Re: Amazon phishing spam

2015-02-12 Thread Christian Laußat

On 12.02.2015 23:44, Benny Pedersen wrote:

On 12. feb. 2015 22.25.10 Alex Regan  wrote:


http://pastebin.com/C0YTr3Wn


I've added the IP range and sender to local blocklists. Can you suggest
any other possibilities for blocking these?


meta DKIM_ADSP_ALL (3) (3) (3) (3)

simple and neat imho


ADSP still works on some domains, but it's deprecated (demoted to 
historic in November 2013).
You can easily check DMARC compliance with a recent SVN version of 
SpamAssassin:


--- 8< ---
ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns   __DMARC_POLICY_NONE   _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*none       \s*(?:;|\z)/x
askdns   __DMARC_POLICY_QUAR   _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*quarantine \s*(?:;|\z)/x
askdns   __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*reject     \s*(?:;|\z)/x

meta     DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
describe DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
score    DMARC_FAIL_REJECT 9.0

meta     DMARC_FAIL_QUAR   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
describe DMARC_FAIL_QUAR   DMARC validation failed and policy is quarantine
score    DMARC_FAIL_QUAR   6.0

meta     DMARC_FAIL_NONE   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
describe DMARC_FAIL_NONE   DMARC validation failed and policy is none
score    DMARC_FAIL_NONE   1.2

meta     DMARC_PASS_REJECT DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_REJECT
describe DMARC_PASS_REJECT DMARC validation passed and policy is to reject
tflags   DMARC_PASS_REJECT nice
score    DMARC_PASS_REJECT -1.2

meta     DMARC_PASS_QUAR   DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_QUAR
describe DMARC_PASS_QUAR   DMARC validation passed and policy is quarantine
tflags   DMARC_PASS_QUAR   nice
score    DMARC_PASS_QUAR   -1.0

meta     DMARC_PASS_NONE   DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_NONE
describe DMARC_PASS_NONE   DMARC validation passed and policy is none
tflags   DMARC_PASS_NONE   nice
score    DMARC_PASS_NONE   -0.6

endif
--- 8< ---

Please adjust scores to fit your setup.

--
Christian Laußat
https://blog.laussat.de


Re: NYTimes hitting Bayes_99?

2015-02-12 Thread LuKreme

> On 12 Feb 2015, at 19:05 , David B Funk  wrote:
> 
> On Thu, 12 Feb 2015, LuKreme wrote:
> 
>> An email from the New York times daily headlines service is hitting Bayes_99 
>> and Bayes_999
>> 
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  4.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
>>                             [score: 1.]
>>  0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
>>                             [score: 1.]
>>  0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>> -0.1 DKIM_VERIFIED          No description available.
>> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
>>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
>>  3.0 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
>> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>>  0.5 MISSING_MID            Missing Message-Id: header
>> 
>> I’m curious about the two bayes hits and also the 3 points for bulk mail for 
>> something that I can’t see anyone would consider to be actual spam. Oh, and 
>> why is BAYES_999 so low scoring?
> 
> Where'd you get that score of 3.0 for DCC_CHECK, mine is 1.1. DCC is a bulk 
> mail
> detection service, not spam detection.

Probably in local.cf then. I’ve commented out all the score adjustments in 
there for right now.

> Those BAYES_99 & BAYES_999 hits for a bulk-but-solicited mail really say
> "mis-trained Bayes".
> For New York Times subscriptions my users usually hit either BAYES_00 or 
> BAYES_05.

Yeah, in my own email NYT hits bayes_00.

I just switched to using spamass-milter:

/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -r 9 -- -s 5242880

And it occurs to me that maybe it is not picking up bayes properly.

Should I train bayes as the spamd user?

use_bayes 1
bayes_auto_learn 1
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:bayes:localhost:3306
bayes_sql_username user
bayes_sql_password *pass*
bayes_sql_override_username user

> That BAYES_999 is an addition to BAYES_99 thus the small score. It's more
> intended to be used as "meta fodder" (or re-scored based on your trust of
> your Bayes).

OK, that makes sense.

When I make changes to local.cf do I need to restart SA or does it reload that 
file if it sees it’s changed?

-- 
"Any man who says he can see through women is really missing a lot." -
Groucho Marx



Re: sa-compile seems to not clean up after itself

2015-02-12 Thread listsb-spamassassin

> On Feb 12, 2015, at 14.09, Kevin A. McGrail  wrote:
> 
> On 2/11/2015 7:25 PM, listsb-spamassas...@bitrate.net wrote:
>> i hope another solicitation for this help request is ok.
> 
> It's ok.
> 
> Overall, I agree.  I tested on a devel box and running sa-compile does have 
> an rm line but did leave these files listed below.
> 
> Because /tmp is considered auto-cleaning, I consider it a very low priority, 
> but either re2c or the process in sa-compile is leaving files behind and you 
> should open a ticket with bugzilla, please.

yes, certainly - we just do housekeeping in the cron job which runs sa-compile 
for now, and that's just fine.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7138

-ben

Re: NYTimes hitting Bayes_99?

2015-02-12 Thread David B Funk

On Thu, 12 Feb 2015, LuKreme wrote:


An email from the New York times daily headlines service is hitting Bayes_99 
and Bayes_999

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VERIFIED          No description available.
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 3.0 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.5 MISSING_MID            Missing Message-Id: header

I’m curious about the two bayes hits and also the 3 points for bulk mail for 
something that I can’t see anyone would consider to be actual spam. Oh, and why 
is BAYES_999 so low scoring?


Where'd you get that score of 3.0 for DCC_CHECK, mine is 1.1. DCC is a bulk mail
detection service, not spam detection.

Those BAYES_99 & BAYES_999 hits for a bulk-but-solicited mail really say
"mis-trained Bayes".
For New York Times subscriptions my users usually hit either BAYES_00 or 
BAYES_05.


That BAYES_999 is an addition to BAYES_99 thus the small score. It's more
intended to be used as "meta fodder" (or re-scored based on your trust of
your Bayes).


--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Amazon phishing spam

2015-02-12 Thread John Hardin

On Thu, 12 Feb 2015, LuKreme wrote:


On 12 Feb 2015, at 17:58 , Dave Pooser  wrote:

On 2/12/15, 6:48 PM, "Alex Regan" wrote:


So shouldn't there be a rule for a rule that claims to come from Amazon
but does not pass through any of its servers?


I have a series of rules like:

whitelist_auth *@bankofamerica.com
blacklist_from *@bankofamerica.com


Interesting. What hits whitelist_auth?


If it hits SPF_PASS or DKIM_PASS it will hit whitelist_auth for that 
domain/subdomain.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Therapeutic Phrenologist - send email for affordable rate schedule.
---
 Today: Abraham Lincoln's and Charles Darwin's 206th Birthdays


Re: Amazon phishing spam

2015-02-12 Thread LuKreme
On 12 Feb 2015, at 17:58 , Dave Pooser  wrote:
> On 2/12/15, 6:48 PM, "Alex Regan" wrote:
> 
>> So shouldn't there be a rule for a rule that claims to come from Amazon
>> but does not pass through any of its servers?
> 
> I have a series of rules like:
> 
> whitelist_auth *@bankofamerica.com
> blacklist_from *@bankofamerica.com

Interesting. What hits whitelist_auth? That is to say, what domains and/or 
email addresses can you use that with? Paypal? iTunes/Apple? 
Random-ecommerce-site.tld?

Care to share your list, Dave?

> So any bankofamerica.com address will be blacklisted, but for an
> authenticated address it's canceled by the whitelisting. (Also, I score
> blacklist_from at 80 points so an address that's both blacklisted and
> whitelisted will be effectively whitelisted, thanks to a net -20 score.)

This is interesting. I have a long list of blacklist_from for invalid tlds like 
.local or .lan, etc, but I’ve never seen this method before.

-- 
'What ho, b'zugda-hiara.' (Footnote: A killing insult in Dwarfish. It
means 'Lawn ornament'.)  --Wyrd Sisters



NYTimes hitting Bayes_99?

2015-02-12 Thread LuKreme
An email from the New York times daily headlines service is hitting Bayes_99 
and Bayes_999

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VERIFIED          No description available.
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 3.0 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.5 MISSING_MID            Missing Message-Id: header

I’m curious about the two bayes hits and also the 3 points for bulk mail for 
something that I can’t see anyone would consider to be actual spam. Oh, and why 
is BAYES_999 so low scoring?

Here are the headers:

X-Envelope-From: 
X-Envelope-To: <*munged*>
Received: from pmta01.sea1.nytimes.com (unknown)
by mail.covisp.net(Postfix 2.11.3/8.13.0) with SMTP id unknown;
Thu, 05 Feb 2015 02:49:50 -0700
(envelope-from )
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=paperboy-1024; 
d=nytimes.com;
 
h=From:Reply-To:Date:To:Subject:List-Unsubscribe:Content-Type:Content-Transfer-Encoding:Mime-version;
 i=nytdir...@nytimes.com;
 bh=QBBvEngh4H4VJh+esN1V9ZXrEvM=;
 b=nEM/BXRsjVQS6eg8IbBlkoGyDkkvdum/HTeAHs23BWniftrODk69nY1G7aD/hyiSZ8Mt1mfugICd
   46Eo90oUmNPbl+PZG7gWQgJBu3Gzpy81GXM/WP/IiUe+rJAu3niemR2PLCHbAgB89JsfmuEM5cz4
   MvOqLffdWt61lyniYcA=
Received: by pmta01.sea1.nytimes.com (PowerMTA(TM) v3.5r3) id hqcubs0hstka for <*munged*>; Thu, 5 Feb 2015 04:48:51 -0500 (envelope-from )
X-SegmentId: 68668
X-CampaignId: 129
X-InstanceId: 53489
X-ClientId: 34527544
From: NYTimes.com 
Reply-To: nytdir...@nytimes.com
Date: Thu, 05 Feb 2015 04:48:51 -0500
To: *munged*
X-job: TH-20150205
Subject:  Today's Headlines: Claims Against Saudis Cast New Light on Secret 
Pages of 9/11 Report
List-Unsubscribe: 
,
 

Content-Type: text/html; charset=utf-8; 
Content-Transfer-Encoding: quoted-printable
Mime-version: 1.0


-- 
'Listen,' said Rincewind. 'It's all over, do you see? You can't put the
spells back in the book, you can't unsay what's been said, you can't-'
'You can try!' --The Light Fantastic



Re: Amazon phishing spam

2015-02-12 Thread Dave Pooser
On 2/12/15, 6:48 PM, "Alex Regan" wrote:

>So shouldn't there be a rule for a rule that claims to come from Amazon
>but does not pass through any of its servers?

I have a series of rules like:

whitelist_auth *@bankofamerica.com
blacklist_from *@bankofamerica.com


So any bankofamerica.com address will be blacklisted, but for an
authenticated address it's canceled by the whitelisting. (Also, I score
blacklist_from at 80 points so an address that's both blacklisted and
whitelisted will be effectively whitelisted, thanks to a net -20 score.)
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com




Re: Amazon phishing spam

2015-02-12 Thread Alex Regan

Hi,


   4.0 LOTS_OF_MONEY  Huge... sums of money


Ugh, my update of 72_scores.cf (this morning at 5am) shows:

score LOTS_OF_MONEY 0.001 0.010 0.001 0.010

Were there a lot of recent FPs with this rule that it's been disabled,
basically?


No, by itself it's intended as informative. It's meant to be combined
with other rules to generate meaningful scores (e.g., LOTS_OF_MONEY +
FILL_THIS_FORM).

Talking about huge amounts of money isn't a great spam sign *by itself*.


Ah yes, right. It occurred to me after I ran it with debug and saw that 
it triggered just on the $1000 in the body.


It also looks like Jeremy should be undoing his local score change

So shouldn't there be a rule for a rule that claims to come from Amazon 
but does not pass through any of its servers?


Thanks,
Alex




Re: Amazon phishing spam

2015-02-12 Thread John Hardin

On Thu, 12 Feb 2015, Alex Regan wrote:


   4.0 LOTS_OF_MONEY  Huge... sums of money


Ugh, my update of 72_scores.cf (this morning at 5am) shows:

score LOTS_OF_MONEY 0.001 0.010 0.001 0.010

Were there a lot of recent FPs with this rule that it's been disabled, 
basically?


No, by itself it's intended as informative. It's meant to be combined with 
other rules to generate meaningful scores (e.g., LOTS_OF_MONEY + 
FILL_THIS_FORM).


Talking about huge amounts of money isn't a great spam sign *by itself*.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Vista "security improvements" consist of attempting to shift blame
  onto the user when things go wrong.
---
 Today: Abraham Lincoln's and Charles Darwin's 206th Birthdays


Re: sa-compile seems to not clean up after itself

2015-02-12 Thread RW
On Thu, 12 Feb 2015 14:09:00 -0500
Kevin A. McGrail wrote:

> On 2/11/2015 7:25 PM, listsb-spamassas...@bitrate.net wrote:
> > i hope another solicitation for this help request is ok.
> 
> It's ok.
> 
> Overall, I agree.  I tested on a devel box and running sa-compile
> does have an rm line but did leave these files listed below.

sa-compile uses a temporary directory, the files (which start with "use
bytes") appear to be from Plugin/BodyRuleBaseExtractor.pm:


  my ($tmpf, $tmpfh) = Mail::SpamAssassin::Util::secure_tmpfile();
  $tmpfh  or die "failed to create a temporary file";
  untaint_var(\$tmpf);

  print $tmpfh "use bytes; m{" . $rule . "}" . $mods
    or die "error writing to $tmpf: $!";
  close $tmpfh  or die "error closing $tmpf: $!";

  my $perl = $self->get_perl();
  local *IN;
  open (IN, "$perl -c -Mre=debug $tmpf 2>&1 |")
    or die "cannot run $perl: ".exit_status_str($?,$!);

  my($inbuf,$nread,$fullstr); $fullstr = '';
  while ( $nread=read(IN,$inbuf,16384) ) { $fullstr .= $inbuf }
  defined $nread  or die "error reading from pipe: $!";

  close IN  or die "error closing pipe: $!";
  unlink $tmpf  or die "cannot unlink $tmpf: $!";
  defined $fullstr  or warn "empty result from a pipe";


I had some in /tmp, but  I'm not seeing any new ones when I run
sa-compile.


Re: Amazon phishing spam

2015-02-12 Thread Benny Pedersen

On 12. feb. 2015 22.25.10 Alex Regan  wrote:


http://pastebin.com/C0YTr3Wn



I've added the IP range and sender to local blocklists. Can you suggest
any other possibilities for blocking these?


meta DKIM_ADSP_ALL (3) (3) (3) (3)

simple and neat imho


Re: Amazon phishing spam

2015-02-12 Thread Alex Regan

Hi,


-2.0 BAYES_00   BODY: Bayes spam probability is 0 to 1%


Interesting that yours also hit bayes00.


  4.0 LOTS_OF_MONEY  Huge... sums of money


Ugh, my update of 72_scores.cf (this morning at 5am) shows:

score LOTS_OF_MONEY 0.001 0.010 0.001 0.010

Were there a lot of recent FPs with this rule that it's been disabled, 
basically?


I wonder if I should also be blocking on these:

X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"

Perhaps a meta rule with the DKIM_ADSP_ALL rule?

Shouldn't there be an SPF or DKIM rule, considering it is supposed to be 
from amazon.com and USER_IN_DEF_SPF_WL failed?


Thanks,
Alex



Re: Amazon phishing spam

2015-02-12 Thread Jeremy McSpadden

Content analysis details:   (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.8 DKIM_ADSP_ALL          No valid author signature, domain signs all mail
-2.0 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 BASE64_LENGTH_79_INF   BODY: base64 encoded email part uses line length
                            greater than 79 characters
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 1.0 KAM_HTMLNOISE          Spam containing useless HTML padding
 4.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image
--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Feb 12, 2015, at 3:25 PM, Alex Regan <mysqlstud...@gmail.com> wrote:

Hi,
I was hoping someone could help me analyze this possible phishing scam:

http://pastebin.com/C0YTr3Wn

It hit bayes00 for me, which is obviously a problem, but the body looks to be 
from an actual amazon email with the exception of a Word document attachment, 
so is it all that unusual for it to hit bayes00?

I've added the IP range and sender to local blocklists. Can you suggest any 
other possibilities for blocking these?

Any ideas greatly appreciated.
It's still not hitting any RBLs here for me.

Thanks,
Alex


Amazon phishing spam

2015-02-12 Thread Alex Regan

Hi,
I was hoping someone could help me analyze this possible phishing scam:

http://pastebin.com/C0YTr3Wn

It hit bayes00 for me, which is obviously a problem, but the body looks 
to be from an actual amazon email with the exception of a Word document 
attachment, so is it all that unusual for it to hit bayes00?


I've added the IP range and sender to local blocklists. Can you suggest 
any other possibilities for blocking these?


Any ideas greatly appreciated.
It's still not hitting any RBLs here for me.

Thanks,
Alex


Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Benny Pedersen

On 12. feb. 2015 20.17.44 Dave Warren  wrote:


However, using a DMARC "quarantine" or "reject" policy causes breakage
when users attempt to participate in discussion based mailing lists, or
other systems which modify messages (adding subject tags, adding
footers, removing existing signatures), so DMARC quarantine or reject
policies are only really useful for domains which send mail in
predictable and largely automated ways, which are frequently forged,
with live users living at another domain for their own mailboxes.


If the mailing list preserves DKIM-signed mails, then DMARC will pass, but yes, 
sadly there are mailing lists that break DKIM. This is not a design fault, but 
only an admin misunderstanding that it's not the mailing list server admin's 
fault, but it is.


SPF is transparent to mailing lists, and since DKIM has no IP at all it will be 
as well if not broken.


Mailman has support for taking over ownership of users' DKIM-signed mails, 
but it will create more problems than it solves, since not many MUA clients 
then know how to reply to the mailing list or to the original sender to make a 
private mail.


Thanks to this mailing list here it's not a problem here; I get DMARC pass, super.

Note DMARC can break on SPF if the mailing list is not SPF-protected, but the 
original sender was.


Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Dave Warren

On 2015-02-12 11:27, Martin Gregorie wrote:

On Thu, 2015-02-12 at 15:07 -0400, francis picabia wrote:

SPF works as designed.  Forget SPF.


Quite: the only real use for SPF is to prevent you inadvertently
spraying innocent people with backscatter. If the sender has been forged
by a spammer and your MTA can't deliver it (usually because the spammer
used an unrecognised recipient name) then an SPF check will show that
the sending IP is wrong and your MTA can drop the message in the bit
bucket rather than sending a reject message to the owner of the forged
sender address.


Not at all. SPF is very useful for whitelisting by domain, without 
having to guess at what IPs a sender uses today, might use tomorrow, and 
without having to trust every single thing coming from that IP space.


SPF based whitelisting trivially allows you to whitelist all mail from 
@example.com even if they use Google Apps and you don't want to blanket 
whitelist Google Apps. And it will still work when they transition to 
another provider and don't think to tell you.


It's not effective as a blacklist, nor a spam filter. Nor should it be, 
that's not its design goal; SPF does a /great/ job at telling you when 
a message is directly from a legitimate sender, allowing you to act 
accordingly.


DKIM is similar, it excels at identifying legitimate messages, using 
cryptography that survives forwarders rather than using IPs. More 
complicated to implement, but ultimately, technically, a better solution.


In both cases, it helps you pick out legitimate mail from wanted senders 
which can benefit spam filtering by allowing you to be just a little bit 
more aggressive against unknown senders without raising false positives 
too much in the process.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Martin Gregorie
On Thu, 2015-02-12 at 15:07 -0400, francis picabia wrote:
> SPF works as designed.  Forget SPF.
>
Quite: the only real use for SPF is to prevent you inadvertently
spraying innocent people with backscatter. If the sender has been forged
by a spammer and your MTA can't deliver it (usually because the spammer
used an unrecognised recipient name) then an SPF check will show that
the sending IP is wrong and your MTA can drop the message in the bit
bucket rather than sending a reject message to the owner of the forged
sender address. 

> Let's say you want to introduce a spamassassin tag on any
> email where the From: line contains exactly "@example.com"
> 
> I've read the page spamassassinConf.html and it isn't clear
> to me what envelope_sender_header does.  What would happen
> if it was set to "From"?
> 
It's not what it does so much as who created it. Since it's added by the
sending MTA it's a bit harder to forge, especially by kiddies trying to
send spam via some social website. The From: header set up by the MUA
means nothing since anybody or anything could have put what they like in
it or even omitted it entirely.

If you run a mail archive, you can consider using that as a whitelist:
only whitelist addresses which your archive says you've previously sent
mail to.


Martin





Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Dave Warren

On 2015-02-12 08:17, francis picabia wrote:

Our spamassassin 3.3.1 is marking email with tags like
SPF_SOFTFAIL and SPF_FAIL, as long as the sender info
is failing the SPF test.  But if the sender passes the test
and the From: address is from our domain, then there
are no SPF tags appearing.

The risk is that users don't look at the sender, only the From:
field of their email, and this can potentially allow phishing.

Has anyone encountered this issue and resolved it?


As others have said, this is by design. Sender-ID attempted to extend 
SPF records to the RFC5322.From header, and was not widely deployed 
because of the massive breakage. It's legacy at this point.


DMARC is a more modern solution, allowing senders to specify that mail 
from their domain must be identified and authenticated, including an 
alignment requirement between the RFC5321.Mail and RFC5322.From domains.


However, using a DMARC "quarantine" or "reject" policy causes breakage 
when users attempt to participate in discussion based mailing lists, or 
other systems which modify messages (adding subject tags, adding 
footers, removing existing signatures), so DMARC quarantine or reject 
policies are only really useful for domains which send mail in 
predictable and largely automated ways, which are frequently forged, 
with live users living at another domain for their own mailboxes.


With that being said, there could be some room for ham-detection 
(negative scoring, from a SA perspective) when RFC5322.From headers pass 
parsing of SPF records, but you should not attempt to use any 
spam-detection when there is a mismatch as a mismatch is normal and 
expected behaviour.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
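Christian Laußat's DMARC_FAIL_*/DMARC_PASS_* meta rules at the top of this page and Dave Warren's description above of the alignment requirement between the RFC5321.MailFrom and RFC5322.From domains describe the same check. The Python below is an added example, not code from either poster or from SpamAssassin: it discovers the policy the way RFC 7489 specifies (the exact From domain first, then the organizational domain, with sp= applying to subdomains), applies the adkim=/aspf= alignment modes, and returns the name of the rule from Christian's set that would fire. Two caveats it makes visible: SpamAssassin's SPF_PASS is computed on the envelope sender, so a meta built on DKIM_VALID_AU || SPF_PASS treats a passing but unaligned SPF result as a DMARC pass, whereas the example checks alignment explicitly; and the DNS table plus the last-two-labels organizational-domain rule are constructed simplifications, not live lookups or the Public Suffix List.

```python
# Constructed _dmarc TXT records (sample data, not any real domain's policy).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1;p=none",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; sp=none",
}

# 'p'/'sp' value -> suffix used by the DMARC_{PASS,FAIL}_* rule names above
POLICY_SUFFIX = {"none": "NONE", "quarantine": "QUAR", "reject": "REJECT"}


def org_domain(domain):
    """Organizational domain. Assumption for this example: last two labels;
    real code must consult the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt):
    """'tag=value; tag=value' -> dict, or None unless it carries v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def lookup_policy(from_domain):
    """RFC 7489 6.6.3 discovery: the exact RFC5322.From domain first, then its
    organizational domain. Returns (tags, found_at_org_domain)."""
    from_domain = from_domain.lower()
    tags = parse_dmarc(DNS_TXT.get("_dmarc." + from_domain, ""))
    if tags:
        return tags, False
    od = org_domain(from_domain)
    if od != from_domain:
        tags = parse_dmarc(DNS_TXT.get("_dmarc." + od, ""))
        if tags:
            return tags, True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' strict = exact match, 'r' relaxed (the
    default) = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_rule(from_domain, spf_result, spf_domain, dkim_results):
    """Name of the DMARC_{PASS,FAIL}_{NONE,QUAR,REJECT} rule that would fire,
    or None if the From domain publishes no DMARC record.

    spf_result   -- SPF result ('pass', 'fail', ...) obtained for spf_domain
    spf_domain   -- the RFC5321.MailFrom (or HELO) domain SPF was checked on
    dkim_results -- [(d= domain, signature_valid), ...]
    """
    tags, at_org = lookup_policy(from_domain)
    if tags is None:
        return None
    # 'sp' overrides 'p' only when the record was found at the organizational
    # domain, i.e. the From domain is a subdomain of the record's owner.
    policy = tags.get("p", "none")
    if at_org and "sp" in tags:
        policy = tags["sp"]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(valid and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, valid in dkim_results)
    verdict = "PASS" if (spf_ok or dkim_ok) else "FAIL"
    return "DMARC_%s_%s" % (verdict, POLICY_SUFFIX.get(policy.lower(), "NONE"))


if __name__ == "__main__":
    # Phish-style case: From: claims example.com, SPF passes only for the
    # sender's own envelope domain, no DKIM -> fail against p=reject.
    print(dmarc_rule("example.com", "pass", "bulk-sender.test", []))
    # Mailing list that broke the DKIM signature and re-sent under its own
    # envelope domain -> fail, but example.org only asks for p=none.
    print(dmarc_rule("example.org", "pass", "lists.example.net", [("example.org", False)]))
```

The first case in the demo is the shape of the "claims to come from Amazon but did not come through its servers" mail discussed in the other thread: a passing SPF result for some unrelated envelope domain contributes nothing once alignment is required. The second is Benny's mailing-list scenario, where the same logic fails the message but the low DMARC_FAIL_NONE score reflects the domain's own p=none.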




Re: sa-compile seems to not clean up after itself

2015-02-12 Thread Kevin A. McGrail

On 2/11/2015 7:25 PM, listsb-spamassas...@bitrate.net wrote:

i hope another solicitation for this help request is ok.


It's ok.

Overall, I agree.  I tested on a devel box and running sa-compile does 
have an rm line but did leave these files listed below.


Because /tmp is considered auto-cleaning, I consider it a very low 
priority, but either re2c or the process in sa-compile is leaving files 
behind and you should open a ticket with bugzilla, please.


regards,
KAM

Orphaned files:

-rw------- 1 root root 2796 Feb 12 14:01 .spamassassin274315sKPf3tmp
-rw------- 1 root root   45 Feb 12 14:01 .spamassassin274319FoF6ltmp
-rw------- 1 root root  124 Feb 12 14:01 .spamassassin27431a5kKo2tmp
-rw------- 1 root root 2816 Feb 12 14:01 .spamassassin27431jsY1kCtmp
-rw------- 1 root root 3852 Feb 12 14:01 .spamassassin27431kTvcGstmp
-rw------- 1 root root  839 Feb 12 14:01 .spamassassin27431LEsufptmp
-rw------- 1 root root 1582 Feb 12 14:01 .spamassassin27431o7GmV7tmp
-rw------- 1 root root 1337 Feb 12 14:01 .spamassassin27431phBnYHtmp
-rw------- 1 root root 2673 Feb 12 14:01 .spamassassin27431QxVWegtmp
-rw------- 1 root root  341 Feb 12 14:01 .spamassassin27431W2HB3ctmp
-rw------- 1 root root 2653 Feb 12 14:01 .spamassassin27431x1CzgItmp


Here's the full output for sa-compile
Feb 12 14:01:09.827 [27431] info: generic: base extraction starting. 
this can take a while...
Feb 12 14:01:09.827 [27431] info: generic: extracting from rules of type 
body_0
100% [==========================================] 102.46 rules/sec 00m05s DONE
100% [==========================================] 177.71 bases/sec 00m15s DONE
Feb 12 14:01:30.616 [27431] info: body_0: 1128 base strings extracted in 
21 seconds
Feb 12 14:01:31.122 [27431] info: rules: meta test LOC_SHORT has 
dependency 'BAYES_00' with a zero score

cd /tmp/.spamassassin27431YWLPSstmp
reading bases_body_0.in
cd Mail-SpamAssassin-CompiledRegexps-body_0
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c -i -b -o scanner3.c scanner3.re
re2c -i -b -o scanner4.c scanner4.re
re2c -i -b -o scanner5.c scanner5.re
re2c -i -b -o scanner6.c scanner6.re
/usr/local/bin/perl Makefile.PL 
PREFIX=/tmp/.spamassassin27431YWLPSstmp/ignored 
INSTALLSITEARCH=/var/lib/spamassassin/compiled/5.008/3.004001

Writing Makefile for Mail::SpamAssassin::CompiledRegexps::body_0
Writing MYMETA.yml and MYMETA.json
make
cp body_0.pm blib/lib/Mail/SpamAssassin/CompiledRegexps/body_0.pm
/usr/local/bin/perl /usr/local/lib/perl5/5.8.6/ExtUtils/xsubpp -typemap 
/usr/local/lib/perl5/5.8.6/ExtUtils/typemap  body_0.xs > body_0.xsc && 
mv body_0.xsc body_0.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   body_0.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   scanner1.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   scanner2.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   scanner3.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   scanner4.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   scanner5.c
cc -c   -fno-strict-aliasing -pipe -I/usr/local/include 
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 
-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -fpic 
"-I/usr/local/lib/perl5/5.8.6/i686-linux/CORE"   scanner6.c

Running Mkbootstrap for Mail::SpamAssassin::CompiledRegexps::body_0 ()
chmod 644 body_0.bs
rm -f blib/arch/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
cc  -shared -L/usr/local/lib body_0.o scanner1.o scanner2.o scanner3.o 
scanner4.o scanner5.o

Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread francis picabia
On Thu, Feb 12, 2015 at 1:46 PM, Benny Pedersen  wrote:
> On 12. feb. 2015 17.40.13 "Kevin A. McGrail"  wrote:
>
>> Spf deals with the envelope sender not the from address.
>
>
> envelope_sender_header From
>
> bad example to follow, it's not really an SPF question; sender-id is the
> untrusted version of dkim
>
> the current DMARC RFC has design faults :(

OK, let's phrase it differently.

SPF works as designed.  Forget SPF.
DKIM works as designed.  Forget that.

Let's say you want to introduce a spamassassin tag on any
email where the From: line contains exactly "@example.com"

I've read the page spamassassinConf.html and it isn't clear
to me what envelope_sender_header does.  What would happen
if it was set to "From"?

Would that impact the meaning of "from" for all SA rules doing header checks?


Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Benny Pedersen

On 12. feb. 2015 17.40.13 "Kevin A. McGrail"  wrote:


Spf deals with the envelope sender not the from address.


envelope_sender_header From

bad example to follow, it's not really an SPF question; sender-id is the 
untrusted version of dkim


the current DMARC RFC has design faults :(


Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Reindl Harald


On 12.02.2015 at 17:58, francis picabia wrote:

On Thu, Feb 12, 2015 at 12:33 PM, Kevin A. McGrail  wrote:

Spf deals with the envelope sender not the from address.

Beyond that it, you might find dkim to be a better solution to prevent
others spoofing your domain.


Thanks for the reply.  Has anyone tried a test like the Spoofing
test available at knowb4.com?

You fill in a form, then they send a test email
from your.b...@example.com, where example.com
is your own domain.

It is not caught by SPF, and it passes DKIM.

I'm talking about inbound email at your MX,
and spoofing of the From address.  Everything
else (sender, helo) matches the origin


AGAIN: it's all about envelopes and not From-Headers

YOU CAN NOT prevent "spoofing From-Header" without rejecting *for sure* a 
ton of legit mail too, including your own to most mailing lists, leading 
to a suspended subscription or unsubscribe when you permanently reject 
list mail


there is nothing to do about it - period





Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread francis picabia
On Thu, Feb 12, 2015 at 12:33 PM, Kevin A. McGrail  wrote:
> SPF deals with the envelope sender not the from address.
>
> Beyond that, you might find DKIM to be a better solution to prevent
> others spoofing your domain.
> Regards,
> KAM
>

Thanks for the reply.  Has anyone tried a test like the Spoofing
test available at knowb4.com?

You fill in a form, then they send a test email
from your.b...@example.com, where example.com
is your own domain.

It is not caught by SPF, and it passes DKIM.

I'm talking about inbound email at your MX,
and spoofing of the From address.  Everything
else (sender, helo) matches the origin.


> On February 12, 2015 11:17:38 AM EST, francis picabia 
> wrote:
>>
>> Our spamassassin 3.3.1 is marking email with tags like
>> SPF_SOFTFAIL and SPF_FAIL, as long as the sender info
>> is failing the SPF test.  But if the sender passes the test
>> and the From: address is from our domain, then there
>> are no SPF tags appearing.
>>
>> The risk is that users don't look at the sender, only the From:
>> field of their email, and this can potentially allow phishing.
>>
>> Has anyone encountered this issue and resolved it?
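
The gap francis describes, shown as an added example that is not part of the thread: SPF is evaluated against the envelope sender (Return-Path), so a From: header claiming the local domain can pass SPF untouched. The Python below, written for this digest on constructed messages, compares the From: domain with the envelope-sender domain and also shows why Reindl's warning holds: legitimate mailing-list traffic produces exactly the same mismatch. The domain example.com, the bounce addresses and the message contents are assumptions.

```python
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed local domain, as in the thread

# Constructed: From: claims our domain, envelope sender is a third party
# whose SPF record authorises the sending host, so SPF_FAIL never fires.
SPOOFED = """\
Return-Path: <bounce@attacker-infra.test>
From: Your Boss <your.boss@example.com>
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed: legitimate list traffic. From: keeps the original author
# while the envelope sender is the list's bounce address, so it shows the
# same From/envelope mismatch as the spoof does.
LIST_MAIL = """\
Return-Path: <users-return-1-staff=example.com@lists.invalid>
From: francis picabia <francis@example.com>
List-Id: <users.lists.invalid>
Subject: Re: SPF rules do not look at spoofed From: address

quoted discussion
"""

# Constructed: ordinary internal mail, From: and envelope agree.
INTERNAL = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
Subject: lunch

noon?
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_alignment(raw, our_domain=OUR_DOMAIN):
    """Compare the From: domain with the envelope sender (Return-Path)."""
    msg = email.message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "claims_our_domain": from_dom == our_domain,
            "aligned": from_dom == env_dom,            # False for BOTH spoof and list mail
            "via_list": msg["List-Id"] is not None}   # hint only; a List-Id is trivially forged
```

A rule that scores on the mismatch alone treats the list message and the spoof identically, which is the breakage the thread warns about; the aligned internal message is the only one such a rule leaves alone.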


Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Reindl Harald


On 12.02.2015 at 17:17 francis picabia wrote:

> Our spamassassin 3.3.1 is marking email with tags like
> SPF_SOFTFAIL and SPF_FAIL, as long as the sender info
> is failing the SPF test.  But if the sender passes the test
> and the From: address is from our domain, then there
> are no SPF tags appearing.
>
> The risk is that users don't look at the sender, only the From:
> field of their email, and this can potentially allow phishing.
>
> Has anyone encountered this issue and resolved it?

which issue?
that your own mail to the list doesn't get rejected?

From: francis picabia 
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])

if you are doing checks on SPF, sender spoofing or PTR on headers, you
don't understand how mail works, resulting in broken mailing lists

large mail-filter companies like Barracuda Networks made all those
mistakes long ago, multiple times, leading to feature after feature being
made unusable because it breaks legit mail







Re: SPF rules do not look at spoofed From: address

2015-02-12 Thread Kevin A. McGrail
SPF deals with the envelope sender not the from address.

Beyond that, you might find DKIM to be a better solution to prevent others
spoofing your domain.
Regards,
KAM

On February 12, 2015 11:17:38 AM EST, francis picabia  
wrote:
>Our spamassassin 3.3.1 is marking email with tags like
>SPF_SOFTFAIL and SPF_FAIL, as long as the sender info
>is failing the SPF test.  But if the sender passes the test
>and the From: address is from our domain, then there
>are no SPF tags appearing.
>
>The risk is that users don't look at the sender, only the From:
>field of their email, and this can potentially allow phishing.
>
>Has anyone encountered this issue and resolved it?


SPF rules do not look at spoofed From: address

2015-02-12 Thread francis picabia
Our spamassassin 3.3.1 is marking email with tags like
SPF_SOFTFAIL and SPF_FAIL, as long as the sender info
is failing the SPF test.  But if the sender passes the test
and the From: address is from our domain, then there
are no SPF tags appearing.

The risk is that users don't look at the sender, only the From:
field of their email, and this can potentially allow phishing.

Has anyone encountered this issue and resolved it?


Re: rule for restricting incoming email

2015-02-12 Thread Matus UHLAR - fantomas

On Tue, 10 Feb 2015, Rajesh M wrote:
>>>> now I need to set a rule such that u...@abc.com can receive emails
>>>> only from specific external domains and all the rest should be rejected

On 11.02.15 10:47, Lucio Chiappetti wrote:
>>> To me this seems a task for procmail.

On Wed, 11 Feb 2015, Matus UHLAR - fantomas wrote:
>> maybe for MTA. courier-mta supports filter that may allow this at SMTP
>> level.

On 12.02.15 09:47, Lucio Chiappetti wrote:
> procmail can be configured as default mail delivery agent (mailer) in
> sendmail. This is the arrangement we use. We have graylisting and
> spamassassin milters in front of that. The milters do spam rejection
> for all users in the same way. Procmail can be tuned to do finer
> things by each user (although I'm probably the only one doing it
> here).
>
> There is a learning curve for each tool. I am more familiar with
> procmail rules than spamassassin rules, so that's why I would do
> something like the OP is thinking in procmail.

yes, but the OP (Rajesh) may use different tools...
However, this is definitely not a SpamAssassin issue...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 


Re: rule for restricting incoming email

2015-02-12 Thread Lucio Chiappetti

On Wed, 11 Feb 2015, Matus UHLAR - fantomas wrote:

>> On Tue, 10 Feb 2015, Rajesh M wrote:
>>>> now I need to set a rule such that u...@abc.com can receive emails
>>>> only from specific external domains and all the rest should be rejected
>>
>> On 11.02.15 10:47, Lucio Chiappetti wrote:
>>> To me this seems a task for procmail.
>
> maybe for MTA. courier-mta supports filter that may allow this at SMTP
> level.

procmail can be configured as default mail delivery agent (mailer) in
sendmail. This is the arrangement we use. We have graylisting and
spamassassin milters in front of that. The milters do spam rejection for
all users in the same way. Procmail can be tuned to do finer things by
each user (although I'm probably the only one doing it here).

There is a learning curve for each tool. I am more familiar with procmail
rules than spamassassin rules, so that's why I would do something like the
OP is thinking in procmail.


--

Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html

Do not like Firefox >=29 ?  Get Pale Moon !  http://www.palemoon.org