>From: @lbutlr <krem...@kreme.com> >Sent: Monday, March 6, 2017 5:24 AM >To: users@spamassassin.apache.org >Subject: Re: New whitelisting trick using from and spf >On 2017-03-05 (18:59 MST), David Jones <djo...@ena.com> wrote: >> >> whitelist_auth does this against SPF_PASS and DKIM_VALID_AU
>I tired to do something along these lines at some point in the past by >adding some lines to my local.cf like these: >blacklist_from *@amazon.com >whitelist_auth *@amazon.com >blacklist_from *@paypal.com >whitelist_auth *@paypal.com >It didn’t have the desired effect and simply blacklisted all PayPal mail. >While *I* was ok with blacklisting PayPal, others not so much... Spam/phishing emails pretending to be from Paypal won't have an envelope-from of *@paypal.com which is why you didn't get the desired effect. You rarely use the blacklist_from only when there is very dumb senders that you want to block. A multi-level approach will give you the results you expect: Level 1: RBLs, other DNS checks, postscreen, greylisting, etc. Level 2: SA bayes, ClamAV w extra sigs, meta rules, RBL scores, etc. Level 1 above is very low resource and fast. Level 2 is more resource intensive. By safelisting with whitelist_auth entries for trusted senders, you can turn up the sensitivity (increase scores) a bit more. Level 1 will knock down the majority of junk before SA sees it. For this reason, you have to whitelist certain sending IPs from Level 1 using postwhite so they get to Level 2. Dave