Re: Spam rule for HTTP/HTTPS request to sender's root domain

2019-03-15 Thread Mike Marynowski

Thank you! I have no idea how I missed that...

On 3/13/2019 7:11 PM, RW wrote:

> On Wed, 13 Mar 2019 17:40:57 -0400
> Mike Marynowski wrote:
> 
> > Can someone help me form the correct SOA record in my DNS responses
> > to ensure the NXDOMAIN responses get cached properly? Based on the
> > logs I don't think downstream DNS servers are caching it as requests
> > for the same valid HTTP domains keep hitting the service instead of
> > being cached for 4 days.
> > 
> > ...
> > 
> > Based on random sampling of responses from other DNS servers this
> > seems correct to me. Nothing I'm reading indicates that TTL factors
> > into the negative caching but is it possible servers are only caching
> > the negative response for 15 mins because of the TTL on the SOA
> > record, using the smaller value between that and the default TTL?
> 
> I believe so, from RFC 2308:
> 
> 3 - Negative Answers from Authoritative Servers
> 
> Name servers authoritative for a zone MUST include the SOA record of
> the zone in the authority section of the response when reporting an
> NXDOMAIN or indicating that no data of the requested type exists.
> This is required so that the response may be cached.  The TTL of this
> record is set from the minimum of the MINIMUM field of the SOA record
> and the TTL of the SOA itself, and indicates how long a resolver may
> cache the negative answer.
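
Worked check, added here and not part of the thread: a small Python script that parses a dig-style SOA line and applies the RFC 2308 rule RW quoted, so you can see which SOA value is capping negative caching. The zone names, serials and timer values are constructed; the "before" line mirrors the thread's situation (MINIMUM of 4 days, SOA TTL of 15 minutes).

```python
"""Compute how long resolvers may cache an NXDOMAIN for a zone (RFC 2308, section 3)."""
from dataclasses import dataclass


@dataclass
class SOA:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> SOA:
    """Parse one dig-style SOA line: owner TTL IN SOA mname rname serial refresh retry expire minimum."""
    fields = line.split()
    if len(fields) != 11 or fields[2].upper() != "IN" or fields[3].upper() != "SOA":
        raise ValueError(f"not a dig-style SOA record: {line!r}")
    owner, ttl, _cls, _rtype, mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SOA(owner, int(ttl), mname, rname, serial, refresh, retry, expire, minimum)


def negative_cache_ttl(soa: SOA) -> int:
    """RFC 2308 s3: the negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)


def limiting_field(soa: SOA) -> str:
    """Which SOA value caps negative caching: 'ttl', 'minimum', or 'both' when equal."""
    if soa.ttl < soa.minimum:
        return "ttl"
    if soa.minimum < soa.ttl:
        return "minimum"
    return "both"


# Constructed sample mirroring the thread: MINIMUM asks for 4 days (345600 s) of
# negative caching, but the SOA record itself is published with a 900 s TTL.
BEFORE = ("example.invalid. 900 IN SOA ns1.example.invalid. hostmaster.example.invalid. "
          "2019031501 7200 900 1209600 345600")
# Same constructed zone with the SOA TTL raised to match MINIMUM.
AFTER = ("example.invalid. 345600 IN SOA ns1.example.invalid. hostmaster.example.invalid. "
         "2019031502 7200 900 1209600 345600")

if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        soa = parse_soa(line)
        print(f"{label}: NXDOMAIN cached for {negative_cache_ttl(soa)} s "
              f"(capped by SOA {limiting_field(soa)})")
```

Paste the SOA line from `dig +noall +authority <nonexistent name in your zone>` in place of the constructed sample to check a live zone.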





Re: Whitelist_from??

2019-03-15 Thread David Jones
On 3/14/19 5:50 PM, @lbutlr wrote:
> I've been having a lot of problems with emails from comixology getting tagged 
> as spam and then the message attachment is often, but not always, corrupt.
> 
> Content analysis details:   (6.8 points, 5.0 required)
> 
> pts  rule name                     description
> ---- ----------------------------- --------------------------------------------------
> -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
>  no trust
> [54.240.13.78 listed in list.dnswl.org]
> 0.2 BAYES_999  BODY: Bayes spam probability is 99.9 to 100%
> [score: 1.]
> 3.5 BAYES_99   BODY: Bayes spam probability is 99 to 100%
> [score: 1.]
> 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
> mail domains are different
> 0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
> 0.0 HTML_MESSAGE   BODY: HTML included in message
> 0.4 MIME_HTML_MOSTLY   BODY: Multipart message mostly text/html MIME
> 0.1 DKIM_SIGNED    Message has a DKIM or DK signature, not necessarily
> valid
> 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required
> MIME headers
> 0.1 DKIM_INVALID   DKIM or DK signature exists, but is not valid
> 1.0 BODY_URI_ONLY  Message body is only a URI in one line of text or
> for an image
> 0.0 T_REMOTE_IMAGE Message contains an external image
> 
> The attached message when I open it starts:
> 
> =23outlook A =7B  PADDING-BOTTOM: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 
> 0px=
> ; PADDING-TOP: 0px =7D
> BODY =7BPADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-LEFT: 0px; WIDTH: 100% =
> =21important; PADDING-RIGHT: 0px; PADDING-TOP: 0px; -webkit-text-size-adjus=
> t: 100%; -ms-text-size-adjust: 100%
> =7D
> =7D =20
> 
> 
> I added whitelist_auth comixology.com to local.cf and still had issues, so I 
> also added whitelist_from comixology.com, but messages are still tagged as 
> spam.
> 
> From: Comics by comiXology 
> 
> But the message are actually coming from amazon.com. I have these references 
> to amazon in local.cf
> 
> adsp_override amazon.com custom_high
> adsp_override amazon.com
> whitelist_auth *@amazon.com
> 
> (not sure about the first two lines, don't recall those settings)
> 

I would recommend using this if they hit SPF_PASS or DKIM_VALID_AU:

whitelist_auth *@*.comixology.com

If they don't have good SPF or DKIM like this one, then use:

whitelist_from_rcvd *@*.comixology.com amazonses.com

The "amazonses.com" would be the part of the sending mail server's name 
when it has good FCrDNS.  If that mail server doesn't have good FCrDNS, 
then use:

whitelist_from_rcvd *@*.comixology.com [ip.ad.dr.ess]


whitelist_from should be the last option and I only use it on a full 
email address that is very unique so spammers won't be able to match 
that by accident from any source server or IP address.

-- 
David Jones