Bill Cole wrote on 2024-04-24 19:37:
On 2024-04-24 at 12:27:01 UTC-0400 (Wed, 24 Apr 2024 18:27:01 +0200)
Benny Pedersen <m...@junc.eu>
is rumored to have said:

For example, it matches on
*  3.1 URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure
infra, possible phishing

this is not in spamassassin core rules

Yes, it is:

        updates_spamassassin_org # grep -n '[^A-Z]* URI_IMG_CWINDOWSNET' *
        72_active.cf:5635:##{ URI_IMG_CWINDOWSNET
        72_active.cf:5637:meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU
        72_active.cf:5638:#score URI_IMG_CWINDOWSNET 3.500 # limit
        72_active.cf:5639:describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing
        72_active.cf:5640:tflags     URI_IMG_CWINDOWSNET         publish

it is publish, so waste of config in public :)

        72_active.cf:5641:##} URI_IMG_CWINDOWSNET
        72_scores.cf:408:score URI_IMG_CWINDOWSNET 3.136 3.060 3.136 3.060

It is being drawn in from John Hardin's sandbox, where he committed the rule on 2024-01-21 in r1915356

i know this, so if it's a stable rule in core rules i can turn off getting it from trunk

 *  2.6 HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or
hosting
 *      site, message direct-to-mx

also not in default rule sets

Also NOT TRUE. That one is in the same sandbox source and was last tweaked in r1915433 on 2024-01-28

i do not always check changelogs on core rulesets, sorry for that

It also matches on ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE. Should metas
be created to avoid adding the above scores?

What more can be done to improve deliverability of these messages?
Perhaps this is something postfix can identify and bypass scanning?

it matches bounces since it's a bounce, alt that is seen as a result of forwarding emails

More helpfully, it is possible to exempt bounces from filtering by SpamAssassin, a trick that is accomplished by whatever mechanism you use to 'glue' SA and your MTA (postfix, I assume...) not by SA itself. In the case of postfix, there are about a half-dozen mechanisms one can use so I can't say for sure. However, in general, if you are using a milter interface you must do the discrimination in the milter, while other glue mechanisms can provide selective filtering in postfix (at the cost of doing it within postfix.)

yes, vbounce should handle this to only make noise on local bounces, and since spamassassin does not reject we all have to see external bounces as well

A message which matches BOUNCE_MESSAGE (and hence also ANY_BOUNCE_MESSAGE) is fairly unlikely to be spam, but we have pegged the scores for all the *BOUNCE_MESSAGE rules at 0.1 just to make sure that they are always published and visible as control points that can be used by sites that have a particular need to accept (or shun) some or all bounces.

i have disabled this plugin, if that matters

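One way to do the bounce discrimination in the glue layer, as discussed in the thread above. This is an added example, not code from the thread, SpamAssassin or postfix. The names `is_dsn_bounce` and `should_scan` are hypothetical, and treating "null envelope sender plus RFC 3464 `multipart/report` structure" as the definition of a bounce is an assumption.

```python
from email import message_from_bytes

def is_dsn_bounce(envelope_sender: str, raw: bytes) -> bool:
    """True only for a null-sender message structured as an RFC 3464 DSN."""
    # Bounces use the null reverse-path; anything else is ordinary mail.
    if envelope_sender.strip() not in ("", "<>"):
        return False
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/report":
        return False
    report_type = msg.get_param("report-type")
    if not isinstance(report_type, str) or report_type.lower() != "delivery-status":
        return False
    parts = msg.get_payload() if msg.is_multipart() else []
    # The machine-readable status block is the second MIME part of a DSN.
    return len(parts) >= 2 and parts[1].get_content_type() == "message/delivery-status"

def should_scan(envelope_sender: str, raw: bytes) -> bool:
    """Glue-side decision: skip SpamAssassin only for well-formed DSNs.
    The structure can be forged, so this narrows the bypass; it does not
    authenticate the bounce."""
    return not is_dsn_bounce(envelope_sender, raw)

# Constructed sample messages (not taken from the thread).
SAMPLE_DSN = (
    b"From: MAILER-DAEMON@mx.example.net\n"
    b"Subject: Undelivered Mail Returned to Sender\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    b"\n--b1\n"
    b"Content-Type: text/plain\n\n"
    b"Delivery failed.\n"
    b"--b1\n"
    b"Content-Type: message/delivery-status\n\n"
    b"Reporting-MTA: dns; mx.example.net\n\n"
    b"Final-Recipient: rfc822; nobody@example.com\n"
    b"Action: failed\n"
    b"Status: 5.1.1\n"
    b"--b1--\n"
)
# Same Subject and From as a bounce, but not a DSN: must still be scanned.
SAMPLE_LOOKALIKE = (
    b"From: MAILER-DAEMON@mx.example.net\n"
    b"Subject: Undelivered Mail Returned to Sender\n"
    b"Content-Type: text/html\n\n"
    b"<p>Your message could not be delivered.</p>\n"
)
```

The check keys on the envelope sender and MIME structure rather than the Subject or From header, so a message that merely looks like a bounce is still passed to the filter.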