On Sun, 2011-03-06 at 11:39 -0800, JP Kelly wrote:
> Yeah that sender's email address had been forged for a bunch of spam I
> received.

Without reading the following paragraph, I'd immediately suspect a cracked
account, not address forgery. The AWL is limited by address and originating
net-block (default /16, configurable since 3.3), thus it is rather unlikely
spam with that address forged is sent from a nearby address...

> I used spamassassin --remove-addr-from-whitelist for that address
> Also I did not have internal_networks and trusted_networks lines in my
> local.cf, which I added. Hopefully that will help. Thanks!

Bad internal and trusted networks settings would also explain this, though.
If those are missing a forwarding / relay system, that one will be considered
the handing-over machine -- which renders most DNSBLs as well as a lot of
rules useless. Plus, as far as AWL is concerned, the net-block constraint
effectively is disabled.

Kind of wonder though, why that Amazon outgoing SMTP cluster should be part
of your internal network. Or, how a forged address ended up being sent
through it...

> > > -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
> > > medium trust
> > > [72.21.212.35 listed in list.dnswl.org]

-- 
/* signature program: prints an e-mail address packed as a bit-coded tree walk */
#include <stdio.h>
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
int main(void){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
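The two points in the reply above (the AWL keying on address plus originating net-block, and a trusted_networks setting that misses your own relay turning that relay into the apparent hand-over host) are easy to see in a small model. The following is an added example, not code from the thread and not SpamAssassin's own AWL plugin: the key format `address|ip=<block>`, the class and function names, and the Received: chains, addresses and scores are all assumptions constructed for illustration. The `mask_len` parameter stands in for the 3.3 option auto_whitelist_ipv4_mask_len (default 16) mentioned above.

```python
"""Model of relay trust and AWL keying (added example, not SpamAssassin code).

Key format, names and sample data are assumptions modelled on the AWL plugin's
behaviour: entries are keyed on the sender address plus the net-block of the
first untrusted relay, and that same relay is what DNSBL/DNSWL rules query."""
import ipaddress
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Connecting IP of each Received: header, topmost (our own MX) first."""
    ips = []
    for header in received_headers:
        match = IP_RE.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def first_untrusted_relay(ips, trusted_networks):
    """Walk the chain outward from our MX.  The first address not covered by
    trusted_networks is the host that handed the mail over to us: the IP that
    DNSBL/DNSWL rules query and that the AWL keys on.  None if every hop is
    trusted (mail that originated inside the trusted network)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


def awl_key(sender, origip, mask_len=16):
    """AWL entry key: sender plus the originating /mask_len block (assumed
    format; mask_len stands in for auto_whitelist_ipv4_mask_len, default 16)."""
    if origip is None:
        block = "none"
    else:
        block = str(ipaddress.ip_network(f"{origip}/{mask_len}", strict=False))
    return f"{sender.lower()}|ip={block}"


class AutoWhitelist:
    """Minimal AWL store: running score total and count per key."""

    def __init__(self):
        self.entries = {}

    def update(self, key, score):
        total, count = self.entries.get(key, (0.0, 0))
        self.entries[key] = (total + score, count + 1)

    def mean(self, key):
        total, count = self.entries.get(key, (0.0, 0))
        return total / count if count else None


# Constructed sample data (not from the thread); documentation prefixes only.
OUR_MX = "198.51.100.10"        # our own mail exchanger
SENDER = "jp@example.org"
LEGIT = [   # genuine mail: the sender's ISP smarthost hands over to our MX
    f"from mx1.example.net (mx1.example.net [{OUR_MX}]) by mail.example.net",
    "from smtp-out.isp.example (smtp-out.isp.example [203.0.113.35]) by mx1.example.net",
]
FORGED = [  # spam forging the same address, delivered from an unrelated host
    f"from mx1.example.net (mx1.example.net [{OUR_MX}]) by mail.example.net",
    "from unknown (unknown [198.18.7.7]) by mx1.example.net",
]


def awl_outcome(trusted_networks):
    """Train the AWL with one hammy LEGIT message (score -5.0), then look up
    FORGED.  Returns (legit_key, forged_key, mean the forged mail inherits);
    a mean of None means the forgery missed the AWL entry."""
    awl = AutoWhitelist()
    legit_key = awl_key(SENDER, first_untrusted_relay(relay_ips(LEGIT), trusted_networks))
    awl.update(legit_key, -5.0)
    forged_key = awl_key(SENDER, first_untrusted_relay(relay_ips(FORGED), trusted_networks))
    return legit_key, forged_key, awl.mean(forged_key)


if __name__ == "__main__":
    # Correct config: our MX is trusted, so the ISP smarthost is the hand-over
    # host and the forgery from 198.18.0.0/16 gets a different key (AWL miss).
    print("trusted MX:   ", awl_outcome(["198.51.100.0/24"]))
    # Broken config: our own MX is not trusted, so every message "originates"
    # at 198.51.100.10; the net-block check collapses and the forgery inherits
    # the sender's good AWL mean (and DNSBLs would query our own MX's IP).
    print("untrusted MX: ", awl_outcome([]))
```

With the MX listed in trusted_networks the forgery keys on 198.18.0.0/16 and misses the entry built up from 203.0.0.0/16; with the MX missing, both messages key on 198.51.0.0/16, which is the "net-block constraint effectively disabled" case. The real AWL also averages in the score of the message being checked, which this model leaves out.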