I have many users in the whitelist_from in the local.cf. When I get forwarded spam email like this, how do I find which one it matched? Which FROM entry is it actually looking at?
-Andrew X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on xphotonics.com X-Spam-Level: X-Spam-Status: No, score=-72.0 required=5.0 tests=BAYES_50,DCC_CHECK, DIGEST_MULTIPLE,DRUGS_ERECTILE,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CHECK,SARE_FROM_DRUGS,UNPARSEABLE_RELAY,USER_IN_WHITELIST autolearn=no version=3.2.1 X-Spam-Pyzor: Reported 4263 times. X-Spam-Report: * -100 USER_IN_WHITELIST From: address is in the user's white-list * 1.7 SARE_FROM_DRUGS From a drug * 5.5 UNPARSEABLE_RELAY Informational: message has unparseable relay lines * 0.0 HTML_MESSAGE BODY: HTML included in message * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% * [score: 0.5000] * 3.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * 5.0 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level * above 50% * [cf: 100] * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% * [cf: 100] * 5.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) * 5.0 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check * 0.3 DRUGS_ERECTILE Refers to an erectile drug * 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag Received: from xphotonics.com (localhost [127.0.0.1]) by xphotonics.com (8.14.1/8.14.1) with ESMTP id l9MFJIOp032936 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO) for <[EMAIL PROTECTED]>; Mon, 22 Oct 2007 11:19:18 -0400 (EDT) (envelope-from [EMAIL PROTECTED]) Received: (from [EMAIL PROTECTED]) by xphotonics.com (8.14.1/8.14.1/Submit) id l9MFJIKX032935 for xiang; Mon, 22 Oct 2007 11:19:18 -0400 (EDT) (envelope-from lian) Received: from 029ae8f252bf4ac (84pavel.dialup.corbina.ru [85.21.237.209]) by xphotonics.com (8.14.1/8.14.1) with SMTP id l9MFHg8N032899 for <[EMAIL PROTECTED]>; Mon, 22 Oct 2007 11:17:44 -0400 (EDT) (envelope-from [EMAIL PROTECTED]) Date: Mon, 22 Oct 2007 11:17:42 -0400 (EDT) Received: from Susana Ware (10.11.17.11) by 029ae8f252bf4ac (PowerMTA(TM) v3.2r4) id hfp31o62d55j87 for <[EMAIL PROTECTED]>; Mon, 22 Oct 2007 07:17:20 +0300 Message-Id: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: October 79% OFF From: VIAGRA ?Official Site <[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com X-Virus-Scanned: ClamAV 0.91.1/4559/Mon Oct 22 00:02:57 2007 on xphotonics.com X-Virus-Status: Clean <style> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";> <html dir="ltr"> <head> <meta http-equiv=Content-Type content="text/html; charset=unicode"> <meta name=Generator content="Microsoft SafeHTML"> <title>WL 90-day Email 1a</title> <table width=550 border=0 cellpadding=0 cellspacing=0 bgcolor="#999999"> </tr> <tr valign=top> <td colspan=5><img src="http://ads1.oqr.com/ads/pronws/CIQ3536/1a_banner.jpg"; alt="Windows Live Hotmail" width=548 height=224 border=0></td>
![http://ads1.oqr.com/ads/pronws/CIQ3536/1a_banner.jpg"](http://ads1.oqr.com/ads/pronws/CIQ3536/1a_banner.jpg"){kind=link}