On 02/22/2018 06:10 PM, John Hardin wrote:
I was just referring to the OFFICE365 subrule, as there isn't one like
that yet - hotmail, sure, outlook, sure, but not office365. We should
have added that back when O365 started up.
I had already added a generic rule for this in my sandbox so you can see
it at http://ruleqa.spamassassin.org now:
__RCVD_OFFICE365
Hotmail and Office 365 tenants come from this so it's not a direct
relationship to spam but can be used in meta rules to amplify other
spammy rules.
__RCVD_OFFICE365_PROXY
This is interesting because often when there is a true compromised
account on O365, spammers will use authenticated SMTP to blast out spam
not using the Outlook Web interface or an Outlook client. This will hit
on normal mail clients like Thunderbird or Apple Mail so it too is not a
direct indication of spam.
My local __RCVD_OFFICE365 rule that combines sources of freemail like
O365 in with FREEMAIL_* rules is already working well the past 24 hours.
I am offsetting my BAYES_00 score of -3.2 by adding back 2.0 when for
email from O365. It has helped to blocked a bogus file sharing email
using a URL shortener that would have scored just below the MailScanner
default threshold of 6.0.
--
David Jones
