On Thu, 22 Feb 2018, David Jones wrote:

On 02/22/2018 03:49 PM, John Hardin wrote:
On Thu, 22 Feb 2018, David Jones wrote:

My SA filters just received 45 unsolicited junk emails from Office 365 that hit ENCRYPTED_MESSAGE which subtracted a point.  Looking at 72_active.cf, the description for this rule is:

"Message is encrypted, not likely to be spam"

The body of the email was a MIME attachment of application/pkcs7-mime so SA didn't have access to it for body content rules.

I am seriously thinking about changing the score on this rule locally to 1.0 or 2.0 to add points if SA can't do any body checks.

I'd recommend against that. It would be better to do offsetting scores in a meta rule...

Good idea.

Outlook and Outlook Web were able to display the email automatically. This may be a new feature that we are about to see more often to hide spam from SA.

It also hit BAYES_00 (not much can be done to change that), DCC_CHECK, PYZOR_CHECK, and FSL_BULK_SIG to score 2.88.

...e.g. ENCRYPTED_MESSAGE && (DCC_CHECK || PYZOR_CHECK || FSL_BULK_SIG) as bulk encrypted mail seems unlikely


This is not hitting FREEMAIL* rules but I have started treating anything coming from Google and Office 365 with local meta rules like this:

header __RCVD_GOOGLE    Received =~ /\.google\.com \[/

Is that accurately freemail? Wouldn't that also hit Google corporate emails?

header __RCVD_OFFICE365 Received =~ /\.outbound\.protection\.outlook\.com \[/

You might want to drop that in your sandbox so that it gets published...




That above would end up being a net score of +2.0 for freemail sources of email.

That sounds a lot safer. The rule *was* added with a negative score for a specific reason, after all...

 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Vista is at best mildly annoying and at worst makes you want to
  rush to Redmond, Wash. and rip somebody's liver out.      -- Forbes
 Today: George Washington's 286th Birthday
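
The offsetting meta rule suggested in this thread, written out as a local.cf fragment. This is an added example, not rules posted by either participant: the `LOCAL_*` rule names, the descriptions and both scores are assumptions, while the two `header` sub-rules and the stock rule names are the ones quoted above.

```conf
# Added example for local.cf. LOCAL_* names and all scores are assumptions.

# Sub-rules as quoted in the thread. A leading double underscore means the
# rule carries no score of its own and is only usable inside meta rules.
header   __RCVD_GOOGLE     Received =~ /\.google\.com \[/
header   __RCVD_OFFICE365  Received =~ /\.outbound\.protection\.outlook\.com \[/

# Any bulk-signature hit. These checks still work when the body is an
# application/pkcs7-mime part that body rules cannot read.
meta     __LOCAL_BULK_SIG  (DCC_CHECK || PYZOR_CHECK || FSL_BULK_SIG)

# Leave the stock ENCRYPTED_MESSAGE score alone and offset it only when
# the encrypted message also looks like bulk mail.
# Assumed score: cancels the one point the stock rule subtracts.
meta     LOCAL_ENCRYPTED_BULK  (ENCRYPTED_MESSAGE && __LOCAL_BULK_SIG)
describe LOCAL_ENCRYPTED_BULK  Encrypted body but bulk signatures matched
score    LOCAL_ENCRYPTED_BULK  1.0

# Narrower variant: same condition, limited to mail relayed through the
# two providers matched by the header sub-rules above.
# Assumed score.
meta     LOCAL_ENCRYPTED_BULK_RELAY  (LOCAL_ENCRYPTED_BULK && (__RCVD_GOOGLE || __RCVD_OFFICE365))
describe LOCAL_ENCRYPTED_BULK_RELAY  Encrypted bulk mail via Google/Office 365 relay
score    LOCAL_ENCRYPTED_BULK_RELAY  2.0
```

Encrypted mail that hits none of the bulk checks keeps the stock negative score. Run `spamassassin --lint` after adding the fragment to confirm it parses.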
