Re: spoofing mail
On 12/1/18 8:31 AM, Matus UHLAR - fantomas wrote:
>> On Fri, 30 Nov 2018 at 3:06, Matus UHLAR - fantomas
>> wrote:
>>> And, yes, there could be rule that catches message-id added by internal
>>> server. Note that:
>>> - Message-ID is not required (has SHOULD in RFC)
>>> - many mailservers add message-id if it doesn't exist.
>
>>> >> https://pastebin.com/ktMUDLps
>
>>> not available anymore :-(
>
> On 30.11.18 10:55, Rick Gutierrez wrote:
>> Hi , here it is https://pastebin.com/3TtsjXSX
>>
>> last trace , after my gateway analyzes it
>>
>> https://pastebin.com/76rNVnnp
>
> - is "mydomain.com" your real domain?
>
> - funny that Message-Id is signed in DKIM and DKIM is valid.
>
> hmmm more to think about later.
>

DKIM_VALID only confirms it was signed correctly by any domain. Anyone can generate keys and DNS records to sign an email with a domain for which they control/manage the DNS. I can sign all emails leaving my edge mail servers with an ena.net or ena.com key. That only means you can be sure it is authentic (unmodified) and came from my servers. It doesn't mean I am allowed to send for that domain.

DKIM_VALID_AU confirms the DKIM signature aligned with the author's From: header domain and is authentic (unmodified). This means something but is still not an indicator of ham or spam -- just that it came from that domain unmodified.

If you trust the domain like paypal.com to not send UCE or spam from compromised accounts, then you can whitelist_auth that domain.

--
David Jones
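The distinction drawn in the message above between DKIM_VALID and DKIM_VALID_AU, as an added example (not code from the thread or from SpamAssassin). It assumes the cryptographic check has already been done elsewhere and is passed in as `verified_domains`; the function names, sample domains and the simplified parent-domain alignment test are all constructed for illustration.

```python
import email
from email.utils import getaddresses


def dkim_tags(header_value):
    """Parse a DKIM-Signature value ("v=1; d=example.org; ...") into a dict."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags


def author_domains(msg):
    """Domains of every address in the From: header (the 'author')."""
    addrs = getaddresses(msg.get_all("From", []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr}


def aligned(signing_domain, author_domain):
    # Simplified alignment (assumption): d= equals the author domain
    # or is a parent domain of it.
    return (author_domain == signing_domain
            or author_domain.endswith("." + signing_domain))


def classify(raw_message, verified_domains):
    """Return which of signed / valid / valid-for-author applies.

    verified_domains: d= values whose signatures a real DKIM verifier
    has already validated (hypothetical input for this example).
    """
    msg = email.message_from_string(raw_message)
    signers = {dkim_tags(v).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])}
    signers.discard("")
    valid = signers & {d.lower() for d in verified_domains}
    authors = author_domains(msg)
    valid_author = any(aligned(d, a) for d in valid for a in authors)
    return {"signed": bool(signers), "valid": bool(valid),
            "valid_author": valid_author}


def make_sample(from_header, signing_domain):
    """Build a constructed test message; nothing here is real mail."""
    return (f"From: {from_header}\n"
            "To: user@recipient.example\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d={signing_domain}; s=sel1;\n"
            "\th=from:to:subject:message-id; bh=CONSTRUCTED=; b=CONSTRUCTED=\n"
            "Subject: invoice\n\nbody\n")


# Signed by a domain the sender controls, but From: names another domain.
THIRD_PARTY = make_sample('"Known Colleague" <anyone@unrelated.example>',
                          "bulk-sender.example")
# Signed by the parent domain of the From: address.
AUTHOR_SIGNED = make_sample("billing@mail.shop.example", "shop.example")

if __name__ == "__main__":
    print(classify(THIRD_PARTY, {"bulk-sender.example"}))
    print(classify(AUTHOR_SIGNED, {"shop.example"}))
```

Only the second result is the kind of signal that whitelist_auth can safely key on; the first shows a valid signature that says nothing about the From: domain.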
Re: spoofing mail
> On Fri, 30 Nov 2018 at 3:06, Matus UHLAR - fantomas wrote:
>> And, yes, there could be rule that catches message-id added by internal
>> server. Note that:
>> - Message-ID is not required (has SHOULD in RFC)
>> - many mailservers add message-id if it doesn't exist.
>
>> >> https://pastebin.com/ktMUDLps
>
>> not available anymore :-(

On 30.11.18 10:55, Rick Gutierrez wrote:
> Hi , here it is https://pastebin.com/3TtsjXSX
>
> last trace , after my gateway analyzes it
>
> https://pastebin.com/76rNVnnp

- is "mydomain.com" your real domain?

- funny that Message-Id is signed in DKIM and DKIM is valid.

hmmm more to think about later.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: spoofing mail
On 29.11.18 09:30, Rupert Gallagher wrote:
>> Message-ID and To have the same domain, but From does not. You should have
>> never received that mail.

On 30.11.18 21:09, Rupert Gallagher wrote:
> Although the RFC allows muas not to include the mid, the same RFC does not
> mandate mtas to accept them. Since 100% of such emails on our records are
> spam, then we reject them upfront. I understand that spammers and scummers
> hate our policy, but hey, who cares, right? Our inbox, our rules.

you have mistaken "You should have never received that mail." with
"We would have never received that mail."

I am of course aware of such policies, but they differ site to a site, admin to an admin and company to a company.

The fact that you refuse some kind of e-mail does not mean that others should be doing the same.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Re: spoofing mail
On Fri, 30 Nov 2018, Rupert Gallagher wrote:

> Although the RFC allows muas not to include the mid, the same RFC does not
> mandate mtas to accept them. Since 100% of such emails on our records are
> spam, then we reject them upfront.

...and if you're adopting that policy, then configure your MTA to reject messages missing a Message-ID during the SMTP phase before it ever touches SA.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 610 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: spoofing mail
Although the RFC allows muas not to include the mid, the same RFC does not mandate mtas to accept them. Since 100% of such emails on our records are spam, then we reject them upfront. I understand that spammers and scummers hate our policy, but hey, who cares, right? Our inbox, our rules.

On Fri, Nov 30, 2018 at 10:06, Matus UHLAR - fantomas wrote:
> On 29.11.18 09:30, Rupert Gallagher wrote:
>> Message-ID and To have the same domain, but From does not. You should have
>> never received that mail.
>
> this happens when message-id is added by mailserver of the recipient.
> Should hit MSGID_FROM_MTA_HEADER.
>
> And, yes, there could be rule that catches message-id added by internal
> server. Note that:
> - Message-ID is not required (has SHOULD in RFC)
> - many mailservers add message-id if it doesn't exist.
>
>> On Wed, Nov 28, 2018 at 19:15, Rick Gutierrez wrote:
>>
>>> On Wed, 28 Nov 2018 at 6:03, Christian Grunfeld
>>> wrote:
>>>> Hi, this is a log... could you paste the email headers? cheers
>>> I do not know if it is useful, the amavisd + spamassassin I have it in
>>> front of the mail server.
>>>
>>> https://pastebin.com/ktMUDLps
>
> not available anymore :-(
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: spoofing mail
On Fri, 30 Nov 2018 at 3:06, Matus UHLAR - fantomas wrote:
> And, yes, there could be rule that catches message-id added by internal
> server. Note that:
> - Message-ID is not required (has SHOULD in RFC)
> - many mailservers add message-id if it doesn't exist.
>
> >> >
> >> https://pastebin.com/ktMUDLps
>
> not available anymore :-(
> --

Hi , here it is https://pastebin.com/3TtsjXSX

last trace , after my gateway analyzes it

https://pastebin.com/76rNVnnp

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On 29.11.18 09:30, Rupert Gallagher wrote:
> Message-ID and To have the same domain, but From does not. You should have
> never received that mail.

this happens when message-id is added by mailserver of the recipient.
Should hit MSGID_FROM_MTA_HEADER.

And, yes, there could be rule that catches message-id added by internal server. Note that:
- Message-ID is not required (has SHOULD in RFC)
- many mailservers add message-id if it doesn't exist.

> On Wed, Nov 28, 2018 at 19:15, Rick Gutierrez wrote:
>
>> On Wed, 28 Nov 2018 at 6:03, Christian Grunfeld wrote:
>>> Hi, this is a log... could you paste the email headers? cheers
>> I do not know if it is useful, the amavisd + spamassassin I have it in
>> front of the mail server.
>>
>> https://pastebin.com/ktMUDLps

not available anymore :-(

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: spoofing mail
On Wed, 28 Nov 2018 at 19:08, Reindl Harald wrote:
>
> > these are the files that increase the score of the rule , If I'm
> > missing someone, please someone guide me or update me if I'm doing it
> > wrong.
> >
> > /var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf
> > /usr/share/spamassassin/72_scores.cf
>
> just don't touch the files
> they will be overwritten
>
> please learn basics how to and where write local overrides
>
> https://support.configserver.com/en/knowledgebase/article/how-do-i-change-the-score-for-a-specific-spamassassin-test
>

Ok, understood. Thanks

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On Thu, 29 Nov 2018 at 10:18, David Jones wrote:
>
> On 11/29/18 9:44 AM, Paul Stead wrote:
> > I can't find MSGID_BELONGS_RECIPIENT in the standard distribution - I think
> > this might be because my Plugin is installed.
> >
> > Another to get into branch?
> >
>
> I think this one is worthy of consideration to be included in the core
> SA ruleset.
>
> https://github.com/fmbla
>
> [root@server spamassassin]# pwd
> /etc/mail/spamassassin
> [root@server spamassassin]# cat 99_recipient_msgid.cf
> ifplugin Mail::SpamAssassin::Plugin::RecipientMsgID
>
>    meta __PDS_MAILING_SOFTWARE (__VIA_ML || __DOS_HAS_MAILING_LIST ||
> __DOS_HAS_LIST_UNSUB || __HAS_LIST_ID || __DOS_HAS_LIST_ID ||
> __HAS_X_MAILING_LIST)
>
>    meta MSGID_BELONGS_RECIPIENT __MSGID_BELONGS_RECIPIENT &&
> !__PDS_MAILING_SOFTWARE && !ENA_TRUSTED_LIST
>    describe MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
>    score MSGID_BELONGS_RECIPIENT 2.2
>
>    meta MSGID_FAKE_FROM_2_EMAILS (__PLUGIN_FROMNAME_SPOOF &&
> __MSGID_BELONGS_RECIPIENT)
>    describe MSGID_FAKE_FROM_2_EMAILS MSGID belongs to recipient and
> faked froms
>    score MSGID_FAKE_FROM_2_EMAILS 4.2
>
>    full __FROM_NAME_LAST_THING
> /From:\W*([\w+.-]+\@[\w.-]+\.\w\w++).*\1(?:\s*|<\/\w+>|--[\w_\-\.\=]{2,}--)+$/s
>
>    meta SPOOF_NAME_LAST_THING (__PLUGIN_FROMNAME_SPOOF &&
> __FROM_NAME_LAST_THING)
>    describe SPOOF_NAME_LAST_THING From 2 emails and fake from name as
> last thing
>    score SPOOF_NAME_LAST_THING 2.2
>
> endif
>
> --
> David Jones

Thanks David, that rule is not within the github repository, it has certainly been removed , you could upload it to github, gmail puts an ugly format.

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On 11/29/18 9:44 AM, Paul Stead wrote:
> I can't find MSGID_BELONGS_RECIPIENT in the standard distribution - I think
> this might be because my Plugin is installed.
>
> Another to get into branch?
>

I think this one is worthy of consideration to be included in the core SA ruleset.

https://github.com/fmbla

[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_recipient_msgid.cf
ifplugin Mail::SpamAssassin::Plugin::RecipientMsgID

   meta __PDS_MAILING_SOFTWARE (__VIA_ML || __DOS_HAS_MAILING_LIST || __DOS_HAS_LIST_UNSUB || __HAS_LIST_ID || __DOS_HAS_LIST_ID || __HAS_X_MAILING_LIST)

   meta MSGID_BELONGS_RECIPIENT __MSGID_BELONGS_RECIPIENT && !__PDS_MAILING_SOFTWARE && !ENA_TRUSTED_LIST
   describe MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
   score MSGID_BELONGS_RECIPIENT 2.2

   meta MSGID_FAKE_FROM_2_EMAILS (__PLUGIN_FROMNAME_SPOOF && __MSGID_BELONGS_RECIPIENT)
   describe MSGID_FAKE_FROM_2_EMAILS MSGID belongs to recipient and faked froms
   score MSGID_FAKE_FROM_2_EMAILS 4.2

   full __FROM_NAME_LAST_THING /From:\W*([\w+.-]+\@[\w.-]+\.\w\w++).*\1(?:\s*|<\/\w+>|--[\w_\-\.\=]{2,}--)+$/s

   meta SPOOF_NAME_LAST_THING (__PLUGIN_FROMNAME_SPOOF && __FROM_NAME_LAST_THING)
   describe SPOOF_NAME_LAST_THING From 2 emails and fake from name as last thing
   score SPOOF_NAME_LAST_THING 2.2

endif

--
David Jones
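The header relationship that the MSGID_BELONGS_RECIPIENT meta above keys on (Message-ID domain belongs to the recipient, the message is not list traffic), as an added example. This is not the RecipientMsgID plugin's code, whose internals are not shown in the thread; the function names, the list-header set and the sample messages are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Headers treated as "sent by mailing-list software" in this example.
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "X-Mailing-List")


def header_domains(msg, *names):
    """Lower-cased domains of all addresses found in the named headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(values) if "@" in addr}


def msgid_domain(msg):
    """Right-hand side of <local@domain> in Message-ID, or None."""
    mid = (msg.get("Message-ID") or "").strip()
    if not (mid.startswith("<") and mid.endswith(">")) or "@" not in mid:
        return None
    return mid[1:-1].rsplit("@", 1)[1].lower()


def same_or_sub(host, domain):
    return host == domain or host.endswith("." + domain)


def check_msgid(raw_message):
    msg = email.message_from_string(raw_message)
    mid = msgid_domain(msg)
    if mid is None:
        # Message-ID is only a SHOULD, so its absence is a separate case.
        return "no-message-id"
    if any(msg.get(h) for h in LIST_HEADERS):
        return "mailing-list"
    rcpt = header_domains(msg, "To", "Cc")
    sender = header_domains(msg, "From")
    belongs_rcpt = any(same_or_sub(mid, d) for d in rcpt)
    belongs_from = any(same_or_sub(mid, d) for d in sender)
    if belongs_rcpt and not belongs_from:
        return "msgid-belongs-recipient"
    return "ok"


def sample(frm, msgid=None, extra=""):
    """Constructed message addressed to staff@corp.example."""
    mid = f"Message-ID: {msgid}\n" if msgid else ""
    return (f"From: {frm}\nTo: staff@corp.example\n{mid}{extra}"
            "Subject: document\n\nbody\n")


SPOOF = sample('"A Colleague" <x@outside.example>', "<a1b2@corp.example>")
LIST = sample("x@outside.example", "<a1b2@corp.example>",
              "List-Id: <announce.lists.example>\n")
NORMAL = sample("x@outside.example", "<a1b2@mail.outside.example>")
INTERNAL = sample("boss@corp.example", "<a1b2@mx.corp.example>")
NO_MID = sample("x@outside.example")

if __name__ == "__main__":
    for name in ("SPOOF", "LIST", "NORMAL", "INTERNAL", "NO_MID"):
        print(name, check_msgid(globals()[name]))
```

As noted elsewhere in the thread, the same pattern appears when the recipient's own mail server adds a Message-ID to mail that arrived without one, which is why it is used as a score rather than a verdict.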
Re: spoofing mail
On Thu, 29 Nov 2018 at 7:47, David Jones wrote:
>
> Here's what my mail filters say. You can ignore the DKIM_INVALID
> because the body was intentionally modified (redacted) to post to pastebin.
>
> X-Spam-Status: Yes, score=11.0 required=5.0 tests=BAYES_99,DKIM_INVALID,
>     DKIM_SIGNED,ENA_BAD_SPAM,ENA_RELAY_NOT_US,MSGID_BELONGS_RECIPIENT,
>     RCVD_IN_IVMBL,UNPARSEABLE_RELAY shortcircuit=no autolearn=no
>     autolearn_force=no version=3.4.1
> X-Spam-Report:
>     * 5.2 BAYES_99 BODY: Bayes spam probability is 99 to 100%
>     * [score: 0.9980]
>     * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>     * valid
>     * 1.2 RCVD_IN_IVMBL No description available.
>     * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
> lines
>     * 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
>     * 2.2 ENA_RELAY_NOT_US Relayed from outside the US and not on
> whitelists
>     * 2.2 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
>     * 0.0 ENA_BAD_SPAM Spam hitting really bad rules.
>
> A well-trained Bayes helps a lot.

Yes, the problem is that on this server I only have it as a gateway, everything is sent to my mail server.

>
> You could/should increase the score on MSGID_BELONGS_RECIPIENT in your
> /etc/mail/spamassassin local scores file.

I can not find that rule, I do not know if adding it to my local.cf works?

>
> Local overrides of scores and settings is typically done in
> /etc/mail/spamassassin/local.cf but feel free to make your own *.cf
> files in /etc/mail/spamassassin. Amavis can create its own files to
> customize settings in /etc/mail/spamassassin so compare a vanilla SA
> installation to what you have to find the best place to put your local
> settings.
>
> --
> David Jones

regards!

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
I can't find MSGID_BELONGS_RECIPIENT in the standard distribution - I think this might be because my Plugin is installed.

Another to get into branch?

--
On 29/11/2018, 13:47, "David Jones" wrote:

    On 11/29/18 3:30 AM, Rupert Gallagher wrote:
    > Message-ID and To have the same domain, but From does not. You should
    > have never received that mail.
    >

    Here's what my mail filters say. You can ignore the DKIM_INVALID
    because the body was intentionally modified (redacted) to post to pastebin.

    X-Spam-Status: Yes, score=11.0 required=5.0 tests=BAYES_99,DKIM_INVALID,
        DKIM_SIGNED,ENA_BAD_SPAM,ENA_RELAY_NOT_US,MSGID_BELONGS_RECIPIENT,
        RCVD_IN_IVMBL,UNPARSEABLE_RELAY shortcircuit=no autolearn=no
        autolearn_force=no version=3.4.1
    X-Spam-Report:
        * 5.2 BAYES_99 BODY: Bayes spam probability is 99 to 100%
        * [score: 0.9980]
        * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        * valid
        * 1.2 RCVD_IN_IVMBL No description available.
        * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
        * 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
        * 2.2 ENA_RELAY_NOT_US Relayed from outside the US and not on whitelists
        * 2.2 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
        * 0.0 ENA_BAD_SPAM Spam hitting really bad rules.

    A well-trained Bayes helps a lot.

    You could/should increase the score on MSGID_BELONGS_RECIPIENT in your
    /etc/mail/spamassassin local scores file.

    Local overrides of scores and settings is typically done in
    /etc/mail/spamassassin/local.cf but feel free to make your own *.cf
    files in /etc/mail/spamassassin. Amavis can create its own files to
    customize settings in /etc/mail/spamassassin so compare a vanilla SA
    installation to what you have to find the best place to put your local
    settings.

    --
    David Jones

Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Re: spoofing mail
On 11/29/18 3:30 AM, Rupert Gallagher wrote:
> Message-ID and To have the same domain, but From does not. You should
> have never received that mail.
>

Here's what my mail filters say. You can ignore the DKIM_INVALID because the body was intentionally modified (redacted) to post to pastebin.

X-Spam-Status: Yes, score=11.0 required=5.0 tests=BAYES_99,DKIM_INVALID,
    DKIM_SIGNED,ENA_BAD_SPAM,ENA_RELAY_NOT_US,MSGID_BELONGS_RECIPIENT,
    RCVD_IN_IVMBL,UNPARSEABLE_RELAY shortcircuit=no autolearn=no
    autolearn_force=no version=3.4.1
X-Spam-Report:
    * 5.2 BAYES_99 BODY: Bayes spam probability is 99 to 100%
    * [score: 0.9980]
    * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    * valid
    * 1.2 RCVD_IN_IVMBL No description available.
    * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
    * 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
    * 2.2 ENA_RELAY_NOT_US Relayed from outside the US and not on whitelists
    * 2.2 MSGID_BELONGS_RECIPIENT Message-ID domain belongs to recipient
    * 0.0 ENA_BAD_SPAM Spam hitting really bad rules.

A well-trained Bayes helps a lot.

You could/should increase the score on MSGID_BELONGS_RECIPIENT in your /etc/mail/spamassassin local scores file.

Local overrides of scores and settings is typically done in /etc/mail/spamassassin/local.cf but feel free to make your own *.cf files in /etc/mail/spamassassin. Amavis can create its own files to customize settings in /etc/mail/spamassassin so compare a vanilla SA installation to what you have to find the best place to put your local settings.

--
David Jones
Re: spoofing mail
Message-ID and To have the same domain, but From does not. You should have never received that mail.

On Wed, Nov 28, 2018 at 19:15, Rick Gutierrez wrote:
> On Wed, 28 Nov 2018 at 6:03, Christian Grunfeld
> wrote:
>>
>> Hi,
>>
>> this is a log... could you paste the email headers?
>>
>> cheers
>>
> I do not know if it is useful, the amavisd + spamassassin I have it in
> front of the mail server.
>
> https://pastebin.com/ktMUDLps
>
> I appreciate any comments or help.
>
> --
> rickygm
>
> http://gnuforever.homelinux.com
Re: spoofing mail
in days past when I start this type of messages / spammer increase the score of this rule HEADER_FROM_DIFFERENT_DOMAINS=0.001 , add the score to 3, but keep the default 0.001 , update my spamassassin once a day, I'm using version 3.4.1.

these are the files that increase the score of the rule , If I'm missing someone, please someone guide me or update me if I'm doing it wrong.

/var/lib/spamassassin/3.004001/updates_spamassassin_org/72_scores.cf
/usr/share/spamassassin/72_scores.cf

One doubt, is it a good idea to increase the score to that rule?

look , the last mail of today.

https://pastebin.com/9s2WaSmL

regards!

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On Wed, 28 Nov 2018 at 6:03, Christian Grunfeld wrote:
>
> Hi,
>
> this is a log... could you paste the email headers?
>
> cheers
>

I do not know if it is useful, the amavisd + spamassassin I have it in front of the mail server.

https://pastebin.com/ktMUDLps

I appreciate any comments or help.

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
Hi,

this is a log... could you paste the email headers?

cheers

On Tue, 27 Nov 2018 at 22:57, Rick Gutierrez wrote:

> On Tue, 27 Nov 2018 at 16:22, David Jones
> wrote:
> >
> > Can you send a copy of the original email lightly redacted via pastebin
> > so I can run it through my filters to give some pointers?
> >
> > --
> > David Jones
>
> Hi David , the email is very simple, but I attach it in the following link
>
> https://pastebin.com/cYaLibt1
>
> and the trace for a better reading
>
> https://pastebin.com/8vpVejPc
>
> the name of one of my users is Ariana Molina and the valid mail of
> another of my users is lvasquez.
>
> regards
>
> --
> rickygm
>
> http://gnuforever.homelinux.com
>
Re: spoofing mail
On Wed, 28 Nov 2018 at 01:57, Rick Gutierrez wrote:

> On Tue, 27 Nov 2018 at 16:22, David Jones
> wrote:
> >
> > Can you send a copy of the original email lightly redacted via pastebin
> > so I can run it through my filters to give some pointers?
> >
> > --
> > David Jones
>
> Hi David , the email is very simple, but I attach it in the following link
>
> https://pastebin.com/cYaLibt1
>
> and the trace for a better reading
>
> https://pastebin.com/8vpVejPc
>
> the name of one of my users is Ariana Molina and the valid mail of
> another of my users is lvasquez.
>

So the real user's name and email (Ariana Molina mol...@domain.com) occurs only in the body of the email, and not anywhere in the headers, nor in the SMTP transaction?

I think this is hard to catch because a real user's name and email may legitimately be found in the body of an email from another user.
Re: spoofing mail
On Tue, 27 Nov 2018 at 16:22, David Jones wrote:
>
> Can you send a copy of the original email lightly redacted via pastebin
> so I can run it through my filters to give some pointers?
>
> --
> David Jones

Hi David , the email is very simple, but I attach it in the following link

https://pastebin.com/cYaLibt1

and the trace for a better reading

https://pastebin.com/8vpVejPc

the name of one of my users is Ariana Molina and the valid mail of another of my users is lvasquez.

regards

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On 11/27/18 11:22 AM, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 11:14, Alan Hodgson
> wrote:
>
>>
>> Wow, that's hard to read.
>>
>> It was close to being tagged because of the Pakistan relay. Just add a few
>> points for Word docs and you should be good. Word docs from spammy countries
>> should really get a lot of points.
>
> Hi Alan , I think it's a valid point, except for one thing, what
> happens if you do not attach a document?
>
> Something I want to ask you, where can I increase this score or in what rules?
>
>

Can you send a copy of the original email lightly redacted via pastebin so I can run it through my filters to give some pointers?

--
David Jones
Re: spoofing mail
On Tue, 27 Nov 2018 at 11:54, Alan Hodgson wrote:
>
> Malware/phishes are usually either in an attachment or the message has a
> link. Personally I add a lot of points to either if they come through
> questionable countries. Users can dig them out of their Junk if they happen
> to be expecting a resume from Algeria.

Ok

> You'd probably have to write your own. I'm not even sure where you got that
> RELAY_PK rule from but I'd guess a download from Ironport or something.
>
> Personally I have one set of rules for classifying countries and a few metas
> on top of those.
>
> But you probably wouldn't want to use my rules; my servers are small with
> homogeneous user bases and they don't get real mail from, say, Russia or
> Pakistan or the Sudan. You can tag a lot of real mail if you're not careful
> writing rules.

I have is a file where I have scores on the countries, including Pakistan

look the rule

header   RELAYCOUNTRY_PK X-Relay-Countries =~ /\bPK\b/
describe RELAYCOUNTRY_PK Relayed through Pakistan
score    RELAYCOUNTRY_PK 3.0

you have some example of a rule, how to assign scores to doc , xls files, ppt

regards.

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On Tue, 2018-11-27 at 11:22 -0600, Rick Gutierrez wrote:
> On Tue, 27 Nov 2018 at 11:14, Alan Hodgson
> wrote:
> > Wow, that's hard to read.
> >
> > It was close to being tagged because of the Pakistan relay. Just
> > add a few points for Word docs and you should be good. Word docs
> > from spammy countries should really get a lot of points.
>
> Hi Alan , I think it's a valid point, except for one thing, what
> happens if you do not attach a document?
>

Malware/phishes are usually either in an attachment or the message has a link. Personally I add a lot of points to either if they come through questionable countries. Users can dig them out of their Junk if they happen to be expecting a resume from Algeria.

> Something I want to ask you, where can I increase this score or in
> what rules?
>

You'd probably have to write your own. I'm not even sure where you got that RELAY_PK rule from but I'd guess a download from Ironport or something.

Personally I have one set of rules for classifying countries and a few metas on top of those.

But you probably wouldn't want to use my rules; my servers are small with homogeneous user bases and they don't get real mail from, say, Russia or Pakistan or the Sudan. You can tag a lot of real mail if you're not careful writing rules.
Re: spoofing mail
On Tue, 27 Nov 2018 at 11:14, Alan Hodgson wrote:
>
> Wow, that's hard to read.
>
> It was close to being tagged because of the Pakistan relay. Just add a few
> points for Word docs and you should be good. Word docs from spammy countries
> should really get a lot of points.

Hi Alan , I think it's a valid point, except for one thing, what happens if you do not attach a document?

Something I want to ask you, where can I increase this score or in what rules?

--
rickygm

http://gnuforever.homelinux.com
Re: spoofing mail
On Tue, 2018-11-27 at 10:42 -0600, Rick Gutierrez wrote:
> Hi , I have a situation a little complicated, I have emails from
> spammers that come with the name of one of my users, but the email
> address is not from my domain , they send it from a valid domain,
> which complies with spf, DKIM etc etc, some idea that could help me to
> adjust my spamassassin and stop this kind of post, someone has had
> experience in this type of evasion?
>
> my user is lvelasquez
>

Wow, that's hard to read.

It was close to being tagged because of the Pakistan relay. Just add a few points for Word docs and you should be good. Word docs from spammy countries should really get a lot of points.