On Thu, 12 Nov 2020 13:56:10 -0600
Darrell Budic wrote:

> > On Nov 12, 2020, at 1:01 PM, RW <rwmailli...@googlemail.com> wrote:
> >
> > On Thu, 12 Nov 2020 11:23:29 -0600
> > Darrell Budic wrote:
> >
> >> Got a few of these 411 google form spams recently and was wondering
> >> why they weren’t getting caught by SA. Looks like the Return-Path:
> >> is triggering a whitelist rule on google.com so the rest of the
> >> tests aren’t enough to get it tagged. Anything I can do to keep the
> >> whitelist rule from firing when the free mail rules have been
> >> tripped?
> >
> > That whitelisting rule is your own.
> >
> > Take a look at how the default whitelisting of google.com is done in
> > the core rules using the lower scoring "def_" whitelist
> > definitions.
>
> Ah, good point, I missed that at first. I’d added the whitelist_auth
> *.google.com with rules to add points to things
> with google From: addresses to catch things claiming to be from
> them but not. I will have to reconsider those and at least change
> them to the def_ versions, thanks for pointing that out.

The def versions are already there by default. The important thing is
that those default rules didn't hit that spam:

./60_whitelist_auth.cf:def_whitelist_auth  *@google.com
./60_whitelist_auth.cf:def_whitelist_auth  *@accounts.google.com
./60_whitelist_dkim.cf:def_whitelist_from_dkim  googlealerts-nore...@google.com
./60_whitelist_dkim.cf:def_whitelist_from_dkim  *@*.google.com
./60_whitelist_dkim.cf:# def_whitelist_from_dkim  *@google.com

where def_whitelist_auth is SPF or DKIM. The only envelope subdomain
checked with SPF is accounts.google.com.
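
An added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of the glob matching discussed above. It shows why a local `whitelist_auth *.google.com` entry fires on a Return-Path under any google.com subdomain while the stock def_ entries do not. The helper names and sample addresses are constructed, and SPF/DKIM results are passed in as booleans rather than computed.

```python
import re

# The poster's own entry plus the stock def_ entries quoted in the message
# (the DKIM-only entry for one specific, elided address is left out).
ENTRIES = [
    ("whitelist_auth", "*.google.com"),
    ("def_whitelist_auth", "*@google.com"),
    ("def_whitelist_auth", "*@accounts.google.com"),
    ("def_whitelist_from_dkim", "*@*.google.com"),
]

def glob_to_regex(pattern):
    """Whitelist patterns are file-style globs: only * and ? are special."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE)

def matching_entries(envelope_from, header_from, spf_pass, dkim_pass):
    """Return the (directive, pattern) entries that would whitelist a message.

    Simplified model (assumption): SPF vouches for the envelope sender,
    DKIM for the From: address; both verdicts are supplied by the caller.
    """
    hits = []
    for directive, pattern in ENTRIES:
        rx = glob_to_regex(pattern)
        via_spf = spf_pass and rx.fullmatch(envelope_from) is not None
        via_dkim = dkim_pass and rx.fullmatch(header_from) is not None
        # *_from_dkim entries accept DKIM only; *_auth entries accept either.
        matched = via_dkim if directive.endswith("_from_dkim") else (via_spf or via_dkim)
        if matched:
            hits.append((directive, pattern))
    return hits

# Constructed sample: form-style mail whose Return-Path sits under a
# (made-up) google.com subdomain and passes SPF; From: is a free-mail address.
FORM_MAIL = dict(envelope_from="bounce-0001@mailer.google.com",
                 header_from="someone@gmail.com", spf_pass=True, dkim_pass=False)
# Constructed sample: mail from the one envelope subdomain the stock rules cover.
ACCOUNT_MAIL = dict(envelope_from="noreply@accounts.google.com",
                    header_from="noreply@accounts.google.com",
                    spf_pass=True, dkim_pass=False)

if __name__ == "__main__":
    for name, msg in (("form", FORM_MAIL), ("account", ACCOUNT_MAIL)):
        print(name, matching_entries(**msg))
```

Running the same check over a site's own whitelist entries and a sample of real envelope senders is a quick way to see which local patterns are broader than the stock ones.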