On Wed, 13 May 2009 08:16:19 -0400 Greg Troxel <g...@ir.bbn.com> wrote:
> RW <rwmailli...@googlemail.com> writes:
>
> > On Sun, 10 May 2009 16:04:47 -0400
> > Adam Katz <antis...@khopis.com> wrote:
> >
> >> That's why I've got my KHOP_RCVD_UNTRUST score ... spammers are
> >> going out of their way to send from whitelisted servers these
> >> days, a testament to how powerful DNSBLs are.
> >
> > The other day I had a lottery scam spam sent via University
> > College London webmail, from a Nigerian IP address. It hit
> > RCVD_IN_DNSWL_MED and RCVD_IN_SBL, which have a combined score of
> > -2.4.
> >
> > I think it might be useful to redefine DNSWL rules as meta rules,
> > so a strong DNSBL hit turns them off.
>
> I wonder if the right fix is to only give the DNSWL_MED score if that
> host doesn't show a previous-hop relay. But, it makes sense to give
> the MED points to authenticated senders.

I don't think it does. In the case I mentioned, they logged into
https://www.squirrelmail.ucl.ac.uk from Nigeria, and used the
@ucl.ac.uk email address. If ucl.ac.uk had SPF records it would have
passed.

The previous phishing spam only hit KHOP_RCVD_UNTRUST because they
tried to pass it off as a Bank of America email.
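One way to express the meta-rule idea from the message above in a SpamAssassin local.cf: the stock DNSWL_MED test keeps running, but its negative score moves onto a meta rule that only fires when the same relay is not also SBL-listed. This is an added example, not a rule set posted in the thread; the LOCAL_ rule names and the score values are placeholders to be replaced with the ones from your own score set.

```conf
# Zero the stock whitelist score so the DNSWL credit no longer applies
# unconditionally. The network test itself still runs, so the rule name
# remains available to the meta rules below.
score RCVD_IN_DNSWL_MED 0

# Re-apply the whitelist credit only when the medium-trust DNSWL hit is not
# contradicted by an SBL listing on the same relay.
meta     LOCAL_DNSWL_MED_CLEAN  (RCVD_IN_DNSWL_MED && !RCVD_IN_SBL)
describe LOCAL_DNSWL_MED_CLEAN  DNSWL medium-trust hit with no SBL listing
# Placeholder score: copy the RCVD_IN_DNSWL_MED value from your score set here.
score    LOCAL_DNSWL_MED_CLEAN  -2.3

# Make the conflicting combination visible in headers and logs without
# changing the total; a near-zero score keeps the rule name in the report.
meta     LOCAL_DNSWL_VS_SBL  (RCVD_IN_DNSWL_MED && RCVD_IN_SBL)
describe LOCAL_DNSWL_VS_SBL  Whitelisted relay also SBL-listed; whitelist credit withheld
score    LOCAL_DNSWL_VS_SBL  0.001
```

After restarting spamd, check `spamassassin --lint` and run the saved message through `spamassassin -t` to confirm LOCAL_DNSWL_VS_SBL fires and LOCAL_DNSWL_MED_CLEAN does not.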