At 05:40 PM 12/27/2005, Clay Irving wrote:
Here's one that has me a bit confused. I'm receiving mail from spammers and the messages are being scored 30+, but they're also hitting on USER_IN_WHITELIST which pushes the score positive.
Return-Path: <>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by mail.mydomain.com (Postfix, from userid 2331)
    id 425518146AE; Tue, 27 Dec 2005 14:04:52 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on chatter.mydomain.com
X-Spam-Status: No, score=-70.2 required=6.5 tests=BAYES_99,
    DATE_IN_FUTURE_06_12,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
    RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
    RCVD_IN_WHOIS_INVALID,SKX_TO_DBA,USER_IN_WHITELIST autolearn=no
    version=3.1.0
From: Jodi Santiago <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

The user isn't in a whitelist, at least that I can find.
Well, finding it is what we need to do. I've never seen a USER_IN_WHITELIST FP before..
Hmm, well.. Let's see here.. USER_IN_WHITELIST points to it matching a whitelist_from, or whitelist_from_rcvd. Anything else would show up as a different hit.
SA will match either the Return-Path or the From: header address to whitelists, so we need to find something that would match "[EMAIL PROTECTED]" or "".
First, I'd suggest a spamassassin --lint run. Maybe there's some typo somewhere that's REALLY confusing SA.. I doubt it, but we should rule that out before going ahead.
After that I'd suggest grepping your configs for all the whitelist_from commands.
Check the site_config dir, assuming /etc/mail/spamassassin is your site config:

grep whitelist_from /etc/mail/spamassassin/*.cf

I'd also check around for user_prefs files in the following spots:

/root/.spamassassin/
/home/dba/.spamassassin/
/home/<real delivery user>/.spamassassin/
~nobody/.spamassassin/
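
The whitelist search described in the reply above, as an added example that is not part of the original thread: it goes one step past grep by testing each whitelist_from / whitelist_from_rcvd address pattern (file-glob style, only * and ? as wildcards, case-insensitive) against the From: address and the empty Return-Path. The function names, sample configs and sender address are constructed for illustration, and the relay check of whitelist_from_rcvd is not evaluated.

```python
import re
import sys

DIRECTIVES = ("whitelist_from", "whitelist_from_rcvd")

# Constructed sample configs and senders (the thread's own addresses are redacted).
SAMPLE_CONFIGS = {
    "local.cf": "required_score 6.5\n"
                "whitelist_from friend@example.net *@lists.example.org\n"
                "whitelist_from_rcvd *@partner.example mail.partner.example\n",
    "user_prefs": "whitelist_from *@*.example   # overly broad entry\n",
}
SAMPLE_SENDERS = ["spammer@dsl.isp.example", ""]  # From: address, empty Return-Path


def glob_to_regex(pattern):
    """Translate a whitelist address glob: only * and ? are wildcards."""
    out = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(out), re.IGNORECASE)


def whitelist_entries(text):
    """Yield (lineno, directive, pattern) for every whitelist address pattern."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in DIRECTIVES:
            continue
        # whitelist_from takes one or more addresses; whitelist_from_rcvd takes
        # one address followed by a relay domain, which is not an address pattern.
        patterns = fields[1:2] if fields[0] == "whitelist_from_rcvd" else fields[1:]
        for pattern in patterns:
            yield lineno, fields[0], pattern


def find_matches(configs, senders):
    """Return (source, lineno, directive, pattern, sender) for each match."""
    hits = []
    for source, text in configs.items():
        for lineno, directive, pattern in whitelist_entries(text):
            rx = glob_to_regex(pattern)
            hits += [(source, lineno, directive, pattern, s)
                     for s in senders if rx.fullmatch(s)]
    return hits


if __name__ == "__main__":
    # Usage: script.py SENDER FILE... ; with no arguments, run the sample.
    senders = [sys.argv[1], ""] if len(sys.argv) > 2 else SAMPLE_SENDERS
    configs = ({p: open(p, errors="replace").read() for p in sys.argv[2:]}
               if len(sys.argv) > 2 else SAMPLE_CONFIGS)
    for hit in find_matches(configs, senders):
        print("%s:%d: %s %s matches %r" % hit)
```

Any line it prints names the file, line number and pattern to review; a bare * or a pattern with wildcards on both sides of the @ is the usual suspect.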