On 07/13/2017 12:56 PM, Dave Jones wrote:
On 07/13/2017 12:39 PM, Alex wrote:
Hi,

header          RCVD_IN_SENDERSCORE_0_29  eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe        RCVD_IN_SENDERSCORE_0_29  Senderscore.org score of 0 to 29
score           RCVD_IN_SENDERSCORE_0_29  5.2
tflags          RCVD_IN_SENDERSCORE_0_29  net

At least in my environment, this one in particular would catch a ton
of legitimate mail. This also assumes a 6.0 score for you, correct?


Correct.  My block threshold of 6.0 is the default in MailScanner.

The legit email should be SHORTCIRCUIT'd with whitelist_auth entries.

I SHORTCIRCUIT any trustworthy sender with a legit unsubscribe process to put control back in the hands/mouse of the end user. I also SHORTCIRCUIT with whitelist_auth any domains (primarily subdomains) that are system-generated and consistently score very low.

From my own email analysis, the majority of my spam is from FREEMAIL senders and compromised accounts with zero-hour spam campaigns where the mail server is not yet on any RBLs. Botnet-controlled devices are another source of spam, but they seem to be sending through compromised accounts these days. They will phish a password, sit on it for days or weeks, craft a zero-hour spam campaign to get through most mail filters, then blast as much spam as they can until RBLs and DCC catch up to it in about 30 minutes or so. These compromised accounts from normally trusted mail server IPs are the reason why some SA RBL rules need to go beyond the lastexternal hop.


Let me clarify a bit. Don't put any FREEMAIL or domains with human accounts (potentially compromised) in your whitelist_auth unless you have to for some reason. Some senders may not have SPF or DKIM set up properly, so you may have to put some of them in whitelist_from_rcvd to get the same result.

Doing this will separate out trustworthy senders from potential content pitfalls. For example, legit eBay emails will get through while spoofed emails with identical email content can be blocked by Bayes or other content rules.

I am seeing a lot of email spoofing USAA insurance lately to phish accounts. I whitelist_auth legit USAA emails then train the rest as spam so Bayes and other rules can block the phishing.

--
David Jones
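The setup both replies describe (the SenderScore RBL rule kept at full score, with trusted senders short-circuited out of scoring through whitelist_auth, and whitelist_from_rcvd as the fallback for senders without working SPF/DKIM) as a local.cf fragment. This is an added example, not a config from the thread or from the SpamAssassin project; the sender domains and relay hostnames are placeholders, and the shortcircuit rule names are the ones SpamAssassin 3.x ships in 60_shortcircuit.cf / 25_spf.cf / 25_dkim.cf.

```text
# --- added example local.cf fragment (assumed layout, placeholder domains) ---

loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

# Stop evaluating rules as soon as an authenticated whitelist entry matches,
# so RBL and content rules never get to score mail from these senders.
shortcircuit USER_IN_DKIM_WHITELIST   on   # whitelist_auth hit via DKIM
shortcircuit USER_IN_SPF_WHITELIST    on   # whitelist_auth hit via SPF
shortcircuit USER_IN_WHITELIST        on   # whitelist_from_rcvd hits land here

# Only system-generated senders with a working unsubscribe process.
# No FREEMAIL providers and no domains with human mailboxes (see the thread).
whitelist_auth        *@notifications.example-bank.test
whitelist_auth        *@alerts.example-shop.test

# Sender whose SPF/DKIM is broken: match on the last untrusted relay instead.
# Second field is the reverse-DNS name of that relay (placeholder here).
whitelist_from_rcvd   *@billing.example-saas.test  mx.example-saas.test

# The RBL rule from the thread, unchanged: with the shortcircuits above it
# only ever scores mail that did not authenticate as a whitelisted sender.
header   RCVD_IN_SENDERSCORE_0_29 eval:check_rbl('senderscore0-lastexternal','score.senderscore.com.','^127\.0\.4\.([1-2]?[0-9])$')
describe RCVD_IN_SENDERSCORE_0_29 Senderscore.org score of 0 to 29
score    RCVD_IN_SENDERSCORE_0_29 5.2
tflags   RCVD_IN_SENDERSCORE_0_29 net
```

Order matters for the check: the shortcircuit rules are evaluated at priority -1000 or lower in the stock config, so a whitelist_auth match ends scanning before `RCVD_IN_SENDERSCORE_0_29` runs. Verify a candidate sender with `spamassassin -D -t < message.eml 2>&1 | grep -i shortcircuit` (look for the shortcircuit hit on the whitelist rule, not on the RBL rule) before adding its domain, and keep the list to subdomains that only ever carry system-generated mail, since a compromised human mailbox on a whitelisted domain would bypass every rule that follows.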
