On Thu, 22 Feb 2018, David Jones wrote:

My SA filters just received 45 unsolicited junk emails from Office 365 that hit ENCRYPTED_MESSAGE which subtracted a point. Looking at 72_active.cf, the description for this rule is:

"Message is encrypted, not likely to be spam"

The body of the email was a MIME attachment of application/pkcs7-mime so SA didn't have access to it for body content rules.

I am seriously thinking about changing the score on this rule locally to 1.0 or 2.0 to add points if SA can't do any body checks.

I'd recommend against that. It would be better to do offsetting scores in a meta rule...

Outlook and Outlook Web were able to display the email automatically. This may be a new feature that we are about to see more often to hide spam from SA.

It also hit BAYES_00 (not much can be done to change that), DCC_CHECK, PYZOR_CHECK, and FSL_BULK_SIG to score 2.88.

...e.g. ENCRYPTED_MESSAGE && (DCC_CHECK || PYZOR_CHECK || FSL_BULK_SIG) as bulk encrypted mail seems unlikely

...or possibly ENCRYPTED_MESSAGE && FREEMAIL_FROM


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Christian martyrs don't explode.                         -- Marisol
-----------------------------------------------------------------------
 Today: George Washington's 286th Birthday
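
The meta-rule approach suggested in the reply above, written out as a local SpamAssassin configuration fragment. This is an added example, not part of the original thread; the rule names LOCAL_ENCRYPTED_BULK and LOCAL_ENCRYPTED_FREEMAIL and both scores are assumptions to tune against local mail.

```conf
# local.cf -- added example; rule names and scores are hypothetical.
# The stock ENCRYPTED_MESSAGE score is left untouched, so genuinely
# private encrypted mail still receives its small negative score.

# Encrypted body plus a bulk-mail signal: the same message was reported
# to DCC or Pyzor, or matched a bulk signature. Offsets the negative
# score only when one of those checks also fired.
meta      LOCAL_ENCRYPTED_BULK      ENCRYPTED_MESSAGE && (DCC_CHECK || PYZOR_CHECK || FSL_BULK_SIG)
describe  LOCAL_ENCRYPTED_BULK      Encrypted message that also looks like bulk mail
score     LOCAL_ENCRYPTED_BULK      2.0

# Encrypted body from a freemail sender address.
meta      LOCAL_ENCRYPTED_FREEMAIL  ENCRYPTED_MESSAGE && FREEMAIL_FROM
describe  LOCAL_ENCRYPTED_FREEMAIL  Encrypted message from a freemail sender
score     LOCAL_ENCRYPTED_FREEMAIL  1.0
```

Run `spamassassin --lint` after editing to confirm the rules parse. DCC_CHECK and PYZOR_CHECK only fire when the DCC and Pyzor plugins are enabled and network tests are on.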
