On 20/12/2022 23:59, Joey J wrote:
Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions,
airplanes, PayPal etc, but he is a legit sender with these often
flagged topics.

Sometimes the message goes through, but by the time you reply 2 or 3
times, there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone
pretending to be him will more than likely get whitelisted and you
know the rest.

This is why I thought an "if user j...@company.com from IP 1.2.3.4"
condition would allow me to add some negative score to get over the
total flagging it as spam.

You guys would know better than I as to which would be the best
method, I like scoring it some and going to -100.

Within the reject to the user it had the following:

Spam detection results: 3
ClamAVHeuristics        3       ClamAV heuristic test: Phishing.Email.SpoofedDomain (clamav)
AWL                     -0.969  Adjusted score from AWL reputation of From: address
BAYES_00                -1.9    Bayes spam probability is 0 to 1%
BIGNUM_EMAILS_MANY      2.999   Lots of email addresses/leads, over and over
DKIM_INVALID            0.1     DKIM or DK signature exists, but is not valid
DKIM_SIGNED             0.1     Message has a DKIM or DK signature, not necessarily valid
HTML_FONT_LOW_CONTRAST  0.001   HTML font color similar or identical to background
HTML_MESSAGE            0.001   HTML included in message
KAM_DMARC_STATUS        0.01    Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE           0.001   SPF: HELO does not publish an SPF Record
SPF_PASS                -0.001  SPF: sender matches SPF record
T_FILL_THIS_FORM_SHORT  0.01    Fill in a short form with personal information
URIBL_BLOCKED           0.001   ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

My approach is like this:
describe LOCAL_WELCOMING_4 Pseudo-welcomelist (case-insensitive)
score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(fred\@bloggs\.com|\@jones\.com)>?\s*$/i
I have a few of these with different score reductions (4,6,8,10 etc) all
held in /etc/spamassassin/local_welcoming.cf. If you end up with a lot
of addresses to be 'welcomed' (as I do) you need some code to manage
them, but the principle is simple enough: they act to reduce the score
of any email where the 'From:' address matches the regex. They do not
guarantee acceptance (the spam score is still calculated, only some
amount (4 in the case above) is deducted), and they do not (in my case
anyway) apply to virus-laden emails.
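
The "From: address plus sending IP" condition asked about in the quoted message can be written as a SpamAssassin meta rule; what follows is an added example, not part of either poster's message. The address sender@company.example and the rule names are placeholders, 1.2.3.4 is the placeholder IP from the quoted message, and the example assumes trusted_networks/internal_networks are set so that the first X-Spam-Relays-External entry is the host that connected to your own MX.

```conf
# Added example: placeholder address, rule names and IP (see the text above).

# From-only form, shown commented out for comparison. It keys on the From:
# header alone, so it also fires on mail that forges that address.
#header   LOCAL_WELCOMING_FROM_ONLY  From:addr =~ /^sender\@company\.example$/i
#describe LOCAL_WELCOMING_FROM_ONLY  From: address match only
#score    LOCAL_WELCOMING_FROM_ONLY  -4

# Sub-rule 1: the author address in From: (the :addr modifier strips the
# display name and angle brackets). Names starting with __ carry no score.
header   __LOCAL_FROM_SENDER      From:addr =~ /^sender\@company\.example$/i

# Sub-rule 2: the first external relay, i.e. the host that handed the message
# to our trusted network, has the expected IP. X-Spam-Relays-External is a
# pseudo-header built from the Received: lines that SpamAssassin trusts.
header   __LOCAL_RELAY_SENDER     X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /

# The score reduction applies only when both conditions hold.
meta     LOCAL_WELCOMING_FROM_IP  (__LOCAL_FROM_SENDER && __LOCAL_RELAY_SENDER)
describe LOCAL_WELCOMING_FROM_IP  From: address seen from its expected relay IP
score    LOCAL_WELCOMING_FROM_IP  -4
```

Running `spamassassin --lint` after adding the rules reports any syntax errors before they reach live mail.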