You did well. Not perfect, but nearly there. The key words here are: dynamic, helo, from and to. No need to use a blacklist.

The message was sent from a dynamic IP. No reputable email server does that. The next reason to reject is the failure of SPF. The recipient should implement SPF correctly. The third reason is the Message-ID.

RG

On Fri, Oct 5, 2018 at 23:57, David Jones <djo...@ena.com> wrote:

> On 10/5/18 4:38 PM, Antony Stone wrote:
>> On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:
>>
>>>> https://pastebin.com/TRD7FzRQ
>>>>
>>>> I have a sample here
>>>
>>> There are at least three reasons to reject that e-mail upfront, with no
>>> need to parse its body.
>>
>> Hints might be appreciated for the uninitiated.
>>
>>
>> Antony.
>>
>>
>> PS: Please do NOT set Reply-To to your own address on list postings.
>>
>
> Are you doing any RBLs at the MTA? This thing looks really bad and
> would never have made it past my Postfix postscreen_dnsbl_sites list.
>
> http://multirbl.valli.org/lookup/114.46.223.46.html
>
> If it had made it to SpamAssassin, here's what my rules would have scored:
>
> Content analysis details:   (29.8 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.0000]
>  3.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.0000]
>  0.5 FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
>  1.5 CK_HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
>                             (Split IP)
>  0.2 CK_HELO_GENERIC        Relay used name indicative of a Dynamic Pool or
>                             Generic rPTR
>  1.9 DATE_IN_FUTURE_06_12   Date: is 6 to 12 hours after Received: date
>  3.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>  0.1 FROM_EQUALS_TO         From: and To: have the same username
>  0.0 KHOP_DYNAMIC           Relay looks like a dynamic address
>  3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
>                             2)
>  1.0 RDNS_DYNAMIC           Delivered to internal network by host with
>                             dynamic-looking rDNS
>  2.2 ENA_RELAY_NOT_US       Relayed from outside the US and not on
>                             whitelists
>  0.1 HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam
>                             (FTSDMCXX/boundary variant) + direct-to-MX
>  2.0 MIMEOLE_DIRECT_TO_MX   MIMEOLE + direct-to-MX
>  2.5 DOS_OE_TO_MX           Delivered direct to MX with OE headers
>  2.5 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
>  0.0 ENA_BAD_SPAM           Spam hitting really bad rules.
>
> --
> David Jones
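The three up-front rejection reasons named above (dynamic relay, SPF failure, Message-ID) as header checks an MX could run before parsing the body; this is an added example, not code from either poster. The sample headers are constructed (only the relay IP comes from the thread), and the Message-ID test encodes an assumption about what the "third reason" refers to.

```python
import re
import email.utils
from email import message_from_string

# Constructed sample (not the thread's pastebin message); only the relay IP is from the thread.
SAMPLE = """\
Received: from 114-46-223-46.dynamic.isp.example (unknown [114.46.223.46])
Received-SPF: fail (mx.recipient.example: 114.46.223.46 is not permitted by sender.example)
From: bob@sender.example
To: bob@sender.example
Message-ID: <00a1b2c3$d4e5f6a7@localhost>

"""

RECEIVED = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]")  # "from HELO (rdns [ip])"
SPLIT_IP = re.compile(r"(?<!\d)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\d)")
DYN_WORDS = re.compile(r"\b(dynamic|dyn|pool|dsl|ppp|cable|dhcp)\b", re.I)

def helo_is_dynamic(received):
    """HELO/rDNS name embeds the relay's own octets (split IP) or a pool-style label."""
    m = RECEIVED.search(received)
    if not m:
        return False
    octets = SPLIT_IP.search(m.group(1))
    return bool(DYN_WORDS.search(m.group(1))) or (
        octets is not None and set(octets.groups()) == set(m.group(2).split(".")))

def spf_failed(msg):
    """Hard SPF fail as recorded by our own MX in Received-SPF or Authentication-Results."""
    return (msg.get("Received-SPF", "").split(" ", 1)[0].lower() == "fail"
            or "spf=fail" in msg.get("Authentication-Results", "").lower())

def message_id_suspicious(msg):
    """Assumption: the 'third reason' is a Message-ID whose right-hand side is localhost,
    a bare IP, or not a host under the From domain."""
    mid = msg.get("Message-ID", "").strip("<> ")
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if "@" not in mid or "@" not in sender:
        return True
    rhs = mid.rsplit("@", 1)[1].lower().strip("[]")
    dom = sender.rsplit("@", 1)[1].lower()
    return rhs == "localhost" or rhs.replace(".", "").isdigit() or not (
        rhs == dom or rhs.endswith("." + dom))

def reject_reasons(raw):
    """Reasons to reject up front; the first Received header is the one our MX added."""
    msg = message_from_string(raw)
    rcvd = (msg.get_all("Received") or [""])[0]
    checks = [("dynamic-helo", helo_is_dynamic(rcvd)), ("spf-fail", spf_failed(msg)),
              ("message-id", message_id_suspicious(msg))]
    return [name for name, hit in checks if hit]
```

On the constructed sample, reject_reasons(SAMPLE) returns all three reasons; a message relayed from a properly named host with SPF pass and a Message-ID under the sender's domain returns an empty list.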