Thread: Spam Slipping through as Whitelisted




Spam Slipping through as Whitelisted
user name
2006-11-23 22:53:01
Hi Guys,

I've just noticed a very small, however noticeable dribble of messages
which are slipping through Maia as whitelisted.

The addresses that these messages are from are not in any whitelist on
our boxes.

Has anyone else seen this?

Example below:

Received: from xxx.xxxx.xxx.xx ([xxx.xx.xxx.xx]) by xxxx.xxxxx.xxx with Microsoft SMTPSVC(6.0.3790.1830);
	 Thu, 23 Nov 2006 12:14:24 +1100
Received: from localhost (localhost.localdomain [127.0.0.1])
	by xxx.xxxxxx.xxx.xx (Postfix) with ESMTP id D41907A800
	for <xxxxxxx.org>; Thu, 23 Nov 2006 12:14:10 +1100 (EST)
Received: from xxx.xxxx.xxx.xx ([127.0.0.1])
 by localhost (xxx.xxxx.xxx.xx [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 00890-10 for <xxxxxxx.org>;
 Thu, 23 Nov 2006 12:14:08 +1100 (EST)
Received: by xxx.xxxx.xxx.xx (Postfix, from userid 1003)
	id 463777A806; Thu, 23 Nov 2006 12:14:08 +1100 (EST)
Received: from host-196.218.110.21.tedata.net (unknown [196.218.21.110])
	by xxx.xxxxx.xxx.xx (Postfix) with ESMTP id D0F2B7A809
	for <xxxxxxx.xxx>; Thu, 23 Nov 2006 12:14:03 +1100 (EST)
Received: from kr8.hostwide.net (port=2936 helo=qvcstalttx)
	by host-196.218.110.21.tedata.net with smtp
	id ke1O-M1yD4aGy-746
	for xxxxxxx.org; Thu, 23 Nov 2006 03:14:20 +0200
Message-ID: <000a01c70e9c$b433f720$0534aa3cqvcstalttx>
From: "Eddie Anderson" <mpttrwopydaisynell.com>
To: xxxxxxxx.org
Subject: together, with her.  And I and confess my Israel didst eat ye servants
Date: Thu, 23 Nov 2006 03:14:20 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_000C_01C70EAD.77BCC720"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Spam-and-Virus-Scanned: SpamBox 1.01
X-Spam-Status: No, hits=x tagged_above=-999 required=5 WHITELISTED
X-Spam-Level:
Return-Path: xxxxxxxx.org
X-OriginalArrivalTime: 23 Nov 2006 01:14:24.0918 (UTC) FILETIME=[B6E02B60:01C70E9C]


-- 
Regards,

David Hooton
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
Spam Slipping through as Whitelisted
user name
2006-11-23 23:11:00
David Hooton wrote:
> Hi Guys,
> 
> I've just noticed a very small, however noticeable dribble of messages
> which are slipping through Maia as whitelisted.
> 
> The addresses that these messages are from are not in any whitelist on
> our boxes.
> 
> Has anyone else seen this?

Yes, it's been driving me crazy trying to find out how these odd
messages are getting marked as whitelisted. I'm going to have to find a
way to turn up the debugging and see this in action...


Joel
Spam Slipping through as Whitelisted
user name
2006-11-23 23:39:56
David Hooton wrote:

> I've just noticed a very small, however noticeable dribble of messages
> which are slipping through Maia as whitelisted.
> 
> The addresses that these messages are from are not in any whitelist on
> our boxes.

[snip]

> From: "Eddie Anderson" <mpttrwopydaisynell.com>

> Return-Path: xxxxxxxx.org

Note first of all that the "From:" address is not the one you should be
looking at; Maia's whitelists operate on the envelope sender, not the
(trivially forged) "From:" header.  You need to look at the
"Return-Path:" header to see the address that Maia used for
whitelisting.  See <https://secure.renaissoft.com/maia/wiki/WBList> for
more details about the differences.

If you're sure the address in the "Return-Path:" header does not appear
in this recipient's whitelist, check the domain-default (domain) user's
whitelist, and the system-default (.) user's whitelist, to see if it
was inherited from a higher level.  System-default whitelists are
inherited globally; domain-default whitelists are inherited by all users
with addresses in that domain.

You should also check your amavisd.conf file for any hard-coded
whitelists (and blacklists), which may be the case if you formerly used
amavisd-new and you repurposed your existing configuration file.  Any
"score_sender_maps()", "whitelist_sender_maps()", and
"per_recip_whitelist_sender_lookup_tables" entries should be empty (or
nonexistent, or commented-out), for example.  There's really no reason
for hard-coding whitelist and blacklist entries in the amavisd.conf
file, given the fact that Maia provides a more easily configurable GUI.

If you're still at a loss to figure it out after that, increase
$log_level to 5 in your amavisd.conf file, restart amavisd-maia, and you
should be able to see the whitelist matching process in the more
detailed log to understand how Maia is coming to this conclusion.

-- 
Robert LeBlanc <rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

Spam Slipping through as Whitelisted
user name
2006-11-24 00:35:36
> If you're sure the address in the "Return-Path:" header does not appear
> in this recipient's whitelist, check the domain-default (domain) user's
> whitelist, and the system-default (.) user's whitelist, to see if it
> was inherited from a higher level.  System-default whitelists are
> inherited globally; domain-default whitelists are inherited by all users
> with addresses in that domain.

Ahh - found it!  The  user had the recipient's address in it.  I'd
actually not realised that the whitelists were hierarchical..

Thanks Robert!
-- 
Regards,

David Hooton
Spam Slipping through as Whitelisted
user name
2006-11-24 16:55:05
On Nov 23, 2006, at 6:35 PM, David Hooton wrote:

>> If you're sure the address in the "Return-Path:" header does not
>> appear in this recipient's whitelist, check the domain-default
>> (domain) user's whitelist, and the system-default (.) user's
>> whitelist, to see if it was inherited from a higher level.
>> System-default whitelists are inherited globally; domain-default
>> whitelists are inherited by all users with addresses in that domain.
>
> Ahh - found it!  The  user had the recipient's address in it.  I'd
> actually not realised that the whitelists were hierarchical..


I'm not sure just how to implement it, but perhaps we need a way for
a user to "override" a system default setting and remove a .
whitelist.   It might at least be nice to list the hierarchal entries
on the wblist page...

David Morton
Maia Mailguard http://www.maiamailguard.com
mortondadgrmm.net



Spam Slipping through as Whitelisted
user name
2006-11-24 21:35:02
>>> On Fri, Nov 24, 2006 at  9:55 AM, in message
<B4262BA4-B721-45BC-B8C6-502FA603D530dgrmm.net>, David Morton
<mortondadgrmm.net> wrote: 
> I'm not sure just how to implement it, but perhaps we need a way for
> a user to "override" a system default setting and remove a .
> whitelist.   It might at least be nice to list the hierarchal entries
> on the wblist page...

The hierarchal listing would be pretty nifty - a listing that showed
"where" W/B was located, with the user only being able to change those
for his own userid, but it would at least show where they were coming
from.  Of course, I doubt that things in the amavisd.conf or local.cf
would show up there, but at least this would be a "Maia" start.

Danita
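
The inherited lookup Robert describes and the "where did this entry come from" listing suggested in the last two posts, as an added example that is not part of the thread and not Maia's own code. The table layout, the "@domain" owner key, the function names and the sample message are assumptions constructed for illustration; the match is made on the envelope sender from "Return-Path:", never on "From:".

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed tables (hypothetical model, not Maia's schema), keyed by owner:
# "." = system default, "@domain" = domain default, full address = one user.
WHITELISTS = {
    ".": {"staff@example.org"},              # a recipient's own address, set globally
    "@example.org": {"news@partner.example"},
    "staff@example.org": {"friend@home.example"},
}

# Constructed message: From: differs from the envelope sender, and the
# envelope sender equals the recipient, as in the case found in the thread.
SAMPLE = (
    "Return-Path: <staff@example.org>\n"
    'From: "Eddie Anderson" <someone@elsewhere.example>\n'
    "To: staff@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def owners_for(recipient):
    """Owners whose lists apply to recipient, most specific first."""
    domain = recipient.rsplit("@", 1)[1]
    return [(recipient, "user"),
            ("@" + domain, "domain-default"),
            (".", "system-default")]

def effective_whitelist(recipient, tables=WHITELISTS):
    """Every entry that applies to recipient, with the level it comes from."""
    return [(sender, level, owner)
            for owner, level in owners_for(recipient.lower())
            for sender in sorted(tables.get(owner, ()))]

def explain(raw, recipient, tables=WHITELISTS):
    """Report whether, and at which level, the envelope sender is whitelisted."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    for sender, level, owner in effective_whitelist(recipient, tables):
        if sender == envelope:
            return {"whitelisted": True, "envelope": envelope,
                    "from": header_from, "level": level, "owner": owner}
    return {"whitelisted": False, "envelope": envelope,
            "from": header_from, "level": None, "owner": None}

if __name__ == "__main__":
    print(explain(SAMPLE, "staff@example.org"))
    for row in effective_whitelist("staff@example.org"):
        print(row)
```
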

