LinuxQuestions.org
Old 06-08-2010, 05:25 PM   #1
loftus49
Member
 
Registered: May 2010
Location: Phoenix
Distribution: Ubuntu, CentOS5, Fedora, Mint, MX Linux
Posts: 178
Blog Entries: 1

Rep: Reputation: 20
Email - unapproved Whitelisting


I'm receiving lots of spam on my GoDaddy RH Fedora Core 6 server. One of my users sent this to me. In looking at the header it appears that this spammer (from Russia) has been "whitelisted". How?

Does anyone know anything about this?

X-Spam-Status: No, score=-81.5 required=3.1 tests=BAYES_40,DRUGS_ERECTILE,
DRUG_ED_CAPS,HTML_90_100,HTML_IMAGE_ONLY_12,HTML_MESSAGE,
HTML_SHORT_LINK_IMG_1,MIME_HTML_ONLY,NO_REAL_NAME,URIBL_AB_SURBL,
URIBL_JP_SURBL,URIBL_SC_SURBL,USERPASS,USER_IN_WHITELIST autolearn=no

Thanks. Duane
 
Old 06-09-2010, 12:49 AM   #2
spampig
Member
 
Registered: Feb 2010
Location: /Earth/UK/England/Hampshire
Distribution: Debian, Ubuntu, CentOS, Slackware
Posts: 262
Blog Entries: 2

Rep: Reputation: 56
USER_IN_WHITELIST is a Spamassassin rule that applies a negative score to a message (hence here you have -81.5). From memory it's -90 but with the other rules this mail hit on, it's dropped. If the user was not in the whitelist it would have scored 9.5. Given you have a required level of 3.1, that would have hit as spam.

Without seeing the full headers and Spamassassin config (which I would *not* post for disclosure reasons) help is going to be limited to telling you to check your Spamassassin (SA) config. Check all the addresses in the header (Return Path/From/To/Last external 'Received From IP') against entries in:
1. any of the .cf files starting with the word 'whitelist'
2. check local.cf (or any .cf files) looking for 'whitelist_<BLAH>' entries matching the 4 headers above.
3. You may want to additionally check local.cf and see if 'use_auto_whitelist' is set to off (0) or on (1). This is normally tied to a separate issue, but I've mentioned it FYI.

The issue of whitelisting in Spamassassin is sometimes not as obvious as it could be. This is almost certainly a whitelist rule you have added yourself and I suspect it could be for your own domain. I also suspect the headers have been trivially forged in your spam mails so that the return path carries your own domain or user which happens to match a 'whitelist_from' entry in one of your .cf files.

If it becomes a real PITA whilst you troubleshoot it, you can always add this line to your local.cf
Quote:
score USER_IN_WHITELIST 0
which will disable the feature period. I don't recommend this approach as it's better to fix the whitelist issues.

In addition, if you have root access to your server (which I doubt, but you may have a dedicated or VPS) I would set the MTA up to knock out the obvious trash before it even gets passed to Spamassassin. In the example above it probably would not help as I don't see it catching on anything in the network ruleset other than a blocklisted URI in the body (on three blocklists from what I can see there).

HTH

Last edited by spampig; 06-09-2010 at 01:02 AM.
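
The check described in the post above, as an added example that is not part of the original thread or of SpamAssassin: a Python script that lists the whitelist entries in a .cf file and reports which one matches an address in a message's headers. The sample config, message and domains are constructed; the header set per directive is a simplifying assumption, and the relay half of `whitelist_from_rcvd` is not evaluated.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Directive -> headers whose addresses it is compared against. Simplified
# assumption for this example; SpamAssassin itself consults more headers.
DIRECTIVES = {
    "whitelist_from": ("Return-Path", "From"),
    "whitelist_from_rcvd": ("Return-Path", "From"),  # relay part not checked here
    "whitelist_to": ("To",),
}

def glob_to_regex(pattern):
    """Address globs in whitelist entries: '*' = any run, '?' = one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def parse_whitelists(cf_text, filename="local.cf"):
    """Yield (filename, lineno, directive, pattern) for each whitelist entry."""
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in DIRECTIVES:
            continue
        # whitelist_from_rcvd is "address relay-domain": only the address is a glob.
        patterns = tokens[1:2] if tokens[0] == "whitelist_from_rcvd" else tokens[1:]
        for pat in patterns:
            yield filename, lineno, tokens[0], pat

def find_matches(raw_message, entries):
    """Return the whitelist entries that match an address in the message headers."""
    msg = message_from_string(raw_message)
    hits = []
    for filename, lineno, directive, pat in entries:
        rx = glob_to_regex(pat)
        for header in DIRECTIVES[directive]:
            for _, addr in getaddresses(msg.get_all(header, [])):
                if addr and rx.match(addr):
                    hits.append((filename, lineno, directive, pat, header, addr))
    return hits

# Constructed sample input: a domain-wide whitelist and a message whose
# Return-Path claims to come from that same domain.
SAMPLE_CF = "required_score 3.1\nwhitelist_from *@example.com\nwhitelist_to postmaster@example.com\n"
SAMPLE_MSG = "Return-Path: <sales@example.com>\nFrom: offers@bulk.invalid\nTo: duane@example.com\n\nbody\n"

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_MSG, parse_whitelists(SAMPLE_CF)):
        print(hit)
```

Each reported tuple names the file, line number and pattern responsible, which is the entry to tighten or remove.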
 
Old 06-10-2010, 12:18 AM   #3
loftus49
Member
 
Registered: May 2010
Location: Phoenix
Distribution: Ubuntu, CentOS5, Fedora, Mint, MX Linux
Posts: 178

Original Poster
Blog Entries: 1

Rep: Reputation: 20
Many thanks for the info. I am following it and checking now. I found a whitelist for several local email addresses in the "local.cf" file which purports to update Spamassassin. I removed the email entries preceded by "whitelist".

After changing the "local.cf" file, do I need to do some sort of update to get local.cf to update spamassassin?
Incidentally, I do have root access as I'm using a VPS.
 
Old 06-10-2010, 01:56 AM   #4
spampig
Member
 
Registered: Feb 2010
Location: /Earth/UK/England/Hampshire
Distribution: Debian, Ubuntu, CentOS, Slackware
Posts: 262
Blog Entries: 2

Rep: Reputation: 56
Once you make any changes to Spamassassin, restart it. Without knowing which breed of OS you have on your VPS I can't tell you how to do that but it could be as simple as:

Quote:
/etc/init.d/spamassassin restart
HTH
 
Old 06-10-2010, 10:25 PM   #5
loftus49
Member
 
Registered: May 2010
Location: Phoenix
Distribution: Ubuntu, CentOS5, Fedora, Mint, MX Linux
Posts: 178

Original Poster
Blog Entries: 1

Rep: Reputation: 20
I'm on GoDaddy with a RedHat Fedora Core 6 server. I know it's older than dirt but I am going to change soon. I eliminated the whitelist entries that referred back to email addresses on this server. We'll see if that has any effect. In the meantime, I received the following error message from a user in NC this morning:

Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'jscrxxxxer@asienxxxxs.com', Server: 'mail.asienxxxxs.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F

No other user has made any mention of an error. Do you think this might be related?
 
  

