I have a particularly aggressive phisher sending messages from IPs that don't have rDNS. We're an ISP, so our SpamAssassin threshold is 8. I've left some evidence below where SpamAssassin picked up a message, as its score was 8.2. I leave another report where SpamAssassin did not pick it up, as the threshold was 7.9.
For now my only recourse is to block messages where no rDNS is set up. I've googled to death, and articles on this forum from 2014 and 2015 refer to a setting in the Exim Configuration Editor that I simply cannot find. This setting is:

Section:
`custom_begin_check_message_pre`

Setting:
`require verify = reverse_host_lookup`

I cannot find either the Section or the requisite Setting. Please help.
Evidence #1, SA score of 8.2:
```text
X-Spam-Report: Spam detection software, running on the system "REDACTED",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root@localhost for details.

Content preview: Dear manager, We are deactivating all mailbox users that are
still using the old Version of kingsley.co.za Mailbox , And your email [email protected]
is still using old version, Please tap the blue button below to upgrade your
mailbox to the latest version,

Content analysis details: (8.2 points, 8.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4693]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            Blocklist Lookup | Sender Score | Return Path
                            [REDACTED.252.172.96 listed in bl.score.senderscore.com]
 0.1 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                            identical to background
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                            anti-forgery methods
 2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
 1.2 PDS_FROM_2_EMAILS      No description available.
 1.6 NORDNS_LOW_CONTRAST    No rDNS + hidden text
X-Spam-Flag: YES
```
Evidence #2, SA score of 7.9:
```text
X-Ham-Report: Spam detection software, running on the system "mail.kingsley.co.za",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root@localhost for details.

Content preview: Dear manager, We are deactivating all mailbox users that are
still using the old Version of kingsley.co.za Mailbox , And your email [email protected]
is still using old version, Please tap the blue button below to upgrade your
mailbox to the latest version,

Content analysis details: (7.9 points, 8.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4693]
 1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                            Blocklist Lookup | Sender Score | Return Path
                            [REDACTED.252.172.96 listed in bl.score.senderscore.com]
 0.1 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or
                            identical to background
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
                            anti-forgery methods
 2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
 1.1 PDS_FROM_2_EMAILS      No description available.
 1.5 NORDNS_LOW_CONTRAST    No rDNS + hidden text
X-Spam-Flag: NO
```
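The following is an added example of what the `verify = reverse_host_lookup` check looks like as a complete Exim ACL fragment; it is not code from the post above, nor cPanel's own configuration. It assumes the fragment is placed in an ACL that runs before message acceptance (for example the custom ACL section the post refers to); the exemption file path `/etc/exim_rdns_exempt` and the `+relay_from_hosts` host list name are assumptions, and `deny` is used in place of the `require` in the post so that the rejection message and log line are explicit.

```exim
# Added example (not from the original post or from cPanel): reject SMTP
# clients whose IP address has no forward-confirmed reverse DNS.
# Assumptions: +relay_from_hosts is the host list of your own relays and
# /etc/exim_rdns_exempt (one IP/CIDR/hostname pattern per line) holds
# legitimate senders you have decided to let through without rDNS.

  # Never apply the rDNS rule to our own network or authenticated clients;
  # those connections should be accepted by earlier ACL statements anyway.
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Local exemptions for known-good senders with broken rDNS.
  accept  hosts = /etc/exim_rdns_exempt

  # verify = reverse_host_lookup succeeds only when the PTR for
  # $sender_host_address resolves to a name whose A/AAAA record points back
  # at the same address. A failed or mismatching lookup rejects the client
  # with a permanent error and writes a line to the main log.
  deny    message     = 550 Rejected: $sender_host_address has no valid reverse DNS
          log_message = no forward-confirmed rDNS for $sender_host_address
         !verify      = reverse_host_lookup
```

Two caveats a practitioner would check before enabling this. First, a DNS lookup that times out behaves differently from a missing PTR record; newer Exim releases accept a `/defer_ok` modifier on this condition, so consult the ACL chapter of the Exim specification for the version you run before deciding how temporary DNS failures should be treated. Second, test the rule before it sees real traffic with Exim's fake SMTP session, `exim -bh 203.0.113.5` (a documentation-range address with no PTR), and again with the IP of a legitimate customer or partner that lacks rDNS, so that the exemption file is populated before the deny takes effect.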