Nikolaos Milas <nmi...@noa.gr> writes:

> I am trying to understand what is wrong with these mails and they
> trigger the "FORGED_GMAIL_RCVD" rule.

What is wrong with them is that they have a From: of gmail and do not have
a gmail DKIM signature. They are in fact forged -- even if the user that
owns the email address agreed to this.

> Can you please help me understand why the rule was triggered? I have
> done my search but I have not really understood why.

Did you read the rules? 20_head_tests.cf has

  if (version >= 3.004002)
    header FORGED_GMAIL_RCVD eval:check_for_forged_gmail_received_headers()
    describe FORGED_GMAIL_RCVD 'From' gmail.com does not match 'Received' headers
  endif

But I do not see a score assigned. In my own system, the score for this
rule (as seen in debug output) is 1.0. That seems entirely reasonable for
a fairly common but irregular situation.

> Secondarily, if I understand right, the following rules:
>
> FREEMAIL_FORGED_FROMDOMAIN
>
> HEADER_FROM_DIFFERENT_DOMAINS
>
> were also triggered because the Envelope-From is different from
> "From:" but this is expectable from mailing lists.
>
> How should these (and possibly other ones too) rules be treated in
> production systems to avoid banning legitimate mailing list mails?

If you want to welcomelist Mailchimp, you can do that.

I suspect your real problem is that there is config to increase the score
for FORGED_GMAIL_RCVD. Your example shows 4.0 which I think everyone would
say is too high.
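The following Python script is an example added to this thread to illustrate the two conditions discussed above (a gmail.com From: with no Google hop in the Received: chain and no gmail.com DKIM signature, and an envelope sender domain that differs from the From: domain). It is not SpamAssassin's own Perl implementation of check_for_forged_gmail_received_headers, only a simplified header-level approximation; the two sample messages are constructed for the example, and treating a DKIM d=gmail.com signature as proof of authenticity follows the reply above rather than the stock rule.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first really went
# through a Google MTA and carries a gmail.com DKIM signature. The second
# is the same author's address relayed by a hypothetical list provider:
# no Google hop, a list-provider DKIM signature, and a bounce address as
# envelope sender, which is exactly the mailing-list case in the thread.
VIA_GMAIL = """\
Return-Path: <alice@gmail.com>
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a])
    by mx.example.org (Postfix) with ESMTPS id 123ABC
    for <bob@example.org>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601;
    h=from:to:subject:date; bh=abc=; b=def=
From: Alice <alice@gmail.com>
To: bob@example.org
Subject: hello

body
"""

VIA_LIST = """\
Return-Path: <bounce-123@mail1.listprovider.example>
Received: from mail1.listprovider.example (mail1.listprovider.example [192.0.2.10])
    by mx.example.org (Postfix) with ESMTPS id 456DEF
    for <bob@example.org>; Mon, 1 Jan 2024 10:00:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=listprovider.example; s=k1;
    h=from:to:subject:date; bh=abc=; b=def=
From: Alice <alice@gmail.com>
To: list@listprovider.example
Subject: hello via the list

body
"""


def parse(raw):
    # policy.default unfolds continuation lines so regexes see whole headers.
    return message_from_string(raw, policy=policy.default)


def from_domain(msg):
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def envelope_domain(msg):
    # Return-Path is the envelope sender as recorded by the receiving MTA.
    return parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()


def has_google_hop(msg):
    # The stock rule compares From: against Received: headers; here the
    # approximation is "some Received: names a google.com host".
    return any(re.search(r"\bgoogle\.com\b", str(h), re.I)
               for h in msg.get_all("Received", []))


def dkim_signing_domains(msg):
    # Collect the d= tag from every DKIM-Signature header.
    domains = set()
    for h in msg.get_all("DKIM-Signature", []):
        for tag in str(h).split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "d":
                domains.add(value.strip().lower())
    return domains


def forged_gmail_rcvd(raw):
    """True when From: is gmail.com but nothing in the headers ties the
    message to Gmail (no Google relay hop, no gmail.com DKIM signature)."""
    msg = parse(raw)
    if from_domain(msg) != "gmail.com":
        return False
    if has_google_hop(msg):
        return False
    if "gmail.com" in dkim_signing_domains(msg):
        return False
    return True


def header_from_different_domains(raw):
    """True when the envelope sender domain differs from the From: domain,
    the situation mailing-list relays create by design."""
    msg = parse(raw)
    env, frm = envelope_domain(msg), from_domain(msg)
    return bool(env and frm and env != frm)


if __name__ == "__main__":
    for name, raw in (("via Gmail", VIA_GMAIL), ("via list", VIA_LIST)):
        print(f"{name}: forged_gmail_rcvd={forged_gmail_rcvd(raw)} "
              f"different_domains={header_from_different_domains(raw)}")
```

Running the script flags only the list-relayed copy, which is the behaviour the thread describes: the rule is doing what its description says, and the operational question is how much score to attach to it and whether to welcomelist the relay, not whether the check fires.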