On 02/22/2018 03:49 PM, John Hardin wrote:
On Thu, 22 Feb 2018, David Jones wrote:
My SA filters just received 45 unsolicited junk emails from Office 365
that hit ENCRYPTED_MESSAGE which subtracted a point. Looking at
72_active.cf, the description for this rule is:
"Message is encrypted, not likely to be spam"
The body of the email was a MIME attachment of application/pkcs7-mime
so SA didn't have access to it for body content rules.
I am seriously thinking about changing the score on this rule locally
to 1.0 or 2.0 to add points if SA can't do any body checks.
I'd recommend against that. It would be better to do offsetting scores
in a meta rule...
Outlook and Outlook Web was able to display the email automatically.
This may be a new feature that we are about to see more often to hide
spam from SA.
It also hit BAYES_00 (not much can be done to change that), DCC_CHECK,
PYZOR_CHECK, and FSL_BULK_SIG to score 2.88.
...e.g. ENCRYPTED_MESSAGE && (DCC_CHECK || PYZOR_CHECK || FSL_BULK_SIG)
as bulk encrypted mail seems unlikely
...or possibly ENCRYPTED_MESSAGE && FREEMAIL_FROM
This is not hitting FREEMAIL* rules but I have started treating anything
coming from Google and Office 365 with local meta rules like this:
header __RCVD_GOOGLE Received =~ /\.google\.com \[/
header __RCVD_OFFICE365 Received =~
meta __RCVD_FREEMAIL (__RCVD_GOOGLE || __RCVD_OFFICE365)
meta ENA_FREEMAIL (FREEMAIL_FROM || FREEMAIL_REPLYTO ||
FREEMAIL_FORGED_REPLYTO || __RCVD_FREEMAIL)
meta ENA_FREEMAIL_ENCRYPTED_MESSAGE ENCRYPTED_MESSAGE && ENA_FREEMAIL
score ENA_FREEMAIL_ENCRYPTED_MESSAGE 3.0
That above would end up being a net score of +2.0 for freemail sources