Whitelisting problems

Gary Faith gafaith at asdm.net
Mon Jan 7 19:52:32 GMT 2013 

Dennis,
 
I tried both:
 
header    FROM_BLACKBERRY       From =~ /\.us\.blackberry\.com/
header    FROM_BLACKBERRY       From =~ /.*\.us\.blackberry\.com/
but it still doesn't match the rule.
 
Gary

>>> Denis Beauchemin <Denis.Beauchemin at usherbrooke.ca> 1/7/2013 9:54 AM
>>>
Gary,

This rule is wrong:
header    FROM_BLACKBERRY       From =~ /\.*\.us\.blackberry\.com/

It should read:
header    FROM_BLACKBERRY       From =~ /\.us\.blackberry\.com/

Rethinking about your rule, I'm not so sure anymore it was wrong
because the part I removed \.* would match any number of periods, from
zero to infinity. I'm pretty sure you don't have to match the complete
from, but if you wanted to you would rewrite your rule this way:
header    FROM_BLACKBERRY       From =~ /.*\.us\.blackberry\.com/

Denis


De : mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] De la part de Gary
Faith
Envoyé : 7 janvier 2013 09:13
À : mailscanner at lists.mailscanner.info
Objet : Re: Whitelisting problems

Finally, getting close to figuring this out but I could really use some
help here.  I figured out part of the issues was spamassassin was
caching data and I had to delete the cache to get it to process the
rules for this message.

I created these three spamassassin rules:

# Rule to find Whitelist Blackberry mail
header    FROM_BLACKBERRY       From =~ /\.*\.us\.blackberry\.com/
score     FROM_BLACKBERRY       -10
describe  FROM_BLACKBERRY       email From blackberry user
header COM_DOMAIN_MAIL From =~ /\.com/i
score COM_DOMAIN_MAIL 0.1
header NET_DOMAIN_MAIL From =~ /\.net/i
score NET_DOMAIN_MAIL 0.1
Here is the problem now.  The meessage is being sent

From: srs0=jc450o=la=mydomain.net=gafaith at srs.bis6.us.blackberry.com

and in the Spam report, I get:

-0.50
BAYES_00
Bayesian spam probability is 0 to 1%
0.10
NET_DOMAIN_MAIL

1.53
RATWARE_EFROM
Bulk email fingerprint (envfrom) found
-0.00
SPF_PASS
SPF: sender matches SPF record

It should match the FROM_BLACKBERRY and the COM_DOMAIN_MAIL rule but
instead it matches the NET_DOMAIN_MAIL rule.  It looks like it is
matching on the first instance of a domain instead of what is after the
@ sign.

Maybe with this information someone can tell me why it is doing this
and what I can do to have it match the us.blackberry.com.

Thanks in advance,

Gary

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20130107/7026eaee/attachment.html

More information about the MailScanner mailing list