Mailing List Archive

Butrus orman wrote:
> is there a way to confirm an address made it to the white list when
> using the command line form

AS THE USER WHO RAN --add-addr-to-whitelist=, try 'check_whitelist |
grep addr'

check_whitelist may not be in your path, depending on how you installed
spamassassin. Under debian, a precompiled version was under
/usr/share/doc/spamassassin.

- Bob

> AS THE USER WHO RAN --add-addr-to-whitelist=, try 'check_whitelist |
> grep addr'
>
> check_whitelist may not be in your path, depending on how you installed
> spamassassin. Under debian, a precompiled version was under
> /usr/share/doc/spamassassin.


i dont seem to have that tool instaled

> spamassassin. Under debian, a precompiled version was under
> /usr/share/doc/spamassassin.
>


i confirm is not working for me b/c an address i had put in whitelist
just got tag as spam?
any idea and how to i get check_whitelist install

Butrus orman wrote:

>>not sure what you mean by copy tools out?
>>
>
>
To wherever you want them. If you're admin, /usr/local/bin. If not,
~/bin. Wherever you want.


>>i installed from source and
>>i dont see the tools installed i see them in the source tree
>>
>>
>
>
I just did perl Makefile.pl, then make. It was under tools/.

- Bob

On Sun, 2004-03-07 at 11:57, Bob George wrote:
> Butrus orman wrote:
>
> >>not sure what you mean by copy tools out?
> >>
> >

boricua@pepino:~$ /usr/share/spamassassin/bin/check_whitelist
-100.0 (-100.0/1) -- nydirect@nytimes.com|ip=cmd


ok seems to be ok but address keep getting tag as spam

Butrus orman wrote:

>boricua@pepino:~$ /usr/share/spamassassin/bin/check_whitelist
> -100.0 (-100.0/1) -- nydirect@nytimes.com|ip=cmd
>
>ok seems to be ok but address keep getting tag as spam
>
>
What does the X-Spam-Report: header show on those messages?

And you're sure the user you ran that command for is the one scoring
messages? If you're using spamd, did you run it as the user spamd runs as?

- Bob

i think i was not using -a when invoking, this one came in ok but how to
i do i know it was b/c is autho whitelist?


From: NYTimes.com <nytdirect@nytimes.com>
Reply-To: nytdirect@nytimes.com
Date: Mon, 08 Mar 2004 03:24:00 -0500
To: landy@despiertapr.com
Subject: Today's Headlines: Monday, March 8, 2004
Content-Type: TEXT/PLAIN; charset=US-ASCII
Mime-version: 1.0
Message-Id: <20040308101333.0563310343@pepino.despiertapr.com>
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
pepino.despiertapr.com
X-Spam-Level:
X-Spam-Status: No, hits=0.2 required=4.8 tests=CLICK_BELOW,
HTTP_WITH_EMAIL_IN_URL,LINES_OF_YELLING autolearn=no version=2.63





On Sun, 2004-03-07 at 13:19, Bob George wrote:
> Butrus orman wrote:
>
> >boricua@pepino:~$ /usr/share/spamassassin/bin/check_whitelist
> > -100.0 (-100.0/1) -- nydirect@nytimes.com|ip=cmd
> >
> >ok seems to be ok but address keep getting tag as spam
> >
> >
> What does the X-Spam-Report: header show on those messages?
>
> And you're sure the user you ran that command for is the one scoring
> messages? If you're using spamd, did you run it as the user spamd runs as?
>
> - Bob

Butrus orman wrote:
> i think i was not using -a when invoking, this one came in ok but how
> to i do i know it was b/c is autho whitelist?

Check the X-Spam-Report: header and you can see exactly what rules are
being hit and what points are being added/subtracted. Try it with and
without -a.

> X-Spam-Status: No, hits=0.2 required=4.8 tests=CLICK_BELOW,
> HTTP_WITH_EMAIL_IN_URL,LINES_OF_YELLING autolearn=no version=2.63

Doesn't look like AWL is coming into play at all on these. Was AWL
scoring points as spam (positive scores)?

You might also make a point of training bayes with these as non-spam so
it can help in the future.

- Bob

well awl is not working at all or i dont know ow awl works

i put this address in awl with the command we spoke before

boricua@pepino:~$ /usr/share/spamassassin/bin/check_whitelist | grep -i
rolan
-100.0 (-100.0/1) -- rolando721@yahoo.com|ip=cmd

and i have a microsoft_executable to 5 and send my self an email from
that email address.

and it gets tag as spam even if the address is in AWL

BTW when i run check_whitelist i see a bunch of email there, how did
they get AWL?



From:
butrus orman
<rolando721@yahoo.com>
To:
landy@despiertapr.com
Subject:

Date:
Mon, 8 Mar 2004
14:26:45 -0800
(PST)

Spam detection software, running on the system "pepino.despiertapr.com",
has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Do you Yahoo!? Yahoo! Search - Find what youre
looking for faster http://search.yahoo.com [skipped
application/octet-stream attachment] [...]

Content analysis details: (5.9 points, 4.8 required)

pts rule name description
---- ----------------------
--------------------------------------------------
0.9 FROM_ENDS_IN_NUMS From: ends in numbers
5.0 MICROSOFT_EXECUTABLE RAW: Message includes Microsoft executable
program

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

Butrus orman wrote:

> well awl is not working at all or i dont know ow awl works

Likely the latter. It works well, but it's not necessarily obvious HOW
it works.

> i put this address in awl with the command we spoke before
>
> boricua@pepino:~$ /usr/share/spamassassin/bin/check_whitelist | grep -i
> rolan
> -100.0 (-100.0/1) -- rolando721@yahoo.com|ip=cmd

OK, so you manually entered a whitelist entry for user boricua, and it's
showing up. Good.

> and i have a microsoft_executable to 5 and send my self an email from
> that email address.
>
> and it gts tag as spam even if the address is in AWL

HOW ARE YOU CALLING SPAMASSASSIN? Are you running spamc or spamassassin?
If spamc, su to spamd and see if the whitelist entry is there (in user
spamd's AWL). If not, try adding it there.

> BTW when i run check_whitelist i see a bunch of email there, how did
> they get AWL?

It's automatic! Are you sometimes calling spamc, other times spamassassin?

> [...]
> Content analysis details: (5.9 points, 4.8 required)

You've changed the threshold to 4.8. Not bad, but just keep in mind
it'll be more sensitive now.

> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 0.9 FROM_ENDS_IN_NUMS From: ends in numbers
> 5.0 MICROSOFT_EXECUTABLE RAW: Message includes Microsoft executable
> program

It appears you changed the rule for MICROSOFT_EXECUTABLE to 5.0 (from
.1) which exceeds the threshold. Is this the only combination causing
you these problems?

If you're doing this as an anti-virus measure, I wouldn't count on AWL
as your sole means of protection. I'd put a proper virus scanner to work
on inbound attachments, regardless of WHO sends them.

- Bob

> Likely the latter. It works well, but it's not necessarily obvious HOW
> it works.
>

:-)

> HOW ARE YOU CALLING SPAMASSASSIN?

via procmailrc

:0fw:spamassassin.lock
* < 256000
| /usr/bin/spamassassin

>

>
> You've changed the threshold to 4.8. Not bad, but just keep in mind
> it'll be more sensitive now.
>

yet to get a false negative other then with awl



> It appears you changed the rule for MICROSOFT_EXECUTABLE to 5.0 (from
> .1) which exceeds the threshold. Is this the only combination causing
> you these problems?

i thaught awl would override the user_prefs file?

i have alter several rules in .spassassin/user_prefs


>

From: "Bob George" <mailings02@ttlexceeded.com>

> Butrus orman wrote:

> > Content analysis details: (5.9 points, 4.8 required)
>
> You've changed the threshold to 4.8. Not bad, but just keep in mind
> it'll be more sensitive now.

So he should try harder not to insult it?
{O,o}

Butrus orman wrote:

> via procmailrc
>
> :0fw:spamassassin.lock
> * < 256000
> | /usr/bin/spamassassin

So you're not using --auto-whitelist ? I don't think it's on by default.

>>You've changed the threshold to 4.8. Not bad, but just keep in mind
>>it'll be more sensitive now.
> yet to get a false negative other then with awl

4.8 is fine, but it doesn't look like you're USING AWL.

>>It appears you changed the rule for MICROSOFT_EXECUTABLE to 5.0 (from
>>.1) which exceeds the threshold. Is this the only combination causing
>>you these problems?
> i thaught awl would override the user_prefs file?

I'm no spamassassin god, but AWL just moves a sender's scores more
towards their average. If you add an address to your AWL with
--add-addr-to-whitelist=addr, you're just setting their average to -100
(very non-spammy). After the first messages flow, it will settle down
(watch it over time) until AWL will be 'nudging' it towards the average
for that user. I've seen the same with the default whitelists when a
spammer posts to an otherwise good list.

> i have alter several rules in .spassassin/user_prefs

That's perfectly allright. Just realize having one rule with a larger
score will impact that long-term AWL score. I heed the advice to only
add/subtract small amounts. 5 isn't outrageous, but if you DO expect MS
executables on occasion, it might not be your best approach. (You might
also check out some of the mime-defangers if you REALLY hate
ms-executable attachments.)

- Bob

jdow wrote:
> [...]
> So he should try harder not to insult it?
> {O,o}

What I get for trying to help without full info. :)

- Bob

> So you're not using --auto-whitelist ? I don't think it's on by default.
>


i am confusing auto-whitelist whitelist_from from user_prefs.... which
is what i really need...

thanks for all your insight