On 07/13/2017 12:56 PM, Dave Jones wrote:
> On 07/13/2017 12:39 PM, Alex wrote:
>> Hi,
>> header RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
>> describe RCVD_IN_SENDERSCORE_0_29 Senderscore.org score of 0 to 29
>> score RCVD_IN_SENDERSCORE_0_29 5.2
>> tflags RCVD_IN_SENDERSCORE_0_29 net
>> At least in my environment, this one in particular would catch a ton
>> of legitimate mail. This also assumes a 6.0 score for you, correct?
> Correct. My block threshold of 6.0 is the default in MailScanner.
> The legit email should be SHORTCIRCUIT'd with whitelist_auth entries.
> I SHORTCIRCUIT any trustworthy sender with a legit unsubscribe process
> to put control back in the hands/mouse of the end user. I also
> SHORTCIRCUIT with whitelist_auth any domains (primarily subdomains) that
> are system-generated and consistently score very low.
> From my own email analysis, the majority of my spam is from FREEMAIL
> senders and compromised accounts with zero-hour spam campaigns where the
> mail server is not yet on any RBLs. Botnet-controlled devices are
> another source of spam, but they seem to be sending through compromised
> accounts these days. They will phish a password, sit on it for days or
> weeks, craft a zero-hour spam campaign to get through most mail filters,
> then blast as much spam as they can until RBLs and DCC catch up to it in
> about 30 minutes or so. These compromised accounts from normally
> trusted mail server IPs are the reason why some SA RBL rules need to go
> beyond the lastexternal hop.
Let me clarify a bit. Don't put any FREEMAIL or domains with human
accounts (potentially compromised) in your whitelist_auth unless you
have to for some reason. Some senders may not have SPF or DKIM setup
properly so you may have to put some of them in the whitelist_from_rcvd
to get the same result.
Doing this will separate out trustworthy senders from potential content
pitfalls. For example, legit eBay emails will get through while spoofed
emails with identical email content can be blocked by Bayes or other
content rules.
I am seeing a lot of email spoofing USAA insurance lately to phish
accounts. I whitelist_auth legit USAA emails then train the rest as
spam so Bayes and other rules can block the phishing.
--
David Jones
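Added example (not code from the thread, from SpamAssassin or from MailScanner): a small offline model of the two mechanisms discussed above, the RCVD_IN_SENDERSCORE_0_29 check_rbl() rule and a whitelist_auth short-circuit in front of it. The regex, the 5.2 score and the 6.0 block threshold are taken from the thread; it is an assumption that score.senderscore.com answers 127.0.4.<score> with the 0-100 reputation score in the last octet, and the DNS answers, IP addresses, domains and the "other_rule_score" field are constructed test data. The helper scores_matched() enumerates which scores a subtest regex actually matches, which is a quick way to check a band regex before deploying it.

```python
"""Toy model of RCVD_IN_SENDERSCORE_0_29 plus a whitelist_auth short-circuit.

Added example, not SpamAssassin or MailScanner code.  Assumption: the
score.senderscore.com zone answers 127.0.4.<score>, score in 0..100.
"""
import re
from ipaddress import IPv4Address

# Regex copied from the rule quoted in the thread: matches scores 0..29.
SENDERSCORE_0_29 = re.compile(r'^127\.0\.4\.([1-2]?[0-9])$')
SENDERSCORE_0_29_SCORE = 5.2      # "score RCVD_IN_SENDERSCORE_0_29 5.2"
BLOCK_THRESHOLD = 6.0             # MailScanner default mentioned in the thread

# Constructed DNS answers standing in for the live zone (offline test data).
FAKE_ZONE = {
    "10.100.51.198.score.senderscore.com.": "127.0.4.12",   # poor reputation
    "20.100.51.198.score.senderscore.com.": "127.0.4.85",   # good reputation
}


def rbl_query_name(ip: str, zone: str = "score.senderscore.com.") -> str:
    """Build the DNSBL-style query name: reversed octets + zone, as check_rbl does."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def scores_matched(pattern: re.Pattern) -> set:
    """Enumerate which 0..100 scores a band regex matches (sanity check for the rule)."""
    return {s for s in range(101) if pattern.match(f"127.0.4.{s}")}


def senderscore_hit(last_external_ip: str, zone: dict = FAKE_ZONE) -> bool:
    """True when the last-external hop's answer falls in the 0..29 band."""
    answer = zone.get(rbl_query_name(last_external_ip))
    return bool(answer and SENDERSCORE_0_29.match(answer))


def score_message(msg: dict, whitelist_auth: frozenset = frozenset()) -> float:
    """Return the spam score for a constructed message dict.

    whitelist_auth only applies when SPF or DKIM verified the From domain;
    a hit short-circuits (no further rules run), modelled as a large negative.
    """
    if msg["from_domain"] in whitelist_auth and (msg["spf_pass"] or msg["dkim_pass"]):
        return -100.0
    total = 0.0
    if senderscore_hit(msg["last_external_ip"]):
        total += SENDERSCORE_0_29_SCORE
    total += msg.get("other_rule_score", 0.0)   # stand-in for Bayes/content hits
    return total


def is_blocked(msg: dict, whitelist_auth: frozenset = frozenset()) -> bool:
    return score_message(msg, whitelist_auth) >= BLOCK_THRESHOLD


# Constructed message: low-reputation sender plus a small content hit.
LOW_REP = {"from_domain": "example.com", "spf_pass": True, "dkim_pass": False,
           "last_external_ip": "198.51.100.10", "other_rule_score": 1.0}
# Same From domain relayed from a well-reputed host (no band hit).
GOOD_REP = {"from_domain": "example.com", "spf_pass": True, "dkim_pass": False,
            "last_external_ip": "198.51.100.20", "other_rule_score": 1.0}

if __name__ == "__main__":
    print("band matches scores:", sorted(scores_matched(SENDERSCORE_0_29)))
    print("low-rep blocked?", is_blocked(LOW_REP))
    print("low-rep blocked with whitelist_auth?",
          is_blocked(LOW_REP, frozenset({"example.com"})))
    print("good-rep blocked?", is_blocked(GOOD_REP))
```

Note that the 5.2 rule alone stays under the 6.0 threshold; it is the combination with other hits that blocks, which is why the thread's advice is to short-circuit known-good authenticated senders rather than to lower the rule's score.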