From sa-exim at edschooler.com  Sun Jan 11 22:10:18 2009
From: sa-exim at edschooler.com (sa-exim)
Date: Sun, 11 Jan 2009 22:10:18 -0800
Subject: [SA-exim] user in whitelist but not
Message-ID: <496ADECA.2060205@edschooler.com>

I just received an email from  juanitat40 at hookedonmicrosoft.com
with  -100 USER_IN_WHITELIST

But I do not have an awl and my whitelist does not have this person in it.

How can this be?

X-Spam-Score -86.4 (---------------------------------------------------)

Spam detection software, running on the system 
"hosting.wecanhost4u.com", has    identified this incoming email as 
possible spam.  The original message    has been attached to this so you 
can view it (if it isn't spam) or label    similar future email.  If you 
have any questions, see    postmaster for details.    Content preview:  
[...]     Content analysis details:   (-86.4 points, 5.6 required)    
pts rule name              description    ---- ---------------------- 
--------------------------------------------------    -100 
USER_IN_WHITELIST      From: address is in the user's white-list   
3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 
100%    [score: 0.9926]   
0.0 FH_HOST_EQ_VERIZON_P   Host is pool-.+verizon.net   
2.6 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d   
2.6 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP 
addr    1)    3.0 BOTNET                 Relay might be a spambot or 
virusbot    
[botnet0.7,ip=68.238.67.203,hostname=pool-68-238-67-203.lax.dsl-w.verizon.net,maildomain=hookedonmicrosoft.com,baddns,client,ipinhostname,clientwords]    
1.8 BOTNET_IPINHOSTNAME    Hostname contains its own IP address    
[botnet_ipinhosntame,ip=68.238.67.203,rdns=pool-68-238-67-203.lax.dsl-w.verizon.net]    
0.1 RDNS_DYNAMIC           Delivered to trusted network by host with    
dynamic-looking rDNS


From marc at merlins.org  Sun Jan 11 22:24:33 2009
From: marc at merlins.org (Marc MERLIN)
Date: Sun, 11 Jan 2009 22:24:33 -0800
Subject: [SA-exim] user in whitelist but not
In-Reply-To: <496ADECA.2060205@edschooler.com>
References: <496ADECA.2060205@edschooler.com>
Message-ID: <20090112062433.GH20071@merlins.org>

On Sun, Jan 11, 2009 at 10:10:18PM -0800, sa-exim wrote:
> I just received an email from  juanitat40 at hookedonmicrosoft.com
> with  -100 USER_IN_WHITELIST
> 
> But I do not have an awl and my whitelist does not have this person in it.
> 
> How can this be?

This is not an sa-exim question, it's a SA question, better asked on the SA
list.

That said, try spamassassin -t -D < mesg and it may give you hint why, but
really you should look at your SA config.

Marc

> X-Spam-Score -86.4 (---------------------------------------------------)
> 
> Spam detection software, running on the system 
> "hosting.wecanhost4u.com", has    identified this incoming email as 
> possible spam.  The original message    has been attached to this so you 
> can view it (if it isn't spam) or label    similar future email.  If you 
> have any questions, see    postmaster for details.    Content preview:  
> [...]     Content analysis details:   (-86.4 points, 5.6 required)    
> pts rule name              description    ---- ---------------------- 
> --------------------------------------------------    -100 
> USER_IN_WHITELIST      From: address is in the user's white-list   
> 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 
> 100%    [score: 0.9926]   
> 0.0 FH_HOST_EQ_VERIZON_P   Host is pool-.+verizon.net   
> 2.6 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d   
> 2.6 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP 
> addr    1)    3.0 BOTNET                 Relay might be a spambot or 
> virusbot    
> [botnet0.7,ip=68.238.67.203,hostname=pool-68-238-67-203.lax.dsl-w.verizon.net,maildomain=hookedonmicrosoft.com,baddns,client,ipinhostname,clientwords]    
> 1.8 BOTNET_IPINHOSTNAME    Hostname contains its own IP address    
> [botnet_ipinhosntame,ip=68.238.67.203,rdns=pool-68-238-67-203.lax.dsl-w.verizon.net]    
> 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with    
> dynamic-looking rDNS
> 
> _______________________________________________
> SA-Exim mailing list
> SA-Exim at lists.merlins.org
> http://lists.merlins.org/lists/listinfo/sa-exim
> 

-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/