An inbound spam was caught by SpamAssassin, flagged with

        BAYES_50=0.8
        DCC_CHECK=1.1
        DIGEST_MULTIPLE=0.293
        HTML_MESSAGE=0.001
        MIME_HTML_MOSTLY=0.428
        MISSING_HEADERS=1.021
        PYZOR_CHECK=2.5
        REPLYTO_WITHOUT_TO_CC=1.552

To get to SA, it snuck by my DNSBLS, and passed SPF/DKIM/DMARC tests,

        Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f;
                dmarc=none header.from=gmail.com

        Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
                dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
                header.i=@yahoo.com header.b=UFAXzzUL

        Authentication-Results: spf.mail.example.com; spf=softfail
                (domain owner discourages use of this host)
                smtp.mailfrom=gmail.com (client-ip=212.82.96.171;
                helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
                envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)

(TBH, I'm not exactly clear on how/why a msg this fake gets by all 3; need to 
take a closer look at that!)

But, not being caught is NOT my current question.

Instead, I'd like to know which specific test I can use to hit/score the 
'freemail' whack-a-mole.

For example, this particular email is

        Sent via 'freemail' @ YAHOO
        From 'freemail' @GMAIL
        ReplyTo 'freemail' @HOTMAIL

Here are some of the headers

        Received: from nm12-vm1.bullet.mail.ir2.yahoo.com
                (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
                by mail.example.com (Postfix) with ESMTPS
                for <u...@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
        ...
        From: Dion Joelle <mrs.djoe...@gmail.com>
        Reply-To: Dion Joelle <mrs.dion...@hotmail.com>
        Message-ID: <#####.javamail.ya...@mail.yahoo.com>

What I don't see there are any of the FREEMAIL hits.

Obviously, the fake freemail 'trifecta' (gmail/hotmail/yahoo) is an easy 
signature to hit on.

I just need some guidance as to what test I need to use/configure/enable to 
hit/score on this pattern/behavior?

Jason
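
The From / Reply-To / relay mismatch described in the post, as an added Python example that is not part of the original message and is not SpamAssassin code: it parses a constructed copy of the headers and reports which freemail conditions hold. The three-domain list, the finding labels and the placeholder addresses are assumptions, and the Received parsing assumes the Postfix format shown in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed short list for illustration; a real filter uses a maintained freemail list.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed sample modelled on the post's headers (addresses are placeholders).
SAMPLE = """\
Received: from nm12-vm1.bullet.mail.ir2.yahoo.com (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
\tby mail.example.com (Postfix) with ESMTPS
\tfor <user@example.com>; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
From: Sender Name <sender@gmail.com>
Reply-To: Sender Name <sender@hotmail.com>
Subject: constructed sample

body
"""

def addr_domain(value):
    """Return the lowercased domain of an address header, or None."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def relay_freemail(received):
    """Map the reverse-DNS name in 'from HELO (rdns [ip])' to a freemail domain."""
    m = re.search(r"\(([^\s()]+)\s+\[", received or "")
    host = m.group(1).lower().rstrip(".") if m else ""
    for dom in FREEMAIL:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def freemail_findings(raw):
    """Report freemail conditions; the labels are hypothetical, not SA rule names."""
    msg = message_from_string(raw)
    frm = addr_domain(msg.get("From"))
    rto = addr_domain(msg.get("Reply-To"))
    relay = relay_freemail(msg.get("Received"))  # topmost header, added by our MTA
    hits = []
    if frm in FREEMAIL:
        hits.append("FROM_FREEMAIL")
    if rto in FREEMAIL:
        hits.append("REPLYTO_FREEMAIL")
    if frm in FREEMAIL and rto in FREEMAIL and frm != rto:
        hits.append("FREEMAIL_FROM_REPLYTO_DIFFER")
    if relay and frm in FREEMAIL and relay != frm:
        hits.append("FREEMAIL_RELAY_NOT_FROM_PROVIDER")
    return {"from": frm, "reply_to": rto, "relay": relay, "hits": hits}
```

Only the topmost Received header is read because it is the one written by the receiving server; earlier ones are supplied by the sender.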
