<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 12/11/2012 01:19, Paul Welsh wrote:<br>
</div>
<blockquote
cite="mid:CAA510g6U6-VBHx7SuRkw3t_U5jUVvnxdo5xvuFSqNqzZ_z+QEw@mail.gmail.com"
type="cite">
<pre wrap="">Hi all
Bit off-topic but thought I'd mention dnswl.org which the spamassassin
wiki describes here -
<a class="moz-txt-link-freetext" href="http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED">http://wiki.apache.org/spamassassin/Rules/RCVD_IN_DNSWL_MED</a> - and
which describes itself as "the leading whitelist provider for email
filtering".
I was tweaking my spam.assassin.prefs.conf today and noticed
RCVD_IN_DNSWL_MED gets a -2.3 spamassassin score by default. However,
on doing some digging I noticed this:
2012-11-10 11:01:45 1TX8or-0008Fj-1P &lt;= <a class="moz-txt-link-abbreviated" href="mailto:service@santander.co.uk">service@santander.co.uk</a>
H=p02c11o144.mxlogic.net [208.65.144.77] P=esmtps
X=TLSv1:AES256-SHA:256 S=3244
<a class="moz-txt-link-abbreviated" href="mailto:id=FS3rRZ1UbDBRArVc4Iu00000255@fs3.ellison.local">id=FS3rRZ1UbDBRArVc4Iu00000255@fs3.ellison.local</a> T="YOUR ONLINE
ACCOUNT HAS BEEN SUSPENDED" from <a class="moz-txt-link-rfc2396E" href="mailto:service@santander.co.uk">&lt;service@santander.co.uk&gt;</a> for &lt;snip&gt;
This phishing email came from mxlogic.net, now called McAfee SaaS
Email Protection &amp; Continuity. dnswl.org gives mxlogic.net a
classification of:
"Medium Rare spam occurrences, corrected promptly."
Fair enough, this is doubtless one of those rare occurrences but I
just thought I'd highlight that phishing does appear to be getting
through mxlogic.net and because of dnswl.org's treatment of it,
spamassassin is subtracting nearly 3 points from its score.
In the case of the phishing mail I saw, it still got picked up as high
scoring spam and deleted but had the attempts to forge the Outlook
headers been better and/or had I given RCVD_IN_DNSWL_MED a higher
negative score (which I was seriously considering doing), this would
have been delivered:
Nov 10 11:01:50 mail MailScanner[27602]: Message 1TX8or-0008Fj-1P from
208.65.144.77 (<a class="moz-txt-link-abbreviated" href="mailto:service@santander.co.uk">service@santander.co.uk</a>) to &lt;snip&gt; is spam,
SpamAssassin (score=10.984, required 6, autolearn=disabled,
AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79,
FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH
0.00, FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00,
FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00,
HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21,
NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62,
TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)
Nov 10 11:01:50 mail MailScanner[27602]: Non-delivery of spam: message
1TX8or-0008Fj-1P from <a class="moz-txt-link-abbreviated" href="mailto:service@santander.co.uk">service@santander.co.uk</a> to &lt;snip&gt; with subject
YOUR ONLINE ACCOUNT HAS BEEN SUSPENDED
Nov 10 11:01:50 mail MailScanner[27602]: Spam Actions: message
1TX8or-0008Fj-1P actions are delete
</pre>
</blockquote>
A whitelist entry has to be earned. I trust no one by default and
create my own whitelists - works for me.<br>
<br>
<div class="moz-signature">-- <br>
Peter Farrow<br>
<a href="http://www.peterfarrow.com">www.peterfarrow.com</a>
</div>
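<p>Added example, not part of either message above: a short Python what-if over the SpamAssassin report in the quoted MailScanner log, showing how far the RCVD_IN_DNSWL_MED credit is from flipping the verdict and what happens if the two Outlook-forgery rules had not fired. The function names are illustrative, and the rule is assumed to be spam when score is at or above the required value.</p>
<pre>
```python
import re

# SpamAssassin report from the MailScanner log line quoted above (lines joined).
REPORT = (
    "SpamAssassin (score=10.984, required 6, autolearn=disabled, "
    "AXB_XMAILER_MIMEOLE_OL_1ECD5 3.26, FORGED_MUA_OUTLOOK 2.79, "
    "FORGED_OUTLOOK_HTML 0.00, FROM_MISSPACED 0.00, FROM_MISSP_EH_MATCH 0.00, "
    "FROM_MISSP_MSFT 0.00, FROM_MISSP_URI 0.00, FROM_MISSP_USER 0.00, "
    "FSL_NEW_HELO_USER 0.00, HTML_IMAGE_ONLY_16 1.05, HTML_MESSAGE 0.00, "
    "HTML_TAG_BALANCE_BODY 0.71, MIME_HTML_ONLY 1.10, MISSING_HEADERS 1.21, "
    "NSL_RCVD_FROM_USER 0.00, RCVD_IN_DNSWL_MED -2.30, SUBJ_ALL_CAPS 1.62, "
    "TVD_PH_BODY_ACCOUNTS_PRE 1.53, T_REMOTE_IMAGE 0.01)"
)

def parse_report(line):
    """Return (score, required, {rule: points}) from a MailScanner report."""
    body = re.search(r"SpamAssassin \((.*)\)", line).group(1)
    score = float(re.search(r"score=(-?[\d.]+)", body).group(1))
    required = float(re.search(r"required (-?[\d.]+)", body).group(1))
    hits = re.findall(r"\b([A-Z][A-Z0-9_]+) (-?\d+\.\d+)", body)
    return score, required, {name: float(pts) for name, pts in hits}

def what_if(score, required, rules, overrides):
    """Re-score with some rule values replaced; 0.0 means the rule did not fire."""
    for name in overrides:
        if name not in rules:
            raise KeyError(f"rule {name} did not fire on this message")
    new = score + sum(pts - rules[name] for name, pts in overrides.items())
    return round(new, 3), new >= required  # (new score, still flagged as spam)

def break_even(score, required, rules, rule):
    """Value `rule` would need for the total to land exactly on the threshold."""
    return round(rules[rule] - (score - required), 3)

if __name__ == "__main__":
    score, required, rules = parse_report(REPORT)
    outlook = {"AXB_XMAILER_MIMEOLE_OL_1ECD5": 0.0, "FORGED_MUA_OUTLOOK": 0.0}
    print("as logged:          ", what_if(score, required, rules, {}))
    print("no DNSWL credit:    ", what_if(score, required, rules, {"RCVD_IN_DNSWL_MED": 0.0}))
    print("no Outlook-forgery: ", what_if(score, required, rules, outlook))
    print("DNSWL break-even:   ", break_even(score, required, rules, "RCVD_IN_DNSWL_MED"))
```
</pre>
<p>On this message the whitelist credit alone would have to reach -7.284 to bring the total down to the threshold, while losing the two Outlook-forgery hits (6.05 points) drops the score to 4.934, under the required 6, with the -2.30 credit making the difference between 7.234 and 4.934 in that case.</p>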
</body>
</html>