On Nov 12, 2020, at 11:54 AM, John Hardin <jhar...@impsec.org> wrote:
>
> On Thu, 12 Nov 2020, Darrell Budic wrote:
>
>> Got a few of these 411 google form spams recently and was wondering why they
>> weren’t getting caught by SA. Looks like the Return-Path: is triggering a
>> whitelist rule on google.com so the rest of the tests aren’t enough to get
>> it tagged. Anything I can do to keep the whitelist rule from firing when the
>> free mail rules have been tripped?
>
> You can't keep it from firing beyond removing google.com from the whitelist,
> which would impact non-gmail google mails. What you *can* do is define a meta
> to offset the whitelist score:
>
>   meta     FREEM_WLIST_OFFSET  USER_IN_SPF_WHITELIST && FREEMAIL_FROM
>   score    FREEM_WLIST_OFFSET  100.000  # offset whitelist score
>   describe FREEM_WLIST_OFFSET  Offset SPF whitelist on freemail From
>
> Of course, that would prevent you from auth-whitelisting any freemail
> provider, if you wanted to do such a thing.

Thanks, figured it would be something like that. Would this make sense for something a bit more granular?

uri      GOOGLE_FORMS  /docs\.google\.com\/forms\//
meta     FREEM_WLIST_OFFSET_GOOGLE  GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
score    FREEM_WLIST_OFFSET_GOOGLE  100.000  # offset whitelist score
describe FREEM_WLIST_OFFSET_GOOGLE  Offset SPF whitelist on freemail From for google forms

>> X-Spam-Tests:
>> BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhar...@impsec.org pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> You can't reason a person out of a position if
> he didn't use reason to get there in the first place.
> -- Jonathan Swift, paraphrased
> -----------------------------------------------------------------------
> 166 days since the first private commercial manned orbital mission (SpaceX)
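
Added example, not part of either poster's message and not SpamAssassin's own code: a Python sketch that evaluates the two offset rule sets from the thread against hits taken from the quoted X-Spam-Tests header, to show which messages each one actually offsets. The names BROAD, GRANULAR, SPAM_HITS, FORM_URIS, parse, meta_fires and offsets are hypothetical, the URI is constructed, and the evaluator handles only rule names, !, && and || (no parentheses or arithmetic).

```python
import re

# Rule sets as posted in the thread (describe lines and comments dropped).
BROAD = r"""
meta  FREEM_WLIST_OFFSET USER_IN_SPF_WHITELIST && FREEMAIL_FROM
score FREEM_WLIST_OFFSET 100.000
"""
GRANULAR = r"""
uri   GOOGLE_FORMS /docs\.google\.com\/forms\//
meta  FREEM_WLIST_OFFSET_GOOGLE GOOGLE_FORMS && USER_IN_SPF_WHITELIST && FREEMAIL_FROM
score FREEM_WLIST_OFFSET_GOOGLE 100.000
"""
# Subset of the X-Spam-Tests hits quoted in the thread.
SPAM_HITS = {"BAYES_60", "FREEMAIL_FROM", "FREEMAIL_REPLYTO", "LOTS_OF_MONEY",
             "MONEY_FRAUD_8", "SPF_PASS", "USER_IN_SPF_WHITELIST"}
# Constructed URI list standing in for the links found in one message.
FORM_URIS = ["https://docs.google.com/forms/d/e/EXAMPLE/viewform"]

def parse(text):
    # Collect "<type> <name> <value>" lines for the three rule types used here.
    rules = {"uri": {}, "meta": {}, "score": {}}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in rules:
            rules[parts[0]][parts[1]] = parts[2].strip()
    return rules

def meta_fires(expr, hits):
    """Boolean subset of meta syntax: && binds tighter than ||, ! negates a name."""
    def term(t):
        t = t.strip()
        return t[1:].strip() not in hits if t.startswith("!") else t in hits
    return any(all(term(t) for t in alt.split("&&")) for alt in expr.split("||"))

def offsets(ruleset, header_hits, message_uris):
    """Map each meta rule that fires for this message to its score."""
    rules = parse(ruleset)
    hits = set(header_hits)
    for name, pattern in rules["uri"].items():
        if any(re.search(pattern[1:-1], u) for u in message_uris):  # strip /.../
            hits.add(name)
    return {n: float(rules["score"][n]) for n, e in rules["meta"].items()
            if meta_fires(e, hits)}

if __name__ == "__main__":
    print("broad, no form link:   ", offsets(BROAD, SPAM_HITS, []))
    print("granular, form link:   ", offsets(GRANULAR, SPAM_HITS, FORM_URIS))
```

The broad rule offsets every SPF-whitelisted freemail sender, while the granular one leaves the whitelist intact unless a Google Forms link is also present.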