Francis Russell wrote:
> >> Even with the default DKIM scores, I am finding I am getting spam that is
> >> DKIM_VERIFIED, causing the score to dip below zero and let the message
> >> through, for example:
> >>
> >> http://micah.riseup.net/1

> >
> > That's spam relayed by a Debian list. Definitely a different beast...

>
> I interpret those headers as spam being sent to a Debian e-mail address,
> then forwarded to a personal address.
>


That's what I meant. Maybe I use the term "relay" too "liberally"?
Anyway, such spam is harder to stop unless you add the list relays to
your trusted_networks.

> As for DKIM, surely it's a bad thing to give it any score? It's supposed
> to be an authentication mechanism not an anti-spam mechanism in itself.
>


The same can be said for many other rules/methods. Checking that a message
is well formed is not an anti-spam measure in itself. Checking that a
message is not HTML-only is not an anti-spam measure in itself. But
these things are patterns that can help detect spam. No single approach
will detect all spam. SA is about using multiple patterns to detect spam.

> The problem with all those emails is that the only sign that they're
> spam is the content itself. 20_advance_fee.cf contains all the rules
> that try to catch these types of messages. Your best bet is to try to
> create some more variations on those, or as John said, the sought_fraud
> ruleset as well.