Here's the output (the relevant part, I think):

X-Spam-Status: No, score=4.2 required=4.4 tests=FREEMAIL_FROM,
    HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTTP_EXCESSIVE_ESCAPES,
    PDS_OTHER_BAD_TLD,T_REMOTE_IMAGE,URI_NOVOWEL shortcircuit=no
    autolearn=no autolearn_force=no version=3.4.6
X-Spam-Report:
    * 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
    *     provider
    *     [mauneypals[at]gmail.com]
    * 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
    *     [URI: haligr.click (click)]
    * 0.5 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
    * 1.0 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes
    *     inside a URL
    * 0.7 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
    *     identical to background
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.0 T_REMOTE_IMAGE Message contains an external image
FREEMAIL_FROM,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,HTTP_EXCESSIVE_ESCAPES,PDS_OTHER_BAD_TLD,T_REMOTE_IMAGE,URI_NOVOWEL
FREEMAIL_FROM=0.001,HTML_FONT_LOW_CONTRAST=0.713,HTML_MESSAGE=0.001,HTTP_EXCESSIVE_ESCAPES=1,PDS_OTHER_BAD_TLD=1.999,T_REMOTE_IMAGE=0.01,URI_NOVOWEL=0.5

I can trap those because of the HTTP_EXCESSIVE_ESCAPES, which I can give a bit more aggressive score, but there is no "GOOG*" in the report.
Obviously I think it could be dangerous to give a greater score to FREEMAIL_FROM, as it could lead to false positives when receiving valid mails from gmail, or I'm wrong?
Could it be I'm missing something in the config?
For info, I'm running SpamAssassin version 3.4.6 on Perl version 5.22.2, just sa-updated a few minutes ago.

I'm preparing the zip file with some the
Do you want me to send the zip file (I have 46 mails that have failed)?

Pierluigi

On Wed, 25 Dec 2024 at 18:42, John Hardin <jhar...@impsec.org> wrote:

> On Wed, 25 Dec 2024, Pierluigi Frullani wrote:
>
> > Hi all, I know it's not really a new subject but I would like to ask how
> > can I stop url redirect from google.*.
> > These days I'm receiving a lot of messages that are really spam, but they
> > pass through SpamAssassin, containing the following:
> > "url?q=3Dhttps%3A%2F%2F" from several Google locations (I mean,
> > images.google.com, google.es and so on).
> >
> > Is there any good rule to catch them (at least to score some value to
> > these messages)?
>
> There are existing google redirect rules. It's possible they may not be
> hitting the variants you are seeing.
>
> If you run the message through SpamAssassin with these flags:
>
>    --debug area=rules,rules-all
>
> you will get information about which rules and subrules hit. You can use
> that to make a meta rule that works better on such messages.
>
> Feel free to zip up spamples and send them to me directly for review, if
> we're missing new variants or some Google domains that would help us
> improve our coverage.
>
>
> --
>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>   jhar...@impsec.org                         pgpk -a jhar...@impsec.org
>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
>   does quite what I want. I wish Christopher Robin was here."
>                                             -- Peter da Silva in a.s.r
> -----------------------------------------------------------------------
>   Today: Christmas
>
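
Added example, not part of the thread and not SpamAssassin's own rule code: a small offline triage script that finds Google "/url?q=" redirects in a quoted-printable body and reports the host they actually lead to. The "=3D" in the pattern quoted above is the quoted-printable encoding of "=", so the body is decoded first. The Google host pattern, the function names and the sample body are assumptions made for the example.

```python
import quopri
import re
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: "Google host" means google.<tld>,
# google.co.<cc> or google.com.<cc>, with any subdomain (images., www., ...).
GOOGLE_HOST = re.compile(r"(?:^|\.)google\.(?:[a-z]{2,3}|com?\.[a-z]{2})$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_google_host(host):
    return bool(GOOGLE_HOST.search(host.lower()))


def google_redirect_targets(raw_body):
    """Return (google_host, target_host) pairs for each Google /url?q=
    redirect found in a quoted-printable encoded body (bytes)."""
    # Undo quoted-printable first: "=3D" becomes "=", and soft line breaks
    # ("=" at end of line) that split a long URL are joined again.
    text = quopri.decodestring(raw_body).decode("utf-8", "replace")
    hits = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not is_google_host(host) or parts.path != "/url":
            continue
        # parse_qs percent-decodes the value, so %3A%2F%2F becomes "://".
        for target in parse_qs(parts.query).get("q", []):
            target_host = (urlsplit(target).hostname or "").lower()
            # Redirects that stay on Google are not the pattern of interest.
            if target_host and not is_google_host(target_host):
                hits.append((host, target_host))
    return hits


# Constructed sample body (not taken from the messages in the thread).
SAMPLE = (
    b'<a href=3D"https://images.google.com/url?q=3Dhttps%3A%2F%2Fredirect-targ=\n'
    b'et.example%2Foffer&sa=3DD">click</a>\n'
    b'<a href=3D"https://www.google.es/search?q=3Dspamassassin">search</a>\n'
)

if __name__ == "__main__":
    for google_host, target_host in google_redirect_targets(SAMPLE):
        print(f"{google_host} redirects to {target_host}")
```

Running it over a folder of missed messages shows which Google hosts and target domains the variants use, which is the information needed when writing or tuning a meta rule.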