Hi,

I believe the MISSING_MIMEOLE rule may be broken due to a possible
change in how yahoo.com mail is being sent. Is it possible it just
no longer uses the X-MimeOLE header?

I have a legitimate yahoo.com email with an empty body and a PDF
attachment that hits MISSING_MIMEOLE.

https://pastebin.com/r28UCEdj

I also have a few questions about other rules that hit this email as
well as some other rules I've come across today that I don't
understand. Most of the questions relate to scoring appearing to be
very high for the single rule.

 *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)

This rule hits messages with an empty body. We receive a lot of mail
with invoices, PDF and other attachments with an empty body. Doesn't
1.4 points seem a little high just because there is nothing in the
body?

 *  3.3 MSGID_NOFQDN1 Message-ID with no domain name

We also receive a lot of email from machine-generated systems that
don't follow all the rules. Doesn't this also seem high?

 *  2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

This one appears to happen on very simple messages. People send
legitimate emails with just "Dear customer, Please find attached a
copy of your invoice." and an attachment. As likely a spam
indicator as it is, it also sends our legitimate messages to the
quarantine.

 *  1.5 SUBJ_ALL_CAPS Subject is all capitals

This is another that we see frequently with short subjects with just a
few capital letters and a date in legitimate email. As I've spent my
weekend going through the quarantine, I've noticed a significant
amount of legitimate mail being tagged with these rules.

 *  1.8 MG_YAHOO_FS Yahoo message-ID, not From: yahoo or associates

This one was tagged because it wasn't From a yahoo.com address, but it
was routed and received by a yahoo system:

Received: from sonic303-28.consmr.mail.ne1.yahoo.com
(sonic303-28.consmr.mail.ne1.yahoo.com [66.163.188.154])
        by mail03.example.com (Postfix) with ESMTP id 05169209EDFE
        for <33...@example.com>; Wed, 26 Apr 2017 12:17:31 -0400 (EDT)
From: sudha t <su...@tourslimited.com>
Reply-To: sudha t <sudha.to...@yahoo.com>
Message-ID: <1041548987.1331826.1493222771...@mail.yahoo.com>

That is a legitimate use of the yahoo service.

I realize these scores could all be changed locally, but I'm just
wondering whether these rules need more general scrutiny. I also realize
there was probably a good reason for setting these scores, but I don't
want to just go changing scores when it could have an adverse impact
by allowing spam through. They just seem excessive to my eye, and I was
looking for input.

Thanks for any ideas.
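Editor's added example (not part of the original post, and not SpamAssassin's own rule code): a small Python script that approximates the four header-based checks discussed above so you can see, on a constructed message modelled on the quoted headers, why each one fires. The conditions are simplified re-implementations written for this thread; the real regexes and thresholds live in the installed rule files (20_head_tests.cf and friends), and you should read those before adjusting scores. In particular, my understanding of MISSING_MIMEOLE (stated here as an assumption) is that it is a meta rule that fires when X-MSMail-Priority is present but X-MimeOLE is absent, so it is the Outlook-style priority header, not anything Yahoo-specific, that makes the check apply. The minimum subject length of 10 characters and the list of "Yahoo associate" domains are also assumptions. All addresses and the Subject line are made up; the pastebin message itself is not reproduced.

```python
"""Simplified local approximations of a few SpamAssassin header checks.

Added example for the thread above; these are NOT the project's rule
definitions. Thresholds and domain lists marked below are assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post. The
# addresses and Subject are made up; the Received line mirrors the post.
SAMPLE_YAHOO = """\
Received: from sonic303-28.consmr.mail.ne1.yahoo.com (sonic303-28.consmr.mail.ne1.yahoo.com [66.163.188.154])
        by mail03.example.com (Postfix) with ESMTP id 05169209EDFE
        for <user@example.com>; Wed, 26 Apr 2017 12:17:31 -0400 (EDT)
From: sudha t <sender@tourslimited.example>
Reply-To: sudha t <sender@yahoo.com>
Message-ID: <1041548987.1331826.1493222771@mail.yahoo.com>
Subject: INVOICE 26/04/2017
X-MSMail-Priority: Normal
Content-Type: text/plain; charset=us-ascii

"""

# Constructed sample of a machine-generated notice whose Message-ID has a
# bare hostname (no dots) and whose subject is mixed case.
SAMPLE_MACHINE = """\
From: Billing <billing@example.com>
Message-ID: <20170426121731.1234@billing01>
Subject: Your invoice for April
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-MSMail-Priority: Normal
Content-Type: text/plain; charset=us-ascii

"""


def parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern header policy."""
    return email.message_from_string(raw, policy=policy.default)


def _msgid_domain(msg: EmailMessage):
    """Return the lowercased right-hand side of Message-ID, or None."""
    m = re.search(r"@([^>\s]+)>?\s*$", str(msg.get("Message-ID", "")))
    return m.group(1).lower() if m else None


def _from_domain(msg: EmailMessage):
    """Return the lowercased domain of the From: address, or None."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() or None


def missing_mimeole(msg: EmailMessage) -> bool:
    """Assumed meaning of MISSING_MIMEOLE: X-MSMail-Priority without X-MimeOLE."""
    return "X-MSMail-Priority" in msg and "X-MimeOLE" not in msg


def msgid_nofqdn(msg: EmailMessage) -> bool:
    """Approximates MSGID_NOFQDN1: Message-ID host part contains no dot."""
    dom = _msgid_domain(msg)
    return dom is not None and "." not in dom


def subj_all_caps(msg: EmailMessage) -> bool:
    """Approximates SUBJ_ALL_CAPS: letters present, none lowercase.
    The 10-character minimum is an assumption, not the upstream threshold."""
    subj = str(msg.get("Subject", "")).strip()
    letters = [c for c in subj if c.isalpha()]
    return len(subj) >= 10 and len(letters) >= 3 and all(c.isupper() for c in letters)


def yahoo_msgid_not_from_yahoo(msg: EmailMessage) -> bool:
    """Approximates MG_YAHOO_FS: Yahoo Message-ID but From: domain is not
    Yahoo's. The 'associates' list (ymail, rocketmail) is an assumption."""
    mid = _msgid_domain(msg) or ""
    frm = _from_domain(msg) or ""
    from_is_yahoo = re.search(r"(^|\.)(yahoo|ymail|rocketmail)\.", frm) is not None
    return mid.endswith("yahoo.com") and not from_is_yahoo


CHECKS = {
    "MISSING_MIMEOLE": missing_mimeole,
    "MSGID_NOFQDN1": msgid_nofqdn,
    "SUBJ_ALL_CAPS": subj_all_caps,
    "MG_YAHOO_FS": yahoo_msgid_not_from_yahoo,
}


def evaluate(raw: str) -> dict:
    """Run every approximated check and return {rule_name: fired}."""
    msg = parse(raw)
    return {name: fn(msg) for name, fn in CHECKS.items()}


def hits(raw: str) -> list:
    """Sorted list of rule names that fired on the message."""
    return sorted(name for name, fired in evaluate(raw).items() if fired)


if __name__ == "__main__":
    for label, raw in (("yahoo-relayed", SAMPLE_YAHOO), ("machine-generated", SAMPLE_MACHINE)):
        print(f"{label}: {hits(raw)}")
```

Note that the Yahoo-relayed sample trips MG_YAHOO_FS purely on the From: domain; the Reply-To being a yahoo.com address does not count in this approximation, which matches what the quoted headers show. To see the authoritative verdict rather than this approximation, feed the saved message to `spamassassin -t < message.eml` (or `spamassassin -D` for the per-rule debug trace); once you know which condition is really matching, a local override is a single `score RULE_NAME value` line in local.cf.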
