Take a logwatch email with lots of "bad ips etc" and run it through spamassassin as the same user that spamassassin runs under on that machine and it will give you some info you need to make better decisions You will actually see how it is getting eval'd and scored... The best answer(s), and what you use to solve the issue may not be the same thing. Once you do that, you could actually create a rule called ADMIN_LOGWATCH_LOCAL and have it score appropriately. Whitelisting is a kludge. Possibly your trust path could be messed up too. Many people would say don't allow the MTA to hand to SA, yet if all email must be handed to SA by policy.... you get the idea... - rh