Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Alan Hodgson 
On Wed, 2018-12-05 at 00:17 +, David Jones wrote:
> 
I think he meant that DKIM related to DMARC means the DKIM signature has 
> to align/match the From: header domain to pass which is DKIM_VALID_AU in SA.
> 
> In the case of SPF, DMARC will pass if the envelope-from domain check 
> hits SPF_PASS in SA.
> 

Not quite; DMARC also requires the envelope sender domain to be aligned
with the From: header domain to pass on an SPF_PASS.

Re: Bayes underperforming, HTML entities?

2018-12-04 Thread John Hardin 

On Tue, 4 Dec 2018, Amir Caspi wrote:


On Dec 1, 2018, at 10:31 AM, John Hardin  wrote:



On Thu, 29 Nov 2018, Amir Caspi wrote:


A) Could you sandbox the proposed rule change (AC_HTML_ENTITY_BONANZA_NEW) and 
see how it performs, including possible FPs?


Done.


Any preliminary results?


Not that are really usable yet. There's something strange going on with 
peoples' masschecks that is interfering with everybody getting results in 
a timely manner.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  We should endeavour to teach our children to be gun-proof
  rather than trying to design our guns to be child-proof
---
 3 days until The 77th anniversary of Pearl Harbor

Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread David Jones 
On 12/4/18 9:09 AM, Benny Pedersen wrote:
> Bill Cole skrev den 2018-12-04 03:58:
> 
>> DKIM and DMARC *ONLY* operate on headers, *NEVER* on the envelope.
> 
> SPF is part of DMARC so not correct

I think he meant that DKIM related to DMARC means the DKIM signature has 
to align/match the From: header domain to pass which is DKIM_VALID_AU in SA.

In the case of SPF, DMARC will pass if the envelope-from domain check 
hits SPF_PASS in SA.

DMARC_PASS = SPF_PASS || DKIM_VALID_AU
DMARC_FAIL = !SPF_PASS && !DKIM_VALID_AU
DMARC_REJECT = DMARC_FAIL && DMARC record contains p=reject

-- 
David Jones

Re: Bayes underperforming, HTML entities?

2018-12-04 Thread Amir Caspi 
On Dec 1, 2018, at 10:31 AM, John Hardin  wrote:
> 
>> On Thu, 29 Nov 2018, Amir Caspi wrote:
>> 
>>> A) Could you sandbox the proposed rule change (AC_HTML_ENTITY_BONANZA_NEW) 
>>> and see how it performs, including possible FPs?
> 
> Done.

Any preliminary results?

Looks like we have a couple other HTML-related things that need to be added.  
See spample:
https://pastebin.com/Few8fVfF 

1) Looks like  is now being used instead of regular spaces to join some 
highly spammy words.  Are these turned into "regular" spaces by the HTML 
interpreter prior to body rules?  Or do they get turned into non-breaking space 
characters which are different than regular spaces?  Like all the ZW stuff, 
this seems like it should get "normalized" so it can be available both in raw 
and normal form for Bayes to pick up...

2) This particular spample has its "Bayes poison" text within a div with 
line-height:0, but there does not appear to be a rule to capture this.  That 
same div uses font-size:1px, so I would have thought this would trigger a "tiny 
fonts" rule, but apparently not.

It would seem our tiny font and/or other "trying to make this invisible" rules 
should be updated to capture these attempts.

I also saw another spample which had opacity:0 set on its "Bayes poison" text, 
but the "low contrast" rule didn't pop.

Cheers.

--- Amir

Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Benny Pedersen 

Bill Cole skrev den 2018-12-04 03:58:


DKIM and DMARC *ONLY* operate on headers, *NEVER* on the envelope.


SPF is part of DMARC so not correct

Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Benny Pedersen 

Grant Taylor skrev den 2018-12-03 20:16:

From: "John Doe " 



it could be tested that From:name is equal with From:addr on the domain 
part


but debate is 2 @ in From:addr not 2 in whole From:

just something to try if it helps

Re: SpamSender with 2 @-signs in the address

2018-12-04 Thread Bill Cole 
On 3 Dec 2018, at 15:04, Grant Taylor wrote:

> It's my understanding that spamass-milter provides the envelope details to 
> SpamAssassin.  -  I thought (assumed?) that SpamAssassin was treating the 
> SMTP envelope information properly and independently of the From: header.


See the documentation of envelope_sender_header ('perldoc 
Mail::SpamAssassin::Conf' is your friend!)

A milter receives messages without any headers (like Return-Path and the 
terminal Received) that get added by the MTA as it queues mail for delivery. 
The only way it can provide the envelope details to SpamAssassin is through 
synthetic headers which mimic what the MTA and/or delivery agent would add 
during queueing and/or delivery. I would expect that this is what 
spamass-milter does, as it has been done by other SA milters (e.g. MIMEDefang) 
forever.

signature.asc
Description: OpenPGP digital signature