Here is a good example of a spoof that might get user clicks. It didn't
have good SPF or DKIM, but it could have pretty easily, making it look
pretty clean in a default SA installation.
https://pastebin.com/GTG8K56a
Need to get this IP off of the HostKarma and dnswl.org whitelists if
anyone from there is on this list.
On the other hand, here is a legit AmEx email that looks nearly
identical. I challenge everyone to run these through your SA instances
by saving them to your servers as a file then running
"spamassassin -D < file" and see how they score.
https://pastebin.com/KLQyaZrJ
I will be adding this entry to 60_whitelist_auth.cf soon so in less than
a week the authentic AmEx emails will be scoring very low for everyone
that is running sa-update regularly:
def_whitelist_auth *@*.aexp.com
Kevin already had something similar to this in KAM.cf checking for
SPF_FAIL from aexp.com but it wouldn't help with that spoofed one at the
top with the "m" in the domain.
--
David Jones
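
The point of the message above, as an added example that is not part of the original post and not SpamAssassin code: a glob like `*@*.aexp.com` only helps when the sender also authenticates, and a lookalike domain that passes SPF/DKIM for itself never matches the glob. The sample headers, the lookalike domain `aexmp.com`, the `PROTECTED` list and the edit-distance threshold are constructed assumptions, not values from the pastebin samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

WHITELIST_AUTH = ["*@*.aexp.com"]  # the def_whitelist_auth entry from the post
PROTECTED = ["aexp.com"]           # assumption: domains to guard against lookalikes

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw):
    """Return 'whitelisted', 'unauthenticated', 'lookalike' or 'other'."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    # Simplification: last two labels; production code needs the Public Suffix List.
    base = ".".join(addr.rpartition("@")[2].split(".")[-2:])
    # Only meaningful if this header was added by your own MTA.
    auth = msg.get("Authentication-Results", "").lower()
    authed = re.search(r"\b(spf|dkim)=pass\b", auth) is not None
    # Near-miss of a protected domain: auth passing for its own domain proves nothing.
    if any(base != p and edit_distance(base, p) <= 2 for p in PROTECTED):
        return "lookalike"
    if any(fnmatchcase(addr, pat) for pat in WHITELIST_AUTH):
        return "whitelisted" if authed else "unauthenticated"
    return "other"

def sample(sender, results):
    """Build a constructed test message with the given From and auth results."""
    return (f"From: Card Services <{sender}>\n"
            f"Authentication-Results: mx.example.net; {results}\n"
            "Subject: Account notice\n\nbody\n")

# Constructed samples: authentic sender, lookalike that authenticates, forged sender.
LEGIT = sample("news@welcome.aexp.com", "spf=pass; dkim=pass header.d=welcome.aexp.com")
LOOKALIKE = sample("news@welcome.aexmp.com", "spf=pass; dkim=pass header.d=aexmp.com")
FORGED = sample("news@welcome.aexp.com", "spf=fail; dkim=none")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("forged", FORGED)]:
        print(name, "->", classify(raw))
```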