Re: List of available query templates?
As per AskDNS.pm (lotsa info in there), currently recognized RR types in the rr_type parameter are: ANY, A, MX, TXT, PTR, NAPTR, NS, SOA, CERT, CNAME, DNAME, DHCID, HINFO, MINFO, RP, HIP, IPSECKEY, KX, LOC, SRV, SSHFP, SPF.

On 10/4/19 3:54 PM, Tobi wrote:
> Yes I mean the _tags_ like given below to construct DNS queries with askdns. Sorry if I was not precise enough :-)
> I found several examples all over the docs but nowhere a central list of those supported tags.
>
> On 04.10.19 at 15:27, Giovanni Bechis wrote:
>> On 10/4/19 3:01 PM, Bill Cole wrote:
>>> On 4 Oct 2019, at 3:36, Tobi wrote:
>>>> Hi list
>>>> is there any doc where one can find a list of supported DNS query templates?
>>>
>>> What does that even mean???
>>>
>>> SpamAssassin does many different sorts of DNS query. I am unaware of any "template" construct in SA used for its many possible DNS queries.
>>
>> I think the user is referring to rules such as:
>> askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
>>
>> In Mail::SpamAssassin::Conf you have docs about what _AUTHORDOMAIN_ and other tags mean.
>>
>> Giovanni
Re: Rule for detecting two email addresses in From: field.
On 04.10.19 at 16:40, Grant Taylor wrote:
> On 10/4/19 6:43 AM, A. Schulze wrote:
>> that happens from time to time but currently I suspect the sender likes to
>> trigger a bug in OpenDMARC to generate dmarc=pass for messages that
>> otherwise would be classified as dmarc=reject.
>
> Based on my understanding of DMARC, which could be wrong, I don't think this
> is a bug in OpenDMARC, as an implementation, but rather an unexpected
> behavior around the DMARC standard.
>
> My understanding is that the DMARC standard is to check alignment of the
> From: address, which means the part inside angle brackets, outside of the
> optional double quoted friendly name.
>
> From: "John Doe "
>
> Thus DMARC is supposed to /only/ check and /not/ check
> .

Hi Grant,

Maybe we're talking about different things :-)

The OpenDMARC bug could be triggered by this RFC5322.From:

From: user , user

Mallory could send a message which authenticates as badguy.example, but OpenDMARC reports "dmarc=pass domain=yahoo.example".
That's fixed with https://github.com/trusteddomainproject/OpenDMARC/pull/48/commits/f6b615e345037408b88b2ffd1acd03239af8a858

But back to SA: there is a difference between this comma separated list and the display name containing a second address ...

Andreas
Subject not always included as first line of body
Hi! In SA 3.4.2 I have noticed a slight score difference between consecutive SA executions. Digging in, I have discovered that in plugin methods that use $body from the third argument, like in this example:

sub pdf_is_empty_body {
  my ($self, $pms, $body, $min) = @_;

the subject is not always included as the first line of body (as expected), but only in about 50% of calls. In SA 3.4.1 it works OK. Any idea why? (I have asked the dev list as well.)

Thanks.
-Pedreter
Re: Rule for detecting two email addresses in From: field.
I use a plugin that detects mismatches, but tries to be a little smart about what counts as a mismatch (like making sure the mismatch isn't really just that one address is from a subdomain of the other's domain, or someone carelessly using the "@" character in the name part of the From header).

https://github.com/enkidushane/sa-frommismatch

On Fri, 4 Oct 2019, Philip wrote:
> Morning List,
>
> Lately I'm getting a bunch of emails that are showing up with two email addresses in the From: field.
>
> From: "Persons Name "
>
> When you look in your mail client (Outlook, Thunderbird) it's showing only "Persons Name "
>
> Is there a way I can mark From: that has 2 email addresses in it as spam? Pros/cons?
>
> Phil

-- 
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines | sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
Re: Rule for detecting two email addresses in From: field.
On 10/4/19 6:43 AM, A. Schulze wrote:
> that happens from time to time but currently I suspect the sender likes to trigger a bug in OpenDMARC to generate dmarc=pass for messages that otherwise would be classified as dmarc=reject.

Based on my understanding of DMARC, which could be wrong, I don't think this is a bug in OpenDMARC, as an implementation, but rather an unexpected behavior around the DMARC standard.

My understanding is that the DMARC standard is to check alignment of the From: address, which means the part inside angle brackets, outside of the optional double quoted friendly name.

From: "John Doe "

Thus DMARC is supposed to /only/ check and /not/ check .

As such, some enterprising individuals have taken to putting an address they want to pretend to be inside the double quoted friendly name while using something else they control in the actual from address. Thus their messages /do/ /pass/ DMARC alignment tests while still appearing to be from what humans (mis)perceive as the address inside the double quoted friendly name.

To me, this is what the DMARC specification states. Thus why enterprising individuals have taken to using this workaround to make messages appear to be from j...@example.net.

This is also why some DMARC implementations have started going beyond the DMARC specification and looking for what appears to be an email address inside the double quoted friendly name and applying DMARC alignment tests to that in addition to what the specification says. Hence why I referred to these implementations as overzealous.

> I'm aware, the Debian package of opendmarc was updated some weeks ago:
> https://www.debian.org/security/2019/dsa-4526

I thought that this bug was based on multiple From: headers in a message.

From: "unknown"
From: "John Doe "

The first part of this issue centers around the fact that some DMARC implementations would test the first From: header for alignment and ignore other From: headers, assuming that there is only one.

The second part of this issue centers around the fact that some MUAs only display the last From: header and ignore other From: headers.

The combined interaction being that the questionable message passes DMARC alignment tests without any problems and the last From: address is displayed to the end user. Thus making a message seemingly from John Doe pass DMARC when was the real sender that passed DMARC.

-- 
Grant. . . .
unix || die
Re: Rule for detecting two email addresses in From: field.
On 10/4/19 5:41 AM, Reindl Harald wrote:
> there is nothing ill advised because otherwise you have no way to see the original address of the sender

There is nothing ill advised about having the information. There is unfortunately a potential gotcha if the information is formatted as "" inside of the friendly name / double quoted portion.

The problem comes from overzealous DMARC implementations that look inside the friendly name / double quoted portion in addition to the actual email address.

I recommend that people format the information differently so that it does not appear as an actual email address to such questionable DMARC implementations. E.g. "user at example.com". Thus the information is there for the end user to utilize with much less risk of running afoul of overzealous DMARC implementations. Implementations which, as I understand it, go against the DMARC standard.

-- 
Grant. . . .
unix || die
Re: List of available query templates?
Yes, I mean the _tags_ like given below to construct DNS queries with askdns. Sorry if I was not precise enough :-)

I found several examples all over the docs but nowhere a central list of those supported tags.

On 04.10.19 at 15:27, Giovanni Bechis wrote:
> On 10/4/19 3:01 PM, Bill Cole wrote:
>> On 4 Oct 2019, at 3:36, Tobi wrote:
>>
>>> Hi list
>>>
>>> is there any doc where one can find a list of supported DNS query
>>> templates?
>>
>> What does that even mean???
>>
>> SpamAssassin does many different sorts of DNS query. I am unaware of any
>> "template" construct in SA used for its many possible DNS queries.
>>
> I think the user is referring to rules such as:
> askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
>
> In Mail::SpamAssassin::Conf you have docs about what _AUTHORDOMAIN_ and other
> tags mean.
>
> Giovanni
Re: List of available query templates?
On 10/4/19 3:01 PM, Bill Cole wrote:
> On 4 Oct 2019, at 3:36, Tobi wrote:
>
>> Hi list
>>
>> is there any doc where one can find a list of supported DNS query
>> templates?
>
> What does that even mean???
>
> SpamAssassin does many different sorts of DNS query. I am unaware of any
> "template" construct in SA used for its many possible DNS queries.

I think the user is referring to rules such as:

askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/

In Mail::SpamAssassin::Conf you have docs about what _AUTHORDOMAIN_ and other tags mean.

Giovanni
Re: List of available query templates?
On 4 Oct 2019, at 3:36, Tobi wrote:
> Hi list
>
> is there any doc where one can find a list of supported DNS query templates?

What does that even mean???

SpamAssassin does many different sorts of DNS query. I am unaware of any "template" construct in SA used for its many possible DNS queries.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Re: Rule for detecting two email addresses in From: field.
On 04.10.19 at 01:12, Philip wrote:
> Lately I'm getting a bunch of emails that are showing up with two email
> addresses in the From: field.

That happens from time to time, but currently I suspect the sender likes to trigger a bug in OpenDMARC to generate dmarc=pass for messages that otherwise would be classified as dmarc=reject.

I'm aware, the Debian package of opendmarc was updated some weeks ago:
https://www.debian.org/security/2019/dsa-4526

Andreas
Re: Rule for detecting two email addresses in From: field.
On 4-10-2019 1:12, Philip wrote:
> Morning List,
>
> Lately I'm getting a bunch of emails that are showing up with two email addresses in the From: field.
>
> From: "Persons Name "
>
> When you look in your mail client (Outlook, Thunderbird) it's showing only "Persons Name "
>
> Is there a way I can mark From: that has 2 email addresses in it as spam? Pros/cons?
>
> Phil

header FR_D_AT From =~ /\S+\@[\w\-\.]+.*\S+\@[\w\-\.]+/
describe FR_D_AT From has double email address?
score FR_D_AT 0.1

header FR_NA_SAME From =~ /(\S+\@[\w\-\.]+).*\1/
describe FR_NA_SAME From name and address is the same email address.
tflags FR_NA_SAME nice
score FR_NA_SAME -0.1

meta SPOOF_EMAIL (FR_D_AT && ! FR_NA_SAME)
describe SPOOF_EMAIL From name and address have different email address!
score SPOOF_EMAIL 2.5

-- 
bOnK
Re: Rule for detecting two email addresses in From: field.
On 04-10-19 04:31, Bill Cole wrote:
> On 3 Oct 2019, at 20:01, Rick Cooper wrote:
>> Philip wrote:
>>> Morning List,
>>>
>>> Lately I'm getting a bunch of emails that are showing up with two email addresses in the From: field.
>>>
>>> From: "Persons Name "
>>>
>>> When you look in your mail client (Outlook, Thunderbird) it's showing only "Persons Name "
>>>
>>> Is there a way I can mark From: that has 2 email addresses in it as spam? Pros/cons?
>>>
>>> Phil
>>
>> From: =~ /^.*?<.+?\@.+?>.*?<.+\@.+?>/g
>>
>> Can't imagine the circumstance where such a from: format would be required
>
> I've seen it used as a perfectly reasonable workaround for the misfeature described above of many MUAs of hiding the address field in To/From/CC headers. Because many people actually want to know what the actual address is.

I would disagree on the "reasonable" here. People using a mail client should configure it as they wish. My client hides email addresses for everyone in my address book, but not for 'unknown' addresses. That is how I like it, and I don't think senders should try to enforce a workaround for this because their recipients are too stupid to configure their email client (or switch to a decent one).

Anyway, the main harm is done when the email addresses in the 'addr' field and the 'name' are different, and that's detectable.

Kind regards,
Tom
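Worked example, added to this thread and not code from SpamAssassin, from the sa-frommismatch plugin, or from any poster: a small stand-alone Python parser that covers the three From: shapes discussed above, namely an address-looking string hidden inside the display name (Philip's report, bOnK's FR_D_AT / FR_NA_SAME / SPOOF_EMAIL rules and Rick's regex), a comma-separated list of mailboxes in one From: header (Andreas's OpenDMARC case), and a message carrying more than one From: header line (Grant's "first header is verified, last header is displayed" scenario). It also implements the two allowances Shane's plugin mentions, a subdomain of the other address's domain and a careless "@" in the name part. The hit names, header values and domains in it are constructed placeholders, not real rule names or real mail; the address regex is deliberately simple and does not decode RFC 2047 encoded display names.

```python
import re

# Something that looks like an addr-spec: no whitespace/specials before the @
# and a dotted domain after it. "Jane @ Work" therefore does not match, which
# is the careless-@-in-the-name case Shane's plugin wants left alone.
ADDR_RE = re.compile(r'[^\s<>"(),;:@]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')
ANGLE_RE = re.compile(r'<([^<>]*)>\s*$')


def split_mailboxes(value):
    """Split a From: value on top-level commas only. Commas inside quoted
    strings, comments or angle brackets must not split, so value.split(',')
    would be wrong for 'From: "Doe, John" <j@example.net>'."""
    parts, buf, depth, quoted, i = [], [], 0, False, 0
    while i < len(value):
        c = value[i]
        if quoted and c == '\\' and i + 1 < len(value):   # escaped char in a quoted string
            buf.append(value[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c in '(<':
            depth += 1
        elif not quoted and c in ')>':
            depth = max(0, depth - 1)
        elif c == ',' and not quoted and depth == 0:
            parts.append(''.join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_mailbox(mailbox):
    """Return (display_name, addr_spec). The addr-spec is the last <...>
    pair; a bare token without angle brackets is the address itself."""
    m = ANGLE_RE.search(mailbox)
    if not m:
        return '', mailbox.strip()
    name = mailbox[:m.start()].strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1].replace('\\"', '"')
    return name, m.group(1).strip()


def domain(addr):
    return addr.rpartition('@')[2].strip().lower().rstrip('.')


def aligned(d1, d2):
    """Same domain, or one a subdomain of the other (the allowance Shane's
    plugin mentions). A stricter check would compare organizational domains."""
    return bool(d1 and d2) and (
        d1 == d2 or d1.endswith('.' + d2) or d2.endswith('.' + d1))


def check_from_header(value):
    """Analyse one From: value -> (addresses, set of hit names). The hit
    names mirror bOnK's rules: ADDR_IN_NAME ~ FR_D_AT, NAME_ADDR_SAME ~
    FR_NA_SAME, NAME_ADDR_MISMATCH ~ SPOOF_EMAIL (minus subdomain cases)."""
    mailboxes = [parse_mailbox(mb) for mb in split_mailboxes(value)]
    addrs = [addr for _, addr in mailboxes if addr]
    hits = set()
    if len(addrs) > 1:
        hits.add('MULTIPLE_MAILBOXES')           # Andreas's "user@a, user@b" case
    for name, addr in mailboxes:
        for hidden in ADDR_RE.findall(name):
            hits.add('ADDR_IN_NAME')
            if hidden.lower() == addr.lower():
                hits.add('NAME_ADDR_SAME')       # harmless: same address twice
            elif not aligned(domain(hidden), domain(addr)):
                hits.add('NAME_ADDR_MISMATCH')   # the spoof pattern Philip saw
    return addrs, hits


def from_headers(raw):
    """All From: header values of a raw RFC 5322 message, in order, unfolded."""
    head = re.split(r'\r?\n\r?\n', raw, maxsplit=1)[0]
    unfolded = re.sub(r'\r?\n[ \t]+', ' ', head)
    return [ln[5:].strip() for ln in unfolded.splitlines() if ln[:5].lower() == 'from:']


def analyze_message(raw):
    """Run check_from_header over every From: line, then add Grant's
    multi-header case: a verifier that aligns only the first From: while
    an MUA displays only the last one."""
    values = from_headers(raw)
    per_header = [check_from_header(v) for v in values]
    hits = set().union(*(h for _, h in per_header))
    if len(values) > 1:
        hits.add('MULTIPLE_FROM_HEADERS')
        first, last = per_header[0][0], per_header[-1][0]
        if first and last and not aligned(domain(first[0]), domain(last[0])):
            hits.add('FIRST_LAST_FROM_MISMATCH')
    return values, hits


# Constructed samples; every address and domain is a placeholder.
SAMPLES = {
    'name_spoof': 'From: "john@example.net" <x@badguy.example>\n\nbody',
    'name_same': 'From: "jane@example.net" <jane@example.net>\n\nbody',
    'name_subdomain': 'From: "jane@example.net" <jane@mail.example.net>\n\nbody',
    'at_in_name': 'From: "Jane @ Work" <jane@example.net>\n\nbody',
    'comma_list': 'From: user@yahoo.example, user@badguy.example\n\nbody',
    'two_headers': 'From: "unknown" <x@badguy.example>\nFrom: "John Doe" <john@example.net>\n\nbody',
}

if __name__ == '__main__':
    for label, raw in SAMPLES.items():
        print(f'{label:15} {sorted(analyze_message(raw)[1]) or ["clean"]}')
```

The split/parse pair is what a regex such as Rick's cannot do reliably: a quoted display name may legally contain commas, "<" and "@", so the address of record has to be taken from the last angle-addr after quoting is resolved, and only then is the display name searched for a second address. The subdomain allowance in aligned() is intentionally lenient; a production check would compare organizational domains the way a DMARC verifier does.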
List of available query templates?
Hi list,

is there any doc where one can find a list of supported DNS query templates? I mean except grep-ing through the whole source code? ;-)

Cheers
tobi