On 1/24/2019 6:20 AM, K Post wrote:
Daniel,
What value do you have for DoNoFromSelect?
I use 61, exactly for the reasons you mentioned. 63 is the default in
your version. Thomas changed this default in 19015
- the default value for 'DoNoFromSelect' is changed from 63 to 59
option 4 - multiple from: addresses or from: header tags found
(potential 2x score if option 2 is also enabled) - caused too
many false positives
I personally haven't seen the option 4 (4 - multiple from: addresses
or from: header tags found (potential 2x score if option 2 is also
enabled)) to be an issue, but I see lots of scenarios, like you're
seeing, where there's a different from and sender. So I removed 2
from my number ( 2 - different domains found in from: and sender:
email addresses - or multiple addresses in a single header (FROM: or
SENDER:) of different domains are found ) leaving me with 61. I've
been operating like this for a while without issue.
I'll fall back to that for a while - but I would think (outside of
mailing lists, and few at that) valid conditions of "option 2" are quite
rare while spoofing attempts are frequent. So my thought was block all
such occurrences but for whitelisted exceptions - but for my intent the
NPWL needs to be considered for "immunity" for condition 2 where both
Sender & From are in NPWL.
Daniel
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
