Hello list, 

this is my first post here, although I have been happily using SpamAssassin 
for years now.

I noticed something unsettling some time ago, and yesterday I think I found 
the cause.

What I noticed was that when sending mail from one of my addresses to a 
mailing list (or to myself) it would, upon retrieving it (using getmail and 
spamc), often get a very high AWL score. Here is an example from a posting to 
the freebsd-test mailing list:

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on pseudoterminal.org
X-Spam-Level: ****
X-Spam-Status: No, score=4.9 required=5.0 
tests=[AWL=11.504,BAYES_00=-2.599,RCVD_IN_DNSWL_MED=-4,SPF_PASS=-0.001]
<dns:53.83.147.69.list.dnswl.org> [127.0.9.2]
<dns:freebsd.org?type=MX> [10 mx1.freebsd.org.]
<dns:freebsd.org> [69.147.83.40] autolearn=ham version=3.2.4
...
From: Andreas Ntaflos <[EMAIL PROTECTED]>

On AWL it scored over 11 points and only by means of the various other tests 
the message barely got under the spam threshold.

Naturally I was a little worried. Then, after reading up on AWL once again, I 
got the idea to look through my spam folder and check whether I got any 
spam "from" myself, i.e. where the From: header field indicated that the spam 
was sent from [EMAIL PROTECTED]

Of course I found one, because it doesn't seem uncommon for spammers to make 
spam seem to come from the recipient:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on pseudoterminal.org
X-Spam-Level: ****************
X-Spam-Status: Yes, score=16.4 required=5.0 
tests=[AWL=0.363,BAYES_99=3.5,HTML_IMAGE_ONLY_32=1.778,HTML_MESSAGE=...]
...
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>

To SpamAssassin this spam appears to come from myself. It scored a low AWL but 
over 16 points all in all, so the next message received from 
[EMAIL PROTECTED] would certainly get a high AWL score.

My questions are these: did I get this right? Is that really what seems to be 
happening? If so, how do I handle such a scenario? When it is so easy to 
forge header fields does it even make sense to have an AWL that assigns 
scores based on where the mail *appears* to be coming from? 

Or am I looking in the completely wrong direction here?

Any help appreciated!

Thanks in advance, 

Andreas
-- 
Andreas Ntaflos 
Vienna, Austria 

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
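
Added example, not part of the original post: a toy Python model of the AWL adjustment, replayed with the scores from the two header blocks above. It assumes SpamAssassin's documented behaviour of pulling each score toward the sender's historical mean by a factor of 0.5 (the default `auto_whitelist_factor`); the address, the IPs and the first history entry are constructed, and keying the history on sender plus the first two octets of the relay IP is modelled as an option.

```python
from collections import defaultdict

FACTOR = 0.5  # assumption: default auto_whitelist_factor


class AWL:
    """Toy auto-whitelist: running mean of pre-AWL scores per history key."""

    def __init__(self, key_by_ip=False):
        self.key_by_ip = key_by_ip
        self.hist = defaultdict(lambda: [0.0, 0])  # key -> [total, count]

    def _key(self, sender, ip):
        if not self.key_by_ip:
            return sender  # From: address only, trivially forgeable
        return sender + "|ip=" + ".".join(ip.split(".")[:2])  # address + /16

    def check(self, sender, ip, score):
        """Return (AWL adjustment, final score), then record the pre-AWL score."""
        entry = self.hist[self._key(sender, ip)]
        total, count = entry
        # Pull the score halfway toward the mean of earlier messages, if any.
        delta = (total / count - score) * FACTOR if count else 0.0
        entry[0] += score
        entry[1] += 1
        return round(delta, 3), round(score + delta, 3)


ME = "me@example.org"  # constructed stand-in for the redacted address
MESSAGES = [
    # (From:, relay IP, score before AWL); IPs are constructed
    (ME, "198.51.100.7", 16.763),  # constructed earlier spam forging ME
    (ME, "198.51.100.9", 16.037),  # spam from the post: 16.4 - 0.363
    (ME, "192.0.2.25", -6.6),      # genuine list post: -2.599 - 4 - 0.001
]


def replay(key_by_ip):
    """Score the three messages in order against a fresh AWL."""
    awl = AWL(key_by_ip)
    return [awl.check(*msg) for msg in MESSAGES]


if __name__ == "__main__":
    for mode in (False, True):
        print("key includes IP /16:", mode)
        for (_, ip, raw), (delta, final) in zip(MESSAGES, replay(mode)):
            print(f"  {ip:14} raw={raw:7.3f} AWL={delta:7.3f} final={final:6.3f}")
```

With the address-only key the genuine post picks up about +11.5 and ends at 4.9, matching the first header block; with the relay network in the key the forged history no longer touches it.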
