On 5/11/2015 9:42 AM, Alex Regan wrote:
Hi,
I have a fp that was passed through thomsonreuters, hitting
RCVD_IN_DNSWL_HI, receiving -5 points, from an obvious hacked account.
http://pastebin.com/5LYS7s2v
This is with v3.4.1, but an older bayes database, so perhaps it needs
to be rebuilt. Even with BAYES_99, it still wouldn't have been tagged
properly, however.
I'm curious if there's anything further that could have been done to
block this outside of a body rule matching this specific pattern?
Is it also interesting that thomsonreuters.com has no SPF information?
Thanks,
Alex

It's definitely common to find domains hitting on
KAM_LAZY_DOMAIN_SECURITY. You might bump the score of that rule into the
3-4 range in addition to fixing the Bayes classification and writing a
specific rule; however, it would depend heavily on what your ham is. The
potential for FP is huge.
In an ideal world, KAM_LAZY_DOMAIN_SECURITY would be a poison pill, but
there are just too many legitimate places that pay no regard to
anti-forgery mechanisms.
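
An added local.cf example of the tuning the reply suggests (constructed for this thread; it is not part of the KAM ruleset or of either poster's configuration). It raises KAM_LAZY_DOMAIN_SECURITY to the 3-4 range and adds a meta rule that only claws back the -5 RCVD_IN_DNSWL_HI bonus when the forgery-hygiene rule and BAYES_99 both fire, which is the narrow case described above (a whitelisted relay passing mail from a compromised account). The LOCAL_ rule name and the scores are assumptions; the site-specific body rule for the sample's wording is left out because the pastebin content is not reproduced here.

```conf
# local.cf additions (constructed example; re-check against your own ham first)

# Raise the domain-hygiene rule as suggested, but keep it below the 5.0
# threshold on its own: many legitimate senders publish no SPF/DKIM/DMARC,
# so it cannot be a poison pill.
score KAM_LAZY_DOMAIN_SECURITY 3.5

# Claw back the DNSWL_HI bonus only when all three conditions hold:
#  - the relay is on the DNSWL high-trust list (the -5 in the report),
#  - the envelope/From domain publishes no anti-forgery records,
#  - Bayes is already at 99% spam.
# Requiring all three keeps this from firing on ordinary mail from
# lazy-but-legitimate domains that merely transit a whitelisted host.
meta     LOCAL_DNSWL_HACKED_ACCOUNT  (RCVD_IN_DNSWL_HI && KAM_LAZY_DOMAIN_SECURITY && BAYES_99)
describe LOCAL_DNSWL_HACKED_ACCOUNT  DNSWL-listed relay, sender domain lacks anti-forgery records, Bayes 99%
score    LOCAL_DNSWL_HACKED_ACCOUNT  4.0
```

After editing, run `spamassassin --lint` to catch syntax errors, then feed the saved sample through `spamassassin -t < message.eml` and confirm the meta shows up in the test report; the site-specific body rule for the sample's wording, and the Bayes retrain, go alongside this rather than in place of it.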