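An inbound spam was caught by SpamAssassin, flagged with

    BAYES_50=0.8 DCC_CHECK=1.1 DIGEST_MULTIPLE=0.293 HTML_MESSAGE=0.001
    MIME_HTML_MOSTLY=0.428 MISSING_HEADERS=1.021 PYZOR_CHECK=2.5
    REPLYTO_WITHOUT_TO_CC=1.552

To get to SA, it snuck by my DNSBLs, and passed SPF/DKIM/DMARC tests:

    Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f;
        dmarc=none header.from=gmail.com
    Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
        dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
        header.i=@yahoo.com header.b=UFAXzzUL
    Authentication-Results: spf.mail.example.com; spf=softfail
        (domain owner discourages use of this host) smtp.mailfrom=gmail.com
        (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
        envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)

(TBH, I'm not exactly clear on how/why a msg this fake gets by all 3; need to take a closer look at that!)

But, not being caught is NOT my current question.

Instead, I'd like to know which specific test I can use to hit/score the 'freemail' whack-a-mole.

For example, this particular email is

    Sent via 'freemail' @ YAHOO
    From     'freemail' @GMAIL
    ReplyTo  'freemail' @HOTMAIL

Here are some of the headers

    Received: from nm12-vm1.bullet.mail.ir2.yahoo.com (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
        by mail.example.com (Postfix) with ESMTPS
        for <u...@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
    ...
    From: Dion Joelle <mrs.djoe...@gmail.com>
    Reply-To: Dion Joelle <mrs.dion...@hotmail.com>
    Message-ID: <#####.javamail.ya...@mail.yahoo.com>

What I don't see there are any of the FREEMAIL hits.

Obviously, the fake freemail 'trifecta' (gmail/hotmail/yahoo) is an easy signature to hit on.

I just need some guidance as to what test I need to use/configure/enable to hit/score on this pattern/behavior?

Jason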
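The three-way freemail mismatch described in the post (relay, From and Reply-To each at a different provider) can be checked outside the filter as a stand-alone Python script. This is an added example, not part of the original post and not a SpamAssassin rule; the provider list, the function names and the sample headers (modelled on the ones quoted above, with made-up addresses) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative list of freemail providers, not a complete one.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed sample modelled on the headers quoted in the post; addresses are made up.
SAMPLE = """\
Received: from relay1.mail.yahoo.com (relay1.mail.yahoo.com [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTPS for <user@example.com>;
\tFri, 24 Jun 2016 08:26:08 -0400 (EDT)
From: Some Sender <sender.a@gmail.com>
Reply-To: Some Sender <sender.b@hotmail.com>
Message-ID: <12345.javamail@mail.yahoo.com>

body
"""

def freemail_domain(host):
    """Return the freemail provider that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for dom in FREEMAIL:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def freemail_roles(raw):
    """Map each role (relay, from, replyto) to the freemail provider seen in it."""
    msg = message_from_string(raw)
    # The topmost Received header is the one our own MTA added; take its rDNS name.
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[", msg.get("Received", ""))
    hosts = {
        "relay": m.group(1) if m else "",
        "from": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
        "replyto": parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2],
    }
    found = {role: freemail_domain(h) for role, h in hosts.items()}
    return {role: dom for role, dom in found.items() if dom}

def freemail_mismatch(raw):
    """True when From and Reply-To are both freemail but at different providers."""
    roles = freemail_roles(raw)
    return "from" in roles and "replyto" in roles and roles["from"] != roles["replyto"]

if __name__ == "__main__":
    print(freemail_roles(SAMPLE), freemail_mismatch(SAMPLE))
```
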
To get to SA, it snuck by my DNSBLS, and passed SPF/DKIM/DMARC tests, Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f; dmarc=none header.from=gmail.com Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f; dkim=pass (2048-bit key; unprotected) header.d=yahoo.com header.i=@yahoo.com header.b=UFAXzzUL Authentication-Results: spf.mail.example.com; spf=softfail (domain owner discourages use of this host) smtp.mailfrom=gmail.com (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com; envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com) (TBH, I'm not exactly clear on how/why a msg this fake gets by all 3; need to take a closer look at that !) But, not being caught is NOT my current question. Instead, I'd like to know which specific test I can use to hit/score the 'freemail' whack-a-mole. For example, this particular email is Sent via 'freemail' @ YAHOO From 'freemail' @GMAIL ReplyTo 'freemail' @HOTMAIL Here are some of the headers Received: from nm12-vm1.bullet.mail.ir2.yahoo.com (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171]) by mail.example.com (Postfix) with ESMTPS for <u...@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT) ... From: Dion Joelle <mrs.djoe...@gmail.com> Reply-To: Dion Joelle <mrs.dion...@hotmail.com> Message-ID: <#####.javamail.ya...@mail.yahoo.com> What I don't see there are any of the FREEMAIL hits. Obviously, the fake freemail 'trifecta' (gmail/hotmail/yahoo) is an easy signature to hit on. I just need some guidance as to what test I need to use/configure/enable to hot/score on this patter/behavior? Jason