On Tue, 6 Feb 2018, Kris Deugau wrote:

Alex wrote:
These phishes we've received were all from otherwise trusted sources
like salesforce, amazonses and sendgrid. These are examples that I
believe were previously whitelisted because of having received a phish
through these systems but have now been disabled.

whitelist_auth *@bounce.mail.salesforce.com
whitelist_auth *@sendgrid.net
whitelist_auth *@*.mcdlv.net

I've seen enough spam sent through all three - both by way of whole apparently spammer-owned accounts and cracked-but-otherwise-legitimate accounts - that I would never blanket-whitelist whole bulk email providers.

Legitimate mail sent through them generally gets through anyway IME.

An alternative is to use "def_whitelist_auth" instead of "whitelist_auth".
That gives a -7.5 point bump to usually good sources which may occasionally get abused.

That way if one of their accounts gets p0wned your anti-phish rules have a chance of pulling the junk into the spam-tagged range.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
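
Added example, not part of the original thread: a small Python model of the trade-off discussed above, which audits a SpamAssassin config for blanket `whitelist_auth` entries, rewrites them to `def_whitelist_auth`, and shows whether a phish from an authenticated bulk-provider sender still reaches the tagging threshold. Assumptions: the -100 score for a `whitelist_auth` hit and the 5.0 threshold are stock SpamAssassin defaults, glob matching is approximated with `fnmatch`, only one adjustment is applied per message, and the sample config, sender addresses and rule scores are constructed.

```python
import fnmatch

# -7.5 is the figure given in the thread; -100 is assumed to be the stock
# SpamAssassin score for a whitelist_auth hit (not stated in the thread).
ADJUST = {"whitelist_auth": -100.0, "def_whitelist_auth": -7.5}
REQUIRED_SCORE = 5.0  # assumed default required_score

# Constructed sample config built from the entries quoted in the thread.
SAMPLE_CF = """\
whitelist_auth *@bounce.mail.salesforce.com
whitelist_auth *@sendgrid.net
def_whitelist_auth *@*.mcdlv.net
# whitelist_auth *@example.org
"""

def parse_entries(cf_text):
    """Return (directive, pattern) pairs, ignoring comments."""
    entries = []
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ADJUST:
            entries.append((parts[0], parts[1].lower()))
    return entries

def final_score(entries, sender, rule_score, authenticated=True):
    """Content-rule score plus the strongest matching whitelist bonus."""
    hits = [ADJUST[d] for d, pat in entries
            if authenticated and fnmatch.fnmatchcase(sender.lower(), pat)]
    return rule_score + (min(hits) if hits else 0.0)

def is_tagged(entries, sender, rule_score, authenticated=True):
    return final_score(entries, sender, rule_score, authenticated) >= REQUIRED_SCORE

def audit(cf_text):
    """Blanket whitelist_auth entries (wildcard local part) worth reviewing."""
    return [pat for d, pat in parse_entries(cf_text)
            if d == "whitelist_auth" and pat.startswith("*@")]

def soften(cf_text):
    """Rewrite blanket whitelist_auth lines to def_whitelist_auth."""
    out = []
    for line in cf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "whitelist_auth" and parts[1].startswith("*@"):
            line = "def_" + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n"
```

With the constructed inputs, a message that anti-phish rules score at 14.0 ends at -86.0 under `whitelist_auth` but at 6.5 under `def_whitelist_auth`, so only the latter leaves it in the spam-tagged range.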
