>On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote:
>> I prefer to solve problems instead of playing with scores.
>>
>> It seems that abusers have worked around SA by using google domains
>> and addresses for sending spam from.
On 04.04.21 14:19, RW wrote:
>If google have been foolish enough to allow abuse on the
>organizational domain it should definitely be taken out of the def
>whitelists until they move anything abusable to a different
>subdomain/domain.
On Sun, 4 Apr 2021 16:47:18 +0200 Matus UHLAR - fantomas wrote:
That's what I'm trying to say.
And I'm agreeing. But I'm also saying that this kind of thing would be
less of a problem if the 'def' whitelists were better organized.
> For the
>'def' whitelists to have any point they should be tuned to prevent
>most such FPs while having a minimal impact on TPs. The rules are
>scored far too strongly, but the fact they are additively scored
>makes it impossible to fine tune them.
>
>There's no point in additive scoring anyway. If any of them is hit
>it's most likely the spam has gone through an abused server.
If you mean using a combination of USER_IN_DEF_SPF_WL,
USER_IN_DEF_DKIM_WL and USER_IN_DEF_WELCOMELIST, they could be put
into an if condition.
On 04.04.21 17:01, RW wrote:
I give them all a score of -0.001 and then score
USER_IN_DEF_WELCOMELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL
...add USER_IN_DEF_WHITELIST there?
The way it's currently set up you could get a total def whitelist
score of -7.5, -15, -22.5 or -30, which is insane if you want there to
be a useful distinction between def and full whitelisting.
The worst part is that the commonest form, "def_whitelist_auth", is
scored separately for SPF and DKIM for a single whitelisting entry. So
even if you avoid overlap with def_whitelist_from_rcvd, you still have
this random N and 2N point scoring whatever you set N to.
I have just found that
def_whitelist_auth *@google.com
leads to:
USER_IN_DEF_DKIM_WL
...and since there's no undef_whitelist_from_auth, it sucks pretty much and
I can only disable the whole rule because of google.
I can guess that USER_IN_DEF_WHITELIST only applies for def_whitelist_from
and def_whitelist_from_rcvd which are used for mail without SPF/DKIM
authentication.
Which then makes even less sense to give it -15 while authenticated
whitelists have -7.5.
I have an idea how to rewrite them, will post later.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...
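
The single-score approach RW describes in the thread above, written out as a SpamAssassin local.cf fragment. This is an added example, not configuration posted by either participant: the meta rule name LOCAL_DEF_WL_ANY and its score are assumptions, and USER_IN_DEF_WHITELIST is included as the thread suggests.

```conf
# Added example. Rule names other than LOCAL_DEF_WL_ANY are the ones named in the thread.

# Neutralise the individual 'def' rules so they no longer add up,
# while keeping them enabled (a score of 0 would disable the rule
# and the meta below could never see it).
score USER_IN_DEF_WELCOMELIST -0.001
score USER_IN_DEF_WHITELIST   -0.001
score USER_IN_DEF_SPF_WL      -0.001
score USER_IN_DEF_DKIM_WL     -0.001

# One meta rule that fires once, however many of the above hit.
# LOCAL_DEF_WL_ANY is a hypothetical name chosen for this example.
meta     LOCAL_DEF_WL_ANY (USER_IN_DEF_WELCOMELIST || USER_IN_DEF_WHITELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL)
describe LOCAL_DEF_WL_ANY Sender matched at least one def_whitelist entry
tflags   LOCAL_DEF_WL_ANY nice

# Assumed value: -7.5 is the single-hit figure quoted in the thread.
# Tune it so it stays clearly weaker than full whitelisting.
score    LOCAL_DEF_WL_ANY -7.5
```

With this in place a message matching a def_whitelist_auth entry on both SPF and DKIM gets the meta score once plus a few thousandths, instead of N and 2N. `spamassassin --lint` will confirm the fragment parses.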