On 02.10.18 09:36, Rob McEwen wrote:
A client of mine wasn't getting my own hand-typed messages. Unfortunately, they had their SA set to block on a score of 3 (which is aggressive), and this particular rule hit plus a tiny bit of other things put it above 3. But what is weird is that it was hitting on hand-typed messages from me that I sent directly from my latest version of Thunderbird. So this was NOT "forged" at all! (Also, I suspect that the bayes hit was due to previous such messages from me getting blocked and feeding his bayes?)

Any suggestions? Could my client be using a very old version of SA - where this is fixed already? (they are using SA from Kerio).

Here are the headers:

X-Kerio-Anti-Spam:  Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: [Enabled, t: (0.000012,0.017258)], BW: [Enabled, t: (0.000013)], RTDA: [Enabled, t: (0.052863), Hit: No, Details: v2.7.15; Id: 15.1i65djr.1conscun2.ocr1k], total: 0(700)
X-Spam-Status: Yes, hits=3.8 required=3.0
tests=KERIO_ANTI_SPAM: -0.000, AWL: -0.000, BAYES_50: 1.567,
FORGED_MUA_MOZILLA: 2.309, HTML_MESSAGE: 0.001, URIBL_BLOCKED: 0.001,
TOTAL_SCORE: 3.878,autolearn=no

Suggestions?

can you post the headers?
or at least the Message-Id?

meta    FORGED_MUA_MOZILLA              (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)
header  __MOZILLA_MUA                   User-Agent =~ /^mozilla\b/i
header  __MOZILLA_MSGID                 MESSAGEID =~ /^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})\@\S+>$/m
meta    __UNUSABLE_MSGID                (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)
header  __HOTMAIL_BAYDAV_MSGID          MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header  __IPLANET_MESSAGING_SERVER      Received =~ /iPlanet Messaging Server/
header  __LYRIS_EZLM_REMAILER           List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/
header  __SYMPATICO_MSGID               MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m
header  __WACKY_SENDMAIL_VERSION        Received =~ /\/CWT\/DCE\)/


SIDE NOTE: I don't think there was any domain in my message that was blacklisted on URIBL - so I can't explain the "URIBL_BLOCKED", but that only scored 0.001, so that was innocuous. I suspect that that rule is malfunctioning on their end, and then they changed the score to .001 - so just please ignore that for the purpose of this discussion.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.
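
Added example, not part of the original thread and not SpamAssassin's own code: a Python re-implementation of the rule definitions quoted above, run over constructed messages to show which sub-rule decides the FORGED_MUA_MOZILLA verdict. The names evaluate, sample and SAMPLES are hypothetical, and __GATED_THROUGH_RCVD_REMOVER is left out because its definition is not shown in the message.

```python
import re
from email import message_from_string

# Patterns copied from the rule definitions quoted in the message above.
MOZILLA_MUA = re.compile(r'^mozilla\b', re.I)
MOZILLA_MSGID = re.compile(
    r'^<(?:[a-f\d]{8}-(?:[a-f\d]{4}-){3}[a-f\d]{12}'
    r'|[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7})@\S+>$', re.M)
UNUSABLE_MSGID = [  # the MESSAGEID sub-rules of __UNUSABLE_MSGID
    re.compile(r'^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}@phx\.gbl>$', re.M),
    re.compile(r'^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}@CEZ\.ICE>$', re.M),
]
UNUSABLE_RCVD = [re.compile(r'iPlanet Messaging Server'),
                 re.compile(r'/CWT/DCE\)')]
LYRIS_EZLM = re.compile(r'<mailto:(?:leave-\S+|\S+-unsubscribe)@\S+>$')

def evaluate(raw):
    """Return each sub-rule result plus the FORGED_MUA_MOZILLA verdict."""
    msg = message_from_string(raw)
    # Assumption: MESSAGEID is every Message-Id-like header, newline-joined,
    # which is why the quoted patterns carry the /m flag.
    ids = [msg.get(h) for h in ('Message-Id', 'Resent-Message-Id', 'X-Message-Id')]
    msgid = '\n'.join(i.strip() for i in ids if i)
    rcvd = msg.get_all('Received', [])
    unusable = (any(p.search(msgid) for p in UNUSABLE_MSGID)
                or any(p.search(r) for p in UNUSABLE_RCVD for r in rcvd)
                or bool(LYRIS_EZLM.search(msg.get('List-Unsubscribe', ''))))
    mua = bool(MOZILLA_MUA.search(msg.get('User-Agent', '')))
    moz_id = bool(MOZILLA_MSGID.search(msgid))
    return {'__MOZILLA_MUA': mua, '__MOZILLA_MSGID': moz_id,
            '__UNUSABLE_MSGID': unusable,
            'FORGED_MUA_MOZILLA': mua and not unusable and not moz_id}

def sample(msgid, extra=''):
    """Build a constructed message; none of these values come from the thread."""
    return (extra + 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) '
            'Gecko/20100101 Thunderbird/60.0\n'
            'Message-ID: ' + msgid + '\nSubject: test\n\nbody\n')

SAMPLES = {
    'uuid_id': sample('<0f8fad5b-d9cb-469f-a165-70867728950e@example.com>'),
    'classic_id': sample('<5BB31F2A.4050607@example.com>'),
    'rewritten_id': sample('<20181002073600.12345@relay.example.net>'),
    'rewritten_iplanet': sample('<20181002073600.12345@relay.example.net>',
        'Received: from a by b (iPlanet Messaging Server 5.2)\n'),
}

if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

Feeding the blocked message's real User-Agent and Message-Id headers through evaluate shows whether the hit comes from a Message-Id that does not match either Mozilla format, which is why the reply asks for those headers.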
