spamassassin-users mailing list archives

From: Chris <cpoll...@embarqmail.com>
Subject: Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes
Date: Sat, 05 Mar 2011 17:37:59 GMT

On Sat, 2011-03-05 at 08:40 -0800, John Hardin wrote:
> On Sat, 5 Mar 2011, Chris wrote:
> 
> > In the example I posted I also see this in the To: headers when saved as
> > a .txt file - "@pop.embarq.synacor.com>, \"ballard\", \"aajhp"
> > <bunnysittr@aol.com>
> 
> > I see the same thing -
> > "@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
> > <billybeckner@yahoo.com>, \"ballard\" <bunnysittr@aol.com>, \"aajhp"
> > <jldna@embarqmail.com>, I have no idea where the '\' are coming from.
> 
> That means the email address <bunnysittr@aol.com> has the comment 
> "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" associated with it, and 
> the email address <jldna@embarqmail.com> has the comment 
> "@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
> > <billybeckner@yahoo.com>, \"ballard\" <bunnysittr@aol.com>, \"aajhp"
> 
> A more-expected example would be: "John Hardin" <jhardin@impsec.org>
> 
> That's why the quotes are escaped - they are embedded in the comment.
> 
> _something_ is farking up the recipients list. Whether it's whatever is 
> composing the message (perhaps it's not properly parsing a recipients 
> database, or the recipients database is dirty), or some intermediate MTA, 
> we can't tell from the receiving end.
> 
> You might want to contact the sender and see how the recipient list is 
> being generated. While this shouldn't affect delivery, as you can see it's 
> having effects on DKIM and spam scoring.
> 
Thanks John, maybe this is a better example:

Recipients list in spam:

To: wayne watts <edpw@clear.net>, ebethbaize@yahoo.com, 
 jpmalone58@centurylink.net, jnrsmi@dishmail.com, reebjm@swbell.net,
"."
 <bobby.c.baize@US.army.mil>,  training
<training@sheriff.co.coryell.tx.us>,
  wills <wills.marty@yahoo.com>, jaredbruton <jaredbruton@yahoo.com>, 
 darrell <darrell.wharton@sbcglobal.net>,  rthornley
<rthornley@hot.rr.com>,
  "Rocwood, Farron" <flcdrock4@yahoo.com>,  "Patterson, Randy"
 <rapatterson60@yahoo.com>,  "mcminn, carolyn" <dedee5858@yahoo.com>,
kenny
 worthington <kenny.worthington@embarqmail.com>,  hitt
 <hitt@rocketmail.com>, "haines, mark" <hainesmark11@yahoo.com>,
Debi4452
 <Debi4452@yahoo.com>, cpollock <cpollock@embarqmail.com>,  "cheek, tom"
 <tomandchee@netzero.net>,  Chancy <chancyfain@embarqmail.com>,
cdneumann
 <cdneumann@hot.rr.com>,  "cantrell, james" <jldna@embarqmail.com>, 
 "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" <bunnysittr@aol.com>

Recipients list in ham:

To: wayne watts <edpw@clear.net>, ebethbaize@yahoo.com, 
 jpmalone58@centurylink.net, jnrsmi@dishmail.com, reebjm@swbell.net,
"."
 <bobby.c.baize@US.army.mil>,  training
<training@sheriff.co.coryell.tx.us>,
  wills <wills.marty@yahoo.com>, jaredbruton <jaredbruton@yahoo.com>, 
 darrell <darrell.wharton@sbcglobal.net>,  rthornley
<rthornley@hot.rr.com>,
  "Rocwood, Farron" <flcdrock4@yahoo.com>,  "Patterson, Randy"
 <rapatterson60@yahoo.com>,  "mcminn, carolyn" <dedee5858@yahoo.com>,
kenny
 worthington <kenny.worthington@embarqmail.com>,  hitt
 <hitt@rocketmail.com>, "haines, mark" <hainesmark11@yahoo.com>,
Debi4452
 <Debi4452@yahoo.com>, cpollock <cpollock@embarqmail.com>,  "cheek, tom"
 <tomandchee@netzero.net>,  Chancy <chancyfain@embarqmail.com>,
cdneumann
 <cdneumann@hot.rr.com>,  "cantrell, james" <jldna@embarqmail.com>,
ballard
 <bunnysittr@aol.com>, aajhp <aajhp@embarqmail.com> 

The two look the same except for the last few entries where the one
marked spam has the last few addressees borked. Apparently something is
intermittently adding the @pop.embarq.synacor.com to the list. Do these
lines mean he's using Embarq's webmail instead of sending direct from his
computer? If so, that could be where the glitches are coming from:

X-originating-ip: [76.0.87.41]
X-mailer: Zimbra 6.0.5_GA_2213.RHEL4_64 (ZimbraWebClient - IE8
(Win)/6.0.5_GA_2213.RHEL4_64)
X-senderip: 10.50.3.117

I'll have to watch for any more tagged spam and compare to non-spam.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
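
Added example, not part of the original message: how an RFC 5322 address parser (Python's standard `email.utils`) reads a clean and a mangled recipient list shaped like the two To: headers above, and a simple check that flags the mangled one. The header strings are constructed; the mailbox names and example.* domains are placeholders, and the function names are hypothetical.

```python
from email.utils import getaddresses

# Constructed headers modelled on the two To: lists in the message above;
# the mailbox names and example.* domains are placeholders.
HAM_TO = ('"cantrell, james" <james@example.com>, '
          'ballard <ballard@example.org>, aajhp <aajhp@example.com>')
SPAM_TO = ('"cantrell, james" <james@example.com>, '
           '"@pop.example.net>, \\"ballard\\", \\"aajhp" <ballard@example.org>')


def parse_recipients(header_value):
    """Return (display_name, address) pairs as the address parser sees them."""
    return getaddresses([header_value])


def suspicious_display_names(header_value):
    """Flag recipients whose display name contains address syntax.

    '@', '<' or '>' inside a quoted display name usually means the sending
    software merged several address-list entries into one quoted string.
    """
    return [(name, addr) for name, addr in parse_recipients(header_value)
            if any(ch in name for ch in "@<>")]


def missing_recipients(reference_header, suspect_header):
    """Addresses in the reference header that are absent from the suspect one."""
    suspect = {addr.lower() for _, addr in parse_recipients(suspect_header)}
    return [addr for _, addr in parse_recipients(reference_header)
            if addr.lower() not in suspect]


if __name__ == "__main__":
    for name, addr in parse_recipients(SPAM_TO):
        print(f"{addr:25} display name: {name!r}")
    print("flagged:", suspicious_display_names(SPAM_TO))
    print("lost from mangled copy:", missing_recipients(HAM_TO, SPAM_TO))
```

The mangled header still parses without error, which is why delivery is unaffected; the damage only shows up as one recipient with an address fragment in its display name and one address missing from the list.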

