On Tue, 19 Jun 2018 16:39:09 +0200 Andy Smith wrote: > Hi all, > > the last week or so we are having a lot of problems with emails > either with subjects like "New Approach Contractors Ltd wants to > share Scan" or "Invoice INV-03056 from Encompass Environmental Ltd" > which contian an HREF to see your "scan" or "invoice" at a URL > ending /share or /directory respectively. These aren't detected by > Spamassassin, I have Razor and iHash configured running on > Spamassassin 3.4.1. Even when I have Bayes learn a few examples, > subsequent Spams can get Bayes as low as 50%. > > Example: https://pastebin.com/85v2nHkF > > My question is does anyone have any ideas/tips/rules for catching > these. I've created a custom rule that checks for the subject and > HREF, but ever time a new variant comes out I'll have to update this. > Anyone got any better solutions?
I think in this day and age if an email has 'invoice' in the subject, and doesn't pass either dkim or spf, it's worth a few points.
