docusign/adobe spark/sendgrid phish
Hi,

This message passes DKIM for adobespark.com and hits the sendgrid SPBL
rule, but also USER_IN_DEF_SPF_WL. I'm trying to understand how this
message was not caught and how it was allowed to apparently manipulate
these services.

What is the attachment included in the email?

https://pastebin.com/mm2JiT3L

Thanks,
Alex
Re: docusign/adobe spark/sendgrid phish
On 28 Jan 2021, at 8:01, Alex wrote:

> Hi,
>
> This message passes DKIM for adobespark.com and hits the sendgrid SPBL
> rule, but also USER_IN_DEF_SPF_WL. I'm trying to understand how this
> message was not caught and how it was allowed to apparently manipulate
> these services.

Clearly the reason it was not deemed to be spam was the -7.5 score of
USER_IN_DEF_SPF_WL, which completely counteracted the Bayes and
NIXSPAM_IXHASH scores. The full story is told by the X-Spam-Status
header. Personally, I weaken the "default whitelist" scores on systems I
administer because of this sort of travesty and a general lack of
"spammy" wanted mail from domains in that list. YMMV.

As for Adobe Spark and Sendgrid, they are both designed to facilitate
spamming, so this is just normal use, not manipulation. I personally
don't believe that Adobe has earned their position in the "default
whitelist" but apparently some people get substantial wanted mail from
them and are convinced that they act on spam reports.

> What is the attachment included in the email?

The 2 attachments are both PNG images: the DocuSign logo and a
"download" icon. Harmless.

The "payload" is the Spark-obfuscated link claiming to be for viewing a
signed DocuSign document. Spark redirects that to a Google Firebase URL
which is now dead.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
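The reply above makes the practical point that one large negative rule (USER_IN_DEF_SPF_WL at -7.5) can outweigh several positive rules, and that the X-Spam-Status header is where to see that happen. The script below is an added example, not part of the thread and not SpamAssassin's own code. It parses a constructed X-Spam-Status header, shows each rule's contribution, re-totals the score after a local override of the "default whitelist" rule, and prints the matching `score` line for local.cf (the `score RULE VALUE` directive is real SpamAssassin syntax). It assumes the Status header was configured to carry per-rule scores with the `_TESTSSCORES_` template; the rule names are real SpamAssassin rules except SAMPLE_SENDGRID_SPBL, a placeholder standing in for whatever local rule matched the Sendgrid listing, and every score value is a sample number, not a default from any ruleset.

```python
import re

# Constructed sample header (not the message from the thread). It assumes
# local.cf contains something like:
#   add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_"
# SAMPLE_SENDGRID_SPBL is a placeholder rule name; all scores are sample values.
SAMPLE_STATUS = (
    "X-Spam-Status: No, score=-0.4 required=5.0 "
    "tests=BAYES_99=3.5,BAYES_999=0.2,DKIM_VALID_AU=-0.1,HTML_MESSAGE=0.001,"
    "NIXSPAM_IXHASH=1.5,SAMPLE_SENDGRID_SPBL=2.0,USER_IN_DEF_SPF_WL=-7.5 "
    "autolearn=no autolearn_force=no version=3.4.4"
)


def parse_spam_status(header):
    """Return (required_threshold, {rule: score}) from an X-Spam-Status
    header that lists tests as RULE=score pairs."""
    required = float(re.search(r"required=([-\d.]+)", header).group(1))
    tests = re.search(r"tests=(\S+)", header).group(1)
    scores = {}
    for item in tests.split(","):
        rule, _, value = item.partition("=")
        scores[rule] = float(value)
    return required, scores


def contributions(scores):
    """Rules sorted from most negative to most positive, so the rule that
    is dragging the total down is at the top."""
    return sorted(scores.items(), key=lambda kv: kv[1])


def rescore(scores, overrides=None):
    """Total score after applying local score overrides. Only rules that
    actually fired are affected, mirroring how a `score` line in local.cf
    changes the weight of a hit without changing whether it hits."""
    merged = dict(scores)
    for rule, value in (overrides or {}).items():
        if rule in merged:
            merged[rule] = value
    return round(sum(merged.values()), 3)


def is_spam(total, required):
    """SpamAssassin marks a message as spam when score >= required."""
    return total >= required


def local_cf_lines(overrides):
    """Render overrides as local.cf `score` directives."""
    return ["score %s %s" % (rule, value) for rule, value in sorted(overrides.items())]


if __name__ == "__main__":
    required, scores = parse_spam_status(SAMPLE_STATUS)
    print("threshold: %.1f" % required)
    for rule, value in contributions(scores):
        print("  %-24s %6.3f" % (rule, value))
    before = rescore(scores)
    print("as delivered: %.3f  spam=%s" % (before, is_spam(before, required)))

    # A weaker default-whitelist weight, as the reply suggests; -1.0 is an
    # arbitrary sample value, pick your own based on the mail you see.
    overrides = {"USER_IN_DEF_SPF_WL": -1.0}
    after = rescore(scores, overrides)
    print("with override: %.3f  spam=%s" % (after, is_spam(after, required)))
    print("local.cf lines:")
    for line in local_cf_lines(overrides):
        print("  " + line)
```

Run it against a real header by replacing SAMPLE_STATUS with the line from a message that slipped through; the sorted contribution list makes it obvious when a single whitelist rule is doing all the work, and the override loop lets you check what weight would have tipped that message over the threshold before you commit the change to local.cf.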