Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-27 Thread Bill Cole
On 2021-05-27 at 20:40:28 UTC-0400 (Thu, 27 May 2021 20:40:28 -0400)
Greg Troxel 
is rumored to have said:

> But one thing jumped out at me: a fair number of
> RCVD_IN_SORBS_NR_SPAM hits, including for yahoo servers.  It seems to me
> a bit much to apply that and 2.5 points for MTAs from freemails that
> have mostly ham and some spam -- that's what 1 point for FREEMAIL_FROM
> is for.  As usual, I look up rules that hit on my ham and think about
> changing the score, but I can't find it.
>
> So: was this rule in trunk or KAM, and was it withdrawn in the last
> week?  Perhaps because of listing yahoo and maybe others?  I didn't find
> anything about this on the users list.

That rule does not now exist in trunk and IT NEVER HAS, according to the 
Subversion history.

It is not in the current KAM channel rules and I see no evidence in my logs of 
any such rule ever hitting within the past 3 months.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire




Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-27 Thread John Hardin

On Fri, 28 May 2021, RW wrote:

> There is a minor problem:
>
>  header  __RCVD_DOTEDU_EXT  X-Spam-Relays-External =~ /\.edu\s/i
>
> allows a match on "by=" from the LE header, when it should just be on
> helo/rdns.

D'oh! Fixed, thanks for catching that.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The ["assault weapons"] ban is the moral equivalent of banning red
  cars because they look too fast.  -- Steve Chapman, Chicago Tribune
---
 4 days until Memorial Day - honor those who sacrificed for our liberty


Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-27 Thread John Hardin

On Thu, 27 May 2021, Greg Troxel wrote:

> The other problem on a small number of messages was RCVD_DOTEDU_SHORT.
> I realize this must have passed masscheck, but getting a message of
> 1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5
> points is a lot for something likely to appear in legitimate mail.  (In
> my case it was a notification of air conditioning shutdown in a
> particular building, and that's all there was to say.)

Score limit adjusted. Do you know whether it happened to hit ALL_TRUSTED?
I added an exclusion for that.




Re: Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-27 Thread RW
On Thu, 27 May 2021 20:40:28 -0400
Greg Troxel wrote:


> The other problem on a small number of messages was RCVD_DOTEDU_SHORT.
> I realize this must have passed masscheck, but getting a message of
> 1-1.5 kB from an address in .edu is to me not at all suspicious, and
> 2.5 points is a lot for something likely to appear in legitimate
> mail.  (In my case it was a notification of air conditioning shutdown
> in a particular building, and that's all there was to say.)

If SA were running on an institution's mail system, that would most
likely be an internal email. The intention seems to be that the .edu has
to be in the external network.

There is a minor problem:

 header  __RCVD_DOTEDU_EXT  X-Spam-Relays-External =~ /\.edu\s/i

allows a match on "by=" from the LE header, when it should just be on
helo/rdns.

Probably the .edu is genuinely external for you, in which case I'd
suggest overriding __RCVD_DOTEDU_EXT, either to turn it off or exclude
specific domains.

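The point RW raises above, as an added example (not code from the thread or from SpamAssassin's rule set): the pseudo-header `X-Spam-Relays-External` carries one `[ key=value ... ]` group per external relay, with `helo=`, `rdns=` and `by=` fields side by side, so an unanchored `/\.edu\s/i` fires on a `by=` value naming the receiving host as readily as on the sender's HELO or rDNS. The block below, written in Python rather than SpamAssassin rule syntax, parses constructed headers of that shape and compares the loose pattern against one restricted to the `helo=`/`rdns=` fields, plus a per-domain exclusion list of the kind RW suggests. The relay groups, host names and addresses are made up for the example; the field layout is assumed to follow SpamAssassin's documented pseudo-header and nothing here is the project's actual fixed rule.

```python
"""Loose vs. field-restricted matching on an X-Spam-Relays-External pseudo-header.

Added example: the header samples below are constructed, not captured mail.
"""
import re

# Constructed sample 1: the external relay itself is a .edu host
# (rdns and helo both end in .edu). Both patterns should hit.
SAMPLE_EXTERNAL_EDU_RELAY = (
    "[ ip=203.0.113.10 rdns=mail.campus-example.edu helo=mail.campus-example.edu "
    "by=mx.receiver.example.net ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]"
)

# Constructed sample 2: the sender is a .com host; only the receiving side
# ("by=") is a .edu. This is the case the loose pattern wrongly matches.
SAMPLE_ONLY_BY_IS_EDU = (
    "[ ip=198.51.100.7 rdns=smtp.sender.example.com helo=smtp.sender.example.com "
    "by=inbound.university-example.edu ident= envfrom= intl=0 id=DEF456 auth= msa=0 ]"
)

# The pattern quoted in the thread: matches ".edu" followed by whitespace
# anywhere in the header, regardless of which field it sits in.
LOOSE_RE = re.compile(r"\.edu\s", re.I)

# Same idea, but anchored to the helo= or rdns= field. \S* cannot cross the
# space that separates fields, so a .edu in by= can no longer satisfy it.
STRICT_RE = re.compile(r"\b(?:helo|rdns)=\S*\.edu\s", re.I)


def loose_hit(relays_header: str) -> bool:
    """Behaviour of the quoted rule: any '.edu ' in the header counts."""
    return LOOSE_RE.search(relays_header) is not None


def strict_regex_hit(relays_header: str) -> bool:
    """Regex form restricted to the sender's helo/rdns fields."""
    return STRICT_RE.search(relays_header) is not None


def parse_relays(relays_header: str) -> list[dict[str, str]]:
    """Split the pseudo-header into one dict per '[ ... ]' relay group.

    Tokens are 'key=value'; empty values (e.g. 'ident=') become ''.
    """
    relays = []
    for group in re.findall(r"\[(.*?)\]", relays_header):
        fields = {}
        for token in group.split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def strict_hit(relays_header: str, tld: str = ".edu", exclude: frozenset = frozenset()) -> bool:
    """Field-aware check: a relay hits only if its helo or rdns host ends in
    `tld` and is not on the caller's exclusion list (RW's 'exclude specific
    domains' option). 'by=' is deliberately ignored."""
    for relay in parse_relays(relays_header):
        for key in ("helo", "rdns"):
            host = relay.get(key, "").lower()
            if host.endswith(tld) and host not in exclude:
                return True
    return False


if __name__ == "__main__":
    for label, hdr in (("sender is .edu", SAMPLE_EXTERNAL_EDU_RELAY),
                       ("only by= is .edu", SAMPLE_ONLY_BY_IS_EDU)):
        print(f"{label:18} loose={loose_hit(hdr)!s:5} "
              f"strict_regex={strict_regex_hit(hdr)!s:5} strict={strict_hit(hdr)}")
```

The second sample is the false positive: `loose_hit` returns True because `by=inbound.university-example.edu ` contains `.edu `, while both field-restricted checks return False. The regex in `STRICT_RE` is the shape one would put into a local redefinition of `__RCVD_DOTEDU_EXT` if overriding it as RW suggests; the `exclude` set in `strict_hit` shows the per-domain carve-out in the same spirit.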


Recent experience with RCVD_IN_SORBS_NR_SPAM and others

2021-05-27 Thread Greg Troxel

I lost track of checking my spam folders recently for almost a week (I
filter to a maybe-spam folder on scores that are lower than what
doctrine says, splitting into really-ham, iffy, and really-spam -- it
was the iffy I didn't look at).  On checking, I refiled a bunch of ham
that had from 2 to 6 points.  There was much more of this than normal,
at all scores.

There are lots of reasons for the scores, some of which is just how it
is (MIME HTML with no HTML tag), and rDNS lookup failures on google
MTAs.  But one thing jumped out at me: a fair number of
RCVD_IN_SORBS_NR_SPAM hits, including for yahoo servers.  It seems to me
a bit much to apply that and 2.5 points for MTAs from freemails that
have mostly ham and some spam -- that's what 1 point for FREEMAIL_FROM
is for.  As usual, I look up rules that hit on my ham and think about
changing the score, but I can't find it.

So: was this rule in trunk or KAM, and was it withdrawn in the last
week?  Perhaps because of listing yahoo and maybe others?  I didn't find
anything about this on the users list.


The other problem on a small number of messages was RCVD_DOTEDU_SHORT.
I realize this must have passed masscheck, but getting a message of
1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5
points is a lot for something likely to appear in legitimate mail.  (In
my case it was a notification of air conditioning shutdown in a
particular building, and that's all there was to say.)

Thanks,
Greg

