On 7 Jul 2017, at 13:04, Alex wrote:
> I'm interested in how your system would have handled (or currently
> handles) this email I received some days ago:
> https://pastebin.com/innRFvZt
Its IP (106.186.119.240) is still not listed with spamhaus, sorbs or
hostkarma, and has an 83 rating with senderscore.
This never would have made it to SA on most systems I have recently
managed:
1. Null sender with From & Subject both inconsistent with DSN or other
legit null-sender mail.
2. That MIME structure is pathological. It merits a specific hard
rejection with a derisive text part. Anything generating FPs (never seen
one...) needs spanking.
3. Horrifically bad Received-SPF header, but I guess probably that's
generated by something broken in *your* system, so isn't relevant.
4. Lots of example.com in headers but again, I guess that's you munging
stuff and it's not stuff other sites would see.
5. For my own system and some I manage, AS2516 is intrinsically suspect
and that particular /18 can't talk to port 25 at all.
My personal SA would have rejected it because:
1. I don't trust BAYES_00 as much as masscheck because a lot of my ham
describes or includes spam.
2. I have FROM_EXCESS_BASE64 pegged to 2, originally because it was too
high and had FPs, now because masscheck scores it too low.
3. I have a local rule catching the same header that RCVD_DOUBLE_IP_SPAM
catches in that one, with a higher score because it has a perfect record.
4. Other proprietary local rules would add 1.7 to the score.
5. For my own system (but not most sites I have managed) any From header
with a domain part directly under .cn scores so high that its message
MUST be sent to an address with a special treatment (i.e.
more_spam_to/all_spam_to or totally SA-exempt).
6. I reject at 4.5. I quarantine nothing because quarantining is an
intrinsically bad idea. This message appears to have been quarantined,
but should have been rejected.
> It's just a short body with a URI which downloads malware. We got hit
> by this pretty hard. This is where the real threats are. Receive one
> of these to an Exchange distribution list and your reputation with the
> customer suffers badly.
> I'm also interested in other solutions - are those of you with
> MIMEDefang or other systems blocking these?
Some of my pre-SA blocking is in MIMEDefang, which is also what I use to
hook in SA. If you run a milter-capable MTA and are comfortable writing
small-scale Perl, MD is an ideal tool for hooking in SA and whatever AV
you feel compelled to use. I have absolutely no critique of amavisd-new,
which I gather is quite good, but I came from the Sendmail world where
MD was dominant and I chose to stick with it when I switched to Postfix
as my preferred MTA. If the idea of writing a little Perl disturbs you,
MIMEDefang is probably not for you.
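For anyone who wants to see what the pre-SA checks above look like in code, here is an added example (Python rather than the poster's MIMEDefang/Perl, and not the poster's actual rules or SpamAssassin's own RCVD_DOUBLE_IP_SPAM / FROM_EXCESS_BASE64 definitions). It approximates four of the tests named in the thread: null sender whose From/Subject/MIME type do not look like a DSN, From domain directly under .cn, a From header that is base64-encoded although it contains only ASCII, and a "double IP" Received line. The rule names, the weights and the 4.5 reject threshold are assumptions for the demo, and both sample messages are constructed with documentation addresses, not the pastebin message.

```python
"""Pre-SpamAssassin header triage, added illustration (not the poster's code).

All four checks are approximations chosen for this demo; the weights and
REJECT_AT are hypothetical, not SpamAssassin or site-local scores.
"""
import email
import re
from email.header import decode_header
from email.utils import parseaddr

# Hypothetical weights; the reject threshold mirrors the reply's 4.5.
WEIGHTS = {
    "NULL_SENDER_NOT_DSN": 3.0,
    "FROM_DIRECT_CN": 4.0,
    "FROM_NEEDLESS_BASE64": 2.0,
    "RCVD_DOUBLE_IP": 3.0,
}
REJECT_AT = 4.5

DSN_FROM = re.compile(r"^(mailer-daemon|postmaster)@", re.I)
DSN_SUBJECT = re.compile(r"undeliver|delivery (status|failure)|returned mail", re.I)
DIRECT_CN = re.compile(r"^[^.\s]+\.cn$", re.I)  # example.cn, but not x.com.cn
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DOUBLE_IP = re.compile(rf"^from \[{IP}\] \(\[{IP}\]\)", re.I)
ENCODED_B64 = re.compile(r"=\?[^?]+\?b\?[^?]*\?=", re.I)


def needless_base64(raw_header):
    """True when the header uses base64 encoded-words but every part decodes
    to plain ASCII, i.e. the encoding hid nothing that needed encoding."""
    if not ENCODED_B64.search(raw_header):
        return False
    for chunk, charset in decode_header(raw_header):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii")
            except (LookupError, UnicodeDecodeError):
                return False
        if not chunk.isascii():
            return False  # genuine non-ASCII text: encoding was legitimate
    return True


def triage(raw_message, envelope_sender):
    """Score a message given the envelope sender seen at MAIL FROM
    ('' is the null sender). Returns (score, list of rule names hit)."""
    msg = email.message_from_string(raw_message)  # compat32: raw header values
    from_raw = msg.get("From", "")
    _, from_addr = parseaddr(from_raw)
    from_domain = from_addr.rpartition("@")[2]
    hits = []

    if envelope_sender == "":
        looks_like_dsn = (
            DSN_FROM.search(from_addr)
            or DSN_SUBJECT.search(msg.get("Subject", ""))
            or msg.get_content_type() == "multipart/report"
        )
        if not looks_like_dsn:
            hits.append("NULL_SENDER_NOT_DSN")
    if DIRECT_CN.match(from_domain):
        hits.append("FROM_DIRECT_CN")
    if needless_base64(from_raw):
        hits.append("FROM_NEEDLESS_BASE64")
    for rcvd in msg.get_all("Received", []):
        if DOUBLE_IP.match(" ".join(rcvd.split())):  # unfold the header first
            hits.append("RCVD_DOUBLE_IP")
            break
    return sum(WEIGHTS[h] for h in hits), hits


def decision(score):
    """Reject outright at or above the threshold; nothing is quarantined."""
    return "reject" if score >= REJECT_AT else "accept"


# Constructed samples (documentation addresses, not the pastebin message).
SPAM_SAMPLE = """\
Received: from [192.0.2.10] ([192.0.2.10]) by mx.example.net with SMTP;
\tFri, 7 Jul 2017 10:00:00 +0000
From: =?utf-8?B?SW52b2ljZSBEZXB0?= <billing@example.cn>
Subject: Your document
Content-Type: text/plain

http://example.invalid/doc
"""
BOUNCE_SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20]) by mx.example.net;
\tFri, 7 Jul 2017 10:00:00 +0000
From: MAILER-DAEMON@mx2.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b"

--b
Content-Type: text/plain

This is a bounce.
--b--
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("bounce", BOUNCE_SAMPLE)):
        score, hits = triage(raw, "")
        print(f"{name}: score={score} hits={hits} -> {decision(score)}")
```

In a real milter the envelope sender comes from the MAIL FROM stage rather than from a header, which is why triage() takes it as a separate argument; the bounce sample shows the null-sender check staying quiet when the message actually looks like a DSN.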