On Wed, 4 Jul 2018, Axb wrote:
On 07/04/2018 06:23 AM, [email protected] wrote:
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7592
--- Comment #3 from John Hardin <[email protected]> ---
I just scanned my inbox for sendgrid.net - lots of hits in ham, a few in
spam.
Most hams seem to come from domain-branded hosts (e.g.
o5.sgmail.github.com, o6.email.quora.com).
The ham I see that comes closest is:
o1678961x80.outbound-mail.sendgrid.net - but that doesn't use the
dashed-quad format so it doesn't "look" dynamic.
I don't have *any* ham hits that look like your example.
There are some hits in my spam like the one above, and *two* that look like
your example.
One was on June 6, so the scores are fairly recent:
* 1.0 RDNS_DYNAMIC Delivered to internal network by host with
*     dynamic-looking rDNS
* 2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
*     1)
Received: from o168-245-111-164.outbound-mail.sendgrid.net
    (o168-245-111-164.outbound-mail.sendgrid.net [168.245.111.164])
    by ga.impsec.org (8.14.7/8.14.7) with ESMTP id w56NOWd5015495
    (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
    for <[email protected]>; Wed, 6 Jun 2018 17:24:38 -0600
This is scoreset 3 (Bayes + net tests) - the scores are higher if Bayes is
disabled.
Do you have Bayes disabled? If so, you might want to enable and train it.
IMO, these rules should be considered "legacy" and could be deprecated.
RDNS_DYNAMIC S/O is .770 and HELO_DYNAMIC_IPADDR S/O is .937 so I'd first
reduce the scores before tossing them.
I was first going to add an exclusion to HELO_DYNAMIC_IPADDR to avoid
overlap here, as that's the higher-scoring rule.
The only place I see that particular RDNS pattern in sendgrid messages is
where they are spam, I'm presuming where the sendgrid client hasn't
bothered to set up domain-specific RDNS because they expect to be
terminated soon anyway.
On a related note:
The scores of "base" rules don't appear to be changed by the masscheck
score generator - for example, these two only appear in 50_scores.cf.
Do we need to plan for another global rescoring, or is there a way to get
the masscheck rescore to also rescore the non-sandbox rules (short of
moving them all to a sandbox)?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People who are unable to figure out how to make change without
the help of a cash register are demanding a $15/hr minimum wage?
-----------------------------------------------------------------------
Today: the 242nd anniversary of the Declaration of Independence
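
Added example, not part of the original messages and not SpamAssassin's own rule code: a Python check for the "dashed-quad" pattern discussed in the thread, i.e. a relay whose HELO or rDNS name embeds its own IP address. It goes slightly beyond the thread's case by also accepting reversed octet order and '.' or '_' separators. The function names are hypothetical, and the IPs paired with the ham-like hostnames are constructed.

```python
import re

# Sendmail-style relay clause: "from HELO (rDNS [IP])", as in the header quoted above.
RELAY_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

def embeds_ip(hostname, ip):
    """True if hostname contains the IP's octets, forward or reversed,
    joined by '-', '.' or '_' (the dashed-quad look)."""
    octets = ip.split(".")
    for order in (octets, octets[::-1]):
        quad = r"[-._]".join(re.escape(o) for o in order)
        # Digit guards stop "1168-245-111-164" matching 168.245.111.164.
        if re.search(r"(?<!\d)" + quad + r"(?!\d)", hostname):
            return True
    return False

def check_received(header):
    """Parse one Received header; report whether HELO and rDNS embed the relay IP."""
    m = RELAY_RE.search(header)
    if m is None:
        return None  # header is not in the expected "from HELO (rDNS [IP])" form
    ip = m.group("ip")
    return {
        "ip": ip,
        "helo_embeds_ip": embeds_ip(m.group("helo"), ip),
        "rdns_embeds_ip": embeds_ip(m.group("rdns"), ip),
    }

# Header from the message above, folded across lines as in the original mail.
SPAM_HEADER = """Received: from o168-245-111-164.outbound-mail.sendgrid.net
 (o168-245-111-164.outbound-mail.sendgrid.net [168.245.111.164])
 by ga.impsec.org (8.14.7/8.14.7) with ESMTP id w56NOWd5015495"""

# Hostnames are from the message; the IPs are constructed (documentation range).
HAM_LIKE = [
    ("o5.sgmail.github.com", "192.0.2.5"),
    ("o6.email.quora.com", "192.0.2.6"),
    ("o1678961x80.outbound-mail.sendgrid.net", "192.0.2.80"),
]

if __name__ == "__main__":
    print(check_received(SPAM_HEADER))
    for host, ip in HAM_LIKE:
        print(host, embeds_ip(host, ip))
```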