You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Joseph Brennan <br...@columbia.edu> on 2017/05/05 15:42:21 UTC

"Google Docs" message

Below, this is the non-standard Received header that was in the message
that caused a
UNPARSEABLE_RELAY match. I am splitting it into 2 lines here for
readability.

Received: from 946634442539 named unknown by
gmailapi.google.com with HTTPREST; Wed, 3 May 2017 11:47:36 -0700

This Received header appears to be the format used in a message sent by an
app using oauth to send as a user. If so, legit use is rare. For a short
time I had Mimedefang logging matches on the pattern  /gmailapi.google.com
with HTTPREST/ and saw only a few.



The link in the html part started as follows:

<a href="https://accounts.google.com/o/oauth2/auth?client_id=

I don't have samples of legit mail to compare this to. It strikes me as odd
that mail sent using an app (diagnosed from the Received header) would
contain a link to allow an app to get an oauth token. If that's a red flag
then a meta on these two things will diagnose future attempts.



-- 
Joseph Brennan