On Sun, 4 Apr 2021 16:47:18 +0200 Matus UHLAR - fantomas wrote:

> >> On 04.04.21 13:09, Benny Pedersen wrote:
> >> >change score to 7.5
> >> >change score to -3.5
>
> >On Sun, 4 Apr 2021 13:21:08 +0200 Matus UHLAR - fantomas wrote:
> >> I prefer to solve problems instead of playing with scores.
> >>
> >> It seems that abusers have worked around SA by using google domains
> >> and addresses for sending spam from.
>
> On 04.04.21 14:19, RW wrote:
> >If google have been foolish enough to allow abuse on the
> >organizational domain it should definitely be taken out of the def
> >whitelists until they move anything abusable to a different
> >subdomain/domain.
>
> That's what I'm trying to say.

And I'm agreeing. But I'm also saying that this kind of thing would be
less of a problem if the 'def' whitelists were better organized.

> > For the
> >'def' whitelists to have any point they should be tuned to prevent
> >most such FPs while having a minimal impact on TPs. The rules are
> >scored far too strongly, but the fact they are additively scored
> >makes it impossible to fine tune them.
> >
> >There's no point in additive scoring anyway. If any of them is hit
> >it's most likely the spam has gone through an abused server.
>
> if you mean using combination of USER_IN_DEF_SPF_WL,
> USER_IN_DEF_DKIM_WL and USER_IN_DEF_WELCOMELIST, they could be put
> into if condition.

I give them all a score of -0.001 and then score

USER_IN_DEF_WELCOMELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL

The way it's currently set up you could get a total def whitelist score
of -7.5, -15, -22.5 or -30, which is insane if you want there to be a
useful distinction between def and full whitelisting.

The worst part is that the commonest form, "def_whitelist_auth", is
scored separately for SPF and DKIM for a single whitelisting entry. So
even if you avoid overlap with def_whitelist_from_rcvd, you still have
this random N and 2N point scoring whatever you set N to.
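
The non-additive scoring described in the message above, written out as a SpamAssassin `local.cf` fragment. This is an added example, not part of the original post: the meta rule name `LOCAL_DEF_WL_ANY`, its description and its score of -3.5 are assumptions chosen for illustration.

```conf
# Neutralise the three individual rules. A score of exactly 0 would disable
# a rule, and a disabled rule cannot feed a meta rule, hence -0.001.
score USER_IN_DEF_WELCOMELIST -0.001
score USER_IN_DEF_SPF_WL      -0.001
score USER_IN_DEF_DKIM_WL     -0.001

# One meta rule that fires once, however many of the three rules hit.
# LOCAL_DEF_WL_ANY is a hypothetical name; -3.5 is an assumed value.
meta     LOCAL_DEF_WL_ANY (USER_IN_DEF_WELCOMELIST || USER_IN_DEF_SPF_WL || USER_IN_DEF_DKIM_WL)
describe LOCAL_DEF_WL_ANY Sender matches at least one default welcomelist entry
score    LOCAL_DEF_WL_ANY -3.5
```

With this in place a message that matches all three rules gets -3.503 in total rather than a multiple of the per-rule score. Run `spamassassin --lint` after editing to check the syntax.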