On 2017-03-06 (04:45 MST), David Jones <djo...@ena.com> wrote:
>
>> From: @lbutlr <krem...@kreme.com>
>> Sent: Monday, March 6, 2017 5:24 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: New whitelisting trick using from and spf
>
>> On 2017-03-05 (18:59 MST), David Jones <djo...@ena.com> wrote:
>>>
>>> whitelist_auth does this against SPF_PASS and DKIM_VALID_AU
>
>> I tried to do something along these lines at some point in the past by
>> adding some lines to my local.cf like these:
>
>> blacklist_from *@amazon.com
>> whitelist_auth *@amazon.com
>> blacklist_from *@paypal.com
>> whitelist_auth *@paypal.com
>
>> It didn’t have the desired effect and simply blacklisted all PayPal mail.
>> While *I* was ok with blacklisting PayPal, others not so much...
>
> Spam/phishing emails pretending to be from Paypal won't have an
> envelope-from of *@paypal.com which is why you didn't get the
> desired effect. You rarely use the blacklist_from only when there
> are very dumb senders that you want to block.
>
> A multi-level approach will give you the results you expect:
> Level 1: RBLs, other DNS checks, postscreen, greylisting, etc.
> Level 2: SA bayes, ClamAV w extra sigs, meta rules, RBL scores, etc.

Do all of that and fake PayPal/amazon/apple/{random bank} emails are received every day.

It seems it should be easy to set up “If mail claims to be From: PayPal.com and is not from PayPal, score +100” but it is not.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
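
The check the reply asks for ("claims to be From: PayPal.com and is not from PayPal"), written out in Python as an added example; it is not SpamAssassin's code or either poster's. It assumes the receiving MTA stamps an Authentication-Results header with the authserv-id `mx.example.net`; that id, the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED = ("paypal.com", "amazon.com")   # brands named in the thread
AUTHSERV_ID = "mx.example.net"             # assumption: the id our own MTA stamps
PASS_RE = re.compile(
    r"\b(?:spf=pass\b[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]*@)?"
    r"|dkim=pass\b[^;]*?\bheader\.d=)([\w.-]+)", re.I)

def aligned(domain, brand):
    """True if domain is the brand domain or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    return domain == brand or domain.endswith("." + brand)

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to our own MTA only."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())                 # unfold the header
        if value.split(";", 1)[0].strip().lower() != AUTHSERV_ID:
            continue                                    # sender-supplied, untrusted
        found.update(m.group(1) for m in PASS_RE.finditer(value))
    return found

def forged_brand(raw):
    """Return the protected domain a message claims without proof, else None."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    for brand in PROTECTED:
        if aligned(from_domain, brand):
            ok = any(aligned(d, brand) for d in authenticated_domains(msg))
            return None if ok else brand
    return None

# Constructed sample messages (not real mail).
SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@bulk.example; dkim=none
From: "PayPal" <service@paypal.com>

body
"""
# Same mail, but carrying a DKIM pass aligned with the From: domain.
GENUINE = SPOOFED.replace("dkim=none", "dkim=pass header.d=paypal.com")
# Same mail, but the only "pass" comes from a header our MTA did not write.
INJECTED = SPOOFED.replace("mx.example.net;", "relay.bulk.example; dkim=pass header.d=paypal.com;")
```

`SPOOFED` passes SPF for its own envelope domain and is still flagged, because neither the SPF domain nor any DKIM domain matches the domain in From:. A display name of "PayPal" on an unrelated address is outside what this check covers.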