Does the SpamAssassin whitelist work?

[davebach]

I have SpamAssaassin enabled and have an email address used for a form on my website in the SpamAssaassin whitelist, but email to that address is still flagged as spam occasionally.

Everything is configured like this: SpamAssaassin is enabled. Anything above 5 is considered spam. The address formaddress@myserver.com is on the SpamAssaassin whitelist. All mail is received, checked by SpamAssassin and forwarded to my primary email account, where a cpanel filter discards anything scoring higher than a 10.

Email from formaddress@myserver.com is passing through SpamAssaassin, but it is not left alone even though its on the whitelist. If I use enough 'organ enlarging' words, it will easily score a 7 (also because the 'From' and 'Received' headers don't match, since a cgi script sends the email from my server).

I was under the impression that the whitelist would cause SpamAssassin to bypass filtering the mail and just send it on its way, or at least score it a 0. Does the SpamAssassin whitelist work?

Dave

[charlie]

The WHITELIST_TO feature works, but not as you would expect. All e-mails, even those in the whitelist are scanned and scored. Negative scores are applied to the whitelisted e-mails.
Example: An e-mail that gets a spam score of 14 will get 6 points subtracted if it is in the whitelist. The final score will be 8, still high enough to trip your SA as spam.

Spam Assassin has three rules that allow some spam, more spam and all spam to be received by addresses you add to the three lists.

The three lists and their default scores are
WHITELIST_TO -6
MORE_SPAM_TO -20
ALL_SPAM_TO -100

As you can see "whitelist_to" is really a "let some spam through" list. All_spam_to" is the real whitelist.

Three choices To solve your problem
1. In your user_prefs file, change the WHITELIST_TO score to -100
score whitelist_to -100
OR
2. Put the address in the ALL_SPAM_TO list
all_spam_to address@yourdomain.com
OR
3. Fix the formmail script so that it scores low without the address needing to be on any list. This is more important when a script generated e-mail goes somewhere besides your own domain. Someone else is not likely to have your form address whitelisted (or all_spam_to listed).

Most high spam scores from script generated emails come from having no MIME type, "Short" Message ID, and no "from" address.I alway have the script generate a message ID header, add a "from" header, and a mime type header.
Look through the SA tags in the headers for hints on where you can reduce the score for that script.

Hope this clears it up a bit.

[davebach]

Thanks for the help. I first tried "score whitelist_to -100" but it did not work... it never showed up in the header when I looked at the received email.

But "all_spam_to" with the addresses I use in my forms worked fine. This is OK in my circumstance because the addresses are not public and are not passed to formmail as a hidden value (I use a modified version of formail that adds my domain to the email value). This setting actually gives the email a -100 score before normal filtering.

Dave

[goodmove]

Originally posted by davebach
Everything is configured like this: SpamAssaassin is enabled. Anything above 5 is considered spam. The address formaddress@myserver.com is on the SpamAssaassin whitelist. All mail is received, checked by SpamAssassin and forwarded to my primary email account, where a cpanel filter discards anything scoring higher than a 10.

When you say the "primary email account", do you mean your username email account? I thought email filters were processed before Spamassassin (and therefroe didn't work) for the username accounts.

[davebach]

Originally posted by goodmove
When you say the "primary email account", do you mean your username email account? I thought email filters were processed before Spamassassin (and therefroe didn't work) for the username accounts.

Sorry, probably not the best terminology to use there... no, not the username/login account, an additional email account that is also assigned as the 'default' address. This always seemed to be a good thing to do even before I turned on SA... this way your login password isn't thrown around so much.

Dave