On 02/22/2018 06:10 PM, John Hardin wrote:

I was just referring to the OFFICE365 subrule, as there isn't one like that yet - hotmail, sure, outlook, sure, but not office365. We should have added that back when O365 started up.

I had already added a generic rule for this in my sandbox so you can see it at http://ruleqa.spamassassin.org now:


Hotmail and Office 365 tenants come from this so it's not a direct relationship to spam but can be used in meta rules to amplify other spammy rules.


This is interesting because often when there is a true compromised account on O365, spammers will use authenticated SMTP to blast out spam, not using the Outlook Web interface or an Outlook client. This will hit on normal mail clients like Thunderbird or Apple Mail so it too is not a direct indication of spam.

My local __RCVD_OFFICE365 rule that combines sources of freemail like O365 in with FREEMAIL_* rules has already been working well for the past 24 hours. I am offsetting my BAYES_00 score of -3.2 by adding back 2.0 for email from O365. It has helped to block a bogus file sharing email using a URL shortener that would have scored just below the MailScanner default threshold of 6.0.

David Jones
