On 2026-01-10 at 13:54:03 UTC-0500 (Sat, 10 Jan 2026 13:54:03 -0500)
Bill Cole <[email protected]>
is rumored to have said:
On 2026-01-10 at 13:05:10 UTC-0500 (Sat, 10 Jan 2026 18:05:10 +0000)
Niamh Holding <[email protected]>
is rumored to have said:
Hello Bill,
Saturday, January 10, 2026, 5:34:02 PM, you wrote:
BC> Here's your problem. Your MTA is doing something to strip all of
BC> the Received headers from the message before SpamAssassin is seeing
BC> it.
OK, I've looked again and those were the headers of the message sent
by procmail and not the ones on the incoming external email which
will follow.
I don't see any evidence of Shopify in those headers either and at
first I suspected that maybe the mail isn't really from Shopify, since
there are indicators of both Sendgrid and Klayvio in those headers.
As it turns out, apparently Shopify has outsourced to Klayvio who has
outsourced to Sendgrid. It's not clear to me whether the full message
would hit SHOPIFY_IMG_NOT_RCVD_SFY, since there are multiple ways for
the body or headers to be exempt from the basic "Shopify-hosted image
without Shopify in headers" concept of the rule, but I will shortly
add a sub-rule to detect Klayvio and prevent this class of FP.
Oops, these rules are in John Hardin's testing sandbox, so I will let
him do the fix.
I expect something like these subrules added as exclusions to the
SHOPIFY_IMG_NOT_RCVD_SFY meta-rule will do the trick:
describe __HDR_RCVD_KLAYVIO Has a Klayvio machine in the Received headers
header __HDR_RCVD_KLAYVIO X-Spam-Relays-External =~ /\srdns=\S+\.klayvio\.com\s/
describe __HDR_SGEID Has Sendgrid EID header
header __HDR_SGEID exists:X-SG-EID
describe __HDR_SGID Has Sendgrid ID header
header __HDR_SGID exists:X-SG-ID
describe __HDR_SGIDS Has both Sendgrid ID headers
meta __HDR_SGIDS __HDR_SGEID && __HDR_SGID
And the replacement meta with new FP prevention:
meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY && !__HDR_RCVD_KLAYVIO && !__HDR_SGIDS
--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
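
The exclusion logic proposed in the message above, modelled in Python as an added example (not code from the thread or from SpamAssassin). The relay strings and header sets are constructed, the regex is copied as posted, and the three Shopify subrules are passed in as booleans because their definitions are not shown in the message.

```python
import re

# Regex copied from the proposed __HDR_RCVD_KLAYVIO subrule, spelling as posted.
KLAYVIO_RDNS = re.compile(r"\srdns=\S+\.klayvio\.com\s")

def hdr_sgids(header_names):
    """__HDR_SGIDS: true only when both Sendgrid ID headers exist."""
    names = {n.lower() for n in header_names}  # field names are case-insensitive
    return "x-sg-eid" in names and "x-sg-id" in names

def shopify_img_not_rcvd_sfy(relays_external, header_names, uri_img_shopify=True,
                             rcvd_shopify=False, envfrom_shopify=False):
    """Replacement meta: fires only if no exclusion subrule matches."""
    return bool(uri_img_shopify and not rcvd_shopify and not envfrom_shopify
                and not KLAYVIO_RDNS.search(relays_external)
                and not hdr_sgids(header_names))

def relay(rdns, helo):
    """Build one constructed X-Spam-Relays-External entry (documentation IP)."""
    return (f"[ ip=192.0.2.10 rdns={rdns} helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=ABC auth= msa=0 ]")

# Constructed cases: (relay metadata, header names present).
CASES = {
    # rDNS under the excluded domain: exempt.
    "klayvio_rdns": (relay("o1.mta.klayvio.com", "o1.mta.klayvio.com"), []),
    # Same name only in HELO (sender-controlled): not exempt.
    "klayvio_helo_only": (relay("", "o1.mta.klayvio.com"), []),
    # Domain embedded in a longer hostname: not exempt, the trailing \s anchors it.
    "lookalike_rdns": (relay("mail.klayvio.com.example.net", "x"), []),
    # Both Sendgrid ID headers: exempt. Only one of them: not exempt.
    "both_sg_headers": (relay("o2.example.net", "o2.example.net"), ["X-SG-EID", "X-SG-ID"]),
    "one_sg_header": (relay("o2.example.net", "o2.example.net"), ["X-SG-EID"]),
}

def evaluate_cases():
    """Return {case name: True if the meta-rule would still fire}."""
    return {name: shopify_img_not_rcvd_sfy(rel, hdrs)
            for name, (rel, hdrs) in CASES.items()}

if __name__ == "__main__":
    for name, fires in evaluate_cases().items():
        print(f"{name:18} fires={fires}")
```

The Sendgrid exclusion depends only on message headers, which the sender chooses, while the relay exclusion depends on the rdns field of the relay metadata.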