On 2020-09-16 05:28, John Hardin wrote:
On Tue, 15 Sep 2020, Mark London wrote:

Hi - I receive email from the spiceworks.com help desk, which is sent via Sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score, which is 3.4? Thanks. - Mark

They trigger the rule because they match the rule's conditions - a
message having a Sendgrid redirect URL. They've been abused in a lot
of phishing lately.

The score is that high because spams that have such aren't scoring
highly based on all the other rules, and the SpamAssassin masscheck
corpora do not have many instances of legitimate Sendgrid redirects.

An important question is: are these mails being scored as spammy and
is that interfering with proper delivery? Or are you just worried
about a single high-scoring rule hit?

I will take a look and see if the FP rate can be reduced. If you could
send me an example of one or more of these messages privately (zipped,
with all message headers intact) then I might be able to do a better
job of that.

As a workaround, you could whitelist the spiceworks.com help desk email address.

The rule is absolutely useless: of more than 5.000 hits last week, at least 2.000 were false positives. 10% were definitely spam; the rest were unclassified, with scores mostly less than 5.0. I've set the score to 0.001.

Michael
