whitelist_from_rcvd [EMAIL PROTECTED] borland.com will probably do what you want. Although Borland doesn't publish an SPF, you <may> find all their MXs have borland.com rDNS.
You'd have to watch it a while to see if you miss any legitimate Borland email that's not via a borland.com server. Dan -----Original Message----- From: Martin G. Diehl [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 02, 2007 3:31 PM To: users@spamassassin.apache.org Subject: Spoofed from address but matched my whitelist -- please clarify Greetings, I have a piece of SPAM with an obviously spoofed (obvious to me, that is) from address ... but didn't get flagged as SPAM. The message claims to originate from borland.com borland.com has IP 63.175.76.152 The message actually originates from napfehfu 86.60.37.183 borland.com is listed in my whitelist. My questions ... (1) Shouldn't this message have been flagged as SPAM? (2) Is the DomainKey-Signature also spoofed or fake? (3) Which headers (types of from addresses) are compared to my whitelist? Some of the significant header lines (I reversed the sequence) > DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint; d=borland.com; > b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQ iZhlik; > From: "Abbey Delisa" <[EMAIL PROTECTED]> > Received: from unknown (HELO napfehfu) (86.60.37.183) > by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -0000 > Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25 > (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0. > Clear:RC:0(86.60.37.183):. Here are all of the headers ... =============================== > X-UIDL: 1178037793.M276441P78860.mx2.oct.nac.net > X-Mozilla-Status: 0000 > X-Mozilla-Status2: 00000000 > Return-Path: <[EMAIL PROTECTED]> > Delivered-To: [EMAIL PROTECTED] > X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd1.oct > X-Spam-Level: > X-Spam-PrefsFile: nac.net/mdiehl > X-Spam-Status: No, score=-77.8 required=4.7 tests=HTML_FONT_BIG=0.256, > HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.001,RAZOR2_CF_RANGE_51_100=0.5, > RAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CF_RANGE_E8_51_100=1.5, > RAZOR2_CHECK=0.5,RCVD_IN_SORBS_DUL=1.988,TW_ZW=0.077, > URIBL_AB_SURBL=3.306,URIBL_BLACK=3,URIBL_JP_SURBL=3.36, > URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,USER_IN_WHITELIST=-100 > autolearn=disabled version=3.1.7 > Received: (qmail 78558 invoked by uid 0); 1 May 2007 16:42:54 -0000 > Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25 > (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0. > Clear:RC:0(86.60.37.183):. > Processed in 0.524071 secs); 01 May 2007 16:42:54 -0000 > X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net > X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED] > X-Qmail-Scanner: 1.25 (Clear:RC:0(86.60.37.183):. Processed in 0.524071 secs) > X-Qmail-Scanner-NAC-Block-Zips: 1 > X-Qmail-Scanner-NAC-Redirect-This: 0 > X-Qmail-Scanner-NAC-Redirect-To: > X-Qmail-Scanner-NAC-Scanners-Run: clamdscan_scanner fprot_scanner > Received: from unknown (HELO napfehfu) (86.60.37.183) > by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -0000 > To: <[EMAIL PROTECTED]> > Date: Tue, 01 May 2007 09:42:45 -0800 > From: "Abbey Delisa" <[EMAIL PROTECTED]> > Message-ID: <[EMAIL PROTECTED]> > DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint; d=borland.com; > b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQ iZhlik; > User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111) > X-Accept-Language: en-us, en > MIME-Version: 1.0 > Subject: SPECIAL PHARMACY DISCOUNT, you pay & we ship, no question asked, established by reputable Canadian Doctor qizwx > Content-Type: text/html; > charset="iso-8859-1" > Content-Transfer-Encoding: 7bit =============================== Thanks for any and all comments, help, or advice. -- MGD
