MySQL Student wrote:
> Hi,
>
> I have a set of users that are authorized to use the mail server via
> pop-before-smtp, but SA catches the mail they send through the system
> as spam because they are on blacklisted Verizon or Comcast IPs:
>
> X-Spam-Status: Yes, hits=5.4 tag1=-300.0 tag2=5.0 kill=5.0
> use_bayes=1 tests=BAYES_50, BOTNET, FH_HOST_EQ_VERIZON_P, RCVD_IN_PBL,
> RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, RELAYCOUNTRY_US, SPF_SOFTFAIL
>

Does your pop-before-smtp method cause your MTA to indicate they've been authed in the Received: header?

> I also don't understand how SPF_SOFTFAIL could happen when there
> wasn't any SPF record to test to begin with.
>

Are you sure? What was the envelope from domain for the message? (keep in mind, this checks the envelope from, not the from header..)

> One of the Comcast users:
>
> X-Spam-Status: Yes, hits=6.4 tag1=-300.0 tag2=5.0 kill=5.0
> use_bayes=1 tests=BAYES_50, BOTNET, DYN_RDNS_SHORT_HELO_HTML, HTML_MESSAGE,
> RCVD_IN_PBL, RCVD_IN_SORBS_DUL, RDNS_DYNAMIC, RELAYCOUNTRY_US, SPF_SOFTFAIL,
> SUBJ_ALL_CAPS
>
> We are working on better Bayes training, but sans that problem, what
> is the right way to address this, through a rule that whitelists their
> specific IP?
>
> Another mail that I'm dealing with is one sent by Marriott that hit
> SARE_HTML_URI_REFID, DCC_CHECK, and AE_DETAILS_WITH_MONEY, among being
> whitelisted by JMF/HOSTKARMA. I don't know how it hit DCC when there
> are details in there specific to the user, including account numbers,
> user names, etc.

Some of DCC's signatures are "fuzzy", thus will match similar messages with minor differences. This is done to avoid spammers bypassing by simply adding a text counter to the message, or some other similar bit to make each one "unique".

Combine that with DCC being strictly a measure of "bulkiness" not "spamminess", and you most likely have your answer.

You could run it through dccproc to see which of DCC's signatures matched.

As for dealing with it:

- whitelist Marriott at the SA level (as you suggest)
- whitelist Marriott at the dcc level
- remove or severely cut back the score of AE_DETAILS_WITH_MONEY, if you ever actually expect to get important email about traveling to the UAE.

Personally I strongly recommend the third option if you're likely to get emails about travel to the UAE. That rule (with the IMO overly strong 3.0 score that floats around) is really designed for people who would never travel there, but get hammered with spam offering trips there. For folks that might actually do so, maybe 0.5 is more appropriate.

> How should I go about allowing this type of mail
> without disrupting its ability to block mail that should be blocked
> with these rules? I'm sure I can add a rule subtracting points if it
> hits these and comes from Marriott, but I thought there might be
> something that could address the more general problem rather than this
> specific one from Marriott. Perhaps I'm making it too hard.
>
> Thanks,
> Alex
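
The fuzzy-signature point in the reply above, as an added illustration that is not part of the original thread and not DCC's code: the normalization below is a simplified stand-in for a fuzzy checksum (an assumption, not DCC's actual algorithm), and the template text, recipient values and threshold are constructed. It shows why a legitimate mailing that carries per-user account numbers and user names can still be counted as bulk.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: one mailing template, personalised per recipient.
TEMPLATE = ("Dear {name}, your rewards account {acct} has a new statement. "
            "Sign in as {user} to review your recent stays and points balance.")

def exact_checksum(body):
    """Hash of the raw body: any per-recipient detail changes it."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def fuzzy_checksum(body):
    """Toy fuzzy signature (assumption, not DCC's algorithm): hash only the
    longer plain words, dropping addresses and tokens that contain digits."""
    text = re.sub(r"\S+@\S+", " ", body.lower())
    text = re.sub(r"\b\w*\d\w*\b", " ", text)
    return hashlib.sha256(" ".join(re.findall(r"[a-z]{4,}", text)).encode()).hexdigest()

class BulkCounter:
    """Counts reports per signature; it measures volume, not spamminess."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.seen = Counter()

    def report(self, signature):
        self.seen[signature] += 1

    def is_bulk(self, signature):
        return self.seen[signature] >= self.threshold

def personalise(i):
    return TEMPLATE.format(name=f"Guest{i}", acct=100000 + i, user=f"user{i}@example.com")

def run_demo(recipients=50, threshold=20):
    """Report one mailing to both counters, then check a new recipient's copy."""
    exact, fuzzy = BulkCounter(threshold), BulkCounter(threshold)
    for i in range(recipients):
        body = personalise(i)
        exact.report(exact_checksum(body))
        fuzzy.report(fuzzy_checksum(body))
    probe = personalise(999)
    return exact.is_bulk(exact_checksum(probe)), fuzzy.is_bulk(fuzzy_checksum(probe))

if __name__ == "__main__":
    exact_hit, fuzzy_hit = run_demo()
    print(f"exact checksum flags bulk: {exact_hit}")
    print(f"fuzzy checksum flags bulk: {fuzzy_hit}")
```

The counter has no notion of whether the mailing was wanted, which is why the reply's options are whitelisting or rescoring rather than changing the check itself.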