On 2024-04-24 at 12:27:01 UTC-0400 (Wed, 24 Apr 2024 18:27:01 +0200)
Benny Pedersen <m...@junc.eu>
is rumored to have said:

>> For example, it matches on
>> *  3.1 URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure
>> infra, possible phishing
>
> this is not in spamassassin core rules

Yes, it is:

        updates_spamassassin_org # grep -n '[^A-Z]* URI_IMG_CWINDOWSNET' *
        72_active.cf:5635:##{ URI_IMG_CWINDOWSNET
        72_active.cf:5637:meta       URI_IMG_CWINDOWSNET         __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU
        72_active.cf:5638:#score      URI_IMG_CWINDOWSNET         3.500 # limit
        72_active.cf:5639:describe   URI_IMG_CWINDOWSNET         Non-MSFT image hosted by Microsoft Azure infra, possible phishing
        72_active.cf:5640:tflags     URI_IMG_CWINDOWSNET         publish
        72_active.cf:5641:##} URI_IMG_CWINDOWSNET
        72_scores.cf:408:score URI_IMG_CWINDOWSNET                   3.136 3.060 3.136 3.060

It is being drawn in from John Hardin's sandbox, where he committed the rule on 
2024-01-21 in r1915356.

>>  *  2.6 HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or
>> hosting
>>  *      site, message direct-to-mx
>
> also not in default rule sets

Also NOT TRUE. That one is in the same sandbox source and was last tweaked in 
r1915433 on 2024-01-28.

>> It also matches on ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE. Should metas
>> be created to avoid adding the above scores?
>>
>> What more can be done to improve deliverability of these messages?
>> Perhaps this is something postfix can identify and bypass scanning?
>
> it matches bounces since it's a bounce, alt that is seen as a result of 
> forwarding emails

More helpfully, it is possible to exempt bounces from filtering by 
SpamAssassin, a trick that is accomplished by whatever mechanism you use to 
'glue' SA and your MTA (postfix, I assume...) not by SA itself. In the case of 
postfix, there are about a half-dozen mechanisms one can use so I can't say for 
sure. However, in general, if you are using a milter interface you must do the 
discrimination in the milter, while other glue mechanisms can provide selective 
filtering in postfix (at the cost of doing it within postfix.)

A message which matches BOUNCE_MESSAGE (and hence also ANY_BOUNCE_MESSAGE) is 
fairly unlikely to be spam, but we have pegged the scores for all the 
*BOUNCE_MESSAGE rules at 0.1 just to make sure that they are always published 
and visible as control points that can be used by sites that have a particular 
need to accept (or shun) some or all bounces.

-- 
Bill Cole
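
One way a site could use the *BOUNCE_MESSAGE control points described above, as an added example that is not from this thread or from the SpamAssassin rule set: compensating metas in a site-local config file such as local.cf. The LOCAL_* rule names and the negative score values are assumptions, sized from the 3.1 and 2.6 hits quoted in the report above.

```conf
# Site-local rules (added example; LOCAL_* names and scores are assumptions).
#
# BOUNCE_MESSAGE is published at 0.1 so that it always runs and can be
# referenced from metas like these. A rule scored 0 is not evaluated,
# so a meta depending on it would never fire.

# Cancel the URI_IMG_CWINDOWSNET hit only when the message is also
# recognised as an MTA bounce.
meta      LOCAL_BOUNCE_CWINDOWSNET   (BOUNCE_MESSAGE && URI_IMG_CWINDOWSNET)
describe  LOCAL_BOUNCE_CWINDOWSNET   Bounce carrying an Azure-hosted image URI
score     LOCAL_BOUNCE_CWINDOWSNET   -3.0
tflags    LOCAL_BOUNCE_CWINDOWSNET   nice

# Same treatment for HOSTED_IMG_DIRECT_MX.
meta      LOCAL_BOUNCE_HOSTED_IMG    (BOUNCE_MESSAGE && HOSTED_IMG_DIRECT_MX)
describe  LOCAL_BOUNCE_HOSTED_IMG    Bounce carrying a CDN-hosted image, direct-to-MX
score     LOCAL_BOUNCE_HOSTED_IMG    -2.5
tflags    LOCAL_BOUNCE_HOSTED_IMG    nice

# Each offset is kept slightly smaller than the rule it cancels, so a
# message that merely looks like a bounce gains nothing beyond losing
# these two specific hits; every other rule still scores normally.
```

Run `spamassassin --lint` after editing to catch syntax errors before reloading the scanner.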
