Doug Poulin wrote:
> Well here is the actual headers:
>
> Mar 11 13:48:20 x1mail spamd[6116]: spamd: result: Y 22 -
> DATE_IN_FUTURE_12_24,
> FORGED_MUA_OUTLOOK,HTML_MESSAGE,URIBL_AB_SURBL,URI BL_JP_SURBL,URIBL_OB_SURBL,
> URIBL_SC_SURBL
> scantime=17.6,size=3023,user=root,uid=501,required _score=3.0,
> rhost=localhost,raddr=127.0.0.1 ,rport=34757,
> mid=<31c3ff01c883a2$bb044920$be727ddd@jacky3b8126d7b>,autolearn=disabled


Ahh, that's the spamd logs, not the X-Spam headers..

All the rhost=localhost... bit means is that's where spamc is running
and feeding spamd messages. Since it's possible to run spamd on a
separate server than your email frontent, this isn't always localhost
for everyone, but in your case it likely always will be. However, that
part has nothing to do with spamassassin's analysis. SA will always
process the message the same way, no matter how it got fed to spamd, and
the spam tests do not have access to that information.


>
> Thanks for any help. And believe it or not, that was a LEGITIMATE
> message....I need to do a little digging to see where this guy was
> sending from, but it was a proposal to reorder some forms we use!

Sounds like he needs to fix his clock, and find out what URL in the
message body was blacklisted by every SURBL test... The rest is probably
minor.. the FORGED_MUA_OUTLOOK is probably a FP. Microsoft changes
outlook's output formats faster than you can blink an eye.
>
> Thanks again!

No problem.