Philip Prindeville wrote:
> I recently saw an email get bounced that was legitimately coming
> from Microsoft:
>
> Nov 13 14:59:26 mail mimedefang.pl[19053]: helo: maila.microsoft.com 
> (131.107.115.212) said "helo smtp.microsoft.com"
> Nov 13 14:59:26 mail sendmail[21067]: kADLxLLR021067: from=<[EMAIL 
> PROTECTED]>, size=1207, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, 
> bodytype=7BIT, proto=ESMTP, daemon=MTA-v4, relay=maila.microsoft.com 
> [131.107.115.212]
> Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5, 
> names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
> Nov 13 14:59:29 mail mimedefang.pl[20521]: 
> MDLOG,kADLxLLR021067,spam,6.909,131.107.115.212,<[EMAIL PROTECTED]>,<[EMAIL 
> PROTECTED]>,Out of Office: Software Development with Microsoft
> Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067:  bounce=1 
> discard=1
> Nov 13 14:59:29 mail mimedefang[5737]: kADLxLLR021067: Bouncing because 
> filter instructed us to
> Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: Milter: data, 
> reject=554 5.7.1 Message rejected; scored too high on the Spam test.
> Nov 13 14:59:29 mail sendmail[21067]: kADLxLLR021067: to=<[EMAIL PROTECTED]>, 
> delay=00:00:03, pri=31207, stat=Message rejected; scored too high on the Spam 
> test.
>
> I've put into my spamassassin/sa-mimedefang.cf file:
>
> whitelist_from_rcvd             [EMAIL PROTECTED] smtp.microsoft.com
>
>
> What am I missing at this point?
>
> Does the 2nd arg to the whitelist_from_rcvd need to be
> maila.microsoft.com instead?
>
> And what do DNS_FROM_RFC_ABUSE and DNS_FROM_RFC_POST correspond to?
>   
Postmaster and abuse lists at rfc-ignorant.org. Both are wildly prone to
false positives and have been removed from the 3.2 devel branch. They
effectively list sites that violate the RFCs for mail hosts and refuse
mail sent to postmaster or abuse.

That said, neither scores very high. Assuming set3 (bayes and network),
the combined score in SA 3.1.x is only 1.908 points.

What's L_WIN_CHARSET? That's not a stock rule I'm aware of. Looks like
an add-on to me, and probably the real culprit here. I found some
references to it from list conversations, and it looks like it's trying to
match email with a Windows-specific character set (windows-1252). But
it's not in any ruleset I can find anywhere.

Actually, it looks like a rule you yourself were developing back in
April. What did you set the score to?
http://www.gossamer-threads.com/lists/spamassassin/users/72328





> Where do I get the descriptions of these tests, why some sites get
> tagged with them, etc?
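
The score attribution discussed in this thread, as an added example that is not part of the original messages: it parses the `hits=`/`names=` line in the format shown in the quoted log and computes how much of the total is left for non-stock rules once the 1.908 combined score for the two rfc-ignorant rules is subtracted. It assumes the install uses those stock scores unchanged; `attribute_scores` and the report field names are hypothetical.

```python
import re

# Constructed sample: two mimedefang.pl lines from the thread, with the
# mail client's line wrapping undone so each syslog record is one line.
SAMPLE_LOG = """\
Nov 13 14:59:29 mail mimedefang.pl[20521]: kADLxLLR021067: hits=6.909, req=5, names=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,L_WIN_CHARSET
Nov 13 14:59:29 mail mimedefang.pl[20521]: filter: kADLxLLR021067:  bounce=1 discard=1
"""

# Score line format as it appears in the thread's log (site-specific filter output).
SCORE_RE = re.compile(
    r"mimedefang\.pl\[\d+\]: (?P<qid>\w+): "
    r"hits=(?P<hits>-?\d+(?:\.\d+)?), req=(?P<req>-?\d+(?:\.\d+)?), names=(?P<names>\S*)"
)

# From the reply: the two rfc-ignorant rules together score 1.908 in SA 3.1.x (set3).
# Assumption: the poster's install uses those stock scores unchanged.
STOCK_RULES = frozenset({"DNS_FROM_RFC_ABUSE", "DNS_FROM_RFC_POST"})
STOCK_COMBINED = 1.908


def attribute_scores(log_text):
    """For each scored message, split the total into stock and local-rule parts."""
    reports = []
    for m in SCORE_RE.finditer(log_text):
        names = [n for n in m["names"].split(",") if n]
        hits, req = float(m["hits"]), float(m["req"])
        local_rules = [n for n in names if n not in STOCK_RULES]
        # Only the combined stock score is known, so the split is possible
        # only when both stock rules fired.
        if STOCK_RULES.issubset(names):
            local_score = round(hits - STOCK_COMBINED, 3)
            tagged_without_local = STOCK_COMBINED >= req
        else:
            local_score = tagged_without_local = None
        reports.append({
            "qid": m["qid"], "hits": hits, "req": req,
            "over_threshold": hits >= req,
            "local_rules": local_rules, "local_score": local_score,
            "tagged_without_local": tagged_without_local,
        })
    return reports


if __name__ == "__main__":
    for report in attribute_scores(SAMPLE_LOG):
        print(report)
```
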
