<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 12/11/2012 01:19, Paul Welsh wrote:<br>
    </div>
    <blockquote
cite="mid:CAA510g6U6-VBHx7SuRkw3t_U5jUVvnxdo5xvuFSqNqzZ_z+QEw@mail.gmail.com"
      type="cite">
      <pre wrap="">Hi all

Bit off-topic but thought I'd mention dnswl.org which the spamassassin
wiki describes here -
<a class="moz-txt-link-freetext" href="http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED">http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED</a> - and
which describes itself as "the leading whitelist provider for email
filtering".

I was tweaking my spam.assassin.prefs.conf today and noticed
RCVD_IN_DNSWL_MED gets a -2.3 spamassassin score by default.  However,
on doing some digging I noticed this:

2012-11-10 11:01:45 1TX8or-0008Fj-1P &lt;= <a class="moz-txt-link-abbreviated" href="mailto:service@santander.co.uk">service@santander.co.uk</a>
H=p02c11o144.mxlogic.net [208.65.144.77] P=esmtps
X=TLSv1:AES256-SHA:256 S=3244
<a class="moz-txt-link-abbreviated" href="mailto:id=FS3rRZ1UbDBRArVc4Iu00000255@fs3.ellison.local">id=FS3rRZ1UbDBRArVc4Iu00000255@fs3.ellison.local</a> T="YOUR ONLINE
ACCOUNT HAS BEEN SUSPENDED" from <a class="moz-txt-link-rfc2396E" href="mailto:service@santander.co.uk">&lt;service@santander.co.uk&gt;</a> for &lt;snip&gt;

This phishing email came from mxlogic.net, now called McAfee SaaS
Email Protection &amp; Continuity.  dnswl.org gives mxlogic.net a
classification of:
"Medium        Rare spam occurrences, corrected promptly."

Fair enough, this is doubtless one of those rare occurrences but I
just thought I'd highlight that phishing does appear to be getting
through mxlogic.net and because of dnswl.org's treatment of it,
spamassassin is subtracting nearly 3 points from its score.

In the case of the phishing mail I saw, it still got picked up as high
scoring spam and deleted but had the attempts to forge the Outlook
headers been better and/or had I given RCVD_IN_DNSWL_MED a higher
negative score (which I was seriously considering doing), this would
have been delivered:

Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from
208.65.144.77 (<a class="moz-txt-link-abbreviated" href="mailto:service@santander.co.uk">service@santander.co.uk</a>) to &lt;snip&gt; is spam,
SpamAssassin (score=10.984, required 6, autolearn=disabled,
AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79,
FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH
0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00,
FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00,
HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21,
NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62,
TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)
Nov 10 11:01:50 mail MailScanner[27602]: Non-delivery of spam: message
1TX8or-0008Fj-1P from <a class="moz-txt-link-abbreviated" href="mailto:service@santander.co.uk">service@santander.co.uk</a> to &lt;snip&gt; with subject
YOUR ONLINE ACCOUNT HAS BEEN SUSPENDED
Nov 10 11:01:50 mail MailScanner[27602]: Spam Actions: message
1TX8or-0008Fj-1P actions are delete
</pre>
    </blockquote>
    A whitelist entry has to be earned, I trust no one by default and
    create my own whitelists - works for me..<br>
    <br>
    <br>
    <br>
    <br>
    <div class="moz-signature">-- <br>
      <table style="border-collapse: collapse" width="100%" border="0"
        cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td bgcolor="E57c09"><img alt="horizontal ruler"
                src="cid:part1.05070402.06080809@farrows.org" height="7"
                width="1"> </td>
          </tr>
        </tbody>
      </table>
      <table style="border-collapse: collapse" border="0"
        cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td colspan="2" style="font-family: Arial;font-weight:bold;
              font-size: 12pt;">Peter Farrow</td>
          </tr>
          <tr>
            <td height="100" valign="center" width="100"> <img
                alt="avatar"
                src="cid:part2.02080601.08070807@farrows.org"
                height="100" width="100"> </td>
            <td valign="center">
              <table style="border-collapse: collapse; font-family:
                Tahoma; font-size: 10pt;">
                <tbody>
                  <tr>
                    <td colspan="2" style="font-weight:bold;">
                      ______________________</td>
                  </tr>
                  <tr>
                    <td style="text-align: right; font-weight: bold;
                      font-size: 8pt;">Home:</td>
                    <td style="text-align:center;"> 01249 654183</td>
                  </tr>
                  <tr>
                    <td style="text-align: right; font-weight: bold;
                      font-size: 8pt;">Fax:</td>
                    <td style="text-align:center;">01249 461 548</td>
                  </tr>
                  <tr>
                    <td style="text-align: right; font-weight: bold;
                      font-size: 8pt;">Mobile:</td>
                    <td style="text-align:center;">07799605617</td>
                  </tr>
                  <tr>
                    <td style="text-align: right; font-weight: bold;
                      font-size: 8pt;">Skype:</td>
                    <td style="text-align:center;">peter_farrow</td>
                  </tr>
                  <tr>
                    <td style="text-align: right; font-weight: bold;
                      font-size: 8pt;">Web:</td>
                    <td style="text-align:center;"><a
                        href="http://www.peterfarrow.com">www.peterfarrow.com</a></td>
                  </tr>
                  <tr>
                    <td colspan="2" style="font-size: 6pt;"
                      align="center"><br>
                    </td>
                  </tr>
                </tbody>
              </table>
            </td>
          </tr>
        </tbody>
      </table>
    </div>
  </body>
</html>