On 07/13/2017 12:39 PM, Alex wrote:
Hi,

header          RCVD_IN_SENDERSCORE_0_29        eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe        RCVD_IN_SENDERSCORE_0_29        Senderscore.org score of 0 to 29
score           RCVD_IN_SENDERSCORE_0_29        5.2
tflags          RCVD_IN_SENDERSCORE_0_29        net

At least in my environment, this one in particular would catch a ton
of legitimate mail. This also assumes a 6.0 score for you, correct?


Correct.  My block threshold of 6.0 is the default in MailScanner.

The legit email should be SHORTCIRCUIT'd with whitelist_auth entries.

I SHORTCIRCUIT any trustworthy sender with a legit unsubscribe process to put control back in the hands/mouse of the end user. I also SHORTCIRCUIT with whitelist_auth any domains (primarily subdomains) that are system-generated and consistently score very low.

From my own email analysis, the majority of my spam is from FREEMAIL senders and compromised accounts with zero-hour spam campaigns where the mail server is not yet on any RBLs. Botnet controlled devices are another source of spam but they seem to be sending through compromised accounts these days. They will phish a password, sit on it for days or weeks, craft a zero-hour spam campaign to get through most mail filters, then blast as much spam as they can until RBLs and DCC catch up to it in about 30 minutes or so. These compromised accounts from normally trusted mail server IPs are the reason why some SA RBL rules need to go beyond the lastexternal hop.

--
David Jones
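How the quoted check_rbl rule actually decides, as an added example that is not part of this thread or of SpamAssassin: it builds the reversed-IP lookup name under score.senderscore.com., matches the rule's own regex against a constructed 127.0.4.N answer (assuming, as the rule implies, that N is the 0-100 Senderscore), confirms the regex covers exactly scores 0 to 29, and shows how much headroom the 5.2 rule score leaves under the 6.0 block threshold. The sample IPs and answers are constructed; no DNS queries are made.

```python
import ipaddress
import re

# Zone and regex exactly as in the quoted RCVD_IN_SENDERSCORE_0_29 rule.
RBL_ZONE = "score.senderscore.com."
SENDERSCORE_0_29 = re.compile(r"^127\.0\.4\.([1-2]?[0-9])$")

def rbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """DNSBL lookup name: the last-external IP with its octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score_from_answer(answer):
    """Assumption: the 0-100 Senderscore is the last octet of a 127.0.4.N answer."""
    if answer is None:                      # NXDOMAIN: IP not listed, no score
        return None
    m = re.fullmatch(r"127\.0\.4\.(\d{1,3})", answer)
    if not m or int(m.group(1)) > 100:
        return None
    return int(m.group(1))

def regex_band():
    """Scores 0..100 whose answer the rule regex accepts (sanity check of the rule)."""
    return [n for n in range(101) if SENDERSCORE_0_29.match(f"127.0.4.{n}")]

def evaluate(ip, answer, rule_score=5.2, threshold=6.0):
    """Apply the rule to one answer and report headroom left under the block threshold."""
    hit = answer is not None and SENDERSCORE_0_29.match(answer) is not None
    points = rule_score if hit else 0.0
    return {
        "query": rbl_query_name(ip),
        "score": score_from_answer(answer),
        "hit": hit,
        "points": points,
        "headroom": round(threshold - points, 1),
    }

# Constructed answers (no real lookups) keyed by last-external IPs from TEST-NET-1.
SAMPLE_ANSWERS = {
    "192.0.2.10": "127.0.4.7",    # poor reputation: in band, rule fires
    "192.0.2.11": "127.0.4.29",   # top of the 0-29 band, rule fires
    "192.0.2.12": "127.0.4.30",   # one above the band, rule must not fire
    "192.0.2.13": "127.0.4.95",   # good reputation
    "192.0.2.14": None,           # not listed
}

if __name__ == "__main__":
    assert regex_band() == list(range(30))
    for ip, answer in SAMPLE_ANSWERS.items():
        print(ip, evaluate(ip, answer))
```

A hit on this rule alone leaves only 0.8 points of headroom before a 6.0 threshold, which is why a single extra minor rule on legitimate low-reputation mail tips it into a block unless whitelist_auth short-circuits it first.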
