Steve Dondley <s...@dondley.com> writes:

> Note: I've changed the score of RCVD_IN_DNSWL_HI hits to -2.0 from
> -5.0 until I get my misconfiguration figured out. Thanks for your
> patience.

Fair enough; that's not an unreasonable thing to do. Probably you want to turn report_safe to 0 for doing this testing.

> Content analysis details: (23.2 points, 5.0 required)

I would expect your MTA to be configured to hard reject mail that has a score of 23. 15 if you're cautious, 10 if you're aggressive.

>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
> -2.0 RCVD_IN_DNSWL_HI       RBL: Sender listed at https://www.dnswl.org/,
>                             high trust
>                             [203.160.71.180 listed in list.dnswl.org]

I looked up this, and the other one, and didn't find them in dnswl. As others said, if you are using public DNS, stop doing that immediately. And, run the dnswl queries with dig or host yourself on your own machine.

> -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
>                             [203.160.71.180 listed in wl.mailspike.net]

This is H2, not higher, which is consistent with DNSWL_LO or DNSWL_NONE. (Just a comment.)

>  2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
>                             [203.160.71.180 listed in psbl.surriel.com]
>  3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>                             [score: 1.0000]
>  0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>                             [score: 1.0000]
>  2.0 LOCAL_SPAM_TLD         Domain originates a lot of spam
>  1.0 LOCAL_UNCOMMON_TLD     From address is not a common TLD
>  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
>                             bl.spamcop.net
>                             [Blocked - see
>                             <https://www.spamcop.net/bl.shtml?203.160.71.180>]
>  1.3 RCVD_IN_VALIDITY_RPBL  RBL: Relay in Validity RPBL,
>                             https://senderscore.org/blocklistlookup/
>                             [203.160.71.180 listed in
>                             bl.score.senderscore.com]

So the address is in some blocklists.

> Received-SPF: Softfail (mailfrom) identity=mailfrom;
>   client-ip=203.160.71.180; helo=yahoo.co.jp;
>   envelope-from=qy5cbma-yu...@yahoo.co.jp; receiver=<UNKNOWN>
> Received: from yahoo.co.jp (unknown [203.160.71.180])
>   by email.dondley.com (Postfix) with SMTP id 842C2210C0
>   for <sdond...@dondley.com>; Sat, 10 Apr 2021 05:49:55 -0400 (EDT)

Note the lack of rDNS, and what is probably a spoofed HELO.

So overall SA did the right thing: 23.5 is a score for an email that is so spammy that I have no qualms about outright rejecting it.
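
The do-it-yourself DNSWL lookup suggested in the reply above, as an added example that is not part of the original message. The function names and the optional resolver argument are hypothetical; the 127.0.<category>.<trust> answer layout and the 127.0.0.255 "blocked" answer are DNSWL's published return codes, not something stated in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Build the DNSBL/DNSWL query name: IPv4 octets reversed, zone appended.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in
        ''|*[!0-9.]*) return 1 ;;            # digits and dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Decode a DNSWL A record (assumed layout: 127.0.<category>.<trust>).
# trust 0..3 lines up with SpamAssassin's RCVD_IN_DNSWL_NONE/LOW/MED/HI.
dnswl_decode() {
    case $1 in
        '')          echo not-listed ;;      # NXDOMAIN / empty answer
        127.0.0.255) echo blocked ;;         # resolver refused, e.g. shared public DNS
        127.0.*.0)   echo none ;;
        127.0.*.1)   echo low ;;
        127.0.*.2)   echo medium ;;
        127.0.*.3)   echo high ;;
        *)           echo unexpected ;;      # not a DNSWL code: distrust the resolver
    esac
}

# Query with dig; pass a resolver as $2 to compare what the mail server's
# own resolver returns with the answer seen from another one.
dnswl_check() {
    qname=$(dnsbl_qname "$1" list.dnswl.org) || { echo "bad IPv4: $1" >&2; return 2; }
    answer=$(dig +short A "$qname" ${2:+"@$2"} | head -n 1)
    printf '%s -> %s (%s)\n' "$qname" "${answer:-no answer}" "$(dnswl_decode "$answer")"
}

# Usage: dnswl_check 203.160.71.180            (system resolver)
#        dnswl_check 203.160.71.180 127.0.0.1  (local caching resolver)
```

An answer of "blocked" or "unexpected" from the resolver the mail server uses, next to "not-listed" from a local recursive resolver, points at the resolver rather than at the list.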