On 9/2/19 7:39 PM, Loren Wilton wrote:
>> Hi Loren
>> If you could add the source of the mail you get, the SA devs could 
>> take a look
>> at it as well and provide a better answer for you.
> 
> Ok, here is one from today with a few fields edited for slight privacy 
> on my part.
> Note that they have their own address they use for the replies, which I 
> think (without looking) is pretty common in most of them.
> 
>         Loren
> 
> Return-Path: <[email protected]>
> Received: from mail.earthlink.net [209.86.93.211]
> for <xxx> (single-drop); Sun, 01 Sep 2019 22:56:19 -0700 (PDT)
> Received: from noehlo.host ([209.86.89.133])
> by mdl-afraid.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
> 1I4FiW4fu3Nl36X0; Mon, 2 Sep 2019 01:55:07 -0400 (EDT)
> Received-SPF: pass (ibscan-saipan.atl.sa.earthlink.net: domain of 
> computer-news.pro designates 158.69.197.183 as permitted sender) 
> client-ip=158.69.197.183; [email protected]; 
> helo=notifications;Return-Path: <[email protected]>
> Received: from notifications ([158.69.197.183])
> by ibscan-saipan.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP 
> id 1I4FiW3sU3PGoUl1
> for <xxx>; Mon, 2 Sep 2019 01:55:06 -0400 (EDT)
> Received: by notifications (Postfix, from userid 0)
> id 3A5A0116157; Mon,  2 Sep 2019 01:55:06 -0400 (EDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=computer-news.pro;
> s=mail; t=1567403706;
> bh=FoloiwIHxTIWA6HaVG4htahENDXhoOLNOUYPE6kCu6c=;
> h=To:Subject:Date:From:Reply-To:List-Unsubscribe:From;
> b=CQ6a0sxkuAl8aIkdJyXfphLmVFeYZKBGrja9mDcm3zyM/VWyCPmA17IeB6bii5+Rm
>   xOc9UDKb+9iqAMGlTrunvVtG+e/11hhKdc7/Z8pNVwpK++7YyB3BowlcG5tWxKlPzS
>   in3cbt+KrpwzsxViU2dyz+yS4Ns3nF6PUuhPAtVE=
> To: Loren Wilton <xxx>
> Subject: Notice of cancellation
> Date: Sun, 1 Sep 2019 22:55:06 -0700
> From: Advanced Computer System Repair <[email protected]>
> Reply-To: Advanced Computer System Repair <[email protected]>
> Message-ID: <[email protected]>
> List-Unsubscribe: 
> <mailto:[email protected]?subject=Unsubscribe>, 
> <http://computer-news.pro/u.php?param=xxx>
> MIME-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> X-Authentication-Results: dkim="pass"; (0:DKIM_STAT_OK: function 
> completed successfully); dmarc="none"; (1); dwl="miss"; den="not exempt"
> X-ELNK-SMM: -+-+105-55-74-70hefd50hedl55
> X-ELNK-AV: 0
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=000;
> X-NKVIR: Scanned

NOTE: the preferred method to report this to the SA mailing list is to 
post the original with minimal redaction to a service like pastebin.com 
to keep the original formatting intact.

Here's how my SA filters scored it (I think the score is a little high 
because of some formatting issues that would be resolved with pastebin.com):

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on smtp2n.ena.net
X-Spam-Flag: YES
X-Spam-Level: *************************
X-Spam-ASN: AS7029 209.86.0.0/16
X-Spam-Status: Yes, score=25.8 required=6.0 tests=BAYES_00,BODY_8BITS,
        DCC_CHECK,DKIM_INVALID,DKIM_SIGNED,ENA_BAD_OPTOUT,ENA_BAD_OPTOUT1,
        ENA_BAD_OPTOUT2,ENA_BAD_OPTOUT3,ENA_BAD_SPAM,ENA_BAD_SPAM_FREEMAIL,
        ENA_BAD_SPAM_FREEMAIL_BAYES_OFFSET,ENA_BAYES_00_OFFSET,
        ENA_BAYES_OFFSET,ENA_FREEMAIL,ENA_FREEMAIL_BAD_OPTOUT,
        ENA_FREEMAIL_DIGEST,ENA_NO_TO_CC,MISSING_DATE,MISSING_FROM,
        MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,PP_MIME_FAKE_ASCII_TEXT,
        SPF_HELO_SOFTFAIL,UNPARSEABLE_RELAY shortcircuit=no autolearn=no
        autolearn_force=no version=3.4.2

This would solve the problem locally if you want to put this in your 
local.cf:

blacklist_from *@computer-news.pro

-- 
David Jones
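
Added example, not part of the message above and not SpamAssassin code: a sketch of one way an inline paste can produce this kind of formatting issue, assuming the paste drops the leading whitespace from folded header lines. Python's standard email parser stands in for a mail filter's header parser; the sample message, addresses and function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample message (placeholder hosts and addresses, not from the thread).
# The Received header is folded: its continuation lines start with a tab.
FOLDED = "\n".join([
    "Return-Path: <bounce@sender.example>",
    "Received: from notifications ([192.0.2.10])",
    "\tby mx.example.test (Example SMTP Server) with ESMTP id ABC123",
    "\tfor <user@example.test>; Mon, 2 Sep 2019 01:55:06 -0400 (EDT)",
    "To: user@example.test",
    "Subject: Notice of cancellation",
    "Date: Sun, 1 Sep 2019 22:55:06 -0700",
    "From: Sender <news@sender.example>",
    "Message-ID: <abc123@sender.example>",
    "",
    "body text",
    "",
])

# Headers a filter would expect to find on any legitimate message.
CHECKED = ("Received", "To", "Subject", "Date", "From", "Message-ID")


def strip_fold_whitespace(raw):
    """Simulate an inline paste that drops leading whitespace on every line."""
    return "\n".join(line.lstrip(" \t") for line in raw.split("\n"))


def missing_headers(raw):
    """Return the CHECKED header names the parser could not find."""
    msg = message_from_string(raw)
    return [name for name in CHECKED if msg[name] is None]


def header_defects(raw):
    """Return the names of the defects the parser recorded for the message."""
    return [type(d).__name__ for d in message_from_string(raw).defects]


if __name__ == "__main__":
    mangled = strip_fold_whitespace(FOLDED)
    # Intact folding: every header is found and no defect is recorded.
    print("folded :", missing_headers(FOLDED), header_defects(FOLDED))
    # Unfolded continuation line is not a valid header, so the parser ends the
    # header block there and treats everything after it as body text.
    print("mangled:", missing_headers(mangled), header_defects(mangled))
```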
