LinuxQuestions.org


loftus49 06-08-2010 05:25 PM

Email - unapproved Whitelisting
 
I'm receiving lots of spam on my GoDaddy RH Fedora Core 6 server. One of my users sent this to me. In looking at the header it appears that this spammer (from Russia) has been "whitelisted". How?

Does anyone know anything about this?

X-Spam-Status: No, score=-81.5 required=3.1 tests=BAYES_40,DRUGS_ERECTILE,
DRUG_ED_CAPS,HTML_90_100,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
HTML_SHORT_LINK_IMG_1,MIME_HTML_ONLY,NO_REAL_NAME,URIBL_AB_SURBL,
URIBL_JP_SURBL,URIBL_SC_SURBL,USERPASS,USER_IN_WHITELIST autolearn=no

Thanks. Duane

spampig 06-09-2010 12:49 AM

USER_IN_WHITELIST is a Spamassassin rule that applies a negative score to a message (hence here you have -81.5). From memory it's -90 but with the other rules this mail hit on, it's dropped. If the user was not in the whitelist it would have scored 9.5. Given you have a required level of 3.1, that would have hit as spam.

Without seeing the full headers and Spamassassin config (which I would *not* post for disclosure reasons) help is going to be limited to telling you to check your Spamassassin (SA) config. Check all the addresses in the header (Return Path/From/To/Last external 'Received From IP') against entries in:
1. any of the .cf files starting with the word 'whitelist'
2. check local.cf (or any .cf files) looking for 'whitelist_<BLAH>' entries matching the 4 headers above.
3. You may want to additionally check local.cf and see if 'use_auto_whitelist' is set to off (0) or on (1). This is normally tied to a separate issue, but I've mentioned it FYI.

The issue of whitelisting in Spamassassin is sometimes not as obvious as it could be. This is almost certainly a whitelist rule you have added yourself and I suspect it could be for your own domain. I also suspect the headers have been trivially forged in your spam mails so that the return path carries your own domain or user which happens to match a 'whitelist_from' entry in one of your .cf files. If it becomes a real PITA whilst you troubleshoot it, you can always add this line to your local.cf:
Quote:

score USER_IN_WHITELIST 0

which will disable the feature period. I don't recommend this approach as it's better to fix the whitelist issues.

In addition, if you have root access to your server (which I doubt, but you may have a dedicated or VPS) I would set the MTA up to knock out the obvious trash before it even gets passed to Spamassassin. In the example above it probably would not help as I don't see it catching on anything in the network ruleset other than a blocklisted URI in the body (on three blocklists from what I can see there).

HTH
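As an added example (not code from the thread or from SpamAssassin itself), a small Python audit that does the check described above: it pulls the 'whitelist_from' globs and any 'score USER_IN_WHITELIST' override out of a local.cf, matches them against the From and Return-Path addresses of a message, and works out what the message would have scored without the whitelist hit. The local.cf and the message are constructed samples, the rule score of -91 is taken from the reply's arithmetic rather than SpamAssassin's default, and comparing only From and Return-Path is a simplification of what SA actually checks.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Constructed sample local.cf: a wildcard whitelist for the local domain
# (the situation the reply suspects) plus a score override for the rule.
SAMPLE_LOCAL_CF = """\
whitelist_from *@example.com   # local users; forged senders match this too
whitelist_from boss@partner.example
score USER_IN_WHITELIST -91
"""

# Constructed sample spam whose From/Return-Path forge the local domain.
SAMPLE_MSG = """\
Return-Path: <bounce@example.com>
From: <sales@example.com>
To: duane@example.com
X-Spam-Status: No, score=-81.5 required=3.1 tests=BAYES_40,DRUGS_ERECTILE,
\tURIBL_AB_SURBL,USER_IN_WHITELIST autolearn=no

body
"""

def parse_local_cf(text):
    """Collect whitelist_from globs and 'score RULE value' lines from a .cf file."""
    patterns, scores = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip trailing comments
        if parts and parts[0] == "whitelist_from":
            patterns.extend(p.lower() for p in parts[1:])  # several globs per line
        elif parts and parts[0] == "score" and len(parts) >= 3:
            scores[parts[1]] = float(parts[2])
    return patterns, scores

def sender_addresses(msg):
    """Addresses compared against whitelist_from (simplified: From and Return-Path)."""
    pairs = getaddresses(msg.get_all("From", []) + msg.get_all("Return-Path", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def audit_whitelist(cf_text, raw_msg):
    """Which globs match the sender, and what the score would be without the hit."""
    patterns, scores = parse_local_cf(cf_text)
    msg = message_from_string(raw_msg)
    hits = [(a, p) for a in sender_addresses(msg) for p in patterns if fnmatchcase(a, p)]
    status = re.sub(r",\s+", ",", re.sub(r"\s+", " ", msg.get("X-Spam-Status", "")))
    m = re.search(r"score=(-?[\d.]+) required=([\d.]+) tests=(\S+)", status)
    score, required, tests = float(m.group(1)), float(m.group(2)), m.group(3).split(",")
    without = score - scores.get("USER_IN_WHITELIST", 0.0) if "USER_IN_WHITELIST" in tests else score
    return {"hits": hits, "score": score, "required": required,
            "score_without_whitelist": round(without, 1), "would_be_spam": round(without, 1) >= required}
```

Running `audit_whitelist(SAMPLE_LOCAL_CF, SAMPLE_MSG)` reports both forged addresses matching the `*@example.com` glob and a whitelist-free score of 9.5, well over the 3.1 threshold.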

loftus49 06-10-2010 12:18 AM

Quote:

Originally Posted by spampig (Post 3997410)

Many thanks for the info. I am following it and checking now. I found a whitelist for several local email addresses in the "local.cf" file which purports to update Spamassassin. I removed the email entries preceded by "whitelist".

After changing the "local.cf" file, do I need to do some sort of update to get local.cf to update spamassassin?
Incidentally, I do have root access as I'm using a VPS.

spampig 06-10-2010 01:56 AM

Once you make any changes to Spamassassin, restart it. Without knowing which breed of OS you have on your VPS I can't tell you how to do that but it could be as simple as:

Quote:

/etc/init.d/spamassassin restart

HTH

loftus49 06-10-2010 10:25 PM

Quote:

Originally Posted by spampig (Post 3998600)

I'm on GoDaddy with a RedHat Fedora Core 6 server. I know it's older than dirt but I am going to change soon. I eliminated the whitelist entries that referred back to email addresses on this server. We'll see if that has any effect. In the meantime, I received the following error message from a user in NC this morning:

Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'jscrxxxxer@asienxxxxs.com' <mailto:'jscribner@asienterprises.com'> , Server: 'mail.asienxxxxs.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F

No other user has made any mention of an error. Do you think this might be related?

