[SOLVED] Scores for RCVD_IN_PBL and HTML_SINGLET_MANY

[zolthar]

I have started to migrate our outbound emails to go through PMG - however I have also started to notice emails sent from users being blocked (yes I have added additional checks not standard to PMG):

Spam detection results:  5
AWL                    -0.745 Adjusted score from AWL reputation of From: address
BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
DC_GIF_UNO_LARGO            1 Message contains a single large gif image
HELO_NO_DOMAIN          0.001 Relay reports its domain incorrectly
HTML_MESSAGE            0.001 HTML included in message
HTML_SINGLET_MANY       2.499 Many single-letter HTML format blocks
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_LOTSOFHASH           0.25 Emails with lots of hash-like gibberish
LOTS_OF_MONEY           0.001 Huge... sums of money
RCVD_IN_PBL             3.335 Received via a relay in Spamhaus PBL
RDNS_NONE               0.793 Delivered to internal network by a host with no rDNS
SHORT_HELO_AND_INLINE_IMAGE    0.1 Short HELO string, with inline image

RCVD_IN_PBL
This appears to only hit on outgoing emails and I have simply down-scored to 0.01 via Custom Score - has anyone have any experience for another better method? Or how it integrates with X-Originating-IP?

HTML_SINGLET_MANY
Does anyone have any material information about this? It seems to hit legitimate emails both inbound and outbound. I found this article https://www.futurequest.net/docs/SA/ which states: Many single-letter HTML format blocks

This does not seem a problem given the number of html emails being sent these days as those 'hits' are sent from Google and Outlook.com.

Thanks for any replies.

 

[Stoiko Ivanov]

HTML_SINGLET_MANY
Does anyone have any material information about this? It seems to hit legitimate emails both inbound and outbound. I found this article https://www.futurequest.net/docs/SA/ which states: Many single-letter HTML format blocks

nothing more than what the docs say - it matches e-mails which have more than 20 single letter html format blocks `<b>`, `<i>` and so on

fwiw - a system I have access to receiving 200k mails / month did not have a single match on that rule in the past month.

RCVD_IN_PBL
This appears to only hit on outgoing emails and I have simply down-scored to 0.01 via Custom Score - has anyone have any experience for another better method? Or how it integrates with X-Originating-IP?

see - https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6501
short answer - as long as this header is added SA treats it as source for matching against PBL (which might not be what you want)
-> configure your downstream mailserver not to add that header.

I hope this helps!

EDIT: if it fits in your setup - you can of course also disable these rules by assigning a custom score of 0 to them (GUI->Configuration->Spam Detector->Custom Scores)

 

[zolthar]

fwiw - a system I have access to receiving 200k mails / month did not have a single match on that rule in the past month.

Yes you are correct, its from one of the additional checks that I have implemented and I do not know which. I thought that would be correct and hence I had reduced its score to 0.

see - https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6501
short answer - as long as this header is added SA treats it as source for matching against PBL (which might not be what you want)
-> configure your downstream mailserver not to add that header

Thanks mate - this is exactly what I have done as it didnt seem to be needed and an easier fix.