Mailing List Archive

qq.com rule false positives
Hi, all. I received a mail from a qq.com user that went over the spam
threshold. From the rules that triggered, it looks like the dynamic rDNS
rules triggered on the qq.com sending server, which contributed around
4.2 points to this message (which was not spam). Relevant headers:

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on snowy
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.7 required=5.2 tests=BAYES_50,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DYN_RDNS_AND_INLINE_IMAGE,
FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_EXCESS_BASE64,
HELO_DYNAMIC_IPADDR,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RDNS_DYNAMIC,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=disabled
version=4.0.0
X-Spam-Report:
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no
* trust
* [203.205.221.192 listed in list.dnswl.org]
* -0.2 SPF_PASS SPF: sender matches SPF record
* 0.1 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
* envelope-from domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* 1.5 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.5000]
* 0.2 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
* [<REDACTED>(at)qq.com]
* 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
* digit
* [<REDACTED>(at)qq.com]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.0 RDNS_DYNAMIC Delivered to internal network by host with
* dynamic-looking rDNS
* -0.0 T_SCC_BODY_TEXT_LINE No description available.
* 1.2 DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic
* rDNS
* 0.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily
* 2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
* 1)
Received: from out203-205-221-192.mail.qq.com (out203-205-221-192.mail.qq.com [203.205.221.192])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by snowy.routify.me (Postfix) with ESMTPS id B8E0C23484
for <sean@seangreenslade.com>; Thu, 16 Nov 2023 09:09:32 +0000 (UTC)

I can totally see why that sending rDNS looks dynamic, but perhaps there
should be a special case exception for mail.qq.com, since that seems to
be their template for all sending servers.

--Sean
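One way to carry out the exception Sean asks for, written here as an added example that is not part of the original post and not a rule shipped by SpamAssassin: a local.cf fragment that recognises the qq.com outbound naming pattern in the rdns= field of SpamAssassin's X-Spam-Relays-External pseudo-header and only compensates when the message also authenticates as qq.com. The rule names and the -3.0 score are my own choices, and the out<a>-<b>-<c>-<d>.mail.qq.com template is assumed from the single sample above.

```text
# local.cf additions (hypothetical rule names; the score is chosen to offset
# the two rules Sean lists: RDNS_DYNAMIC (1.0) and HELO_DYNAMIC_IPADDR (2.0)).

# The relay that handed the message to us is the first entry of
# X-Spam-Relays-External. Its rdns= value is taken from the Received header
# written by our own MTA; Postfix only records a name there when the PTR
# and the forward A/AAAA record agree and writes "unknown" otherwise, so
# this is a verified name, unlike helo=, which the client chooses itself.
header   __QQ_OUTBOUND_RDNS  X-Spam-Relays-External =~ /^\[ ip=\S+ rdns=out\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.mail\.qq\.com /

# Only compensate when qq.com also vouches for the message: a valid DKIM
# signature from the author domain and an SPF pass. This stops the exception
# from covering a host that merely has a similar-looking rDNS.
meta     QQ_OUTBOUND_DYN_RDNS  __QQ_OUTBOUND_RDNS && DKIM_VALID_AU && SPF_PASS && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR)
describe QQ_OUTBOUND_DYN_RDNS  Dynamic-looking rDNS/HELO is a qq.com outbound relay that also authenticates
score    QQ_OUTBOUND_DYN_RDNS  -3.0
```

With these lines the sample message would score 5.7 - 3.0 = 2.7, under the 5.2 threshold, while DYN_RDNS_AND_INLINE_IMAGE is deliberately left untouched so an image-heavy message from the same relay still carries some penalty. Run `spamassassin --lint` after editing to catch syntax errors, and `spamassassin -t < message.eml` on the saved message to confirm QQ_OUTBOUND_DYN_RDNS appears in the tests list and the score drops as expected.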