spamassassin-users mailing list archives

From David Jones <djo...@ena.com>
Subject Re: "bout u" campaign
Date Thu, 13 Jul 2017 18:06:37 GMT
On 07/13/2017 12:56 PM, Dave Jones wrote:
> On 07/13/2017 12:39 PM, Alex wrote:
>> Hi,
>>
>>> header          RCVD_IN_SENDERSCORE_0_29        eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
>>> describe        RCVD_IN_SENDERSCORE_0_29        Senderscore.org score of 0 to 29
>>> score           RCVD_IN_SENDERSCORE_0_29        5.2
>>> tflags          RCVD_IN_SENDERSCORE_0_29        net
>>
>> At least in my environment, this one in particular would catch a ton
>> of legitimate mail. This also assumes a 6.0 score for you, correct?
>>
> 
> Correct.  My block threshold of 6.0 is the default in MailScanner.
> 
> The legit email should be SHORTCIRCUIT'd with whitelist_auth entries.
> 
> I SHORTCIRCUIT any trustworthy sender with a legit unsubscribe process 
> to put control back in the hands/mouse of the end user.  I also 
> SHORTCIRCUIT with whitelist_auth any domains (primarily subdomains) that 
> are system-generated and consistently score very low.
> 
> From my own email analysis, the majority of my spam is from FREEMAIL 
> senders and compromised accounts with zero-hour spam campaigns where the 
> mail server is not yet on any RBLs.  Botnet-controlled devices are 
> another source of spam but they seem to be sending through compromised 
> accounts these days.  They will phish a password, sit on it for days or 
> weeks, craft a zero-hour spam campaign to get through most mail filters, 
> then blast as much spam as they can until RBLs and DCC catch up to it in 
> about 30 minutes or so.  These compromised accounts from normally 
> trusted mail server IPs are the reason why some SA RBL rules need to go 
> beyond the lastexternal hop.
> 

Let me clarify a bit.  Don't put any FREEMAIL or domains with human 
accounts (potentially compromised) in your whitelist_auth unless you 
have to for some reason.  Some senders may not have SPF or DKIM set up 
properly, so you may have to put some of them in the whitelist_from_rcvd 
to get the same result.

Doing this will separate out trustworthy senders from potential content 
pitfalls.  For example, legit eBay emails will get through while spoofed 
emails with identical email content can be blocked by Bayes or other 
content rules.

I am seeing a lot of email spoofing USAA insurance lately to phish 
accounts.  I whitelist_auth legit USAA emails then train the rest as 
spam so Bayes and other rules can block the phishing.

-- 
David Jones
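
The policy described in this thread (a lastexternal SenderScore rule, trusted senders whitelisted by SPF/DKIM and short-circuited, poorly-authenticated senders tied to their relay host, and nothing FREEMAIL-like whitelisted) as a single SpamAssassin local.cf fragment. This is an added example, not a file from the original message or from the SpamAssassin project: the domains, the relay hostname mail.example.org, and the MailScanner-style 6.0 threshold are illustrative assumptions, and only the RCVD_IN_SENDERSCORE_0_29 rule itself is taken from the quoted post.

```conf
# Added example (not from the original post). Domains, the relay host
# and the 6.0 threshold are assumptions for illustration.

# 1. Reputation rule from the thread: query SenderScore for the
#    last external hop only. SenderScore answers 127.0.4.<score>, and
#    the anchored regex buckets scores 0-29 (one or two digits, first
#    digit absent, 1 or 2).  127.0.4.30 and above do not match.
header   RCVD_IN_SENDERSCORE_0_29  eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe RCVD_IN_SENDERSCORE_0_29  Senderscore.org score of 0 to 29
score    RCVD_IN_SENDERSCORE_0_29  5.2
tflags   RCVD_IN_SENDERSCORE_0_29  net

# 2. Trustworthy, system-generated senders.  whitelist_auth only
#    fires when the sender passes SPF or DKIM for that domain, so a
#    spoofed "eBay" or "USAA" message with identical content still
#    gets full net/Bayes/content scoring and can be blocked.
whitelist_auth *@ebay.com
whitelist_auth *@usaa.com

# 3. Senders without a working SPF/DKIM setup: bind the address to
#    the relaying host seen in the trusted Received header instead.
#    (mail.example.org is an assumed hostname.)
whitelist_from_rcvd *@example.org mail.example.org

# 4. Short-circuit the whitelisted cases so no later rule can push a
#    legitimate bulk sender over the 6.0 block threshold.  Needs the
#    Shortcircuit plugin loaded in v320.pre:
#      loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit USER_IN_WHITELIST       on   # whitelist_from_rcvd hits
shortcircuit USER_IN_DKIM_WHITELIST  on   # whitelist_auth via DKIM
shortcircuit USER_IN_SPF_WHITELIST   on   # whitelist_auth via SPF
shortcircuit_ham_score -100               # default; forces a clear ham score

# 5. Deliberately absent: no whitelist_auth for gmail.com, outlook.com
#    or any other domain with human accounts that can be compromised.
#    Those stay subject to RCVD_IN_SENDERSCORE_0_29, Bayes and DCC.
```

Run `spamassassin --lint` after adding the fragment; it reports an unknown `shortcircuit` directive if the plugin is not loaded. When a whitelisted message is short-circuited, the report shows the SHORTCIRCUIT rule and the whitelist rule that triggered it, which is a quick way to confirm that a given sender is being handled by SPF/DKIM rather than by the Received-header match.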
