Mailing List Archive

Why is SENDGRID_REDIR score so high?
Re: Why is SENDGRID_REDIR score so high?
On Tue, 15 Sep 2020, Mark London wrote:

> Hi - I receive email from spiceworks.com help desk, which are sent via
> sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score, which is
> 3.4 ? Thanks. - Mark

They trigger the rule because they match the rule's conditions - a message
having a Sendgrid redirect URL. They've been abused in a lot of phishing
lately.

The score is that high because spams that have such aren't scoring highly
based on all the other rules, and the SpamAssassin masscheck corpora do
not have many instances of legitimate Sendgrid redirects.

An important question is: are these mails being scored as spammy and is
that interfering with proper delivery? Or are you just worried about a
single high-scoring rule hit?

I will take a look and see if the FP rate can be reduced. If you could
send me an example of one or more of these messages privately (zipped,
with all message headers intact) then I might be able to do a better job
of that.

As a workaround, you could whitelist the spiceworks.com help desk email
address.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control laws cannot reduce violent crime, because gun control
laws assume a violent criminal will obey the law.
-----------------------------------------------------------------------
2 days until the 233rd anniversary of the signing of the U.S. Constitution
RE: Why is SENDGRID_REDIR score so high?
So ask spiceworks to use a different supplier or use their own range
that is not being abused by others. Complain to spiceworks, they should
solve this problem for you. Don't do their work, unless they pay you to.



-----Original Message-----
To: users@spamassassin.apache.org
Subject: Why is SENDGRID_REDIR score so high?

Hi - I receive email from spiceworks.com help desk, which are sent via
sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score,
which is 3.4 ? Thanks. - Mark

Terms and Conditions:
https://u2752257.ct.sendgrid.net/ls/click?upn=cXUsNXpk4aguQpIafAEOmIejjD9ZkCNTPoNNmoa1ebrAUotywMJTp7DEBn7GytalLkTf_8lxoDjRwBLjcEcMtF8M5ApYR1AJKfKZukCa01OUZ6PgghULd-2FNN7L6qPk5t3kRl0b1zrUCfn5j7veAMSuKobLbvM1i2BY9-2FM8B1BpQSRnSs54y0iV7P8FnmuQXGD4eQkIqKfPELx6aNdbuFCgIQecDPo5\
EFoQxdE7JySPVPuU9N49Iip-2FAXbBQj-2BLN0cly9tAICcjMYqlAxin7RkTG4oRA

Privacy Policy:
https://u2752257.ct.sendgrid.net/ls/click?upn=cXUsNXpk4aguQpIafAEOmIejjD9ZkCNTPoNNmoa1ebqRhFzshCDTA7-2BL-2FYYwBE3VGk_y_8lxoDjRwBLjcEcMtF8M5ApYR1AJKfKZukCa01OUZ6PgghULd-2FNN7L6qPk5t3kRl0YIWr1WEURsRppHsiq7oYUNdAmf1x7n6J-2BNofwjd7xwa8e-2FvvCVFrqBYuLGxS3Z7NV0qlW-2FJoasrFm8xaQ0-2BrfN04MfX-2Bo-2BobNtFOsUHtI-2BERUMY5rBGmZTY7WFV7eoMJ8Kal5pHd-2FjR5xXpKzlEzjQ
Re: Why is SENDGRID_REDIR score so high?
On 2020-09-16 05:28, John Hardin wrote:
> On Tue, 15 Sep 2020, Mark London wrote:
>
>> Hi - I receive email from spiceworks.com help desk, which are sent via
>> sendgrid. Why do these URLs trigger the SENDGRID_REDIR rule score,
>> which is 3.4 ? Thanks. - Mark
>
> They trigger the rule because they match the rule's conditions - a
> message having a Sendgrid redirect URL. They've been abused in a lot
> of phishing lately.
>
> The score is that high because spams that have such aren't scoring
> highly based on all the other rules, and the SpamAssassin masscheck
> corpora do not have many instances of legitimate Sendgrid redirects.
>
> An important question is: are these mails being scored as spammy and
> is that interfering with proper delivery? Or are you just worried
> about a single high-scoring rule hit?
>
> I will take a look and see if the FP rate can be reduced. If you could
> send me an example of one or more of these messages privately (zipped,
> with all message headers intact) then I might be able to do a better
> job of that.
>
> As a workaround, you could whitelist the spiceworks.com help desk email
> address.

The rule is absolutely useless, from more than 5.000 hits last week, at
least 2.000 were false positives. 10% were definitely spam, the rest was
unclassified with scores mostly less than 5.0. I've set the score to
0.001.

Michael
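
One way to answer the question raised in the thread (is a SENDGRID_REDIR hit actually changing the spam verdict, or is it only a high-scoring hit on mail that is delivered anyway?), as an added example that is not part of the original posts. The sample headers are constructed, the 3.4 score is the value quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

RULE = "SENDGRID_REDIR"
RULE_SCORE = 3.4  # value quoted in the thread; adjust to your own ruleset

# Constructed X-Spam-Status headers for illustration (not real mail).
SAMPLE_HEADERS = [
    "X-Spam-Status: Yes, score=6.1 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
    "\tSENDGRID_REDIR autolearn=no version=3.4.4",
    "X-Spam-Status: No, score=3.5 required=5.0 "
    "tests=HTML_MESSAGE,SENDGRID_REDIR autolearn=no version=3.4.4",
    "X-Spam-Status: Yes, score=11.9 required=5.0 "
    "tests=BAYES_99,SENDGRID_REDIR,URIBL_BLACK autolearn=no version=3.4.4",
    "X-Spam-Status: No, score=0.1 required=5.0 "
    "tests=HTML_MESSAGE autolearn=ham version=3.4.4",
]

STATUS_RE = re.compile(
    r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)"
    r"\s+tests=(.*?)(?:\s+\w+=|$)")

def parse_status(header):
    """Return (score, required, set of rule names), or None if unparseable."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = STATUS_RE.search(unfolded)
    if not m:
        return None
    tests = {t.strip() for t in m.group(3).split(",") if t.strip()}
    return float(m.group(1)), float(m.group(2)), tests

def classify(header):
    """Say what the rule hit meant for this message's verdict."""
    parsed = parse_status(header)
    if parsed is None:
        return "unparsed"
    score, required, tests = parsed
    if RULE not in tests:
        return "no_hit"
    if score < required:
        return "hit_not_spam"   # rule hit, but the message stayed under threshold
    if round(score - RULE_SCORE, 3) < required:
        return "decisive"       # without this rule it would not be tagged as spam
    return "spam_anyway"        # other rules already put it over the threshold

def summarize(headers):
    return Counter(classify(h) for h in headers)

if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_HEADERS).items()):
        print(f"{kind:13} {n}")
```

Messages in the "decisive" bucket are the ones to review by hand before whitelisting a sender or lowering the rule's score.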