It's worth checking this; that rule should fire only if the mail really *did* come from Vonage. I suspect a bug in how your mailserver's Received headers are parsed.
Could you post:

- a sample of a spam that passed this, with all headers
- output of "spamassassin -D -L -t < spam", the lines with 'received-header' and 'metadata' at least

--j.

Paul Boven writes:
> Hi everyone,
>
> Paul Boven wrote:
>
> > One of my users just spotted a FN that had managed to slip through.
> > They're abusing 70_sare_whitelist.cf, specifically:
> >
> > whitelist_from_rcvd [EMAIL PROTECTED] vonage.com
> > # Vonage voice mail notification
>
> I'm now catching these on several mailservers that we run, so I'm
> assuming this is getting abused quite a bit. And it's very effective
> because the default score for whitelist_from_rcvd is -100. What worries
> me is that whitelist_from_rcvd gets triggered, even though the mail
> obviously is forged, unless Vonage sends their mails from China.
>
> So my question is, still, why does the email (see my previous posting
> for headers) hit the whitelist_from_rcvd? Is my trusted networks
> confused? Does it get hit because the mail was processed by the
> (trusted) backup-MX first?
>
> Regards, Paul Boven.