Discussion:
clarification on whitelist_from_rcvd
Lucio Chiappetti
2009-12-09 11:25:43 UTC
We have an institute-wide spamassassin+amavisd arrangement running on our
MXs, which generally behaves very well. Spam is quarantined in a system
wide folder, and then a daily crontab sends a "spam report" to each user
(so that they can reclaim false positives, which occurs about once per
month).

We have this in the spamassassin systemwide local.cf

whitelist_from ***@lambrate.inaf.it
whitelist_from ***@iasf-milano.inaf.it
whitelist_from_rcvd *@lambrate.inaf.it lambrate.inaf.it
whitelist_from_rcvd *@iasf-milano.inaf.it lambrate.inaf.it

which we interpreted as :

- everything coming "apparently" (From kwd) xyzt (not the real username,
anyhow it's our system manager personal account) should pass unfiltered

- everything coming THROUGH (Received kwd) one of our local machines,
from a user in either one of our two domains, should pass unfiltered

Now reading "perldoc Mail::SpamAssassin::Conf", I find

whitelist_from_rcvd ***@lists.sourceforge.net sourceforge.net
Use this to supplement the whitelist_from addresses with a
check against the Received headers.

... the word "supplement" leaves me perplexed. Does this mean the two
conditions above are ANDed instead of ORed ?

If so, messages coming e.g. from ***@ourserver.lambrate.inaf.it should
not be subject to the whitelist_from_rcvd (which is not what we want).


In fact we noticed (for the first time, and after a long weekend holiday
during which there was a burst of spam, which was quenched in a couple of
days) that a few of our daily spam reports (originated by the crontab and
sent as ***@ourserver.lambrate.inaf.it) were quarantined (and also the
relevant mailer-daemon replies), with a score marginally above threshold.

We did also a check_whitelist /etc/mail/spamassassin/awlst/awl looking for
address ***@ourserver.lambrate.inaf.it and ip=155.253 (so truly
from our LAN), and found a score of -1.0 (which should mean it is
correctly whitelisted).

Nevertheless the reports were quarantined. So the suspects are:

- whitelist_from_rcvd does NOT unconditionally whitelist messages
irrespective of other scores

- whitelist_from_rcvd is de facto NOT ENABLED for root (because of
the AND/OR confusion quoted above)

Any clue? Thanks
--
------------------------------------------------------------------------
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
------------------------------------------------------------------------
Multi pertransibunt et augebitur scientia
Francis Bacon Instauratio Magna (http://tinyurl.com/2j3qk5)
------------------------------------------------------------------------
Michael Scheidell
2009-12-09 11:56:57 UTC
Post by Lucio Chiappetti
... the word "supplement" leaves me perplexed. Does this mean the two
conditions above are ANDed instead of ORed ?
it basically means use whitelist_from_rcvd if you can, so it's ORed.
(but use SPF or DKIM whitelisting if you can, and SA whitelist only
subtracts -100 points, where amavis would just whitelist it;
see amavis group) but don't whitelist a local user without _from_rcvd,
DKIM or SPF
Post by Lucio Chiappetti
should not be subject to the whitelist_from_rcvd (which is not what we
want).
whitelist_from ***@lambrate.inaf.it

you didn't include ***@ourserver.lambrate.inaf.it, only lambrate.inaf.it.
In either case, lots of spammers use the 'from/to' address (forge the from
address), so whitelisting anyone on your local network that way WILL get
them spam.
Use DKIM/SPF whitelisting or _from_rcvd.


whitelist_from_rcvd *@lambrate.inaf.it lambrate.inaf.it

you didn't include 'ourserver' in that glob

also, LOCALLY generated emails might look like 'localhost'.
Post by Lucio Chiappetti
We did also a check_whitelist /etc/mail/spamassassin/awlst/awl looking
from our LAN), and found a score of -1.0 (which should mean it is
correctly whitelisted).
that is AWL, not SA whitelisting.
don't confuse the two.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008


Mark Martinec
2009-12-09 18:23:47 UTC
Lucio,
Post by Lucio Chiappetti
We have an institute-wide spamassassin+amavisd arrangement running on our
mx's, which generally behaves very well. Spam is quarantined in a system
wide folder, and then a daily crontab sends a "spam report" to each user
(so that they can reclaim false positives, which occurs about once per
month).
We have this in the spamassassin systemwide local.cf
- everything coming "apparently" (From kwd) xyzt (not the real username,
anyhow it's our system manager personal account) should pass unfiltered
Yes. Not safe to use, get rid of it if you can.
Post by Lucio Chiappetti
- everything coming THROUGH (Received kwd) one of our local machines,
from an user in either one of our two domains, should pass unfiltered
Right.
Post by Lucio Chiappetti
Now reading "perldoc Mail::SpamAssassin::Conf", I find
Use this to supplement the whitelist_from addresses with a
check against the Received headers.
... the word "supplement" leaves me perplexed. Does this mean the two
conditions above are ANDed instead of ORed ?
The description is misleading, each whitelisting mechanism functions
independently. So, the answer to your question is "OR" - each whitelist
mechanism which triggers, contributes its negative score points.

As it happens, if a whitelist_from fires, a test for whitelist_from_rcvd
is skipped, but this can be regarded as just an optimization trick.


Perhaps a phrasing like the following would be more appropriate:
<<<
Use this to supplement the whitelist_from addresses with a check against the
Received headers.
Works similarly to whitelist_from, except that in addition to matching
a sender address, a relay's rDNS name must match too for the whitelisting
rule to fire.
Post by Lucio Chiappetti
not be subject to the whitelist_from_rcvd (which is not what we want).
In fact we noticed (for the first time, and after a long weekend holiday
during which there was a burst of spam, which was quenched in a couple of
days) that a few of our daily spam reports (originated by the crontab and
relevant mailer-daemon replies), with a score marginally above threshold.
We did also a check_whitelist /etc/mail/spamassassin/awlst/awl looking for
from our LAN), and found a score of -1.0 (which should mean it is
correctly whitelisted).
Don't confuse AWL with whitelisting. AWL is just an averaging mechanism,
independent from whitelist_from, whitelist_from_rcvd, and other
whitelist rules.
Post by Lucio Chiappetti
- whitelist_from_rcvd does NOT unconditionally whitelist messages
irrespective of other scores
- whitelist_from_rcvd is de facto NOT ENABLED for root (because of
the AND/OR confusion quoted above)
Any clue ? Thanks
You need to add a whitelist_from_rcvd rule which will match your
sending address ***@ourserver.lambrate.inaf.it, something like:

whitelist_from_rcvd ***@ourserver.lambrate.inaf.it lambrate.inaf.it

or relax your existing rule, like:

whitelist_from_rcvd *@lambrate.inaf.it lambrate.inaf.it
whitelist_from_rcvd *@*.lambrate.inaf.it lambrate.inaf.it


Mark
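The three points the replies above make (the two directives are ORed into one USER_IN_WHITELIST hit; whitelist_from_rcvd additionally needs a relay whose reverse DNS is the listed domain or a host under it; and the glob `*@lambrate.inaf.it` simply does not cover `root@ourserver.lambrate.inaf.it`, which Mark's `*@*.lambrate.inaf.it` rule does), as an added worked example that is not part of this thread and not SpamAssassin's own code. It is a small Python model of how SpamAssassin matches these directives: the anchored, case-insensitive glob translation and the "rDNS equals or ends with the domain" relay check follow the behaviour of the 3.x `_check_whitelist_rcvd` eval as I understand it and should be read as an assumption, not as the project's implementation. The `sysadmin@` address stands in for the redacted personal account, the `root@ourserver` sender is taken from the thread's own wording, and the relay names and the outside sender are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Default score of SpamAssassin's USER_IN_WHITELIST rule, which both
# whitelist_from and whitelist_from_rcvd feed (ORed, as the thread says).
USER_IN_WHITELIST_SCORE = -100.0


def glob_to_regex(pattern):
    """Translate a SpamAssassin address glob into an anchored regex.

    '*' matches any run of characters (including none), '?' exactly one;
    everything else is literal. Matching is case-insensitive.
    """
    pattern = re.sub(r"\*+", "*", pattern)  # "**" behaves like "*"
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile("^" + body + "$", re.IGNORECASE)


def rdns_in_domain(rdns, domain):
    """True if a relay's reverse-DNS name is `domain` or a host under it.

    A relay that shows up as 'localhost' (or with no rDNS) is never under
    lambrate.inaf.it, which is the locally-generated-mail trap noted above.
    """
    rdns = rdns.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return bool(rdns) and (rdns == domain or rdns.endswith("." + domain))


@dataclass
class WhitelistConfig:
    whitelist_from: list = field(default_factory=list)       # globs
    whitelist_from_rcvd: list = field(default_factory=list)  # (glob, domain)

    @classmethod
    def parse(cls, local_cf):
        """Read just these two directives out of local.cf-style text."""
        cfg = cls()
        for line in local_cf.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0] == "whitelist_from":
                cfg.whitelist_from.extend(parts[1:])
            elif parts[0] == "whitelist_from_rcvd" and len(parts) == 3:
                cfg.whitelist_from_rcvd.append((parts[1], parts[2]))
        return cfg


def matches_whitelist_from(cfg, sender):
    """whitelist_from: the (forgeable) sender address alone decides."""
    return any(glob_to_regex(g).match(sender) for g in cfg.whitelist_from)


def matches_whitelist_from_rcvd(cfg, sender, relay_rdns_names):
    """whitelist_from_rcvd: sender glob AND a relay rDNS inside the domain."""
    for glob, domain in cfg.whitelist_from_rcvd:
        if glob_to_regex(glob).match(sender) and any(
            rdns_in_domain(r, domain) for r in relay_rdns_names
        ):
            return True
    return False


def user_in_whitelist_score(cfg, sender, relay_rdns_names):
    """USER_IN_WHITELIST contribution: either mechanism firing is enough;
    the Received check is only consulted when whitelist_from did not hit."""
    if matches_whitelist_from(cfg, sender) or matches_whitelist_from_rcvd(
        cfg, sender, relay_rdns_names
    ):
        return USER_IN_WHITELIST_SCORE
    return 0.0


# Constructed stand-in for the thread's local.cf ("sysadmin" replaces the
# redacted personal account; the rcvd lines are the ones quoted above).
ORIGINAL_LOCAL_CF = """
whitelist_from sysadmin@lambrate.inaf.it
whitelist_from_rcvd *@lambrate.inaf.it lambrate.inaf.it
whitelist_from_rcvd *@iasf-milano.inaf.it lambrate.inaf.it
"""
# The same config plus Mark's relaxed rule.
FIXED_LOCAL_CF = ORIGINAL_LOCAL_CF + (
    "whitelist_from_rcvd *@*.lambrate.inaf.it lambrate.inaf.it\n"
)
REPORT_SENDER = "root@ourserver.lambrate.inaf.it"  # the cron spam report
LAN_RELAY = ["ourserver.lambrate.inaf.it"]          # constructed relay rDNS


def demo():
    orig = WhitelistConfig.parse(ORIGINAL_LOCAL_CF)
    fixed = WhitelistConfig.parse(FIXED_LOCAL_CF)
    return {
        # the thread's bug: *@lambrate.inaf.it misses the ourserver subdomain
        "report_original_cf": user_in_whitelist_score(orig, REPORT_SENDER, LAN_RELAY),
        "report_fixed_cf": user_in_whitelist_score(fixed, REPORT_SENDER, LAN_RELAY),
        # same report, but the only Received relay identifies as 'localhost'
        "report_via_localhost": user_in_whitelist_score(fixed, REPORT_SENDER, ["localhost"]),
        # forged From: bare whitelist_from fires from anywhere (why it is unsafe)
        "forged_sysadmin_from_outside": user_in_whitelist_score(
            fixed, "sysadmin@lambrate.inaf.it", ["mail.example.net"]),
        # forged From in a rcvd-only domain from an outside relay: no hit
        "forged_user_from_outside": user_in_whitelist_score(
            fixed, "someone@iasf-milano.inaf.it", ["mail.example.net"]),
    }


if __name__ == "__main__":
    for case, score in demo().items():
        print(f"{case:30s} USER_IN_WHITELIST: {score:+.1f}")
```

Running `demo()` gives -100.0 only for the fixed config with a LAN relay and for the bare whitelist_from entry regardless of relay; the original config, a `localhost` relay and an outside relay all contribute 0.0. The AWL score Lucio looked up is a separate averaging mechanism and is not modelled here.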
