On Thu, 12 Nov 2020, Darrell Budic wrote:
> Got a few of these 411 google form spams recently and was wondering why
> they weren’t getting caught by SA. Looks like the Return-Path: is
> triggering a whitelist rule on google.com so the rest of the tests
> aren’t enough to get it tagged. Anything I can do to keep the whitelist
> rule from firing when the free mail rules have been tripped?

You can't keep it from firing beyond removing google.com from the
whitelist, which would impact non-gmail google mails. What you *can* do is
define a meta to offset the whitelist score:

  meta     FREEM_WLIST_OFFSET  USER_IN_SPF_WHITELIST && FREEMAIL_FROM
  score    FREEM_WLIST_OFFSET  100.000  # offset whitelist score
  describe FREEM_WLIST_OFFSET  Offset SPF whitelist on freemail From

Of course, that would prevent you from auth-whitelisting any freemail
provider, if you wanted to do such a thing.

> X-Spam-Tests:
> BAYES_60,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,FREEMAIL_REPLYTO,FREEMAIL_REPLYTO_END_DIGIT,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,LOTS_OF_MONEY,MONEY_FRAUD_8,NOT_FROM_SENDER,NOT_SENDER_MSGID,SO_PUB_SNDR_DOMAIN_DKIM_50,SPF_HELO_NONE,SPF_PASS,TXREP,T_GB_FREEM_FROM_NOT_REPLY,USER_IN_SPF_WHITELIST

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You can't reason a person out of a position if
he didn't use reason to get there in the first place.
-- Jonathan Swift, paraphrased
-----------------------------------------------------------------------
166 days since the first private commercial manned orbital mission (SpaceX)
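
Added example, not part of the message above and not SpamAssassin code: a small Python check that evaluates the boolean condition of the FREEM_WLIST_OFFSET meta against X-Spam-Tests hit lists, so the set of already-received mail the offset would touch can be reviewed before the rule is deployed. The sample headers are constructed, the function names are hypothetical, and the evaluator assumes a meta built only from rule names, `&&`, `||`, `!` and parentheses (no arithmetic metas).

```python
import re

TOKEN = re.compile(r"&&|\|\||[!()]|[A-Za-z_][A-Za-z0-9_]*")
OFFSET_META = "USER_IN_SPF_WHITELIST && FREEMAIL_FROM"  # meta from the thread
# Constructed, shortened hit lists; not real mail.
SAMPLE_HEADERS = [
    "X-Spam-Tests: BAYES_60,FREEMAIL_FROM,LOTS_OF_MONEY,USER_IN_SPF_WHITELIST",
    "X-Spam-Tests: DKIM_VALID,SPF_PASS,USER_IN_SPF_WHITELIST",
    "X-Spam-Tests: FREEMAIL_FROM,HTML_MESSAGE,SPF_PASS",
]

def parse_hits(header_line):
    """Return the set of rule names in one X-Spam-Tests header line."""
    value = header_line.partition(":")[2]
    return {name.strip() for name in value.split(",") if name.strip()}

def eval_meta(expr, hits):
    """Evaluate a boolean meta expression; a rule name is true if it hit."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unsupported syntax (only names, &&, ||, !, parens)")
    def term():
        tok = toks.pop(0) if toks else None
        if tok == "!":
            return not term()
        if tok == "(":
            val = chain("||")
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return val
        if tok is None or tok in ("&&", "||", ")"):
            raise ValueError("rule name expected")
        return tok in hits
    def chain(op):
        # "||" binds loosest, so its operands are "&&" chains of terms.
        operand = (lambda: chain("&&")) if op == "||" else term
        val = operand()
        while toks and toks[0] == op:
            toks.pop(0)
            nxt = operand()
            val = (val or nxt) if op == "||" else (val and nxt)
        return val
    result = chain("||")
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def affected(headers, expr=OFFSET_META):
    # Indexes of the messages on which the meta would fire.
    return [i for i, h in enumerate(headers) if eval_meta(expr, parse_hits(h))]
```

Messages returned by `affected()` are the ones whose whitelist credit the 100-point offset would cancel; any legitimate mail in that list is the cost mentioned in the reply.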