>From: Joe Quinn <jqu...@pccc.com>
>Sent: Tuesday, March 31, 2015 11:44 AM
>To: users@spamassassin.apache.org
>Subject: Re: RBL/SPF if header exists

>On 3/31/2015 12:23 PM, Mike Cardwell wrote:
>> * on the Tue, Mar 31, 2015 at 12:15:31PM -0400, Joe Quinn wrote:
>>> Here's an example from when Yahoo's internal Received headers were
>>> hitting RCVD_ILLEGAL_IP, taken from here:
>>> http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
>>>
>>> header __KAM_YAHOO_MISTAKE1 From =~ /\@yahoo\./i
>>>
>>> meta KAM_YAHOO_MISTAKE (SPF_PASS && __KAM_YAHOO_MISTAKE1 && RCVD_ILLEGAL_IP)
>>> describe KAM_YAHOO_MISTAKE Reversing score for some idiotic Yahoo received headers
>>> score KAM_YAHOO_MISTAKE -3.0
>>>
>>> This rule undoes RCVD_ILLEGAL_IP, which has a score of 3.0.
>> Thanks for the example. The only problem with the above is that I believe
>> I would have to write a rule for every single RBL and keep those rules
>> up to date whenever a new RBL is added or score updated by upstream.
>> Is there any way of avoiding that?
>>
>Not an easy way that I know of offhand. Others might know, or if you
>have the coding ability you might try writing a plugin to automate at
>least tracking the RBL scores.

Sounds like you need to look into shortcircuit'ing some messages as long as there is something consistent about them that meta rules can work with. You have to find some safe, consistent and reliable ways to detect the emails that you want to shortcircuit.

https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_Shortcircuit.html

I safely shortcircuit a high percentage of mail which lowers the processing time dramatically. If you spend a little time analyzing your high volume senders that always score very low, then you can use _specific characteristics_ from those messages to shortcircuit them through SA quickly.

What worked for me was to add:

    shortcircuit ALL_TRUSTED off

in my local.cf so I would filter outbound email.

Then turn on some reliable whitelists (based on your mail logs):

    shortcircuit RCVD_IN_RP_CERTIFIED on
    shortcircuit RCVD_IN_DNSWL_HI on
    shortcircuit RCVD_IN_IADB_LISTED on

And you can write custom rules to fire early:

    header __SUBJ_LIB_NOTICE Subject =~ /(^Notice from your Library|^Hold Placed$)/
    meta LIBRARY_NOTICE ALL_TRUSTED && __SUBJ_LIB_NOTICE
    describe LIBRARY_NOTICE Sent by a library notification system on our network to patrons.
    score LIBRARY_NOTICE -0.001
    priority LIBRARY_NOTICE -400
    shortcircuit LIBRARY_NOTICE ham
    tflags LIBRARY_NOTICE noautolearn nice

>I remember there was a similar question asked a few months ago about
>canceling an AWL score or something similar which might be useful. I
>can't find it in Google, but you might have luck finding a better
>solution from that thread.
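
The reply above recommends picking shortcircuit rules "based on your mail logs". The following is an added example, not code from the thread or from SpamAssassin: a small log tally that lists rules which only ever fired on low-scoring, non-spam messages. The spamd "result:" line layout in the regex is an assumption about the local syslog format, and the sample lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed spamd syslog layout: "spamd: result: <Y|.> <score> - RULE,RULE scantime=..."
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.])\s+(?P<score>-?\d+) - (?P<rules>\S*) scantime=")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Mar 31 12:00:01 mx spamd[911]: spamd: result: . -5 - RCVD_IN_DNSWL_HI,SPF_PASS scantime=0.4,size=2100
Mar 31 12:00:07 mx spamd[911]: spamd: result: . -5 - RCVD_IN_DNSWL_HI,SPF_PASS,HTML_MESSAGE scantime=0.5,size=9000
Mar 31 12:01:12 mx spamd[911]: spamd: result: . -4 - RCVD_IN_DNSWL_HI,HTML_MESSAGE scantime=0.6,size=8100
Mar 31 12:02:30 mx spamd[911]: spamd: result: Y 12 - BAYES_99,SPF_PASS,HTML_MESSAGE scantime=1.9,size=4000
Mar 31 12:03:00 mx spamd[911]: spamd: result: . -1 - ALL_TRUSTED,LIBRARY_NOTICE scantime=0.2,size=1200
Mar 31 12:03:05 mx spamd[911]: spamd: result: . -1 - ALL_TRUSTED,LIBRARY_NOTICE scantime=0.2,size=1300
Mar 31 12:03:09 mx spamd[911]: spamd: result: . -1 - ALL_TRUSTED,LIBRARY_NOTICE scantime=0.2,size=1250
Mar 31 12:04:44 mx spamd[911]: spamd: result: .  3 - ALL_TRUSTED,HTML_MESSAGE scantime=0.8,size=7000
"""

def shortcircuit_candidates(log_text, min_hits=3, max_score=0):
    """Rules seen >= min_hits times, never on a spam verdict, and never on a
    message whose logged score exceeded max_score."""
    stats = defaultdict(lambda: {"hits": 0, "spam": 0, "worst": None})
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a spamd result line
        score = int(m.group("score"))
        for rule in filter(None, m.group("rules").split(",")):
            s = stats[rule]
            s["hits"] += 1
            s["spam"] += m.group("verdict") == "Y"
            s["worst"] = score if s["worst"] is None else max(s["worst"], score)
    return sorted(rule for rule, s in stats.items()
                  if s["hits"] >= min_hits and s["spam"] == 0
                  and s["worst"] <= max_score)

if __name__ == "__main__":
    # SPF_PASS and HTML_MESSAGE drop out (seen on spam); ALL_TRUSTED drops out
    # (seen on a message scoring 3), matching "shortcircuit ALL_TRUSTED off".
    for rule in shortcircuit_candidates(SAMPLE_LOG):
        print("candidate:", rule)
```

The output is a review list, not a config: a rule belongs in a `shortcircuit` line only if its source is one you trust to stay reliable, since a shortcircuited message skips the remaining checks.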