On Mon, Nov 12, 2012 at 3:19 AM, Paul Welsh <span dir="ltr"><<a href="mailto:paul@welshfamily.com" target="_blank">paul@welshfamily.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all<br>
<br>
Bit off-topic but thought I'd mention <a href="http://dnswl.org" target="_blank">dnswl.org</a> which the spamassassin<br>
wiki describes here -<br>
<a href="http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED" target="_blank">http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED</a> - and<br>
which describes itself as "the leading whitelist provider for email<br>
filtering".<br>
<br>
I was tweaking my spam.assassin.prefs.conf today and noticed<br>
RCVD_IN_DNSWL_MED gets a -2.3 spamassassin score by default. However,<br>
on doing some digging I noticed this:<br>
<br>
2012-11-10 11:01:45 1TX8or-0008Fj-1P <= <a href="mailto:service@santander.co.uk">service@santander.co.uk</a><br>
H=<a href="http://p02c11o144.mxlogic.net" target="_blank">p02c11o144.mxlogic.net</a> [208.65.144.77] P=esmtps<br>
X=TLSv1:AES256-SHA:256 S=3244<br>
id=FS3rRZ1UbDBRArVc4Iu00000255@fs3.ellison.local T="YOUR ONLINE<br>
ACCOUNT HAS BEEN SUSPENDED" from <<a href="mailto:service@santander.co.uk">service@santander.co.uk</a>> for <snip><br>
<br>
This phishing email came from <a href="http://mxlogic.net" target="_blank">mxlogic.net</a>, now called McAfee SaaS<br>
Email Protection & Continuity. <a href="http://dnswl.org" target="_blank">dnswl.org</a> gives <a href="http://mxlogic.net" target="_blank">mxlogic.net</a> a<br>
classification of:<br>
"Medium Rare spam occurrences, corrected promptly."<br>
<br>
Fair enough, this is doubtless one of those rare occurrences but I<br>
just thought I'd highlight that phishing does appear to be getting<br>
through <a href="http://mxlogic.net" target="_blank">mxlogic.net</a> and because of <a href="http://dnswl.org" target="_blank">dnswl.org</a>'s treatment of it,<br>
spamassassin is subtracting nearly 3 points from its score.<br>
<br>
In the case of the phishing mail I saw, it still got picked up as high<br>
scoring spam and deleted but had the attempts to forge the Outlook<br>
headers been better and/or had I given RCVD_IN_DNSWL_MED a higher<br>
negative score (which I was seriously considering doing), this would<br>
have been delivered:<br>
<br>
Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from<br>
208.65.144.77 (<a href="mailto:service@santander.co.uk">service@santander.co.uk</a>) to <snip> is spam,<br>
SpamAssassin (score=10.984, required 6, autolearn=disabled,<br>
AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79,<br>
FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH<br>
0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00,<br>
FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00,<br>
HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21,<br>
NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62,<br>
TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)<br>
Nov 10 11:01:50 mail MailScanner[27602]: Non-delivery of spam: message<br>
1TX8or-0008Fj-1P from <a href="mailto:service@santander.co.uk">service@santander.co.uk</a> to <snip> with subject<br>
YOUR ONLINE ACCOUNT HAS BEEN SUSPENDED<br>
Nov 10 11:01:50 mail MailScanner[27602]: Spam Actions: message<br>
1TX8or-0008Fj-1P actions are delete</blockquote><div><br></div><div>Thanks for sharing! </div></div><br>-- <br>Stephen Cox<br><br>
</div>