Hi,

>>> I'm interested in how your system would have (or currently does)
>>> handle this email I received some days ago:
>>> https://pastebin.com/innRFvZt
>>>
>>> Its IP (106.186.119.240) is still not listed with spamhaus, sorbs or
>>> hostkarma, and has an 83 rating with senderscore.
>>
>> This never would have made it to SA on most systems I have recently
>> managed:
>>
>> 1. Null sender with From & Subject both inconsistent with DSN or other
>> legit null-sender mail.
>
> Yes. My MTA would have never accepted this email either. I manually ran it
> through SA to see how it would have scored.

Rejected on what basis? What method? How do you reject in postfix based on ASN? Do you have a list?

>> My personal SA would have rejected it because:
>>
>> 1. I don't trust BAYES_00 as much as masscheck because a lot of my ham
>> describes or includes spam.

I have that problem too. They are crafted very close to what real ham looks like.

> 1. Null sender with From & Subject both inconsistent with DSN or other legit
> null-sender mail.

I believe the return-path is null because it's quarantined.

> 2. That MIME structure is pathological. It merits a specific hard rejection
> with a derisive text part. Anything generating FPs (never seen one...) needs
> spanking.

I don't understand?

> 3. Horrifically bad Received-SPF header, but I guess probably that's
> generated by something broken in *your* system, so isn't relevant.

Yes, that SPF header is added by us. How is it broken?

> 4. Lots of example.com in headers but again, I guess that's you munging stuff
> and it's not stuff other sites would see.

Yes, that's my doing.

> 6. I reject at 4.5. I quarantine nothing because quarantining is an
> intrinsically bad idea. This message appears to have been quarantined, but
> should have been rejected.

I've just lowered it to 4.8 for a while. I've also lowered BAYES_00 to -1.0 from -1.9. The ones that got through (this example was quarantined) had fewer than 3.0 points. I don't have access to them because they were received longer ago than the normal retention period we use for analysis. Rarely do legitimate emails get sent to the quarantine, and only our administrators have access to it, but sometimes it's necessary, and avoids a big explanation and a bigger apology to the customer.

>> 2. I have FROM_EXCESS_BASE64 pegged to 2, originally because it was too
>> high and had FPs, now because masscheck scores it too low.
>
> Good point. I have checked my hits on this rule and bumped up the score
> too.
> Hopefully my work on the masscheck system will improve this score once
> I am able to figure out the current problem and we resume score updates
> again. I am working on this issue again this morning for a few hours.

Thanks. I've also now increased the score here.

This is the more general conversation that I find very beneficial, rather than the specifics about only this particular email.
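One way to see what the rescoring discussed in this thread (BAYES_00 from -1.9 to -1.0, FROM_EXCESS_BASE64 pegged to 2, rejection at 4.8) would have done to mail that has already been scanned, as an added Python example that is not part of this thread or of SpamAssassin itself: it parses X-Spam-Status headers written with the `_TESTSSCORES(,)_` template (so each hit carries the score it got), applies the local.cf overrides, and reports the verdict under the new threshold. The two headers are constructed for illustration, and the per-rule scores in them are not SpamAssassin's shipped values.

```python
"""Re-evaluate SpamAssassin verdicts under adjusted rule scores (constructed example)."""
import re

# Overrides from the thread, as they would be written in local.cf:
#   score BAYES_00 -1.0
#   score FROM_EXCESS_BASE64 2.0
#   required_score 4.8
OVERRIDES = {"BAYES_00": -1.0, "FROM_EXCESS_BASE64": 2.0}
REQUIRED_SCORE = 4.8

# Constructed X-Spam-Status values. They assume add_header used the
# _TESTSSCORES(,)_ template so every hit is RULE=score; the per-rule
# scores are illustrative, not SpamAssassin's distributed scores.
SAMPLE_HEADERS = [
    # A base64-From spam that slipped under 3.0 points, as described in the thread.
    "No, score=2.9 required=5.0 tests=BAYES_00=-1.9,FROM_EXCESS_BASE64=0.5,"
    "MIME_HTML_ONLY=0.7,RDNS_NONE=1.3,HTML_IMAGE_ONLY_32=1.3,MISSING_MID=0.5,"
    "SUBJ_ALL_CAPS=0.5 autolearn=no",
    # Legitimate mail that Bayes rightly classified as ham.
    "No, score=-2.699 required=5.0 tests=BAYES_00=-1.9,DKIM_VALID_AU=-0.1,"
    "HTML_MESSAGE=0.001,RCVD_IN_DNSWL_LOW=-0.7 autolearn=ham",
]

HEADER_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s+score=(?P<score>-?[\d.]+)"
    r"\s+required=(?P<required>-?[\d.]+)\s+tests=(?P<tests>\S+)"
)


def parse_status(header):
    """Split an X-Spam-Status value into its score, threshold and per-rule hits."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % header)
    hits = {}
    for item in m.group("tests").split(","):
        # A plain tests= list (no '=') carries no scores; refuse rather than guess.
        if "=" not in item:
            raise ValueError("hit %r has no score; header needs _TESTSSCORES(,)_" % item)
        rule, value = item.split("=", 1)
        hits[rule] = float(value)
    return {
        "verdict": m.group("verdict"),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "hits": hits,
    }


def rescore(hits, overrides):
    """Total the hits again, substituting the overridden scores where they apply."""
    return round(sum(overrides.get(rule, score) for rule, score in hits.items()), 3)


def verdict(score, required):
    """Reject-at-threshold policy from the thread: nothing is quarantined."""
    return "reject" if score >= required else "accept"


def reevaluate(header, overrides=OVERRIDES, required=REQUIRED_SCORE):
    """Compare the verdict the header records with the verdict under the new scores."""
    status = parse_status(header)
    new_score = rescore(status["hits"], overrides)
    return {
        "old_score": status["score"],
        "old_verdict": verdict(status["score"], status["required"]),
        "new_score": new_score,
        "new_verdict": verdict(new_score, required),
        "rescored_rules": sorted(r for r in status["hits"] if r in overrides),
    }


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = reevaluate(h)
        print("%-6s -> %-6s  (%.3f -> %.3f via %s)" % (
            r["old_verdict"], r["new_verdict"], r["old_score"], r["new_score"],
            ",".join(r["rescored_rules"])))
```

Run against a mailbox of previously tagged messages, this is the check to make before committing the new scores: the spam sample crosses 4.8 only because both overrides apply to it, while the ham sample stays well below the threshold, which is the false-positive risk that the BAYES_00 reduction is meant to keep in view.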