On 8 Apr 2021, at 8:04, Matus UHLAR - fantomas wrote:

>>>> On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote:
>>>>> I prefer to solve problems instead of playing with scores.
>>>>>
>>>>> It seems that abusers have worked around SA by using google domains
>>>>> and addresses for sending spam from.
>>>
>>> On 04.04.21 14:19, RW wrote:
>>>> If google have been foolish enough to allow abuse on the
>>>> organizational domain it should definitely be taken out of the def
>>>> whitelists until they move anything abusable to a different
>>>> subdomain/domain.
>
>> On Sun, 4 Apr 2021 16:47:18 +0200 Matus UHLAR - fantomas wrote:
>>> That's what I'm trying to say.
>>
>> And I'm agreeing. But I'm also saying that this kind of thing would be
>> less of a problem if the 'def' whitelists were better organized.
>
>
>>>> For the
>>>> 'def' whitelists to have any point they should be tuned to prevent
>>>> most such FPs while having a minimal impact on TPs. The rules are
>>>> scored far too strongly, but the fact they are additively scored
>>>> makes it impossible to fine tune them.
>>>>
>>>> There's no point in additive scoring anyway. If any of them is hit
>>>> it's most likely the spam has gone through an abused server.
>>>
>>> if you mean using combination of USER_IN_DEF_SPF_WL,
>>> USER_IN_DEF_DKIM_WL and USER_IN_DEF_WELCOMELIST, they could be put
>>> into if condition.
>
> On 04.04.21 17:01, RW wrote:
>> I give them all a score of -0.001 and then score
>>
>> USER_IN_DEF_WELCOMELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL
>
> ...add USER_IN_DEF_WHITELIST there?
>
>> The way it's currently setup you could get a total def whitelist
>> score of -7.5, -15 -22.5 or -30, which is insane if you want there to
>> be a useful distinction between def and full whitelisting.
>>
>> The worst part is that the commonest form, "def_whitelist_auth", is
>> scored separately for SPF and DKIM for a single whitelisting entry. So
>> even if you avoid overlap with def_whitelist_from_rcvd, you still have
>> this random N and 2N point scoring whatever you set N to.
>
> I have just found that
>
> def_whitelist_auth *@google.com
>
> leads to:
>
> USER_IN_DEF_DKIM_WL
>
> ...and since there's no undef_whitelist_from_auth, it sucks pretty much and
> I can only disable the whole rule because of google.

unwhitelist_auth exists. 'perldoc Mail::SpamAssassin::Conf' is helpful.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
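
As an added example (not part of the original message and not shipped with SpamAssassin), a local.cf sketch of the two approaches discussed in this thread: RW's single meta rule in place of additive def-whitelist scores, and the unwhitelist_auth setting Bill Cole points to. The rule name LOCAL_DEF_WL_ANY and the -3.0 score are assumptions chosen for illustration.

```conf
# /etc/mail/spamassassin/local.cf  (site-wide config; path may differ per install)

# 1) Neutralise the individual def-whitelist rules so they no longer add up.
#    They still fire (and show in reports), but contribute almost nothing.
score USER_IN_DEF_WELCOMELIST -0.001
score USER_IN_DEF_SPF_WL      -0.001
score USER_IN_DEF_DKIM_WL     -0.001

# 2) One meta rule that fires if ANY of them hit, scored once.
#    LOCAL_DEF_WL_ANY is a hypothetical local rule name.
#    If your ruleset still defines USER_IN_DEF_WHITELIST, it can be OR-ed in
#    here too, as suggested in the thread.
meta     LOCAL_DEF_WL_ANY (USER_IN_DEF_WELCOMELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL)
describe LOCAL_DEF_WL_ANY Sender matched at least one default whitelist entry
# Illustrative value only: pick something clearly weaker than a full
# whitelist hit so the def/full distinction stays meaningful.
score    LOCAL_DEF_WL_ANY -3.0

# 3) Drop the single abused entry instead of disabling the whole rule.
#    The address pattern is the one quoted in the thread; it should be
#    written the same way as the def_whitelist_auth line it removes.
unwhitelist_auth *@google.com
```

Running `spamassassin --lint` after the change catches typos in rule names before the configuration goes live.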