>From: Alex <mysqlstud...@gmail.com>
>Sent: Sunday, September 11, 2016 4:10 PM
>To: SA Mailing list
>Subject: Re: RCVD_IN_SORBS_SPAM and google IPs
>Hi,
>> COMMIT/trunk/rules/50_scores.cf
>>
>> Committed revision 1760066.
>>
>> score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>
>> should show up after next SA update
>Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
>hitting a lot more ham than spam here, including mail from facebook.

You should be safely whitelisting any major senders like Facebook at the MTA level and in SA:

whitelist_auth *@facebookmail.com
whitelist_auth *@sendgrid.net
whitelist_auth *@amazon.com
whitelist_auth *@amazonses.com
whitelist_auth *@icloud.com
whitelist_auth *@geicomail.com
whitelist_auth *@linkedin.com

There is a top tier of mail senders that should be whitelisted like this:

1. They are responsible senders with a good reputation
2. They take abuse reports seriously and will block bad senders
3. They don't have end user mailboxes that can be compromised
4. They have valid opt-out links and processes to unsubscribe
5. They are very large and send high volumes of mail so safe whitelisting lowers the SA processing
6. 99% of the time they are going to score under the SA threshold anyway

I have a script that runs weekly to find these types of trusted senders from my mail logs and adds them to my whitelist_auth file based on certain criteria derived from the 6 items above. I have found patterns that are very reliable for the SA level when you have other MTA level things in place like postscreen with RBL weighting, reverse DNS checks, SMTP HELO checks, etc.

Enable the Shortcircuit plugin which can also help major trusted senders pass through:

shortcircuit USER_IN_WHITELIST on
shortcircuit USER_IN_DEF_WHITELIST on
shortcircuit USER_IN_BLACKLIST on
shortcircuit USER_IN_DKIM_WHITELIST on
shortcircuit USER_IN_DEF_DKIM_WL on
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit USER_IN_DEF_SPF_WL on
shortcircuit RCVD_IN_MSPIKE_H5 on
shortcircuit RCVD_IN_RP_CERTIFIED on
shortcircuit RCVD_IN_RP_SAFE on
shortcircuit RCVD_IN_DNSWL_HI on
shortcircuit RCVD_IN_IADB_LISTED on
shortcircuit ALL_TRUSTED off

The majority of the junk can be blocked with zen.spamhaus.org and sip.invaluement.com RBLs. Every small mail filtering platform should use zen.spamhaus.org as long as they are under the free usage limit. The sip.invaluement.com is a private RBL but very reasonably priced and is a great complement to zen.spamhaus.org. The major senders should not be listed in these 2 major RBLs so they fit right in with the 6 items above.

A properly configured MTA should be blocking > 85 percent of the junk so SA only has to deal with a very small percentage of email. Even then, my SA still only has to block a very small percent of what the MTA doesn't block. The majority of my SA traffic is whitelisted or shortcircuited. I run MailScanner filtering about 60,000 mailboxes so SA is not integrated into the MTA.

The only complaints I get for spam by our customers are the occasional compromised accounts which are very hard to block on zero-day spam. They come through trusted servers that aren't listed on any RBLs yet and they have paid sweat shops to craft the email to get through most major mail filters.

Hope this helps,
Dave
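
Added example, not part of the original message and not Dave's script: one way to do the weekly log-mining step described above, selecting whitelist_auth candidates by volume, authentication and score. The log line format, the thresholds and the MAILBOX_PROVIDERS exclusion list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, made-up log format (not real MTA/SA output).
SAMPLE_LOG = """\
from=<notify@facebookmail.com> dkim=pass spf=pass score=-0.4
from=<notify@facebookmail.com> dkim=pass spf=pass score=0.3
from=<security@facebookmail.com> dkim=pass spf=fail score=1.1
from=<a@gmail.com> dkim=pass spf=pass score=0.2
from=<b@gmail.com> dkim=pass spf=pass score=0.1
from=<c@gmail.com> dkim=pass spf=pass score=0.5
from=<news@bulk.example> dkim=pass spf=pass score=0.9
from=<news@bulk.example> dkim=fail spf=fail score=1.4
from=<news@bulk.example> dkim=pass spf=pass score=0.7
from=<deals@promo.example> dkim=pass spf=pass score=7.2
from=<deals@promo.example> dkim=pass spf=pass score=1.0
from=<deals@promo.example> dkim=pass spf=pass score=0.8
from=<info@small.example> dkim=pass spf=pass score=0.1
"""
LINE_RE = re.compile(r"from=<[^@>]+@(?P<domain>[^>]+)> dkim=(?P<dkim>\w+) "
                     r"spf=(?P<spf>\w+) score=(?P<score>-?\d+(?:\.\d+)?)")
MIN_MESSAGES = 3       # assumed volume cutoff (item 5); tiny to suit the sample
SPAM_THRESHOLD = 5.0   # SA's default required_score (item 6)
MIN_HAM_RATIO = 0.99   # "99% of the time" under the threshold (item 6)
# Assumed hand-kept list: domains with end-user mailboxes fail item 3.
MAILBOX_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

def candidate_domains(log_text):
    """Return sorted domains that meet the volume, auth and score criteria."""
    stats = defaultdict(lambda: {"total": 0, "authed": 0, "ham": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m["domain"].lower()]
        s["total"] += 1
        # whitelist_auth only takes effect when SPF or DKIM passes
        s["authed"] += int(m["dkim"] == "pass" or m["spf"] == "pass")
        s["ham"] += int(float(m["score"]) < SPAM_THRESHOLD)
    return sorted(
        d for d, s in stats.items()
        if d not in MAILBOX_PROVIDERS
        and s["total"] >= MIN_MESSAGES
        and s["authed"] == s["total"]          # every message authenticated
        and s["ham"] / s["total"] >= MIN_HAM_RATIO)

def whitelist_lines(domains):
    # Render entries in the whitelist_auth form used in the message.
    return [f"whitelist_auth *@{d}" for d in domains]
```

On the constructed sample only facebookmail.com qualifies: gmail.com is excluded as a mailbox provider, bulk.example has an unauthenticated message, promo.example has a message over the threshold, and small.example is below the volume cutoff.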