come
> from private subnets too doesn't it? -- If that's the case, then 64 would
> make a LOT of sense. [Additionally, since I received that bum spam message,
> I've sent exactly 1 email to an internal mailing list that returns the
> mail from me, but all private IP's - once again, the shoe fits].
>

Yeah, sending the 1 email added a new "none" record.

> Now then, if this scenario is correct, I end up in a situation where
> I send a buncha emails internally, accumulate a good -6.6 score in
> the AWL, and along comes Mr. Spammer & forges a 'from' from me,
> and the AWL code hijacks my good -6.6 score & passes the message?
> Is that an accurate description? If so:
>

This behavior is broken in several ways. Try whitelisting/blacklisting an
address. It sets the record to "none." Next time you receive a message from
that address it will be "upgraded" to the sending IP. Now a message comes
in from somewhere else and now it gets a new record.

AWL isn't perfect, which is why it's slated to be replaced/deprecated
(assuming I can get off my duff and finish the History plugin) in 3.1.
Hopefully, we'll be able to do away with all these little idiosyncrasies.

> 1) Can I turn off this 'upgrading', or is there something I can do
> to say include private addresses 192.168.223.x?? Or do I just
> need to disable AWL entirely?

No, that's just the way it works.

> 2) How can I delete the bum record from my AWL database?

see --remove-addr-from-whitelist=addr in the spamassassin manpage.

Michael
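An added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of the `addr|ip=a.b` keying and the "none" upgrade described in this thread, replayed to show where the count of 65 and the later count of 1 come from. The class `ToyAwl`, the addresses and the scores are constructed; treating RFC 1918 addresses as `ip=none` and using a factor of 0.5 are assumptions.

```python
import ipaddress

# RFC 1918 ranges, treated here as "no usable IP" (assumption taken from the thread).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def awl_key(addr, ip):
    """Build 'addr|ip=a.b' from the first two octets, or 'addr|ip=none'."""
    if ip is None or any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS):
        return f"{addr}|ip=none"
    return f"{addr}|ip=" + ".".join(ip.split(".")[:2])


class ToyAwl:
    """Hypothetical in-memory stand-in for the AWL database: key -> [count, total]."""

    def __init__(self, factor=0.5):  # assumed to mirror the auto_whitelist_factor default
        self.db = {}
        self.factor = factor

    def check(self, addr, ip, score):
        """Return the adjusted score for one message, then record its raw score."""
        key, none_key = awl_key(addr, ip), awl_key(addr, None)
        if key not in self.db and key != none_key and none_key in self.db:
            # The "upgrade": IP-less history moves under the first usable IP seen.
            self.db[key] = self.db.pop(none_key)
        count, total = self.db.get(key, [0, 0.0])
        adjusted = score if count == 0 else score + (total / count - score) * self.factor
        self.db[key] = [count + 1, total + score]
        return adjusted


def replay_thread():
    """Replay the sequence from the thread with constructed addresses and scores."""
    awl = ToyAwl()
    me = "user@example.com"
    for _ in range(64):                             # internal mail, private IPs only
        awl.check(me, "192.168.223.10", -6.0)
    forged = awl.check(me, "142.55.10.20", 10.0)    # forged From:, first usable IP
    other = awl.check(me, "198.51.100.7", 10.0)     # another source: fresh record
    awl.check(me, "192.168.223.10", -6.0)           # one more internal mail
    return awl.db, forged, other


if __name__ == "__main__":
    print(replay_thread())
```

In this model the forged message is pulled from 10.0 down to 2.0 by the inherited history, while the second external source starts from a clean record and keeps its 10.0.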