Wow, I got a pile of these today.
Fortunately, it was easy to filter them out using SpamAssassin. A real UPS message comes from a valid UPS server. While they don't DKIM-sign their Quantum View messages (shame!), at least their servers are whitelisted. I see this in a valid Quantum View message:
X-Spam-Status: No, score=-8.9 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE,
RCVD_IN_DNSWL_HI autolearn=ham version=3.2.5
Note that other ups.com email is signed, but does not come from a whitelisted server, so we end up with something like this in local.cf:
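# From header claims an ups.com address
header FROM_UPS From =~ /\@ups\.com/i
# Sent from a high-trust DNSWL server, or carries a verified DKIM signature
meta DKIM_OR_DNSWL (RCVD_IN_DNSWL_HI || DKIM_VERIFIED)
# Claims ups.com but has neither: push it to the spam threshold
meta FROM_UPS_FAKE_SERVER (FROM_UPS && !DKIM_OR_DNSWL)
score FROM_UPS_FAKE_SERVER 5.0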
Problem solved!