I thought the received header looked funny, so I hand-typed one and got the same result. Actually, if you look at the botnet messages (with either header), the IP, RDNS and HELO have been captured identically. I believe that means the header was parsed correctly by SA.
The three lines in the debug log following those botnet entries may bear on this. It says "skipping whitelist check". If an SPF failure causes whitelist_from_rcvd to be skipped, then that's a bug. Any comments before I move this discussion over to bugzilla?

Dan

Interesting lines (from -D with either header; full list http://www.visioncomm.net/temp/080104Debug2.txt):

...
[9060] dbg: Botnet: starting
[9060] dbg: Botnet: no trusted relays
[9060] dbg: Botnet: get_relay didn't find RDNS
[9060] dbg: Botnet: IP is '169.200.184.174'
[9060] dbg: Botnet: RDNS is 'sls-sn-smtp-pmail3.wachovia.com'
[9060] dbg: Botnet: HELO is 'sls-sn-smtp-pmail3.wachovia.com'
[9060] dbg: Botnet: sender '[EMAIL PROTECTED]'
[9060] dbg: Botnet: miss (none)
[9060] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH ======> got hit (1)
[9060] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
[9060] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
...

Original received header:

Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500

Hacked received header:

Received: from 169.200.184.174 (EHLO sls-sn-smtp-pmail3.wachovia.com (169.200.184.174) by mail.visioncomm.net with ESMTP (SMTPD32-8.15) id A1253F3B0064; Wed, 02 Jan 2008 03:53:57 -0500

User_prefs:

whitelist_from_rcvd [EMAIL PROTECTED] sls-sn-smtp-pmail3.wachovia.com
whitelist_from_rcvd [EMAIL PROTECTED] wachovia.com
whitelist_from_rcvd *wachovia.com wachovia.com

-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Friday, January 04, 2008 7:21 PM
To: users@spamassassin.apache.org
Subject: Re: Whitelist_from_rcvd not working

It occurs to me to wonder about

Received: from sls-sn-smtp-pmail3.wachovia.com [169.200.184.174] by mail.visioncomm.net with ESMTP

I only see one symbolic wachovia name in that header.
Shouldn't there be a HELO name or the like associated with 169.200.184.174?

Loren