Mailing List Archive

At 10:57 AM 3/1/2004, Ilan Aisic wrote:
>whitelist_from_rcvd *@apache.org mail.apache.org
>whitelist_from_rcvd *@incubator.apache.org mail.apache.org
>
>I tried various variations like:
>whitelist_from_rcvd *@apache.org apache.org
>whitelist_from_rcvd * mail.apache.org
>whitelist_from_rcvd *@* mail.apache.org
>
>But none seem to work.
>
>I have other mailing lists which are whitelisted and work fine.

None of the posts on this list are "from" apache.org at all... they're to
spamassassin-users@incubator.apache.org.

Thus, in SpamAssassin you'd have to use whitelist_to, more_spam_to, or
all_spam_to spamassassin-users@incubator.apache.org.

If you use procmail, it'd be better to use a procmail rule to just go
around the call to SA.. this way you don't have to worry about the bayes
autolearner kicking in and learning posts on the list.

Thanks I'll use it.
However, it won't check that the server the mail comes from is
mail.apache.org which is a weakness.

--ilan

> -----Original Message-----
> From: Matt Kettler [mailto:mkettler@evi-inc.com]
> Sent: Monday, March 01, 2004 6:09 PM
> To: Ilan Aisic; spamassassin-users@incubator.apache.org
> Subject: Re: How to Whitelist spamassassin-users ?
>
>
> At 10:57 AM 3/1/2004, Ilan Aisic wrote:
> >whitelist_from_rcvd *@apache.org mail.apache.org
> >whitelist_from_rcvd *@incubator.apache.org mail.apache.org
> >
> >I tried various variations like:
> >whitelist_from_rcvd *@apache.org apache.org
> >whitelist_from_rcvd * mail.apache.org
> >whitelist_from_rcvd *@* mail.apache.org
> >
> >But none seem to work.
> >
> >I have other mailing lists which are whitelisted and work fine.
>
> None of the posts on this list are "from" apache.org at
> all... they're to
> spamassassin-users@incubator.apache.org.
>
> Thus, in SpamAssassin you'd have to use whitelist_to,
> more_spam_to, or
> all_spam_to spamassassin-users@incubator.apache.org.
>
> If you use procmail, it'd be better to use a procmail rule to just go
> around the call to SA.. this way you don't have to worry
> about the bayes
> autolearner kicking in and learning posts on the list.
>
>
>
>
>

At 11:15 AM 3/1/2004, Ilan Aisic wrote:
>Thanks I'll use it.
>However, it won't check that the server the mail comes from is
>mail.apache.org which is a weakness.

Yes, it is a weakness. Unfortunately, whitelist_to wasn't really written
with mailing-lists in mind. It was more written with the idea of reducing
FPs for a local user who subscribes to spammy newsletters.

Perhaps a "whitelist_to_rcvd" feature wouldn't be such a bad idea, since it
would be useful for mailing lists.

On Mon, 1 Mar 2004, Matt Kettler wrote:

> At 11:15 AM 3/1/2004, Ilan Aisic wrote:
> >Thanks I'll use it.
> >However, it won't check that the server the mail comes from is
> >mail.apache.org which is a weakness.
>
> Yes, it is a weakness. Unfortunately, whitelist_to wasn't really written
> with mailing-lists in mind. It was more written with the idea of reducing
> FPs for a local user who subscribes to spammy newsletters.
>
> Perhaps a "whitelist_to_rcvd" feature wouldn't be such a bad idea, since it
> would be useful for mailing lists.

There's no guarantee that the "To:" address would be predictable and
thus -not- usefull for this purpose.

There are pleny of posts to this list that don't include "apache.org"
in the "To:" Usually "apache.org" does appear in either "Cc:" or "To:"
but if the poster uses "Bcc:" it won't.

Some lists use something like "To: undisclosed-recipients:;"
(see RFC-2822).

People, I've said this before, it's worth repeating.

READ RFC-2821, section 3.10. Worthwhile mailing list systems
will set the ENVELOPE FROM address to something predictable.

IF you configure your mail system in such a way that the Envelope From
address is available to SpamAssassin, then the 'whitelist_from_rcvd'
functionality works just fine to whitelist -all-kinds- of lists
(including this one. ;).

Why try to invent new hacks when the existing tools work just fine
if properly used.


--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

David B Funk wrote:
> IF you configure your mail system in such a way that the Envelope From
> address is available to SpamAssassin, then the 'whitelist_from_rcvd'
> functionality works just fine to whitelist -all-kinds- of lists
> (including this one. ;).

Anyone know if this setup works using Fetchmail? Fetchmail pulls my
mail off the imap server at my hosting provider, then throws it at Exim
as an SMTP session. Will fetchmail still feed it the correct envelope
from address? I'm not sure that it can know the envelope from, seeing
as how these messages have already been (technically) delivered.

Steven
--
Steven Dickenson <steven@mrchuckles.net>
http://www.mrchuckles.net

David B Funk <dbfunk@engineering.uiowa.edu> wrote:
> [...]
> IF you configure your mail system in such a way that the
> Envelope From address is available to SpamAssassin, then the
> 'whitelist_from_rcvd' functionality works just fine to
> whitelist -all-kinds- of lists (including this one. ;).

Aha! You answered the question I had posted (with no replies :( ) on the topic
of spams to whitelisted lists getting high ham scores with AWL! I'd been bitten
by spam to securityfocus lists, only to (finally) notice:

def_whitelist_from_rcvd *@securityfocus.com
securityfocus.com

in /usr/share/spamassassin/60_whitelist.cf

So am I correct in thinking any spams to any un/poorly-moderated lists from
domains listed in the default whitelist probably will sail through with a high
(negative) spam score, right?

- Bob

On Mon, 1 Mar 2004, Steven Dickenson wrote:

> David B Funk wrote:
> > IF you configure your mail system in such a way that the Envelope From
> > address is available to SpamAssassin, then the 'whitelist_from_rcvd'
> > functionality works just fine to whitelist -all-kinds- of lists
> > (including this one. ;).
>
> Anyone know if this setup works using Fetchmail? Fetchmail pulls my
> mail off the imap server at my hosting provider, then throws it at Exim
> as an SMTP session. Will fetchmail still feed it the correct envelope
> from address? I'm not sure that it can know the envelope from, seeing
> as how these messages have already been (technically) delivered.
>
> Steven

Strictly speaking Fetchmail cannot do it unless your LDA (Local Delivery
Agent) adds a recognized header that contains the Envelope From.
SA is writtent to look for "From" type addresses in a number of
specific headers:

Envelope-Sender:
X-Envelope-From:
Return-Path:
Resent-From:

So as long as your mail system has some way of putting the Envelope From
into one of these headers (either before or during the delivery process)
your SA should be good to go.

For example, I use the UWashington IMAP server kit. I use its "tmail"
program as the LDA. It takes the Envelope From and uses it to
generate a "Return-Path:" header during the delivery process.
That would work for your Fetchmail configuration.

I do my SA filtering via sendmail using miltrassassin to call spamd. I
modified miltrassassin to take the Envelope From address and use
it to synthesize a "X-Envelope-From:" header as it passed the message
to spamd.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

On Mon, 1 Mar 2004, Bob George wrote:

> Aha! You answered the question I had posted (with no replies :( ) on the topic
> of spams to whitelisted lists getting high ham scores with AWL! I'd been bitten
> by spam to securityfocus lists, only to (finally) notice:
>
> def_whitelist_from_rcvd *@securityfocus.com
> securityfocus.com
>
> in /usr/share/spamassassin/60_whitelist.cf
>
> So am I correct in thinking any spams to any un/poorly-moderated lists from
> domains listed in the default whitelist probably will sail through with a high
> (negative) spam score, right?

That's the net result of whitlisting a list. ANY post (legit or spam) that
makes it thru the listserver gets "blessed".
Now note that the "def_whitelist.." stuff only gives a -15 score,
not the full bore -100 so the damage shouldn't be -too- severe.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

David B Funk <dbfunk@engineering.uiowa.edu> wrote:
> On Mon, 1 Mar 2004, Bob George wrote:
> [...]
>> So am I correct in thinking any spams to any
>> un/poorly-moderated lists from domains listed in the default
>> whitelist probably will sail through with a high (negative)
>> spam score, right?
>
> That's the net result of whitlisting a list. ANY post (legit
> or spam) that makes it thru the listserver gets "blessed".
> Now note that the "def_whitelist.." stuff only gives a -15
> score, not the full bore -100 so the damage shouldn't be
> -too- severe.

Ah, I'd missed the -15, so THAT'S not too bad. I'll re-read the whitelist docs
again.

If AWL is in use, a first-time spammer that manages to post via one of the
whitelisted listservers also gets an entry in a user's local AWL with a
starting score reduced by 15, no? And that spammer's domain probably has
nothing to do with that listed in the whitelist_to_rcvd entry, no?

What bit me, I believe, was the fact that AWL entries remain in play even AFTER
white/blacklists are updated. An entry in a system config rippled changes down
to user AWLs that were persistent after the system config was fixed. In my
case, only the spamd user was affected, but I could see a simple configuration
goof rippling to hundreds of users' AWLs.

Thanks for the clarification!

- Bob