
Re: Slip thu's

by Ned Slider

On 17/04/12 11:54, joea wrote:
> Getting "scanned document", "pills" and stuff with a url of "blah.blah.ru"
>

Would emails with Russian URLs be legitimate in your organisation? Any
.ru URL gets 6pts here by default - no complaints yet.

> Some of these contain something like the snippet below, apparently put in by the sender or perhaps the mail provider.
> *******************************
> MIME-Version: 1.0
> X-OriginalArrivalTime: Tue, 17 Apr 2012 05:12:23 -0300
> X-SenderScore: 3
> X-Envelope-From: LexLuthor@...
> X-SpamScore: 3
> X-VirusScore: 0
> X-SpamRefID: str=0001.0A010202.4F8D34EA.0094,ss=3,sh,fgs=0
> X-ForwardedBy: SJL01WMAIL08B
> *******************************
>
> Would it be sane, relatively speaking, to add a rule that looks at the X-SpamScore: and/or X-SenderScore: and flag those?
>
>
>

Not sure. Personally I don't see much value in it. In the vast majority
of cases I would rather trust the results of my own scanning with SA
than look at the X-Spam headers added by the outgoing mail server.
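An added example, not part of the reply above or of any poster's actual configuration: the two kinds of rule discussed in this thread, written as a SpamAssassin `local.cf` fragment. The rule names, the 0.5 score and the "3 or higher" threshold are assumptions; the thread does not say what scale the X-SpamScore header uses.

```conf
# Added example for local.cf. Rule names are hypothetical.

# Rule 1: any http/https URI whose host is under .ru, scored at the
# 6 points mentioned in the reply. With the default required_score of 5
# this one rule is enough to tag a message as spam.
# The pattern is anchored at the scheme and stops at the first "/" or "?"
# so that ".ru" inside a path or query string does not match.
uri       LOCAL_URI_TLD_RU  /^https?:\/\/[^\/?]+\.ru(?::\d+)?(?:[\/?]|$)/i
describe  LOCAL_URI_TLD_RU  URI host is under the .ru TLD
score     LOCAL_URI_TLD_RU  6.0

# Rule 2: the header check asked about in the quoted question.
# X-SpamScore is written before the message reaches this server, so its
# value is whatever the upstream system (or the sender) chose to put there.
# Assumption: a value of 3 or more means "more spammy"; the scale is not
# given in the thread. The score is kept small and positive so the header
# can only nudge the total and can never lower it.
header    LOCAL_X_SPAMSCORE_HI  X-SpamScore =~ /^\s*(?:[3-9]|\d{2,})\b/
describe  LOCAL_X_SPAMSCORE_HI  Upstream X-SpamScore header is 3 or higher
score     LOCAL_X_SPAMSCORE_HI  0.5
```

Run `spamassassin --lint` after editing `local.cf` to catch syntax errors before the rules go live.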
