If you do that you will guarantee yourself to get bunches of spam that might
otherwise be tagged by SA.

The "welcomelist" mechanism says:
Anybody who matches these criteria we consider strongly not to be spam
(regardless of how spammy all the other metrics may say it is).

You should "welcomelist" stuff that you want to guarantee passage of, regardless
of all other considerations.

Given that Google:
a) SPF & DKIMs all the stuff that comes out of their system
b) has lots of spammers who have Gmail accounts and spew spam from them.
c) does not seem to care two hoots about (b) and lets (b) happen even in the
case of reports.

So if you do those lines (or the more all-encompassing 'welcomelist_auth' form)
you guarantee those spammers a free ride into your system.

Now if you want to find those critters that forge "n...@gmail.com" as a sender
you'll need to create a custom rule set:
1) a non-scoring rule that fires when from == "@gmail.com"
2) a 'meta rule' that says if-from-gmail && not DKIM_VALID then give
it a spam score

DKIM_SIGNED is a standard SA rule that detects a properly valid DKIM or DK
signature.

On Tue, 25 Jul 2023, J Doe wrote:

Hi,

I am currently using SpamAssassin 4.0.0 and I had a question on how I can
ensure that any e-mail from @gmail.com has a valid SPF and DKIM signature.

I am aware that the following can be easily fooled, because it is not
checking SPF and DKIM:

welcomelist_from *@gmail.com

... so to ensure valid SPF and DKIM, I believe I would need:

welcomelist_from_spf *@gmail.com
welcomelist_from_dkim *@gmail.com

... or *two* entries.

Is that correct?

Thanks,

- J

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
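
Added example, not part of the original message or of the SpamAssassin distribution: one way to write the two-part custom rule set the reply describes. The rule names (`__LOCAL_FROM_GMAIL`, `LOCAL_GMAIL_NO_DKIM`) and the score of 3.0 are assumptions chosen for illustration.

```conf
# Constructed example for a site-local SpamAssassin rules file.
# Rule names and the score are placeholders, not values from the thread.

# DKIM_VALID is provided by the DKIM plugin, so only define the
# meta rule when that plugin is loaded.
ifplugin Mail::SpamAssassin::Plugin::DKIM

# 1) Non-scoring sub-rule: a name starting with "__" never adds to the
#    score by itself. "From:addr" matches only the address part of the
#    From: header, so display-name tricks do not affect the match.
header   __LOCAL_FROM_GMAIL   From:addr =~ /\@gmail\.com$/i

# 2) Meta rule: the From address claims gmail.com, but the message
#    carries no valid DKIM signature.
meta     LOCAL_GMAIL_NO_DKIM  __LOCAL_FROM_GMAIL && !DKIM_VALID
describe LOCAL_GMAIL_NO_DKIM  From address is gmail.com but no valid DKIM signature
score    LOCAL_GMAIL_NO_DKIM  3.0

# Stricter variant (goes beyond the reply above): DKIM_VALID fires on a
# valid signature from any signing domain, while DKIM_VALID_AU requires
# a valid signature from the author's (From:) domain. To require that,
# replace the meta line above with:
# meta   LOCAL_GMAIL_NO_DKIM  __LOCAL_FROM_GMAIL && !DKIM_VALID_AU

endif
```

Run `spamassassin --lint` after adding the rules to catch syntax errors before they reach production mail.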