On 16-10-19 12:19, Simon Wilson wrote:
Hi, I have a Horde system submitting to a
postfix/amavisd-new/spamassassin server for spam detection (different
servers, same subnet). I *do* consciously run SA over internally
submitted emails to catch compromised accounts (it happened once to me
when a family member's email password was compromised and a bunch of
spam got sent out).
I'm having occasional issues with mail sent by some users from their
home ISP connections (i.e. Chrome client on ISP dynamic IP -> Horde
server/postfix etc). Email validly sent through the trusted host Horde
server gets a bonus (ALL_TRUSTED = -2) which SA is triggering fine when
appropriate, but some emails are still triggering thresholds, so I was
wondering what others do for configuring for traffic that is *mostly*
trusted but should still be checked for obvious spam?
This is not a new system, it's well trained with thousands of ham and
spam over several years. This email was genuine ham, and was discarded
(Amavis threshold 6.0 -> discard).
Content analysis details: (6.0 points, 6.2 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 2.1 TO_NO_BRKTS_DYNIP      To: lacks brackets and dynamic rDNS
 0.5 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
It feels like the dynamic IP rules are killing it here - what do others
do for valid dynamic IP emails inbound from a web client email through
trusted hosts? Just give ALL_TRUSTED more of a boost? Or anything more
scientific??
The default rule scores obviously don't apply for your use case here:
dynamic RDNS is to be expected for the relayed emails you are scanning.
Also it is not an indicator that the sender is abusing a (hacked)
end-user host. So you should adjust the scores of the rules that are not
applicable for your use case:
score RDNS_DYNAMIC 0.001
score HELO_DYNAMIC_IPADDR2 0.001
Something to note: RDNS_DYNAMIC tries to exclude authenticated email.
Are you accepting email from senders without authentication? Or maybe
your trusted_networks/internal_networks are misconfigured, so the
authentication is not properly detected?
Kind regards,
Tom
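To see what Tom's two `score` lines would do to the message Simon quoted, the following added example (not part of the thread, and not SpamAssassin code) parses the "Content analysis details" report, applies local.cf-style `score` overrides, and recomputes the total. It models only the scoring arithmetic, not rule evaluation; the report text and the override lines are copied from the two messages above, and the `scoreset` handling assumes SpamAssassin's documented one-or-four-values form of the `score` directive.

```python
"""Re-score a SpamAssassin 'Content analysis details' report under local.cf
score overrides. Added example for the thread above; the report is Simon's
as quoted, the overrides are Tom's two 'score' lines."""
import re

# Simon's report, copied from the thread.
REPORT = """\
Content analysis details: (6.0 points, 6.2 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.6 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS
 2.1 TO_NO_BRKTS_DYNIP      To: lacks brackets and dynamic rDNS
 0.5 NO_FM_NAME_IP_HOSTN    No From name + hostname using IP address
"""

# Tom's suggested local.cf lines.
LOCAL_CF = """\
score RDNS_DYNAMIC 0.001
score HELO_DYNAMIC_IPADDR2 0.001
"""

# A hit line: score, rule name, start of description.
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
# A local.cf score line, with an optional trailing '#' comment.
SCORE_RE = re.compile(r"^\s*score\s+([A-Z0-9_]+)\s+(.+?)\s*(?:#.*)?$")
TOTAL_RE = re.compile(r"\((-?\d+\.\d+) points")


def reported_total(text):
    """Total the report itself claims in its header line."""
    m = TOTAL_RE.search(text)
    return float(m.group(1)) if m else None


def parse_report(text):
    """Return [(rule, score, description)] from a report; indented lines
    without a score are continuations of the previous description."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1)), m.group(3).strip()))
        elif hits and line.startswith("    ") and line.strip():
            name, score, desc = hits[-1]
            hits[-1] = (name, score, desc + " " + line.strip())
    return hits


def parse_local_cf(text, scoreset=3):
    """Return {rule: score} from 'score NAME n.nn [n.nn n.nn n.nn]' lines.
    With four values SpamAssassin picks one per score set (0 = no Bayes and
    no net tests, 1 = net only, 2 = Bayes only, 3 = Bayes and net), so the
    default here assumes a Bayes + network setup like Simon's."""
    overrides = {}
    for line in text.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue
        values = [float(v) for v in m.group(2).split()]
        overrides[m.group(1)] = values[scoreset] if len(values) == 4 else values[0]
    return overrides


def rescore(hits, overrides):
    """Sum the hits with overrides applied; return (total, {rule: (old, new)})."""
    total = 0.0
    changed = {}
    for name, score, _ in hits:
        new = overrides.get(name, score)
        if new != score:
            changed[name] = (score, new)
        total += new
    return round(total, 3), changed


if __name__ == "__main__":
    hits = parse_report(REPORT)
    before = round(sum(s for _, s, _ in hits), 3)
    after, changed = rescore(hits, parse_local_cf(LOCAL_CF))
    print(f"reported {reported_total(REPORT)}, parsed {before}, rescored {after}")
    for name, (old, new) in changed.items():
        print(f"  {name}: {old} -> {new}")
    for name, score, _ in sorted(hits, key=lambda h: -h[1]):
        print(f"  still counted: {score:5.1f} {name}")
```

Run against the quoted report, the parsed hits sum to the reported 6.0, and with the two overrides the message drops to 1.402, far below the 6.0 kill level Simon quotes. The listing of the remaining hits also shows that TO_NO_BRKTS_DYNIP (2.1), which likewise keys on dynamic rDNS, is then the largest positive contributor, which is worth knowing when reviewing further mail from the same relay path.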