On Sun, 2017-04-30 at 14:42 -0400, Alex wrote:
> It sounds like you're saying you're adding points to bounce emails
> that don't originate from email sent by your system?
>
Correct, or more specifically this is intended to catch spam spoofing my domain as sender and rejected by its destination. Of course there are still domains out there that don't look at SPF, so they don't realise they're bouncing spam. I also have a suspicion that at least some spammers have deliberately sent spoofed bounce reports as a way past SA and friends.

> I'm seeing far too many legitimate bounces being tagged as spam
> because they are hitting stock SA rules, including bayes50 and
> URI_PHISH, which is a really involved rule, and almost assuredly is a
> FP here.

I was receiving a lot of bounces where the bounced message was obvious spam and which had not been sent from here but where the bounce wrapper was either genuine or a very good fake. In any case, regardless of whether I get bounced spam containing my domain as forged sender or whether the whole bounce message is a forgery, it can be safely binned, hence my rule.

Martin
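
The decision discussed in this message, whether a bounce refers to mail the local system actually sent, sketched as an added example; it is not Martin's SpamAssassin rule, which the message does not show. It assumes the local MTA stamps its own host name (the placeholder `mail.example.org`) into every Message-ID, and the sample bounces are constructed.

```python
import email
from email import policy

# Assumption: the local MTA stamps this host into every Message-ID it generates.
LOCAL_MSGID_HOST = "mail.example.org"

def returned_message(dsn):
    """Return the original message (or its headers) carried inside a DSN."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        payload = part.get_payload()
        if ctype == "message/rfc822" and isinstance(payload, list) and payload:
            return payload[0]
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify(raw):
    """Classify raw mail as 'not-a-dsn', 'no-original', 'ours' or 'backscatter'."""
    msg = email.message_from_string(raw, policy=policy.default)
    report_type = str(msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report_type != "delivery-status":
        return "not-a-dsn"
    original = returned_message(msg)
    if original is None:
        return "no-original"
    msgid = str(original.get("Message-ID", "")).strip().strip("<>")
    host = msgid.rpartition("@")[2].lower()
    return "ours" if host == LOCAL_MSGID_HOST else "backscatter"

def sample_dsn(msgid, headers_only=False):
    """Constructed sample bounce (not a captured message)."""
    ctype = "text/rfc822-headers" if headers_only else "message/rfc822"
    return "\n".join([
        "From: MAILER-DAEMON@mx.example.net",
        "To: user@example.org",
        "Subject: Undelivered Mail Returned to Sender",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "", "Delivery failed.", "",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.example.net", "",
        "Final-Recipient: rfc822; nobody@example.net",
        "Action: failed", "Status: 5.1.1", "",
        "--b1", f"Content-Type: {ctype}", "",
        "From: user@example.org", f"Message-ID: <{msgid}>", "Subject: hello",
        "", "body", "", "--b1--", ""])

if __name__ == "__main__":
    print(classify(sample_dsn("20170430.1@mail.example.org")))         # mail we sent
    print(classify(sample_dsn("x1@bulk.invalid", headers_only=True)))  # forged sender
```

A Message-ID can be copied by anyone who has seen one of your messages, so an "ours" result is a reason not to add points rather than proof that the bounce is genuine.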