spamassassin-users January 2011 archive

Re: Fwd: Re: Q about short-circuit over ruling blacklisting rule

From: J4 <junk4_at_nospam>
Date: Tue Jan 18 2011 - 16:12:54 GMT
To: users@spamassassin.apache.org

On 01/18/2011 04:20 PM, Martin Gregorie wrote:
> On Tue, 2011-01-18 at 09:00 -0500, Bowie Bailey wrote:
>> On 1/18/2011 4:13 AM, J4 wrote:
>>> I have Dovecot LDA so Sieve might well be a good idea, but I would
>>> like to inform the sender that the Email was dropped as spam, and
>>> avoid backscatter. I don't think I can do this with Sieve/Dovecot LDA.
>> You cannot do this from the delivery agent without creating
>> backscatter. If you want to inform the sender, the only reliable way to
>> do it is to scan the message when it first comes in and simply reject
>> the spam. This way, you never accept the message and the sending system
>> is responsible for notifying the sender that the message did not go through.
>>
> If you're thinking of detecting spam at SMTP time you should consider
> greylisting. When my ISP implemented it the spam I get dropped
> immediately from 80% of my mail to 8%, where it's remained ever since.
> After that you can take a view whether you want to:
>
> - scan the remaining mail at SMTP time (and reject spam as you
> originally described)
>
> - use SA as an MTA filter and let the recipient's MUA put it in a spam
> folder or bin depending on what the user decides. Or your MTA filter
> could silently bin spam or feed it to Bayes to be learned as spam.
> Your choice: you just can't reject it at this stage.
>
> - use a procmail recipe to scan mail and either reject spam or pass it
> to the recipient's MUA as above. Use this if you want the recipients
> to have some control over spam recognition, individual Bayes filters,
> etc.
>
> Martin
>
>
Hi!

    Right - I've moved the SA scanning to the front of postfix, and it
scans accordingly and adds headers.

What is odd, is that :-
    It seems that the AWL white-lists the email addresses that were
black-listed. Additionally, the shortcircuit should have classed these
as blacklisted addresses.
  
Tue Jan 18 17:07:18 2011 [28825] info: spamd: clean message (-0.1/6.0) for nobody:5002 in 0.9 seconds, 2231 bytes.
Tue Jan 18 17:07:18 2011 [28825] info: spamd: result: . 0 - AWL,HTML_MESSAGE,SPF_HELO_PASS scantime=0.9,size=2231,user=nobody,uid=5002,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=51653,mid=<4D35BABB.8020008@abc.com>,autolearn=ham,shortcircuit=no

The mysql spamassassin.userpref table has the entry in it:
+----------------+----------------+-------------+--------+
| username       | preference     | value       | prefid |
+----------------+----------------+-------------+--------+
| test@test.info | blacklist_from | abc@abc.com |     19 |
+----------------+----------------+-------------+--------+

Here is the entry it added to the awl table:
select * from awl;
+------------------------+---------------+-------+-------+----------+
| username               | email         | ip    | count | totscore |
+------------------------+---------------+-------+-------+----------+
| simon@simonloewen.info | abc@abc.com   | 62.58 |     1 |     -0.7 |
| nobody                 | blah@blah.com | 62.58 |     7 |     -0.7 |
+------------------------+---------------+-------+-------+----------+

My testing was based on rejecting spam using a blacklist, and now this
test method has been circumvented :D Brought a smile to my face. I
could simply disable AWL for testing purposes...

Q) I would like to understand why a blacklisted address in the userpref
table is overridden. Does anyone know?

Cheers.
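
The following is an added example, not part of the original message: a small Python check that parses the spamd "result:" line quoted above and compares the username the message was scanned under (the `user=` field) with the username on the userpref row, and reports whether USER_IN_BLACKLIST appears among the rules that hit. The function names and the re-joined sample line are constructed for this illustration.

```python
import re

# The spamd "result:" line from the message above, re-joined onto one line.
SAMPLE = ("Tue Jan 18 17:07:18 2011 [28825] info: spamd: result: . 0 - "
          "AWL,HTML_MESSAGE,SPF_HELO_PASS "
          "scantime=0.9,size=2231,user=nobody,uid=5002,required_score=6.0,"
          "rhost=localhost,raddr=127.0.0.1,rport=51653,"
          "mid=<4D35BABB.8020008@abc.com>,autolearn=ham,shortcircuit=no")

# verdict ("Y" = spam, "." = clean), integer score, rules hit, key=value fields
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[.Y])\s+(?P<score>-?\d+) - "
    r"(?P<tests>\S*) (?P<fields>\S+)$")


def parse_result(line):
    """Return the parsed result line as a dict, or None if it is not one."""
    m = RESULT_RE.search(line.strip())
    if not m:
        return None
    # Split on ",key=" boundaries so a value that contains a comma survives.
    fields = dict(re.findall(r"(\w+)=(.*?)(?=,\w+=|$)", m["fields"]))
    return {
        "spam": m["verdict"] == "Y",
        "score": int(m["score"]),
        "tests": [t for t in m["tests"].split(",") if t],
        "fields": fields,
    }


def blacklist_check(line, pref_user):
    """List reasons a blacklist_from row for pref_user did not show up here."""
    result = parse_result(line)
    if result is None:
        raise ValueError("not a spamd result line")
    findings = []
    scan_user = result["fields"].get("user")
    if scan_user != pref_user:
        findings.append(f"scanned as user '{scan_user}', "
                        f"userpref row belongs to '{pref_user}'")
    if "USER_IN_BLACKLIST" not in result["tests"]:
        findings.append("USER_IN_BLACKLIST is not among the rules hit: "
                        + ",".join(result["tests"]))
    return findings


if __name__ == "__main__":
    for finding in blacklist_check(SAMPLE, "test@test.info"):
        print(finding)
```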