On 02/20/2018 04:08 PM, David Jones wrote:
On 02/20/2018 03:48 PM, David Jones wrote:
On 02/20/2018 12:57 PM, Kevin A. McGrail wrote:
On 2/20/2018 1:53 PM, David Jones wrote:
Over the years I have noticed junk/spam email coming from these
servers so I created this rule:
header ENA_RCVD_NOTRUST Received =~ /\.(secureserver\.net|web-hosting\.com|websitewelcome\.com|inmotionhosting\.com|unifiedlayer\.com|ezhostingserver\.com|siteprotect\.com|internetbilisim\.net|privateemail\.com|registrar-servers\.com|emailsrvr\.com|registeredsite\.com) \[/
Well just spot checking, you've identified some of the largest ISPs
on the planet. Secure Server is Wild West/Godaddy WebsiteWelcome is
HostGator, etc.
I knew they were major ISPs but spam still comes out of their servers
at a higher rate than the occasional compromised account or bad
customer of a good ESP (Exact Target, Mail Chimp, EMMA, etc).
I don't think they are going to be indicative of spam or ham and I
would individually blacklist domains and contact their abuse.
I was doing that but always behind the whack-a-mole game. I wanted to
do the opposite and set a level playing field from a whitelist
perspective for those servers by offsetting the whitelist negative
scores to get them back to around zero and let Bayes plus other
content-based rules determine the allow or block.
It doesn't seem like a good idea for whitelists to list these senders
just because most of the email is ham. If a small percentage is spam,
then how do we report that back to Hostkarma and dnswl.org? I can
report it to SpamCop but that doesn't make its way to the other
whitelists.
SPF record for websitewelcome.com that Hostgator recommends to their
customers:
v=spf1 include:spf.websitewelcome.com include:spf1.websitewelcome.com
include:_spf.google.com
That is ridiculous!!! It requires 8 DNS queries and shouldn't include
Google's servers.
I just received this perfect example where BAYES_80, DCC, and
UNWANTED_LANGUAGE_BODY were the primary hits that blocked this. I see
some with many whitelists that would normally bring it below the block
threshold but now I have meta rules with ENA_RCVD_NOTRUST to add back
points with local *_OFFSET rules.
https://pastebin.com/mjvB0MKg (scored 10.96)
Score Matching Rule Description
3.20 BAYES_80 Bayesian analysis determined this message has a 80%-95% chance of being spam.
3.20 DCC_CHECK Spam check using a checksum comparison with other mail servers on the Internet.
0.10 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.10 DKIM_VALID Message has at least one valid DKIM or DK signature
0.01 DMARC_NONE
0.20 ENA_NOT_DKIM_VALID_AU
1.20 ENA_RCVD_NOTRUST Received from servers not trusted
1.20 ENA_RCVD_NOTRUST_MSPIKE_H2_OFFSET
0.25 HEADER_FROM_DIFFERENT_DOMAINS
0.00 HTML_MESSAGE HTML emails can be used to hide or obscure spam.
0.50 JMQ_SPF_NEUTRAL_ALL
-0.20 RCVD_IN_DNSWL_NONE Sender listed at http://www.dnswl.org/, no trust
-1.20 RCVD_IN_MSPIKE_H2 Average reputation (+2)
-0.20 RCVD_IN_SENDERSCORE_80_89
-0.00 SPF_PASS SPF: sender matches SPF record
2.80 UNWANTED_LANGUAGE_BODY Message written in an undesired language
--
David Jones
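To put a number on the SPF complaint above, here is an added example (not from the thread or from any of the projects mentioned) that counts the DNS-lookup-costing terms in an SPF record, following include: and redirect= recursively, against the RFC 7208 limit of 10 lookups per check. DNS is replaced by an in-memory dict: only the websitewelcome.com record is the one quoted in the thread; the records for the domains it includes are constructed placeholders, so the resulting count reflects those placeholders rather than the real zone.

```python
"""Count the DNS lookups an SPF evaluation needs (RFC 7208 section 4.6.4
limits include/a/mx/ptr/exists/redirect to 10 per check). Constructed
example: a dict stands in for DNS TXT answers."""
import re

# Terms that each cost one DNS lookup under RFC 7208; ip4/ip6/all are free.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Stand-in for DNS. The websitewelcome.com record is the one quoted in the
# thread; every other record here is an invented placeholder (assumption).
FAKE_DNS = {
    "websitewelcome.com":
        "v=spf1 include:spf.websitewelcome.com include:spf1.websitewelcome.com "
        "include:_spf.google.com",
    "spf.websitewelcome.com": "v=spf1 ip4:192.0.2.0/24 a mx ~all",
    "spf1.websitewelcome.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com -all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

# name, optional ":arg" or "=arg", optional "/prefix-length"
_TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?$", re.I)


def parse_terms(record):
    """Split an SPF record into (name, argument) pairs, dropping qualifiers."""
    terms = []
    for token in record.split()[1:]:      # skip the "v=spf1" version tag
        token = token.lstrip("+-~?")      # qualifier never affects lookup cost
        m = _TERM_RE.match(token)
        if m:
            terms.append((m.group(1).lower(), m.group(2)))
    return terms


def count_lookups(domain, resolver=FAKE_DNS, seen=None):
    """Total DNS lookups needed to evaluate `domain`'s SPF record, following
    include: and redirect= recursively. A domain reached twice is counted
    once, so include loops terminate."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    record = resolver.get(domain)
    if record is None:
        return 0
    total = 0
    for name, arg in parse_terms(record):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, resolver, seen)
    return total


def over_limit(domain, resolver=FAKE_DNS, limit=10):
    """True when evaluating the record would exceed the RFC 7208 lookup cap."""
    return count_lookups(domain, resolver) > limit


if __name__ == "__main__":
    for d in FAKE_DNS:
        print(f"{d}: {count_lookups(d)} lookups, over limit: {over_limit(d)}")
```

Swap FAKE_DNS for a real TXT resolver (e.g. dnspython) to audit a live domain; a record that hovers near the cap will intermittently return permerror at receivers, which is why a bloated include chain is a deliverability problem for the sender as well as a cost for everyone evaluating it.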