@Dave, are you sure that trusted_networks must be changed when fetching mail? I fetch mine from Gmail too, and SA always has the correct first non-trusted relay, without changing *_networks. With fetching you do not get an SMTP Received header, so SA jumps to the next relay. And (at least from what I see in my Gmail mails) the first SMTP Received header without a private IP address is the one that hands off to Gmail, aka the one to feed to SA.

Cheers
tobi

----- Original Message -----
From: David Jones <djo...@ena.com>
Sent: 11.12.17 - 17:27
To: users@spamassassin.apache.org
Subject: Re: Flakey spam email. How to filter?

> On 12/11/2017 09:44 AM, Mark London wrote:
>> I'm getting a lot of flakey spam messages, that don't trigger any
>> significant spamassassin rules, even though it obviously looks really
>> bogus.
>>
>> Here's an example. Any suggestions?
>>
>> https://pastebin.com/bZUt0ThS
>>
>> These spams are being sent to my gmail account, and then forwarded to my
>> work address. I tried stripping off all the forwarding headers, but it
>> doesn't trigger any RBLs
>>
>> Thanks for any help.
>>
>> - Mark
>>
>
> It's going to be very difficult to filter mail properly that has been
> forwarded from Gmail. Why would you want to do this anyway? Report it
> as Spam at Gmail and let Google block it for you and everyone else on
> Gmail and G-Suite.
>
> If you want to continue this mail flow and use Spamassassin, I would
> recommend using POP to pull the email from Google and not forward it
> which breaks a lot of stuff like SPF. You will need to set up your
> trusted_networks to cover all of Google's mail servers IPs listed in
> their SPF record to get RBLs to work correctly which could be challenging.
>
> I ran that email through my filters and it scored a 12.5 for me. Make
> sure you have DCC installed and working. I realize that time has passed
> so DCC may not have hit the original SMTP receive time but still it
> should have scored well above 6.0 based on properly trained Bayes and
> some other SA hits:
>
>  0.9 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in DNS
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  1.2 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  0.8 HTML_TAG_BALANCE_HEAD  BODY: HTML has unbalanced "head" tags
>  1.5 BODY_8BITS             BODY: Body includes 8 consecutive 8-bit
>                             characters
>  2.2 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
>                             necessarily valid
>  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
>  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid
>  0.2 KAM_HUGEIMGSRC         Message contains many image tags with huge
>                             http urls
>  2.3 S25R_4                 T_S25R: Bottom of rDNS ends w/ num, next
>                             lvl has num-num
>
> That IP of 158.69.185.128 is not listed on any RBLs so it's pretty much
> left to SA content-based rules like DCC, Bayes, and a few others above.
>
> --
> David Jones
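
The header walk described in the reply at the top of this message, as an added illustration that is not part of the thread and is not SpamAssassin's own code: a simplified model that skips Received hops that are not SMTP handoffs or that come from private addresses and reports the first remaining one. The function names, the sample headers and every address in them are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample (invented hosts/addresses): a message pulled over POP3.
SAMPLE = """\
Received: from pop.mailbox.example [198.51.100.7]
\tby localhost with POP3 (fetchmail); Mon, 11 Dec 2017 18:02:11 +0100
Received: by 10.2.3.4 with SMTP id abc123; Mon, 11 Dec 2017 09:01:58 -0800
Received: from sender.example (sender.example [203.0.113.25])
\tby mx.mailbox.example with ESMTPS id xyz789; Mon, 11 Dec 2017 09:01:57 -0800
Received: from [192.168.1.20] (unknown [192.168.1.20])
\tby sender.example with ESMTP; Mon, 11 Dec 2017 17:01:50 +0000

body
"""

# Explicit list: ipaddress.is_private would also flag the documentation ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FROM_RE = re.compile(r"from\s+(.*?)\s+by\s+", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PROTO_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
SMTP_RE = re.compile(r"[EL]?SMTPS?A?", re.I)

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in n for n in INTERNAL)
    except ValueError:
        return True  # unparsable address: never pick it as the relay

def walk_received(raw):
    """Yield (verdict, sending_ip) for each Received header, newest first."""
    for hdr in email.message_from_string(raw).get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        sender = FROM_RE.match(hdr)
        ip = IP_RE.search(sender[1]) if sender else None
        proto = PROTO_RE.search(hdr)
        if ip is None:
            yield ("skip: no sending address", None)
        elif not (proto and SMTP_RE.fullmatch(proto[1])):
            yield ("skip: not an SMTP handoff", ip[1])
        elif is_internal(ip[1]):
            yield ("skip: private address", ip[1])
        else:
            yield ("candidate", ip[1])

def first_public_smtp_relay(raw):
    return next((ip for v, ip in walk_received(raw) if v == "candidate"), None)
```

On the constructed sample, the POP3 fetch hop and the private-address hop are both passed over, and the hop that handed the message to the mailbox provider is the one reported.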