On 2021-04-27 01:19 PM, Dave Wreski wrote:
-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
[185.41.28.7 listed in
hostkarma.junkemailfilter.com]
We've reduced this score to -1 locally.
-1.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
Needs to be trained, obviously. Bayes is best for this body content.
Looks like it's coming from some kind of bulk mail service which is
whitelisted. Even after training with bayes, it will still be a false
negative.
Any ideas on the best way to tackle these kinds of fake order spam?
Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services
OK, how do I get those rules installed? I've only installed KAM rules
using a channel. I don't see anything similar for SEM rules. I see the
page you linked to says to drop this into the config:
# SEM-FRESH
urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2
body SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
describe SEM_FRESH Contains a domain registered less than 5 days ago
tflags SEM_FRESH net
score SEM_FRESH 0.5
I've never seen anything like this before. Looks like this is the
documentation for that:
https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_URIDNSBL.html
Should I be adding other services besides this one for urirhssub lookups?
Invalid List-ID. You can then use that with other weirdness in a meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~ /<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID && !__LIST_ID_DOMAIN_IN_BRACKETS
score LIST_ID_IMPROPER_FORMAT 0.001
describe LIST_ID_IMPROPER_FORMAT List-id has improper format
You lost me here. The spam has this:
List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>
That's not legit? It's in brackets.
Investigate configuring dcc. We also created a meta that matches DCC
and URIBLs.
Yes, on my todo list.
I believe the new Esp module that works to identify bad sendgrid
accounts also has support for sendinblue accounts, but to what extent?
X-Mailer: Sendinblue
To start, I wrote this rule that I think will probably work well because
it doesn't make sense for any order information to come from a
mailing list.
# fake order spam
header __LOCAL_FAKE_ORDER_SUBJ Subject =~ /your.order/i
header __LOCAL_FAKE_ORDER_1 X-Mailer =~ /Sendinblue/i
header __LOCAL_FAKE_ORDER_2 List-Id =~ /./
# Subject must match AND at least one of the mailing-list indicators
# (the sub-rule names must match the header rules defined above)
meta LOCAL_FAKE_ORDER __LOCAL_FAKE_ORDER_SUBJ && (__LOCAL_FAKE_ORDER_1 + __LOCAL_FAKE_ORDER_2 >= 1)
score LOCAL_FAKE_ORDER 3.0
I believe later versions of SA also have more geolocation support - do
you have a need to receive mail from France?
$ whois 185.41.28.7
...
route: 185.41.28.0/22
descr: SENDINBLUE-185-41-28-0-22
origin: AS200484
Regards,
Dave
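The following is an added Python example, not SpamAssassin code and not from either poster, that re-implements the header sub-rules and metas quoted above so the List-Id question can be checked directly: the `=` in the spam's List-Id falls outside `[\w-]`, so the bracket regex never matches and LIST_ID_IMPROPER_FORMAT fires; the fake-order meta is written as a conjunction, as the stated intent requires. `__HAS_LIST_ID` is SpamAssassin's stock rule and is approximated here; the sample messages are constructed.

```python
import re
from email import message_from_string

# Header sub-rules from the thread as Python regexes (added example; SA
# evaluates the real ones in Perl). __HAS_LIST_ID approximates SA's stock rule.
SUB_RULES = {
    "__LOCAL_FAKE_ORDER_SUBJ": ("Subject", re.compile(r"your.order", re.I)),
    "__LOCAL_FAKE_ORDER_1": ("X-Mailer", re.compile(r"Sendinblue", re.I)),
    "__LOCAL_FAKE_ORDER_2": ("List-Id", re.compile(r".")),
    "__HAS_LIST_ID": ("List-Id", re.compile(r".")),
    "__LIST_ID_DOMAIN_IN_BRACKETS": ("List-Id", re.compile(r"<([\w-]+)(\.[\w-]+)+>")),
}

def eval_sub_rules(msg):
    """Run every header sub-rule; a missing header never matches."""
    hits = {}
    for name, (header, pattern) in SUB_RULES.items():
        value = msg.get(header)
        hits[name] = value is not None and pattern.search(value) is not None
    return hits

def eval_meta_rules(hits):
    """Meta rules as conjunctions; returns {rule: score} for the ones that fire."""
    metas = {
        "LOCAL_FAKE_ORDER": (hits["__LOCAL_FAKE_ORDER_SUBJ"]
                             and (hits["__LOCAL_FAKE_ORDER_1"] or hits["__LOCAL_FAKE_ORDER_2"]), 3.0),
        "LIST_ID_IMPROPER_FORMAT": (hits["__HAS_LIST_ID"]
                                    and not hits["__LIST_ID_DOMAIN_IN_BRACKETS"], 0.001),
    }
    return {name: score for name, (fired, score) in metas.items() if fired}

def score_message(raw):
    return eval_meta_rules(eval_sub_rules(message_from_string(raw)))

# Constructed samples; the List-Id in FAKE_ORDER is the one quoted in the thread.
FAKE_ORDER = """\
Subject: Your order #12345 has shipped
X-Mailer: Sendinblue
List-Id: MzY3NDAxMi01Nzg2LTU= <MzY3NDAxMi01Nzg2LTU=.list-id.mailin.fr>

Please review your order.
"""
LIST_MAIL = """\
Subject: Re: SEM_FRESH rules
List-Id: <users.spamassassin.apache.org>

Discussion, not an order.
"""

if __name__ == "__main__":
    print(score_message(FAKE_ORDER))  # {'LOCAL_FAKE_ORDER': 3.0, 'LIST_ID_IMPROPER_FORMAT': 0.001}
    print(score_message(LIST_MAIL))   # {}
```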