Hi,

>> https://pastebin.com/raw/Fv5NKRAP
>>
>> Anyone able to take a look and provide ideas on how to block them? It
>> passes with DKIM_VALID_AU, RCVD_IN_SENDERSCORE_90_100 and SPF_PASS.
>>
>> It's missing headers, and I've written a rule to account for that, but
>> it would be great to have some other input.
>>
>> Interestingly, it was passed through a mimecast system first.
>
> You mean "last." Unless the pointless (yes: POINTLESS, also INTENTIONALLY
> DECEPTIVE) 'example.com' munging in your paste is masking a machine other
> than your own.

I meant first before it was delivered, but you're right. Thanks for your help, as always. It's just easier to avoid any issues with the domain owner, but I'll consider it.

> Anyway, Mimecast only sucks less than MS as a consequence of scale.
> Fortunately, their lesser scale and sub-par spam/ham ratio makes their IPs a
> very reasonable target for rejection-by-default.

Do you have more info on their sub-par spam/ham ratio? I understood they were very competitive and a big player...

>> The amount of Outlook/O365/Exchange headers in this email is enormous!
>
> Yeah, but they are not very useful in this case.
>
> If the garbage in the HTML of the body isn't misguided paste-munging, it
> seems like a great basis for a rawbody rule.

I was just noting that a good majority of the email itself was in the large, superfluous O365 headers.

> Score badness:
>
> RCVD_IN_DNSWL_LOW=-0.7
>
> That's got to be a political score. In my experience, RCVD_IN_DNSWL_LOW
> means "probably spam" so I score it at 0.8. YMMV.

I get a lot of complaints about false positives. Aren't there ratios in masschecks for these that we can follow or use as a basis?

This is actually another case where it's scored -0.7 in 50_scores.cf and also the same score in KAM.cf. I'm assuming since it's part of the default SA that it's been set that way for a reason? I'm just concerned that changing a default rule by such a big shift from -0.7 to +0.8 could screw up the balance.

> RCVD_IN_HOSTKARMA_W=-2.5
>
> That's wishful thinking. I gave up using the Hostkarma "white" result at all
> after seeing no discernible utility to it over the course of a year. Marc
> Perkel isn't as smart as he thinks. He's plenty smart, just not THIS smart.

I agree the score is too low.

> RCVD_IN_SENDERSCORE_90_100=-0.6
>
> That does not make sense. Logically *at best* any Senderscore below 99 (do
> 100 scores really exist? I've never noticed any...) should have some
> derogatory (i.e. positive) score. A 90 score means they've seen *some*
> recent spam from that IP. Do you really want to reward that?

I've also reduced this one (and the 80-89 score) to have much less impact. It would be nice to get these in regular masschecks rotation too.
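An added illustration, not code from the thread or from the SpamAssassin project: a local.cf fragment showing the two ways of acting on the scores discussed above, a flat override of the stock values and, as an alternative that does not disturb the default balance globally, a meta rule that only cancels the whitelist credit when other evidence of a bad message is present. The rule names RCVD_IN_DNSWL_LOW, RCVD_IN_HOSTKARMA_W and RCVD_IN_SENDERSCORE_90_100 and their stock values come from the thread; the override values, the LOCAL_* rule names and the choice of the Date header as the "missing header" are assumptions made here for illustration, since the thread does not say which headers the message lacks.

```conf
# local.cf fragment (added illustration; override values are assumptions,
# not the thread's or the SpamAssassin project's recommendations).
#
# Stock scores quoted in the thread, for reference:
#   RCVD_IN_DNSWL_LOW            -0.7
#   RCVD_IN_HOSTKARMA_W          -2.5
#   RCVD_IN_SENDERSCORE_90_100   -0.6

# Option 1: flat override. A "score" line in local.cf replaces the stock
# value; the last definition read wins, so local.cf must be read after
# 50_scores.cf and KAM.cf (the normal site-config ordering).
score RCVD_IN_DNSWL_LOW          0.8
score RCVD_IN_HOSTKARMA_W       -0.5
score RCVD_IN_SENDERSCORE_90_100 -0.1

# "Missing header" rule in the style the thread describes. The Date header
# is a placeholder only (SpamAssassin ships its own MISSING_DATE); point the
# subrule at whichever header your sample actually lacks and rename it.
header   __LOCAL_HAS_DATE   exists:Date
meta     LOCAL_MISSING_DATE !__LOCAL_HAS_DATE
describe LOCAL_MISSING_DATE Message has no Date header
score    LOCAL_MISSING_DATE 1.0

# Option 2: leave the stock whitelist scores alone and instead add back the
# credit only when a whitelist hit coincides with the structural defect
# above. This targets the sample without shifting every DNSWL/Hostkarma
# listed sender toward spam.
meta     LOCAL_WL_BUT_BROKEN (RCVD_IN_DNSWL_LOW || RCVD_IN_HOSTKARMA_W) && LOCAL_MISSING_DATE
describe LOCAL_WL_BUT_BROKEN Whitelisted sender but message is structurally broken
score    LOCAL_WL_BUT_BROKEN 2.0
```

Run `spamassassin --lint` after editing to catch syntax errors, then feed the saved sample through `spamassassin -t < sample.eml` and confirm the LOCAL_* rules fire and the total crosses your threshold before reloading the daemon. Use one option or the other: applying both the overrides and the meta rule double-counts the whitelist hit.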