Joey J wrote:
Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real things he is involved with so big numbers is still a valid method to score, just not in this case. 2. The SPF record is set to fail on no match, however this does not automatically say, ok it's the approved source everything is ok, let them spam out, SA will still score content, and simply not score for bad SPF. 3. The goal is to say for user j...@company.com <mailto:j...@company.com>, if we can confirm the source is their mail server IP, the lets add some negative value, lets say -2, to allow message that might be scored such as the above #1 because they are legit.

Unless there is something I'm missing, I'm not sure how to better explain it. Yes, I can provide the full headers, but I thought the spam info was enough to provide the SA aspect of the scoring.

This is why I thought of the extra rule based on email address and IP combo, almost confirming its legit, to add ot the negative score.

If you really want to go down this road, and assign small or individualized scores for senders like this instead of just using welcomelist_from_(rcvd|dkim|spf) or welcomelist_auth, use something like this:

header __FROM_GOODGUY   From:addr =~ /^joe\@company\.com$/
header __RCVD_GOODGUY   X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /
meta NOTSPAM_GOODGUY    __FROM_GOODGUY && __RCVD_GOODGUY
describe NOTSPAM_GOODGUY Score nudge for j...@company.com
score NOTSPAM_GOODGUY   -2

Have a long read through "man Mail::SpamAssassin::Conf" to deconstruct those.

But that doesn't scale well to very many senders, where welcomelist_* seem to scale pretty well to at least low thousands of entries. _spf and _dkim in particular also rely on other information published by the sender, so *you* don't have to keep manually updating your rules if their mail sending infrastructure changes.

I'd be more inclined to to some per-user score setting on the *recipient* account - ie, whoever is receiving these can have a line added to ~/.spamassassin/user_prefs (or whereever you're storing SA userprefs) saying "score BIGNUM_EMAILS_MANY (-1)".

I'd also see if you can narrow down exactly what Phishing.Email.SpoofedDomain is hitting on, IME it's all too likely to fire on a certain class of legitimate mail and what you've described sounds like a prime place for FPs. Calling ClamAV like this either requires a plugin or relies on ClamAV being called earlier, and leaving a header for SA to check. You'll have to do a bit more digging to find out how it's configured.

Locally I started with the plugin on the wiki (https://cwiki.apache.org/confluence/display/SPAMASSASSIN/ClamAVPlugin) and extended it quite a bit. I've just posted the current production version at http://deepnet.cx/~kdeugau/spamtools/clamav.pm. I have that particular Clam hit scored at 1.5 due to the FP potential.

-kgd

Reply via email to