On 2021-04-04 12:54, Matus UHLAR - fantomas wrote:
Hello,
I have received spam from:
From: "Linda marry (via Google Drive)"
<drive-shares-nore...@google.com>
it wasn't caught because of:
60_whitelist_auth.cf:def_welcomelist_auth *@google.com
Now that users can abuse google.com domain, isn't it time to remove
*@google.com from def_whitelist_* ?
the full header:
X-Spam-Report:
* 3.5 L_URIBL_FANTOMAS contains locally blocklisted URI
* [URIs: sites.google.com]
change score to 7.5
* 0.5 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* 4.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [209.85.167.206 listed in wl.mailspike.net]
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
* https://www.dnswl.org/, no trust
* [209.85.167.206 listed in list.dnswl.org]
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -7.5 USER_IN_DEF_DKIM_WL From: address is in the default DKIM
* white-list
change score to -3.5
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* 1.0 GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is
* from a suspicious TLD
or add more score to this
score GOOGLE_DRIVE_REPLY_BAD_NTLD (3) (3) (3) (3)
will add 3 to masscheck scoring
I even have the following in my local.cf to be able to catch google
docs/drive/whatever spam via URIBL:
clear_uridnsbl_skip_domain goo.gl google.com
util_rb_2tld google.com
seems working