>From: Alex <[email protected]>
>Sent: Thursday, May 12, 2016 9:37 AM
>To: SA Mailing list
>Subject: Received header and matching
>
>Hi,
>I'm trying to match some Apple/iTunes fraud and would like to use the
>lack of the email having been passed through anything relating to
>Apple (contains apple.com, etc), and having some difficulty with this
>header:
>
>Received: from 56.119.233.220.static.exetel.com.au ([220.233.119.56]
>    helo=smtp.vic.exemail.com.au)
>    by pecan.exetel.com.au with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
>    (Exim 4.84)
>    (envelope-from <[email protected]>)
>    id 1b0RAr-0003bC-72
>    for [email protected]; Wed, 11 May 2016 20:15:43 +1000
>
>This rule apparently matches due to the envelope-from line above.
>
>header __LOC_APPLE_RCVD Received =~ /apple\.com/
>
>How can I get it to only match on the server name in that line?
>
>Perhaps someone has a more effective rule for spam such as this one?
>I'm using pypolicyd-spf and it's detected that there is an SPF
>permerror, but apparently no SA rule detected the SPF fail. It
>would be good to add a few points for that somehow...
>
>http://pastebin.com/SYq3Rysr

whitelist_auth *@apple.com
whitelist_auth *@*.apple.com
whitelist_auth *@*.icloud.com
whitelist_auth *@itunes.com
whitelist_auth *@*.itunes.com

Then increase your scores a little for BAYES_*, SPF_FAIL, T_DMARC_TESTS_FAIL, etc.

Over time, you can build up the whitelist_auth list of trusted senders that are not human accounts that can be compromised; then the major domains that are commonly spoofed will be covered properly to let them through. Then you train your Bayes with the bad ones to get those BAYES_* hits up closer to BAYES_99, which will help scoring overall.

>Thanks,
>Alex
