SA Bugzilla – Bug 1038
False reporting of USER_IN_WHITELIST for non-ASCII sender
Last modified: 2002-10-05 17:11:51 UTC
At least three messages were received with non-ASCII headers which were marked with USER_IN_WHITELIST. The From: address is forged with the server's domain, which is included on several addresses in the whitelist, but there is no wildcard that should match these addresses: WHOISµêÀÀ¥D¾÷@netwiz.net, ¶À§Ó¸Û@netwiz.net and ºû¦N¥§¨È¤j¾Ç@netwiz.net. I do not know if it might be matching the Return-Path: header, which has the recipient's domain.

    whitelist_to *@libertysavard.com
    whitelist_from newsletter@netwiz.net liberty@netwiz *@libertysavard.com *@bridgelogos.com
    whitelist_from postmaster@netwiz.net hostmaster@netwiz.net admin@netwiz.net john@netwiz.net support@netwiz.net

    Return-Path: <104722@libertysavard.com>
    Received: from libertysavard.com (61-230-78-248.HINET-IP.hinet.net [61.230.78.248])
        by netwiz.net (8.11.3/8.11.3) with SMTP id g8U2cZo08579
        for <liberty@libertysavard.com>; Sun, 29 Sep 2002 19:38:36 -0700
    Message-Id: <200209300238.g8U2cZo08579@netwiz.net>
    From: =?Big5?B?V0hPSVO16sDApUS+9w==?= <WHOISµêÀÀ¥D¾÷@netwiz.net>
    Subject: =?Big5?B?snumYqXTv+y16sDApUS+98HZsGWxelQxvGXAV6RXuvQ=?=
    Content-Type: text/html
    Date: Mon, 30 Sep 2002 00:41:41 +0800
    X-Priority: 3
    X-Library: Indy 9.0.3-B
    X-Spam-Status: No, hits=-80.5 required=-1.5 tests=BIG_FONT,CTYPE_JUST_HTML,HEADER_8BITS,HTML_50_70,
        HTML_COMMENT_SAVED_URL,HTML_EMBEDS,HTML_FONT_COLOR_BLUE,
        HTML_FONT_COLOR_GRAY,HTML_FONT_COLOR_RED,
        HTML_FONT_COLOR_YELLOW,HTML_FONT_FACE_ODD,
        HTML_FONT_INVISIBLE,JAVASCRIPT,MISSING_HEADERS,
        PRIORITY_NO_NAME,SPAM_PHRASE_00_01,SUBJ_FULL_OF_8BITS,
        USER_IN_WHITELIST,X_LIBRARY version=2.41
    X-Spam-Level:
yep, it is matching the Return-Path. any reason why that's got a valid whitelisted addr in it?
Yes, because the spammer forged it! There is nothing on the server which would add such an address, since it is not the server's own domain. This field does get changed by Procmail and such, so I don't think it is reliable. The return-path here was not even a valid address, but is in the same domain as the recipient, who has it whitelisted with a wildcard to receive e-mail from other valid addresses in that domain, who all work in the same company. I have replaced the wildcard with a lengthy list of specific addresses, and hope that none of the legit mail gets marked as spam.

John Hynes

> -----Original Message-----
> From: bugzilla-daemon@hughes-family.org
> Sent: Tuesday, October 01, 2002 3:02 AM
> To: spamassassin.org@hynes.net
> Subject: [Bug 1038] False reporting of USER_IN_WHITELIST for non-ASCII sender
>
> http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1038
>
> jm@jmason.org changed:
>
>   What    |Removed |Added
>   --------------------------
>   Status  |NEW     |ASSIGNED
>
> ------- Additional Comments From jm@jmason.org 2002-10-01 03:02 -------
> yep, it is matching the Return-Path. any reason why that's got a valid whitelisted addr in it?
unfortunately there's no way (currently) to match a message that has been "bounced", "resent" or "redirected" (as various MUAs call it), apart from matching Return-Path.

(bouncing et al = resending the mail to another recipient with all headers intact.)

Also, note that the spammer could just as easily have forged the To: or From: addresses as well; that's the danger.

If you want *safe*, reliable, much-harder-to-forge whitelisting based on From or To addrs, use whitelist_from_rcvd so you can grep the Received headers as well, or write your own site-specific rule. (the latter is more reliable as each site will have a different rule, making it harder for spammers to guess them!)
Thank you, I did not know that there was such an option as whitelist_from_rcvd. I see that there are some other new ones, as well. I am sure that will be useful for some addresses, although it still presents the same problem. The documentation at http://spamassassin.org/doc/Mail_SpamAssassin_Conf.html does not state which field is matched by whitelist_from. One would assume that "from" means "from", not "return-path," as these can often be different. As a matter of fact, this gets changed in most of my e-mail, because I use corporate mailboxes and distribution lists that forward to my personal mailbox, so this usually ends up being the "to" address instead of the "from" address. This would explain why SpamAssassin lets BCC mail through, since some of these lists are listed as whitelist_from. I suppose that I will have to write my own whitelist_from rule, once I figure out how to do that.

BTW, here are a few from my inbox:

    Return-Path: <abuse@netwiz.net>  From: "Vanitha Darley" vanitha@techsinfo.com        (spam)
    Return-Path: <admin@netwiz.net>  From: "marilynn xxxxxxxxx" <xxxxxx@lycos.com>
    Return-Path: <admin@netwiz.net>  From: webmaster@netwiz.net
    Return-Path: <admin@netwiz.net>  From: elance@xgforce.com                            (spam)
    Return-Path: <host@netwiz.net>   From: "IQ - Standard Life " sli@insiq.us             (spam)
    Return-Path: <admin@netwiz.net>  From: xxxxxxxx@aol.com

> -----Original Message-----
> From: bugzilla-daemon@hughes-family.org
> Sent: Wednesday, October 02, 2002 4:20 AM
> To: spamassassin.org@hynes.net
> Subject: [Bug 1038] False reporting of USER_IN_WHITELIST for non-ASCII sender
>
> jm@jmason.org changed:
>
>   What        |Removed  |Added
>   -------------------------------
>   Status      |ASSIGNED |RESOLVED
>   Resolution  |         |WONTFIX
>
> ------- Additional Comments From jm@jmason.org 2002-10-02 04:19 -------
> unfortunately there's no way (currently) to match a message that has been "bounced", "resent" or "redirected" (as various MUAs call it), apart from matching Return-Path.
>
> (bouncing et al = resending the mail to another recipient with all headers intact.)
>
> Also, note that the spammer could just as easily have forged the To: or From: addresses as well; that's the danger.
>
> If you want *safe*, reliable, much-harder-to-forge whitelisting based on From or To addrs, use whitelist_from_rcvd so you can grep the Received headers as well, or write your own site-specific rule. (the latter is more reliable as each site will have a different rule, making it harder for spammers to guess them!)
Sorry, whitelist_from_rcvd does not work, either, probably because when the mail is redirected an additional Received: line is added with the mail server's hostname, and your program is matching that instead of the external server it was received from on the previous Received: line.

Is there no way to simply match the From: line??? I know I can very easily do this using other filtering programs, such as Procmail, but it would be nice to be able to use SpamAssassin for this, so that whitelist_from matches the From: address instead of the To: address.
> Is there no way to simply match the From: line???

There are many rules that just match the From line. You can do something like this:

    header LOCAL_FROM_BOB From =~ /bob\@bob\.org/i
    describe LOCAL_FROM_BOB Message from Bob
    score LOCAL_FROM_BOB -4.0

Positive score if it's someone you don't want to get mail from.
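As an added illustration (not code from the bug thread or from SpamAssassin), the Python below reconstructs the behaviour the thread describes: the reporter's whitelist_from globs applied to sender headers, which the thread confirms include Return-Path, hit `*@libertysavard.com` in the forged envelope sender of the quoted message, while a From:-only header rule of the kind given in the last comment does not. The exact set of sender headers consulted and the ASCII stand-in for the non-ASCII local part of the forged From: address are assumptions.

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# whitelist_from entries from the bug report (whitelist_to is not sender-based)
WHITELIST_FROM = [
    "newsletter@netwiz.net", "liberty@netwiz", "*@libertysavard.com",
    "*@bridgelogos.com", "postmaster@netwiz.net", "hostmaster@netwiz.net",
    "admin@netwiz.net", "john@netwiz.net", "support@netwiz.net",
]

# Headers as quoted in the report, except that the non-ASCII local part of the
# forged From: address is replaced by an ASCII stand-in (constructed).
SAMPLE = """\
Return-Path: <104722@libertysavard.com>
Received: from libertysavard.com (61-230-78-248.HINET-IP.hinet.net [61.230.78.248])
\tby netwiz.net (8.11.3/8.11.3) with SMTP id g8U2cZo08579
\tfor <liberty@libertysavard.com>; Sun, 29 Sep 2002 19:38:36 -0700
From: =?Big5?B?V0hPSVO16sDApUS+9w==?= <forged-sender@netwiz.net>
Subject: =?Big5?B?snumYqXTv+y16sDApUS+98HZsGWxelQxvGXAV6RXuvQ=?=

"""

# Assumption: the sender headers a whitelist_from glob is applied to. The thread
# only confirms that Return-Path is among them.
SENDER_HEADERS = ("From", "Return-Path", "Resent-From")

def glob_hits(address, patterns):
    """Whitelist entries whose glob ('*' = any run of characters) matches address."""
    return [p for p in patterns if fnmatch.fnmatchcase(address.lower(), p.lower())]

def whitelist_from_hits(raw, patterns=WHITELIST_FROM):
    """Map each sender header that triggers the whitelist to the entries it matched."""
    msg = message_from_string(raw)
    hits = {}
    for name in SENDER_HEADERS:
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]          # bare address; encoded-word name dropped
            matched = glob_hits(addr, patterns) if addr else []
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits

def from_header_rule(raw, pattern):
    """Site-specific rule of the form 'header NAME From =~ /pattern/i': From: only."""
    return re.search(pattern, message_from_string(raw).get("From", ""), re.I) is not None
```

For the quoted message `whitelist_from_hits(SAMPLE)` returns `{'Return-Path': ['*@libertysavard.com']}`, which is the USER_IN_WHITELIST hit the reporter saw, whereas `from_header_rule(SAMPLE, r"\@libertysavard\.com")` is False because the From: address is the forged netwiz.net one.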