Niamh Holding <ni...@fullbore.co.uk> writes:

> Given the From: address can be so easily faked is a rule testing its validity 
> a great idea?

This seems tricky to figure out.

The message's routing is obviously very sketchy.

But, it also appears that spamassassin has validated the DKIM signature
from paypal.com.  So the key question is whether

  - 1) this email was emitted from paypal's mail system
  - 2) paypal's DKIM signing key is compromised
  - 3) spamassassin is misparsing DKIM
  - 4) something else

I would take the message and run it through SA with -D -t.
I am guessing we are in case 1.

To be clear: if this is case 1, then it is not true that "the From:
address [is] faked".


If paypal is emitting user-generated content with DKIM signatures, then
they should be summarily removed from DKIM WL.  The point of those WL
entries is to cover mail that is really from those companies, believed
to be essentially never spam.

Also, there is DKIMWL at high, and if you have a message with a valid
DKIM signature, reporting it there as well would be good.
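
An added example, not part of the original post and not SpamAssassin code: a small Python check of what a DKIM signature on such a message claims, namely which `d=` domain signed it, whether `From:` is among the signed headers, and whether the `From:` domain matches the signing domain. The sample message, the selector, and the helper names `dkim_tags` and `from_alignment` are constructed for illustration; the script does not verify the signature cryptographically, and the suffix match is a simplification of relaxed alignment.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not taken from the thread); bh=/b= are placeholders.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.com;
 s=selector1; h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
From: "service" <service@paypal.com>
To: user@example.org
Subject: Invoice

body
"""


def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def from_alignment(raw):
    """Return (From: domain, one summary dict per DKIM-Signature header)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(str(sig))
        d = tags.get("d", "").lower()
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        results.append({
            "d": d,
            "selector": tags.get("s", ""),
            # A signature that does not cover From: says nothing about it.
            "from_signed": "from" in signed,
            # Simplified: From: domain equals d= or is a subdomain of it.
            "aligned": from_domain == d or from_domain.endswith("." + d),
        })
    return from_domain, results


if __name__ == "__main__":
    print(from_alignment(SAMPLE))
```

A signature that verifies, covers `From:` and is aligned corresponds to case 1 or case 2 in the list above; a verifying signature from an unrelated `d=` domain says nothing about the `From:` address.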
