On Sun, 8 Apr 2018 07:41:50 -0500 David Jones wrote: > On 04/07/2018 10:42 AM, Sebastian Arcus wrote:
> > I've enclosed one of the messages received here: > > > > https://pastebin.com/9Bmu3pj1 > > I added this to the 60_whitelist_auth.cf to trust this sender: > > def_whitelist_auth *@*.tpr.gov.uk > > This will get pushed out in a couple of days by sa-update. > > I know it's not directly addressing your question about the rule's > high score FWIW with the defaults it would have scored only 1.04. Even with BAYES_50 instead of BAYES_00 or without RCVD_IN_DNSWL_MED, it's still comfortably under threshold. That said, perhaps someone could see how this compares with the existing version: /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com|.*[\da-fA-F]{14})/ It excludes cases where the RHS has a long decimal number or hex string. The 14 could be increased if the spam hits drop significantly. I don't have any hits on MSGID_SPAM_CAPS, but my guess is that doing "clever" things with message-ids is indicative of ham, and most spam hits will have something simpler.