sender maps and whitelisting

Damian amavis at arcsin.de
Mon Apr 22 16:11:36 CEST 2024


> I've just started using sender_maps instead of the welcomelist in
> spamassassin directly and have a few questions. Here is my current
> sender_map:
Is this `@score_sender_maps`?
>     '.gtenney.com' => [{ '.*@send.undone.com'                     => -100.0,
>                          '.*@mg-d0.substack.com'      => -100.0,
>                          '.*@mg-d1.substack.com'       => -100.0,
>                          ....
> First, can you confirm it is only the envelope from that you can whitelist
> using this method?
Amavis checks envelope-from as well as header-from.
> Is there any way to require SPF pass?
To my knowledge, no. If you want some kind of authentication, you can 
use @author_to_policy_bank_maps (based on DKIM).
> Instead of effectively whitelisting any emails from all of substack based
> on the above, I wondered if I can use more of the lhs of the address. This
> is the full envelope sender address:
>
> bounce+77295b.63af5d-noelbaron=gtenney.com@mg-d0.substack.com
>
> I think the "77295b.63af5d" part may be dynamic (like a message-ID kind of
> thing), so I was wondering if I could restrict it like the following?
>
>                   '.*gtenney.com@mg-d0.substack.com'    => -100.0,


> @score_sender_maps = ({
>     '.gtenney.com' => [
>         new_RE(
>            [ qr'=gtenney\.com@send\.undone\.com'    => -100],
>            [ qr'=gtenney\.com@mg-d0\.substack\.com' => -100],
>            [ qr'=gtenney\.com@mg-d1\.substack\.com' => -100],
>         ),
>     ],
> });

> Also, when a message is whitelisted using this method, what is the
> "actions_performed" field defined to be? It seems like SA still considers
> it to be spam, but then amavisd also considers it to be quarantined yet
> also delivers it?
>
> Here's an example:
>
> Apr 19 17:21:23 xavier amavis[679593]: (679593-18)
> {"@timestamp":"2024-04-19T21:21:22.452Z","action":["DISCARD","PASS"],"actions_performed":"DiscardedInbound
> RelayedInbound Quarantined","attached_file_names":["message.msg"],"author":"
> watchrecon.com at gmail.com"]
Looks like a multi-recipient mail, where one of the recipients triggered 
a Discard+Quarantine and the other a Pass.
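
An offline check of the regex list shown above, as an added example that is not part of the original message or of amavisd: it runs the three patterns, and a variant with an end anchor, against sample envelope senders. The `score_for` helper, the `\z` anchoring and the second and third sample addresses are assumptions made for illustration; the loop only approximates a first-match lookup.

```perl
#!/usr/bin/perl
# Added example: test candidate sender regexes before putting them into
# @score_sender_maps. score_for() is a hypothetical stand-in for a
# first-match lookup, not amavisd's own code.
use strict;
use warnings;

# Patterns exactly as they appear in the thread (no end anchor).
my @posted = (
    [ qr'=gtenney\.com@send\.undone\.com'    => -100 ],
    [ qr'=gtenney\.com@mg-d0\.substack\.com' => -100 ],
    [ qr'=gtenney\.com@mg-d1\.substack\.com' => -100 ],
);

# Assumption: the same patterns with \z appended, so nothing may follow the
# trusted host name. This hardening is added here, not taken from the thread.
my @anchored = map {
    my ($re, $score) = @$_;
    [ qr/$re\z/, $score ]
} @posted;

# Return the score of the first matching pattern, or 0 when none matches.
sub score_for {
    my ($sender, $list) = @_;
    for my $pair (@$list) {
        my ($re, $score) = @$pair;
        return $score if $sender =~ $re;
    }
    return 0;
}

my @samples = (
    # Envelope sender quoted in the thread.
    'bounce+77295b.63af5d-noelbaron=gtenney.com@mg-d0.substack.com',
    # Constructed: same relay, but addressed to a different recipient domain.
    'bounce+aaaaaa.bbbbbb-someone=example.org@mg-d0.substack.com',
    # Constructed: trusted host name is only a prefix of the sender domain.
    'bounce+aaaaaa.bbbbbb-noelbaron=gtenney.com@mg-d0.substack.com.invalid',
);

for my $sender (@samples) {
    printf "%-72s posted=%4d anchored=%4d\n",
        $sender,
        score_for($sender, \@posted),
        score_for($sender, \@anchored);
}
```

Because the match is made on the envelope-from and header-from strings alone, a sender that matches still receives the score regardless of SPF, which is why the DKIM-based `@author_to_policy_bank_maps` is suggested above when authentication is wanted.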


More information about the amavis-users mailing list