On 4/17/19 4:16 PM, jandev wrote:
> Hi all
> 
> Yesterday our mail server received unwanted email from simpliv.com. It was
> validly DKIM-signed for mail.simpliv.com.
> Even though the sender IP was listed at Sorbs, the email even passed the Bayesian
> filter:
>   
> 
> Surprisingly, the IP/domain is part of an SA-shipped whitelist: rule
> USER_IN_DEF_SPF_WL gave it -7.5!
> 
> simpliv.com sent the spam to an email address which was used solely for
> registering an account with slack.com. It seems that simpliv.com
> bought/stole/harvested email addresses in shady ways and uses the email
> database to send spam advertising its courses.
> 
> /var/lib/spamassassin/3.004002/updates_spamassassin_org/60_whitelist_auth.cf,
> where simpliv.com is added, says: "These senders should be considered
> trusted following proper opt-in and opt-out practices,..."
> 
> There was no proper opt-in; even Sorbs lists them now, probably because they
> hit a honeypot. Hence I request that simpliv.com be removed from this
> whitelist.
> Otherwise, having spammers in this SA-shipped whitelist makes the list
> useless.
> 

Please post a lightly redacted version on pastebin.com so I can see what 
went wrong.  It seems odd to hit USER_IN_DEF_SPF_WL when it was DKIM 
signed for mail.simpliv.com.  The envelope-from domain would have been 
mail.simpliv.com and I can't find that in my database going back 6+ months.

The def_whitelist_auth entries are only supposed to hit when SPF_PASS or 
DKIM_VALID_AU are hit.  I need to see the original headers to learn what 
happened and possibly adjust the logic in the determination of 
trustworthy senders.

I have no problem with removing this entry if this sender is no longer 
trustworthy. They were at the time it was added but things do change 
over time.  This would be the second entry in a couple of years to be 
removed out of the hundreds of entries.

P.S. blacklist_from entries should override any whitelist_* entry, if I 
remember correctly.

-- 
David Jones
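The whitelist logic discussed in this thread, as an added example that is not SpamAssassin's own code: a simplified Python model in which a def_whitelist_auth entry only counts when SPF_PASS matches the envelope-from or DKIM_VALID_AU matches the From: domain, and a local blacklist_from entry overrides it. The entry pattern `*@simpliv.com`, the `USER_IN_DEF_DKIM_WL` and `USER_IN_BLACKLIST` scores, the `whitelist_hits` function and the local blacklist patterns are assumptions for illustration.

```python
import fnmatch

# Simplified model of the rules in the thread (not SpamAssassin's implementation).
DEF_WHITELIST_AUTH = ["*@simpliv.com"]  # assumed form of the shipped entry
BLACKLIST_FROM = ["*@simpliv.com", "*@*.simpliv.com"]  # hypothetical local.cf override
SCORES = {
    "USER_IN_DEF_SPF_WL": -7.5,   # score quoted in the thread
    "USER_IN_DEF_DKIM_WL": -7.5,  # assumed equal to the SPF variant
    "USER_IN_BLACKLIST": 100.0,   # assumed default score, swamps the whitelist
}


def _matches(addr, patterns):
    """Case-insensitive glob match in the style of SpamAssassin address lists."""
    return any(fnmatch.fnmatchcase(addr.lower(), p.lower()) for p in patterns)


def whitelist_hits(envelope_from, header_from, spf_pass, dkim_valid_au, blacklist=()):
    """Return (rules fired, summed score) for one message under this model."""
    hits = set()
    # The shipped entry needs an authenticated identity, not just a From: header.
    if spf_pass and _matches(envelope_from, DEF_WHITELIST_AUTH):
        hits.add("USER_IN_DEF_SPF_WL")
    if dkim_valid_au and _matches(header_from, DEF_WHITELIST_AUTH):
        hits.add("USER_IN_DEF_DKIM_WL")
    # A local blacklist_from entry adds a large positive score on top.
    if _matches(header_from, blacklist):
        hits.add("USER_IN_BLACKLIST")
    return hits, sum(SCORES[r] for r in hits)


if __name__ == "__main__":
    # Constructed cases. The first mirrors the thread: signed and sent from
    # mail.simpliv.com, which an entry of the form *@simpliv.com does not match,
    # so the reported USER_IN_DEF_SPF_WL hit cannot be explained without headers.
    cases = [
        ("news@mail.simpliv.com", "news@mail.simpliv.com", True, True, ()),
        ("news@simpliv.com", "news@simpliv.com", True, False, ()),
        ("news@simpliv.com", "news@simpliv.com", True, False, BLACKLIST_FROM),
    ]
    for case in cases:
        print(case[:4], "->", whitelist_hits(*case))
```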