<div dir="ltr"><div dir="ltr"><br></div>Hi,<div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><blockquote type="cite"><blockquote type="cite"><pre>I was using the hash-type arrays. Would something like this work for the
</pre>
</blockquote>
<pre>hash array to represent any sender at this domain?
'.<a href="http://email.avi-8.com" target="_blank">email.avi-8.com</a>' => -100.0,
</pre>
</blockquote>
Yes, but I was under the impression that you wanted to match
VERP-style sender addresses, specifically.<br></div></blockquote><div><br></div><div>I don't think I'm tied to any particular style, but still confused about why whitelisting doesn't appear to work reliably for me yet.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><blockquote type="cite">
<blockquote type="cite">
<pre>Apr 19 17:21:23 xavier amavis[679593]: (679593-18)
{"@timestamp":"2024-04-19T21:21:22.452Z","action":["DISCARD","PASS"],"actions_performed":"DiscardedInbound
RelayedInbound Quarantined","attached_file_names":["message.msg"],"author":<a href="mailto:watchrecon.com@gmail.com" target="_blank">"watchrecon.com@gmail.com"</a>]
Looks like a multi-recipient mail, where one of the recipients triggered a
Discard+Quarantine and the other a Pass.
</pre>
</blockquote>
<pre>Ah, yes, that looks like the case. I have an always_bcc user being used
here, but it never used to be quarantined, even when the other recipient
was.
I traced the message to the final recipient, and he did receive it, but the
bcc-user did not. What could have changed?
</pre>
</blockquote>
Are you sure? I am not able to reproduce that. Your logline
indicates that you log the report_json. Please check `action` and
`ccat_main` of your bcc recipient in the report's `recipients`
structure.<br></div></blockquote><div><br></div><div>Here's a pastebin from an email similar to the above where one of the recips is whitelisted while the other is quarantined (using report_json).</div><div><a href="https://pastebin.com/8i6qwjvM">https://pastebin.com/8i6qwjvM</a><br></div><div><br></div><div> "recipients": [<br> {<br> "action": "DISCARD",<br> "ccat_blocking": "Spam",<br> "rcpt_is_local": true,<br> "rcpt_to": "<a href="mailto:bcc-user@gambit.example.com">bcc-user@gambit.example.com</a>",<br> "smtp_code": "250",<br> "smtp_response": "250 2.7.0 Ok, discarded, id=773043-07 - spam",<br> "spam_score": 5.988<br> },<br> {<br> "action": "PASS",<br> "ccat_main": "CleanTag",<br> "queued_as": "D44BDDC2",<br> "rcpt_is_local": true,<br> "rcpt_to": "<a href="mailto:hartmann@tenney.com">hartmann@tenney.com</a>",<br> "smtp_code": "250",<br> "smtp_response": "250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as D44BDDC2",<br> "spam_score": -94.012<br> }<br></div><div><br></div><div>It also reports the score in the quarantined file like, apparently showing the value for each email.</div><div>X-Spam-Status: Yes, score=-94.012..5.988 tag=-200 tag2=5 kill=5<br></div><div><br></div><div><br></div></div></div></div>