spamassassin-users mailing list archives

From jaso...@mail-central.com
Subject Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?
Date Sat, 25 Jun 2016 22:29:48 GMT
An inbound spam was caught by SpamAssassin, flagged with

	BAYES_50=0.8
	DCC_CHECK=1.1
	DIGEST_MULTIPLE=0.293
	HTML_MESSAGE=0.001
	MIME_HTML_MOSTLY=0.428
	MISSING_HEADERS=1.021
	PYZOR_CHECK=2.5
	REPLYTO_WITHOUT_TO_CC=1.552

To get to SA, it snuck by my DNSBLs, and passed SPF/DKIM/DMARC tests,

	Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f; dmarc=none header.from=gmail.com

	Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
	dkim=pass (2048-bit key; unprotected) header.d=yahoo.com header.i=@yahoo.com header.b=UFAXzzUL

	Authentication-Results: spf.mail.example.com; spf=softfail (domain owner discourages use
of this host) smtp.mailfrom=gmail.com (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
envelope-from=mrs.djoel11@gmail.com; receiver=user@example.com)

(TBH, I'm not exactly clear on how/why a msg this fake gets by all 3; need to take a closer
look at that!)

But, not being caught is NOT my current question.

Instead, I'd like to know which specific test I can use to hit/score the 'freemail' whack-a-mole.

For example, this particular email is

	Sent via 'freemail' @ YAHOO
	From 'freemail' @GMAIL
	ReplyTo 'freemail' @HOTMAIL

Here are some of the headers

	Received: from nm12-vm1.bullet.mail.ir2.yahoo.com (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
		by mail.example.com (Postfix) with ESMTPS
		for <user@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
	...
	From: Dion Joelle <mrs.djoel11@gmail.com>
	Reply-To: Dion Joelle <mrs.dionj11@hotmail.com>
	Message-ID: <#####.JavaMail.yahoo@mail.yahoo.com>

What I don't see there are any of the FREEMAIL hits.

Obviously, the fake freemail 'trifecta' (gmail/hotmail/yahoo) is an easy signature to hit
on.

I just need some guidance as to what test I need to use/configure/enable to hit/score on this
pattern/behavior.

Jason

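The pattern Jason describes (handed to us by one freemail provider's MTA, From: at a second provider, Reply-To: at a third) can be scored directly from the headers. The script below is an added illustration of that logic written for this archive page; it is not SpamAssassin's FreeMail plugin and not code from the original post. The provider map is an assumed, deliberately short list, the spam sample reproduces the headers quoted above (with the Message-ID digits left elided as in the post), and the legitimate sample with host mail-xx.google.com and IP 192.0.2.10 is constructed for contrast.

```python
"""Score the 'freemail trifecta': a message handed to us by one freemail
provider's MTA, with a From: at a second provider and a Reply-To: at a
third.  Added illustration, not SpamAssassin's FreeMail plugin."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed provider map: hostname/domain suffix -> provider label.  A real
# deployment carries a far longer list; this one only covers the sample.
FREEMAIL = {
    "gmail.com": "gmail", "googlemail.com": "gmail", "google.com": "gmail",
    "yahoo.com": "yahoo", "yahoo.co.uk": "yahoo", "ymail.com": "yahoo",
    "hotmail.com": "hotmail", "outlook.com": "hotmail", "live.com": "hotmail",
}

# First clause of a Postfix-style Received: header: "from HELO (RDNS [IP])".
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)", re.I)


def provider(host):
    """Map a hostname or mail domain to a freemail provider label, or None."""
    host = (host or "").lower().rstrip(".")
    for suffix, label in FREEMAIL.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def header_domain(msg, name):
    """Domain part of the address in header `name`, or None if absent."""
    addr = parseaddr(str(msg.get(name, "")))[1]
    return addr.rpartition("@")[2] or None


def sending_host(msg):
    """Hostname of the MTA that handed the message to us.

    Assumes the topmost Received: was written by our own MTA, so its 'from'
    clause is the last external hop.  The rDNS name is preferred over the
    HELO name because the receiving MTA looked it up itself."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    first = " ".join(str(received[0]).split())   # unfold and squeeze whitespace
    m = RECEIVED_RE.match(first)
    if not m:
        return None
    return m.group("rdns") or m.group("helo")


def freemail_trifecta(raw):
    """Return the provider seen on each leg plus two boolean signals."""
    msg = message_from_string(raw, policy=policy.default)
    via = provider(sending_host(msg))
    frm = provider(header_domain(msg, "From"))
    rto = provider(header_domain(msg, "Reply-To"))
    present = [p for p in (via, frm, rto) if p]
    return {
        "sent_via": via, "from": frm, "reply_to": rto,
        # strong signal: all three legs freemail, all at different providers
        "trifecta": len(present) == 3 and len(set(present)) == 3,
        # weaker signal: From: and Reply-To: both freemail but at different providers
        "from_replyto_mismatch": bool(frm and rto and frm != rto),
    }


# Constructed sample reproducing the headers quoted in the post.
SPAM = """\
Received: from nm12-vm1.bullet.mail.ir2.yahoo.com (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
\tby mail.example.com (Postfix) with ESMTPS
\tfor <user@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
From: Dion Joelle <mrs.djoel11@gmail.com>
Reply-To: Dion Joelle <mrs.dionj11@hotmail.com>
Message-ID: <#####.JavaMail.yahoo@mail.yahoo.com>

"""

# Constructed legitimate-looking sample (hypothetical host and documentation IP).
LEGIT = """\
Received: from mail-xx.google.com (mail-xx.google.com [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTPS
\tfor <user@example.com>; Fri, 24 Jun 2016 09:00:00 -0400 (EDT)
From: Someone <someone@gmail.com>

"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(label, freemail_trifecta(raw))
```

The script reports sent_via=yahoo, from=gmail, reply_to=hotmail and trifecta=True for the quoted message, and nothing for the single-provider sample. In SpamAssassin terms the equivalent signals come from the FreeMail plugin (Mail::SpamAssassin::Plugin::FreeMail), whose eval checks cover the From:, Reply-To: and arbitrary named headers and whose freemail_domains setting supplies the provider list; a meta rule combining those hits with a Received: match is the SA-native way to score the same three-way mismatch. Check the exact eval names and the plugin's loading status against the installed version's documentation before relying on them.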