Re: [vps-mail] Spoofed Return-Path:

[Matt Cohen <lists@xxxxxxxxxx>]

I've been playing with this as well - the solution/next step that 
i've found is to work with the whitelist_from_rcvd test in your 
local.cf file.

e.g. this is what I have:

whitelist_from *@iwbyte.com
whitelist_from_rcvd *@iwbyte.com iwbyte.com

It means that whitelist anything from iwbyte.com, BUT make sure that 
anything you are going to whitelist as being from iwbyte.com should 
also have iwbyte.com on the RECIEVED line.

I haven't tested it much - i just set it up and went to fight other 
fires, so I don't know if it works at all.

My next question to the list or SA lists was going to be - how can we 
adjust the value for WHITELIST_FROM and make it -20 intsead of -100 
(since you can see in the list below that a -20 would have resulted 
in almost a positive spam result below)

Matt

At 9:36 AM -0400 6/15/04, AlpineWeb said something about:
> Hello,
>
> I've been having a problem with spam getting past SA due to the
> USER_IN_WHITELIST score. Can someone help to enlighten me as to why this
> happens and how I can plug this hole?
>
> Here's a sample header:
>
> Return-Path: <awd@xxxxxxxxxxxxx>
> Received: from cm218-254-91-17.hkcable.com.hk
> (cm218-254-91-17.hkcable.com.hk [218.254.91.17])
> 	by alpineweb.com (8.12.11/8.12.6) with SMTP id i5FDHs1l049911
> 	for <awd@xxxxxxxxxxxxx>; Tue, 15 Jun 2004 09:17:55 -0400 (EDT)
> 	(envelope-from awd@xxxxxxxxxxxxx)
> Message-Id: <200406151317.i5FDHs1l049911@xxxxxxxxxxxxx>
> X-Message-Info: 8TKN148HNWfqx8ukCVxK0KB9wZXXkUSP9
> Received: from spectroscopy.awd@xxxxxxxxxxxxx
> (wga18088.i365553230852399.zlh-yg.y.awd@xxxxxxxxxxxxx [137.38.162.227])
> 	by entrepreneuryacht.awd@xxxxxxxxxxxxx
> 	id PIELK023284; Sat, 19 Jun 2004 04:11:57 -0100
> 	[tanakaHost SMTP Relay 88.017]
> Reply-To: "Garth Putnam" <awd@xxxxxxxxxxxxx>
> From: "Garth Putnam" <awd@xxxxxxxxxxxxx>
> To: "Awd" <awd@xxxxxxxxxxxxx>
> Subject: deficit 5220 ruffians
> Date: Sat, 19 Jun 2004 09:02:57 +0400
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="--=_TZbBCx1R07PZ"
> X-ClamAV: clean
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on alpineweb.com
> X-Spam-Status: No, hits=-79.6 required=4.0 tests=BAYES_60,HTML_70_80,
> 	HTML_FONTCOLOR_BLUE,HTML_FONTCOLOR_RED,HTML_FONT_BIG,HTML_MESSAGE,
> 	MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MSGID_FROM_MTA_HEADER,
> 	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS,
> 	USER_IN_WHITELIST autolearn=no version=2.63
>
> Thanks,
> Uwe Schneider
>
> AlpineWeb Design
> http://AlpineWeb.com/
> (603) 356-8797
>
> ======================================================================
> This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
> Before posting a question, please search the archives (see above URL).

--
:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+:-:+
Matthew I. Cohen                                   http://www.iwbyte.com/
It Won't Byte Web Design & Hosting.     Ob. Quote: "Reality is for those
email: lists@xxxxxxxxxx                  people who can't handle Fantasy"
======================================================================
This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).