On 10/19/2017 08:15 PM, Alex wrote:
> On Thu, Oct 19, 2017 at 6:22 PM, Bill Cole
> <sausers-20150...@billmail.scconsult.com> wrote:
>> On 19 Oct 2017, at 17:59 (-0400), Alex wrote:
>>> Hi,
>>> On Thu, Oct 19, 2017 at 4:04 PM, Bill Cole
>>> <sausers-20150...@billmail.scconsult.com> wrote:
>>>> On 19 Oct 2017, at 15:38 (-0400), Alex wrote:
>>>>> Third day, third set of false-negatives (20 this time) whitelisted
>>>>> through mailchimp
>>>>> https://pastebin.com/6vkxNXxX
>>>>> I had removed the mcsv.net but forgot mcdlv.net. It's still not being
>>>>> tagged properly without the whitelisting.
>>>> That one hit USER_IN_SPF_WHITELIST, so you're still whitelisting it. Did
>>>> you restart amavisd after changing the rules?
>>> As I mentioned just above the link in this message, yes, the domain
>>> was whitelisted. I've since removed it from the whitelist, but the
>>> email still is not tagged by spamassassin.
>> So, do you have an example of a message that didn't hit
>> USER_IN_SPF_WHITELIST? One you got AFTER removing your whitelisting rule?
>> I ask because the sample message also shows a SHORTCIRCUIT hit, which is
>> probably due to your USER_IN_SPF_WHITELIST rule being short-circuited but
>> maybe due to something else. SHORTCIRCUIT does as it is documented to do: if
>> there are pending DNS queries for evil URLs in a message when a
>> short-circuited rule is hit, their answers are ignored.
> Why wouldn't you just run the sample I provided through spamassassin again?
> My apologies if it wasn't clear that I've run the message through
> spamassassin after having removed mailchimp from the whitelist and it
> still is not properly tagged as spam. I've reported all of them to
> mailchimp and added some basic body rules that are specific to this
> message, but it seems to me this represents a larger problem.
> There were others received that were tagged properly and not
> whitelisted because they involved my specific body rules.

If I remove my whitelisting and other rules based on trusting MailChimp,
I get a score of 7.8 mostly because of local rules that don't trust
FREEMAIL senders. If a FREEMAIL sender hits anything like DCC, Razor,
Pyzor, high percentage Bayes, and other bad content rules, I amplify
those rule scores a bit with meta rules.
From my experience, trying to maintain specific body rules for each new
spam campaign is going to be very time consuming and always behind the
spammers.
--
David Jones
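
The approach discussed in this thread, sketched as a SpamAssassin `local.cf` fragment. This is an added example, not David Jones's ruleset or anything posted in the thread: the `LOCAL_*` rule names, every score, and the exact form of the removed whitelist lines are assumptions, while the stock rules it references (FREEMAIL_FROM, DCC_CHECK, RAZOR2_CHECK, PYZOR_CHECK, BAYES_95/99/999) ship with SpamAssassin 3.4.

```conf
# Added example. LOCAL_* names and all scores are constructed for illustration.

# Before: sender whitelisting that produced USER_IN_SPF_WHITELIST.
# Assumed form; the thread names only the two domains.
# whitelist_from_spf *@*.mcsv.net
# whitelist_from_spf *@*.mcdlv.net

# If other SPF whitelist entries remain, do not let them short-circuit the
# scan. A short-circuited hit stops evaluation, so answers to pending DNS
# lookups for URLs in the message are ignored.
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
  shortcircuit USER_IN_SPF_WHITELIST off
endif

# Amplify collaborative-filter and Bayes hits when the From: address is at a
# freemail provider, instead of writing body rules per campaign.
meta     LOCAL_FREEMAIL_DCC     (FREEMAIL_FROM && DCC_CHECK)
describe LOCAL_FREEMAIL_DCC     Freemail sender and listed in DCC
score    LOCAL_FREEMAIL_DCC     1.0

meta     LOCAL_FREEMAIL_RAZOR   (FREEMAIL_FROM && RAZOR2_CHECK)
describe LOCAL_FREEMAIL_RAZOR   Freemail sender and listed in Razor2
score    LOCAL_FREEMAIL_RAZOR   1.0

meta     LOCAL_FREEMAIL_PYZOR   (FREEMAIL_FROM && PYZOR_CHECK)
describe LOCAL_FREEMAIL_PYZOR   Freemail sender and listed in Pyzor
score    LOCAL_FREEMAIL_PYZOR   1.0

meta     LOCAL_FREEMAIL_BAYES   (FREEMAIL_FROM && (BAYES_95 || BAYES_99 || BAYES_999))
describe LOCAL_FREEMAIL_BAYES   Freemail sender and high Bayes probability
score    LOCAL_FREEMAIL_BAYES   1.5

# Extra weight when two or more independent digest services agree.
meta     LOCAL_FREEMAIL_MULTI   (FREEMAIL_FROM && (DCC_CHECK + RAZOR2_CHECK + PYZOR_CHECK >= 2))
describe LOCAL_FREEMAIL_MULTI   Freemail sender listed by multiple digest services
score    LOCAL_FREEMAIL_MULTI   1.5
```

Check the file with `spamassassin --lint`, then restart amavisd so it loads the changed rules before re-testing the sample message.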