Hi, >> http://pastebin.com/m4a4d990e >> >> Is the criteria for being listed on the JMF_W simply that it contains >> a domain that is whitelisted, despite whether it contains another URL >> that is blacklisted? > > I'm not sure what you are saying here, it's not as if the people > running the whitelist could lookup the IP address on razor.
I'm saying that it appears odd that it would be listed on both RAZOR and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR rules found the bogus http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com is a legitimate kraftfoods site? >> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK) > > Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is > that the whitelist rule is then pointless. Set it's score at a value > that's commensurate with it's effectiveness on your email. Does my question now make sense? I was looking at it from more of a validation point of view for JMF_W, because of the apparent conflict with RAZOR. >> It also appears to spoof the kraftfoods.com mail server, correct? Is >> there a possible rule to be created here? > > No, it was almost certainly sent through kraftfoods.com. It's based on > an IP address recorded by your trusted network. Maybe I should have used a better example. Can I ask you to look at this one? http://pastebin.com/m7d61b26f This uses IP 66.132.135.108 as its URL (xybersleuth.com), and unless that's not a spammer's site, then there's something wrong. This email includes JMF_W and RAZOR2_CF_RANGE_51_100 and URIBL_BLACK in the same message, although it has a very low bayes score. Which is correct? Thanks, Alex
