On 2024-04-24 at 12:27:01 UTC-0400 (Wed, 24 Apr 2024 18:27:01 +0200) Benny Pedersen <m...@junc.eu> is rumored to have said:
>> For example, it matches on
>> * 3.1 URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure
>> infra, possible phishing
>
> this is not in spamassassin core rules

Yes, it is:

updates_spamassassin_org # grep -n '[^A-Z]* URI_IMG_CWINDOWSNET' *
72_active.cf:5635:##{ URI_IMG_CWINDOWSNET
72_active.cf:5637:meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU
72_active.cf:5638:#score URI_IMG_CWINDOWSNET 3.500 # limit
72_active.cf:5639:describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing
72_active.cf:5640:tflags URI_IMG_CWINDOWSNET publish
72_active.cf:5641:##} URI_IMG_CWINDOWSNET
72_scores.cf:408:score URI_IMG_CWINDOWSNET 3.136 3.060 3.136 3.060

It is being drawn in from John Hardin's sandbox, where he committed the rule on 2024-01-21 in r1915356

>> * 2.6 HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or
>> hosting
>> * site, message direct-to-mx
>
> also not in default rule sets

Also NOT TRUE. That one is in the same sandbox source and was last tweaked in r1915433 on 2024-01-28

>> It also matches on ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE. Should metas
>> be created to avoid adding the above scores?
>>
>> What more can be done to improve deliverability of these messages?
>> Perhaps this is something postfix can identify and bypass scanning?
>
> it matches bounces since its a bounce, alt that is seen as a results of
> forwarding emails

More helpfully, it is possible to exempt bounces from filtering by SpamAssassin, a trick that is accomplished by whatever mechanism you use to 'glue' SA and your MTA (postfix, I assume...) not by SA itself. In the case of postfix, there are about a half-dozen mechanisms one can use so I can't say for sure. However, in general, if you are using a milter interface you must do the discrimination in the milter, while other glue mechanisms can provide selective filtering in postfix (at the cost of doing it within postfix.)

A message which matches BOUNCE_MESSAGE (and hence also ANY_BOUNCE_MESSAGE) is fairly unlikely to be spam, but we have pegged the scores for all the *BOUNCE_MESSAGE rules at 0.1 just to make sure that they are always published and visible as control points that can be used by sites that have a particular need to accept (or shun) some or all bounces.

--
Bill Cole