On Thu, 27 May 2021 20:40:28 -0400 Greg Troxel wrote:
> The other problem on a small number of messages was RCVD_DOTEDU_SHORT. > I realize this must have passed masscheck, but getting a message of > 1-1.5 kB from an address in .edu is to me not at all suspicious, and > 2.5 points is a lot for something likely to appear in legitimate > mail. (In my case it was a notification of air conditioning shutdown > in a particular building, and that's all there was to say.) If SA were running on an institution's mail system, that would most likely be an internal email. The intention seem to be that the .edu has to be in the external network. There is a minor problem: header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i allows a match on "by=" from the LE header, when it should just be on helo/rdns. Probably the .edu is genuinely external for you, in which case I'd suggest overriding __RCVD_DOTEDU_EXT, either to turn it off or exclude specifc domains.
