Mismarked mail - AWL

Julian Field mailscanner at ecs.soton.ac.uk
Tue Nov 12 21:02:08 GMT 2002 

Methinks I might want to change the default value in the distribution.
Thanks for doing the thorough analysis.

At 20:48 12/11/2002, you wrote:
>Well, the question wasn't "what is the AWL" it's "how is the AWL scored".
>
>Quite frankly it's my opinion that using the AWL with MailScanner is
>nothing short of broken. You can see my post under the subject "Re:
>[SAtalk] AWL broken in 2.43?" over on the SATalk list about one strong
>example of how the SA AWL breaks if you have a global AWL database,
>something which happens by necessity with MailScanner.
>
>I'd strongly recommend editing your MailScanner configs to disable the
>auto-whitelist.
>
>This is particularly catastrophic if you try to use any of SA's manual
>whitelisting features at the same time.
>
>As far as the AWL scoring method itself, the AWL is a system that tracks
>the average score of emails from a given sender/server IP combination. Each
>time an email arrives it is scored, and the AWL "pushes" the score of the
>individual email towards the average by a configurable factor. By default
>this "factor" is 0.5.
>
>So the final score of the email winds up being:
>
>(normal_score * (1-factor)) + (average_score * factor)
>
>so in the case of .5 it splits the difference between the current email and
>the average. This causes users that consistently send spam to have  their
>scores raised, and those that consistently send nonspam to have their
>scores lowered.
>
>Of course, you can see how if you have manual whitelists and a global AWL,
>in particular to: type whitelists, the AWL winds up averaging the effects
>of those settings to all users on the system.
>
>i.e.: if I ALL_SPAM_TO my postmaster account and a spammer spams
>postmaster, then 10 other users, he'll have a roughly -100 score average
>when he sends to the other 10. I've effectively created a way for spammers
>to site-wide whitelist themselves by spaming a particular account first.
>
>
>
>
>
>At 02:07 PM 11/12/2002 -0600, Mike Kercher wrote:
>>AWL is AutoWhiteList
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Bill Anderson
>>Sent: Tuesday, November 12, 2002 2:05 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Mismarked mail - AWL
>>
>>
>>How is scoring determined for AWL?  I can find the scores for SMTPD_IN_RCVD,
>>SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK, however can't see what score is given
>>to AWL.  Why is it being triggered?  This should be a valid email, which it
>>is in version 3, however with version 4 it is being triggered.
>>
>>X-MailScanner-SpamCheck: SpamAssassin (score=7.7, required 5, AWL,
>>         SMTPD_IN_RCVD, SPAM_PHRASE_00_01, USER_AGENT_OUTLOOK)

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ

More information about the MailScanner mailing list