Re: Possible spam sign

2020-12-09 Thread RW
On Tue, 8 Dec 2020 10:18:28 -0800
Loren Wilton wrote:

> I just received a spam with this interesting From address:
> 
> From: "VA Rate Guide" 
> 
> 
> I wonder if it is worth checking for mail from more than one sender
> at once?

Multiple senders in "From" headers is rare, but RFC compliant.

What you have there isn't syntactically correct; the addresses aren't
properly separated by commas.


Re: Possible spam sign

2020-12-08 Thread John Hardin

On Tue, 8 Dec 2020, Loren Wilton wrote:


That probably should have hit at least one scored base rule:

  https://ruleqa.spamassassin.org/?rule=%2FFROM_2_


Nope. I think my rules are up to date, but maybe not.


Feel free to pastebin it and I'll take a look.


https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing


That was scanned by SA? Are the SA scan results buried in the 
X-VadeSecure-Cause header somehow?


It's too long to hit FROM_2_EMAILS_SHORT, and the longer message rules 
that it hits (__HTML_LENGTH_1024_1536 and __PDS_HTML_LENGTH_2048) are 
ham-only combos in the masscheck corpus.


I've added some new rules for masscheck eval based on it.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Journalism is about covering important stories.
  With a pillow, until they stop moving.   -- David Burge
---
 7 days until Bill of Rights day


Re: Possible spam sign

2020-12-08 Thread Loren Wilton

That probably should have hit at least one scored base rule:

  https://ruleqa.spamassassin.org/?rule=%2FFROM_2_


Nope. I think my rules are up to date, but maybe not.


Feel free to pastebin it and I'll take a look.


https://drive.google.com/file/d/1WQ0Mm1iUsKhTj51mFJwwehuTatSm8Nux/view?usp=sharing



Re: Possible spam sign

2020-12-08 Thread Luis E. Muñoz

On 8 Dec 2020, at 12:47, Grant Taylor wrote:

I think that the strict RFC specification does allow for multiple 
senders, but I don't remember how it's done and it's so rare that I'd 
accept the false positive.


Yes to both.

-lem


Re: Possible spam sign

2020-12-08 Thread Grant Taylor

On 12/8/20 11:18 AM, Loren Wilton wrote:

I just received a spam with this interesting From address:

From: "VA Rate Guide" 
 


Ew.

I wonder if it is worth checking for mail from more than one sender at 
once?


The BOFH in me would be tempted to add one point for each extra @.

I think that the strict RFC specification does allow for multiple 
senders, but I don't remember how it's done and it's so rare that I'd 
accept the false positive.




--
Grant. . . .
unix || die
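
Added example, not code from the thread or from SpamAssassin: a small Python check that counts the addr-specs in a From: header value, tells a comma-separated RFC 5322 address-list (rare but legal, as RW notes) apart from several addresses jammed into one item without separators (the malformed form Loren received), and reports the "one point per extra @" count Grant mentions. The sample header values are constructed; the original message's addresses are not reproduced on the page.

```python
import re

# Approximate addr-spec: local-part '@' domain, ending at whitespace or a
# delimiter.  Good enough for counting; not a full RFC 5322 parser.
ADDR_SPEC = re.compile(r'[^\s<>,;:"()]+@[^\s<>,;:"()]+')
QUOTED_STRING = re.compile(r'"[^"]*"')


def split_address_list(value):
    """Split a header value on the commas that separate address-list items.

    Commas inside a quoted display name ("Smith, John") or inside angle
    brackets are not separators.
    """
    items, buf, in_quote, depth = [], [], False, 0
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == '<':
            depth += 1
        elif not in_quote and ch == '>':
            depth = max(0, depth - 1)
        if ch == ',' and not in_quote and depth == 0:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf).strip())
    return [item for item in items if item]


def analyse_from(value):
    """Describe how many senders a From: header value carries and whether
    they are separated the way RFC 5322 requires.

    Returns a dict with the addr-specs found, the number of '@' beyond the
    first (the "one point per extra @" idea), whether the value is a proper
    comma-separated multi-sender list, and whether several addr-specs were
    crammed into a single list item (malformed).
    """
    # Drop quoted display names first so an '@' inside "..." is not counted.
    addrs = ADDR_SPEC.findall(QUOTED_STRING.sub('', value))
    items = split_address_list(value)
    return {
        "addresses": addrs,
        "extra_at": max(0, len(addrs) - 1),
        "multi_sender_ok": len(addrs) > 1 and len(addrs) == len(items),
        "malformed": len(addrs) > len(items),
    }


# Constructed sample header values (not the addresses from the thread).
SAMPLES = [
    '"VA Rate Guide" <list@example.com>',                      # one sender
    '"VA Rate Guide" <ads@example.net> <news@example.org>',    # two, no comma
    'Alice <alice@example.com>, Bob <bob@example.org>',        # two, RFC list
    '"Smith, John" <john@example.com>',                        # comma in name
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", analyse_from(sample))
```

The second sample is the shape RW describes: two addr-specs, zero separating commas, so `malformed` is true and `extra_at` is 1; the third is the legal multi-sender form, which scores the same `extra_at` but is flagged as a well-formed list instead.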





Re: Possible spam sign

2020-12-08 Thread Benny Pedersen

Loren Wilton wrote on 2020-12-08 19:18:

I just received a spam with this interesting From address:

From: "VA Rate Guide"


I wonder if it is worth checking for mail from more than one sender at 
once?


Received: from [47.140.131.2] (helo=watson1)
by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4)
(envelope-from )
id 1kmhZF-0002TY-Oh
for users@spamassassin.apache.org; Tue, 08 Dec 2020 13:18:29 -0500

clear text SASL password?

if the From: header has more domains to block, then block it :=)


Re: Possible spam sign

2020-12-08 Thread John Hardin

On Tue, 8 Dec 2020, Loren Wilton wrote:


That probably should have hit at least one scored base rule:

  https://ruleqa.spamassassin.org/?rule=%2FFROM_2_


Nope. I think my rules are up to date, but maybe not.


Feel free to pastebin it and I'll take a look.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People think they're trading chaos for order [by ceding more and
  more power to the Government], but they're just trading normal
  human evil for the really dangerous organized kind of evil, the
  kind that simply does not give a shit. Only bureaucrats can give
  you true evil. -- Larry Correia
---
 7 days until Bill of Rights day


Re: Possible spam sign

2020-12-08 Thread Loren Wilton

That probably should have hit at least one scored base rule:

  https://ruleqa.spamassassin.org/?rule=%2FFROM_2_


Nope. I think my rules are up to date, but maybe not.



Re: Possible spam sign

2020-12-08 Thread John Hardin

On Tue, 8 Dec 2020, Loren Wilton wrote:


I just received a spam with this interesting From address:

From: "VA Rate Guide" 


I wonder if it is worth checking for mail from more than one sender at once?


That probably should have hit at least one scored base rule:

  https://ruleqa.spamassassin.org/?rule=%2FFROM_2_



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 7 days until Bill of Rights day


Possible spam sign

2020-12-08 Thread Loren Wilton

I just received a spam with this interesting From address:

From: "VA Rate Guide" 



I wonder if it is worth checking for mail from more than one sender at once?

   Loren



Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Raymond Dijkxhoorn

Hai!


That isn't only Phishtank data...


+1



and using that data in that particular way hardly scales to bigger setups


data could be stored in DB_File just like GeoIP2, that saves ram imho


Transferring the complete set over and over might not be the best way of 
doing the distribution of datasets like that...


I agree with Alex, sets like that should be rbldnsd based to make it 
scalable imho.



FTR: GoogleSafeBrowsing is not free for all, anymore



that explains the low hit ratio? :=)


 :-)

Bye, Raymond


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Axb

On 7/7/20 2:57 PM, Benny Pedersen wrote:

Axb wrote on 2020-07-07 14:46:


That isn't only Phishtank data...


+1


and using that data in that particular way hardly scales to bigger setups


data could be stored in DB_File just like GeoIP2, that saves ram imho


rbldnsd is the way to go:
- you can control TTL
- it scales to millions of minions
- it's cheap in terms of RAM and cycles
- low maintenance
- does not add load to clients.


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Benny Pedersen

Axb wrote on 2020-07-07 14:46:


That isn't only Phishtank data...


+1

and using that data in that particular way hardly scales to bigger 
setups


data could be stored in DB_File just like GeoIP2, that saves ram imho


FTR: GoogleSafeBrowsing is not free for all, anymore


that explains the low hit ratio? :=)


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Raymond Dijkxhoorn

Hai!


I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.



is another reporting problem

whatever that may mean


if all phishes are reported to google then safebrowsing would be more 
useful



FTR: GoogleSafeBrowsing is not free for all, anymore


If I recall correctly the ClamAV support for that also was stopped months 
ago. Due to exactly that.


bye, Raymond


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Axb

On 7/7/20 2:39 PM, Benny Pedersen wrote:

Axb wrote on 2020-07-07 13:23:


domains listed in Phishtank are picked up by SURBL


and rbldnsd supports a fix of this 
https://www.isc.org/blogs/qname-minimization-and-privacy/


I have disabled it in bind9


Phishtank signatures in SpamAssassin?


https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_Phishing.txt 




you probably mean ClamAV


no


That isn't only Phishtank data...
and using that data in that particular way hardly scales to bigger setups




I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.

is another reporting problem

whatever that may mean


if all phishes are reported to google then safebrowsing would be more 
useful


FTR: GoogleSafeBrowsing is not free for all, anymore


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Benny Pedersen

Axb wrote on 2020-07-07 13:23:


domains listed in Phishtank are picked up by SURBL


and rbldnsd supports a fix of this 
https://www.isc.org/blogs/qname-minimization-and-privacy/


I have disabled it in bind9


Phishtank signatures in SpamAssassin?


https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_Phishing.txt


you probably mean ClamAV


no


I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.

is another reporting problem

whatever that may mean


if all phishes are reported to google then safebrowsing would be more 
useful


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Axb

On 7/7/20 1:20 PM, Benny Pedersen wrote:

KADAM, SIDDHESH wrote on 2020-07-07 13:13:


Can anybody suggest the best possible way to block phish/malware URLs
from the body of an email using SpamAssassin?


report to https://phishtank.com/ 1 step :=)

next is to use https://sanesecurity.com/ with phishtank signatures

using phishtank signatures in spamassassin needs more ram


domains listed in Phishtank are picked up by SURBL

Phishtank signatures in SpamAssassin?  you probably mean ClamAV


I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.


is another reporting problem 

whatever that may mean




Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Benny Pedersen

KADAM, SIDDHESH wrote on 2020-07-07 13:13:


Can anybody suggest the best possible way to block phish/malware URLs
from the body of an email using SpamAssassin?


report to https://phishtank.com/ 1 step :=)

next is to use https://sanesecurity.com/ with phishtank signatures

using phishtank signatures in spamassassin needs more ram


I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.


is another reporting problem


Re: Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread Axb

On 7/7/20 1:13 PM, KADAM, SIDDHESH wrote:

Guys,

Can anybody suggest the best possible way to block phish/malware URLs from the
body of an email using SpamAssassin?

I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.

Regards,
Siddhesh


iirc  "ramprasad at NETCORE.CO.IN"  should be able to help you.



Best Possible Way To Block Phish/Malware URL

2020-07-07 Thread KADAM, SIDDHESH

  
  
Guys,

Can anybody suggest the best possible way to block phish/malware URLs from
the body of an email using SpamAssassin?

I tried GoogleSafeBrowsing but it is not helping much as it has a very low
detection ratio.

Regards,
Siddhesh


  



Re: possible FORGED_GMAIL_RCVD false positive

2019-09-19 Thread Matus UHLAR - fantomas

On Wed, 18 Sep 2019 12:29:43 +0200
Matus UHLAR - fantomas wrote:
> I have received the following spam:
>
> https://pastebin.com/SkvkVWik
>
> This hits FORGED_GMAIL_RCVD although the message came from google mail
> servers.
>
> According to HeaderEval.pm, the message apparently is missing the
> X-Google-Smtp-Source header
>
> is there any reason to expect that header in mail from gmail?



On Wed, Sep 18, 2019 at 08:40:55PM +0100, RW wrote:

It seems to always be there. The posts on the list have it, and I sent
some test messages from webmail and the Android app.


On 19.09.19 08:30, Giovanni Bechis wrote:

both headers should be there, anyway the fp has been fixed in r1867159.
Giovanni


I have two other examples without that one header, received from google.com
servers and both missing X-Google-Smtp-Source.

Is there source for this information or is it just based on observation?

However, yes, looking at that change, the FP should be fixed. The downside is
that it needs an update to SA, not just to the SA rules.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: possible FORGED_GMAIL_RCVD false positive

2019-09-19 Thread Giovanni Bechis
On Wed, Sep 18, 2019 at 08:40:55PM +0100, RW wrote:
> On Wed, 18 Sep 2019 12:29:43 +0200
> Matus UHLAR - fantomas wrote:
> 
> > Hello,
> > 
> > I have received the following spam:
> > 
> > https://pastebin.com/SkvkVWik
> > 
> > This hits FORGED_GMAIL_RCVD although the message came from google mail
> > servers.
> > 
> > According to HeaderEval.pm, the message apparently is missing the
> > X-Google-Smtp-Source header
> > 
> > is there any reason to expect that header in mail from gmail?
> 
> It seems to always be there. The posts on the list have it, and I sent
> some test messages from webmail and the Android app.
both headers should be there, anyway the fp has been fixed in r1867159.
 Giovanni




Re: possible FORGED_GMAIL_RCVD false positive

2019-09-18 Thread RW
On Wed, 18 Sep 2019 12:29:43 +0200
Matus UHLAR - fantomas wrote:

> Hello,
> 
> I have received the following spam:
> 
> https://pastebin.com/SkvkVWik
> 
> This hits FORGED_GMAIL_RCVD although the message came from google mail
> servers.
> 
> According to HeaderEval.pm, the message apparently is missing the
> X-Google-Smtp-Source header
> 
> is there any reason to expect that header in mail from gmail?

It seems to always be there. The posts on the list have it, and I sent
some test messages from webmail and the Android app.


possible FORGED_GMAIL_RCVD false positive

2019-09-18 Thread Matus UHLAR - fantomas

Hello,

I have received the following spam:

https://pastebin.com/SkvkVWik

This hits FORGED_GMAIL_RCVD although the message came from google mail
servers.

According to HeaderEval.pm, the message apparently is missing the
X-Google-Smtp-Source header

is there any reason to expect that header in mail from gmail?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: Filtering at border routers: Is it possible?

2019-03-26 Thread Matus UHLAR - fantomas

On 25 Mar 2019, at 09:49, Matus UHLAR - fantomas  wrote:

I can't see anywhere how smtps could mean multicast audio.


On 25.03.19 22:27, @lbutlr wrote:

That may have been a different use for port 465? I was operating from memory.


different use, but it was not called ssmtp. 
what I want to say is that smtps always meant ssl'ed smtp.



I wasn't trying to do a ton of research on this. The point is 465 was a MSFT 
thing


actually no. They used previously defined smtps. Yes, they used it after it
was deprecated, but in a compatible way.


that they did ignoring the specs, as they loved to do (see breaking
kerberos and many other examples), but that there is a new RFC for the use
of port 465 as a submissions port (as opposed to the port 587 submission
port).


I've been using 465 with enforced authentication on many servers for years.

never heard about source-specific multicast (SSM) until now...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


Re: Filtering at border routers: Is it possible?

2019-03-26 Thread Bill Cole

On 26 Mar 2019, at 0:27, @lbutlr wrote:

That may have been a different use for port 465? I was operating from 
memory.


Cisco SSM. See 
https://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfssm.pdf


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Filtering at border routers: Is it possible?

2019-03-25 Thread
On 25 Mar 2019, at 09:49, Matus UHLAR - fantomas  wrote:
> I can't see anywhere how smtps could mean multicast audio.

That may have been a different use for port 465? I was operating from memory.

I wasn't trying to do a ton of research on this. The point is 465 was a MSFT 
thing that they did ignoring the specs, as they loved to do (see breaking 
kerberos and many other examples), but that there is a new RFC for the use of 
port 465 as a submissions port (as opposed to the port 587 submission port).



-- 
Competent? How are we going to compete with that?




Re: Filtering at border routers: Is it possible?

2019-03-25 Thread Dave Warren

On 2019-03-22 21:43, Grant Taylor wrote:

On 3/22/19 7:01 PM, Dave Warren wrote:
To me, the big one is this: It sets your users up for failure. If a 
user configures their client on a network that allows unrestricted 
port 25 access and later moves (temporarily or permanently) to a 
network that does restrict port 25, they'll get an error and you'll 
get a support ticket.


Valid as that is, that is addressing a client issue, not a server issue.


It isn't really a server or client issue, rather, it is a user issue and 
a technical support issue.



You'll save yourself a lot of hassle if you get clients set up right 
from the start rather than fixing user configurations after the fact.


Agreed.  But configuring clients to use port 587 or 465 does not 
preclude allowing SMTP Authentication on port 25.


This isn't really true.

By rejecting authentication on port 25 upfront you force clients to be 
configured properly from the start whereas when you allow authentication 
on port 25 a client will often guess at port 25, see that it works and 
the user will not reconfigure anything despite what the instructions 
recommend.



One other consideration, although this is more opinion than fact: In 
my experience users/clients that still default to port 25 often don't 
default to STARTTLS and therefore will transmit an unencrypted 
password at least once (even if you refuse it and instruct them to 
authenticate, the damage could already have been done). Forcing 465 is 
the only way to ensure that this can't happen, but clients that 
default to 587 are far more likely to default to using encryption.


There is another way.  You can configure the server to not offer SMTP 
Authentication until after encryption is established with STARTTLS.


That doesn't work because some (poorly written) clients blindly throw 
authentication commands hoping to get a response.


This is an admittedly minor issue as it would require an attacker in a 
MITM position to have a chance at intercepting it, but it is still less 
than ideal.




Re: Filtering at border routers: Is it possible?

2019-03-25 Thread Matus UHLAR - fantomas

And didn't Microsoft start using it for their non-standard email in Windows 95?

I'm not sure how non-standard Microsoft's use of SMTP-over-TLS (SMTPS /
TCP port 465) is.  The closest thing I remember to non-standard nature
was that they were atypical in their choice of preferring SMTP-over-TLS
versus the more common MSA port combined with STARTTLS.  But as far as I
know, SMTP-over-TLS / SMTPS / TCP port 465 is standard.



On 3/24/19 1:00 PM, @lbutlr wrote:

Is now. Was not then. Was not for many many years. RFC 8314 is very recent.


Also, smtps and SMTPS are not, oddly, the same thing.



On 24 Mar 2019, at 13:16, Grant Taylor  wrote:

Okay, what do you think the difference is in "smtps" and "SMTPS"?


On 24.03.19 18:45, @lbutlr wrote:

The details escape me, but they are different. I think the lowercase one is 
the multicast audio.

Oh, look, Wikipedia has some details.




I can't see anywhere how smtps could mean multicast audio.

the only difference I can see was that smtps was originally designed for use
by MTAs (but afaik it never was really used as such), while now it's
designed for use by MUAs, but it's mostly the same protocol.

in fact, many people used it for MUAs most of the time, especially clients
like Outlook Express and Outlook <2007 that couldn't do STARTTLS on a port
other than 25.

However, it wasn't very different from port 25, at least until
authentication became widely used by clients and/or enforced (which can't be
done when receiving on port 25 of mail servers).

So, it wasn't an M$-only crutch; I'd rather say it's another example of what
Microsoft took and used in their own incompatible way (how typical for them),
which is compatible now.

Finally, I hope we have discussed this and can finish this thread :)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot. 


Re: Filtering at border routers: Is it possible?

2019-03-25 Thread @lbutlr
On 24 Mar 2019, at 19:06, Reindl Harald  wrote:
> well, given all that technical bullshit you are talking on several lists
> at least for 5 years better shut up...

I asked you to stop emailing me directly, so stop emailing me directly.



-- 
Well I've seen the Heart of Darkness/Read the writing on the wall/and the
voice out in the desert/Was the voice out in the hall




Re: Filtering at border routers: Is it possible?

2019-03-24 Thread Grant Taylor

On 3/24/19 6:45 PM, @lbutlr wrote:

Which I posted a few messages upthread.


ACK

Is now. Was not then. Was not for many many years. RFC 8314 is very 
recent.


I think we may be talking about two different things.  I'm talking about 
the protocol that went over the port.  I think you are talking about the 
at-the-time standardization status of the port number.


I don't really care what IANA / IETF / et al. think of the port's 
status.  I'm going by the fact that the industry at large tended to 
think of three main ports:


 · SMTP on TCP port 25
 · SMTPS / submissions on TCP port 465
 · submission on TCP port 587

At least the ports on which the SMTP protocol was used.

The details escape me, but they are different. I think the lowercase 
one is the multicast audio.


Ah.  I wasn't aware of that nuance.  I thought you were alluding to 
something like the difference between SMTP and submission.  IMHO both of 
which use SMTP, albeit for different client bases and purposes.



Oh, look, Wikipedia has some details.




ACK



--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-24 Thread Bill Cole

On 22 Mar 2019, at 20:37, Grant Taylor wrote:

What is wrong with having SMTP Authentication on the MTA port as an 
/option/?


It creates unnecessary attack surface (i.e. one more place a stolen 
credential works.)

It creates error-prone complexity in the configuration.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
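
Added example, not code from the thread or from any MTA: a Python model of the per-port policy Dave Warren and Bill Cole describe above. Port 25 never offers AUTH (no extra place for a stolen credential to work), port 587 advertises and accepts AUTH only after STARTTLS and logs clients that blindly send AUTH first (an AUTH PLAIN initial response carries the password, so a clear-text attempt is worth an operator's attention even though it is refused), and port 465 is TLS from the first byte. The 530 reply text is the RFC 3207 wording; the 503 text, the extension list and the base64 credential string are assumptions/constructed for the example.

```python
# RFC 3207 gives this reply for commands that require TLS first.
STARTTLS_FIRST = "530 5.7.0 Must issue a STARTTLS command first"
# Wording assumed for this example; MTAs differ in the exact text.
NO_AUTH_HERE = "503 5.5.1 AUTH not offered on this port"


class SmtpSession:
    """Minimal server-side model of one SMTP session: only EHLO, STARTTLS and
    AUTH are modelled, enough to show how the policy differs per port."""

    def __init__(self, port):
        self.port = port
        self.tls = (port == 465)        # submissions: implicit TLS from byte one
        self.authenticated = False
        self.events = []                # what an operator would see in the log

    def auth_permitted(self):
        """AUTH is only ever offered on submission ports, and only under TLS."""
        return self.port in (465, 587) and self.tls

    def ehlo(self):
        """Extensions advertised in the EHLO reply for the current state."""
        exts = ["PIPELINING", "8BITMIME"]
        if self.port in (25, 587) and not self.tls:
            exts.append("STARTTLS")
        if self.auth_permitted():
            exts.append("AUTH PLAIN LOGIN")
        return exts

    def starttls(self):
        if self.tls:
            return "503 5.5.1 TLS already active"
        self.tls = True
        return "220 2.0.0 Ready to start TLS"

    def auth(self, mechanism, initial_response=None):
        """Handle AUTH <mechanism> [initial-response]; credential checking is
        out of scope, so a permitted AUTH is simply accepted."""
        if self.port == 25:
            self.events.append(f"port 25: AUTH {mechanism} rejected (not offered)")
            return NO_AUTH_HERE
        if not self.tls:
            note = f"port {self.port}: AUTH {mechanism} before STARTTLS"
            if mechanism.upper() == "PLAIN" and initial_response:
                note += ": credentials sent in the clear"
            self.events.append(note)
            return STARTTLS_FIRST
        self.authenticated = True
        return "235 2.7.0 Authentication successful"


# Constructed base64 of "\0alice\0secret", the AUTH PLAIN initial-response
# shape a careless client sends before the channel is encrypted.
SAMPLE_PLAIN = "AGFsaWNlAHNlY3JldA=="


def walkthrough():
    """Run the three port policies and return the log lines they produce."""
    s587 = SmtpSession(587)
    s587.auth("PLAIN", SAMPLE_PLAIN)        # blind attempt, refused and logged
    s587.starttls()
    s587.auth("PLAIN", SAMPLE_PLAIN)        # now permitted
    s25 = SmtpSession(25)
    s25.starttls()
    s25.auth("LOGIN")                       # never offered on the MTA port
    s465 = SmtpSession(465)
    s465.auth("PLAIN", SAMPLE_PLAIN)        # implicit TLS, permitted at once
    return s587.events + s25.events + s465.events


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

Note what the model does not do: it never advertises AUTH in the pre-TLS EHLO on 587, so a well-behaved client cannot even attempt it, and the refusal on port 25 is unconditional rather than depending on whether STARTTLS happened, which is Bill's point about keeping the MTA port's configuration simple.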


Re: Filtering at border routers: Is it possible?

2019-03-24 Thread LuKreme
On Mar 24, 2019, at 18:51, Reindl Harald  wrote:
>> On 25.03.19 at 01:45, @lbutlr wrote:
>>> On 24 Mar 2019, at 13:12, Grant Taylor  wrote:
>>> Okay, what do you think the difference is in "smtps" and "SMTPS"?
>> 
>> Oh, look, Wikipedia has some details.
>> 
>> 
> IDIOT

Stop replying to me, ok? In fact, never email me again.

> When describing the IANA service registration, the official
> capitalization is "smtps". When describing the network protocol, the
> capitalization "SMTPS" is often used (similar to how HTTPS is capitalized)

No, try reading for comprehension. Lowercase describes a server to server 
connection.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.



Re: Filtering at border routers: Is it possible?

2019-03-24 Thread @lbutlr
On 24 Mar 2019, at 13:12, Grant Taylor  wrote:
> That changed within the last couple of years.  Check out RFC 8314.

Which I posted a few messages upthread.

On 24 Mar 2019, at 13:16, Grant Taylor  wrote:
> On 3/24/19 1:00 PM, @lbutlr wrote:
>> And didn't Microsoft start using it for their non-standard email in Windows 
>> 95?
> 
> I'm not sure how non-standard Microsoft's use of SMTP-over-TLS (SMTPS / TCP 
> port 465) is.  The closest thing I remember to non-standard nature was that 
> they were atypical in their choice of preferring SMTP-over-TLS versus the 
> more common MSA port combined with STARTTLS.  But as far as I know, 
> SMTP-over-TLS / SMTPS / TCP port 465 is standard.

Is now. Was not then. Was not for many many years. RFC 8314 is very recent.

>> Also, smtps and SMTPS are not, oddly, the same thing.
> 
> Okay, what do you think the difference is in "smtps" and "SMTPS"?

The details escape me, but they are different. I think the lowercase one is 
the multicast audio.

Oh, look, Wikipedia has some details.





-- 
MS Word still hasn't caught up -- it has more bells and whistles, but not as
many pistons and cylinders. -- Steve Hayes




Re: Filtering at border routers: Is it possible?

2019-03-24 Thread Grant Taylor

On 3/24/19 1:00 PM, @lbutlr wrote:

And didn't Microsoft start using it for their non-standard email in Windows 95?


I'm not sure how non-standard Microsoft's use of SMTP-over-TLS (SMTPS / 
TCP port 465) is.  The closest thing I remember to non-standard nature 
was that they were atypical in their choice of preferring SMTP-over-TLS 
versus the more common MSA port combined with STARTTLS.  But as far as I 
know, SMTP-over-TLS / SMTPS / TCP port 465 is standard.


Please correct me if I'm wrong.


Also, smtps and SMTPS are not, oddly, the same thing.


Okay, what do you think the difference is in "smtps" and "SMTPS"?

At first blush, the only difference I see is case.  What am I missing?



--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-24 Thread Grant Taylor

On 3/24/19 12:23 PM, Matus UHLAR - fantomas wrote:
In early 1997, the Internet Assigned Numbers Authority registered port 
465 for smtps.[2] Late 1998 this was revoked when STARTTLS was 
standardized.[3]


That changed within the last couple of years.  Check out RFC 8314.

Link - Cleartext Considered Obsolete: Use of Transport Layer Security 
(TLS) for Email Submission and Access

 - https://tools.ietf.org/html/rfc8314

TL;DR:  SMTPS / TCP port 465 is back on the books.  Albeit with a 
weird sordid history.




--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-24 Thread @lbutlr



> On 24 Mar 2019, at 12:23, Matus UHLAR - fantomas  wrote:
> 
>> On 23 Mar 2019, at 14:03, Rupert Gallagher  wrote:
>>> I was royally pissed when they introduced port 587 and deprecated port 465. 
>>> Port 587 is an RFC mandated security loophole. Port 465 is golden.
> 
> On 23.03.19 21:13, @lbutlr wrote:
>> Port 465 was a not-standard MSFT crutch, but is now used for SMTPS and is 
>> fully supported.
> 
> i did think the same, but:
> 
> In early 1997, the Internet Assigned Numbers Authority registered port 465 
> for smtps.[2] Late 1998 this was revoked when STARTTLS was standardized.[3]

And didn't Microsoft start using it for their non-standard email in Windows 95?

Also, smtps and SMTPS are not, oddly, the same thing.


-- 
Up the airy mountains, down the rushy glen... From ghosties and bogles
and long-leggity beasties... My mother said I never should... We dare
not go a-hunting for fear... And things that go bump... Play with the
fairies in the wood... --Lords and Ladies





Re: Filtering at border routers: Is it possible?

2019-03-24 Thread Matus UHLAR - fantomas

On 23 Mar 2019, at 14:03, Rupert Gallagher  wrote:

I was royally pissed when they introduced port 587 and deprecated port 465. 
Port 587 is an RFC mandated security loophole. Port 465 is golden.


On 23.03.19 21:13, @lbutlr wrote:

Port 465 was a not-standard MSFT crutch, but is now used for SMTPS and is fully 
supported.


i did think the same, but:

In early 1997, the Internet Assigned Numbers Authority registered port 465 for 
smtps.[2] Late 1998 this was revoked when STARTTLS was standardized.[3]

[2] http://lists.w3.org/Archives/Public/ietf-tls/1997JanMar/0079.html
[3] 
https://web.archive.org/web/20150603202057/http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html





--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 


Re: Filtering at border routers: Is it possible?

2019-03-24 Thread @lbutlr
On 23 Mar 2019, at 23:06, RALPH HAUSER  wrote:
> STOP EMAILING ME! TAKE ME OFF OF THIS!

No.

You are the only person who can unsubscribe yourself from the list.

In the headers of *EVERY SINGLE* message there are these lines.

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 

Well-designed mail clients will use these headers to allow you to easily 
(usually with a single tap or click) unsubscribe from the list.

Also, when you SUBSCRIBED to the list, you were given instructions on how to 
unsubscribe.

So, help yourself instead of whining for someone else to take care of you.


-- 
We all need help with our feelings. Otherwise, we bottle them up, and
before you know it powerful laxatives are involved.




Re: Filtering at border routers: Is it possible?

2019-03-23 Thread RALPH HAUSER
STOP EMAILING ME! TAKE ME OFF OF THIS!

> On Mar 22, 2019, at 10:04 PM, John Hardin  wrote:
> 
>> On Fri, 22 Mar 2019, Benny Pedersen wrote:
>> 
>> John Hardin skrev den 2019-03-22 22:23:
>> 
>>>> Instead of taking on the job of filtering email for all of your clients 
>>>> (this, to me, will open up a can of worms), why not set a policy that port 
>>>> 25 is blocked by default and customers must request for it to be unblocked?
>>> +1
>> 
>> customers wish for port 25 open relay ?
> 
> huh?
> 
> -- 
> John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
> jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  ...wind turbines are not meant to actually be an efficient way to
>  supply the power grid, rather they're prayer wheels for New Age
>  iBuddhists, their whirring blades drawing white guilt from the
>  atmosphere and pumping it safely underground.-- Tam
> ---
> 722 days since the first commercial re-flight of an orbital booster (SpaceX)



Re: Filtering at border routers: Is it possible?

2019-03-23 Thread @lbutlr
On 23 Mar 2019, at 14:03, Rupert Gallagher  wrote:
> I disagree with Kevin on port 587, because it is vulnerable to mitm attacks. 

You're going to need to back that up with actual facts.

> I was royally pissed when they introduced port 587 and deprecated port 465. 
> Port 587 is an RFC mandated security loophole. Port 465 is golden. 

Port 465 was a not-standard MSFT crutch, but is now used for SMTPS and is fully 
supported.

It will break some oddball multicast audio that was little used, but that is not 
a problem for hardly anyone.


When a TCP connection is established for the "submissions" service (default 
port 465), a TLS handshake begins immediately.  Clients MUST implement the 
certificate validation mechanism described in [RFC7817].  Once the TLS session 
is established, Message Submission protocol data [RFC6409] is exchanged as TLS 
application data for the remainder of the TCP connection.


-- 
Get in there you big furry oaf! I don't care what you smell!




Re: Filtering at border routers: Is it possible?

2019-03-23 Thread Grant Taylor

On 3/23/19 2:03 PM, Rupert Gallagher wrote:
I was royally pissed when they introduced port 587 and deprecated port 
465. Port 587 is an RFC mandated security loophole. Port 465 is golden.


TCP port 465 has retroactively been returned to official status.  It has 
two uses, SMTPS, and something else (I believe) not email related.


But 465 is an official thing again.



--
Grant. . . .
unix || die





RE: Filtering at border routers: Is it possible?

2019-03-23 Thread Giovanni Bechis
On 23 March 2019 12:53:52 CET, Giovanni Bechis  wrote:
>On 22 March 2019 21:31:40 CET, bruno.carva...@xervers.pt wrote:
>>Thank you all for your suggestions.
>>I will follow the path of using a whitelist and block everyone.
>>I can track the IPs, but I thought I could put in place something like
>>OVH does (if their system detects spam being sent, the port on that IP
>>is automatically blocked and the client alerted).
>>
>>Cheers
>>
>>
>>Bruno Carvalho (CEO xervers) | +41 79 884 00 44
>> Please consider the environment before printing this email
>>
>>
>>
>>
>>-Original Message-
>>From: Benny Pedersen
>>Sent: Friday, 22 March 2019 20:55
>>To: users@spamassassin.apache.org
>>Subject: Re: Filtering at border routers: Is it possible?
>>
>>Anthony Hoppe wrote on 2019-03-22 18:23:
>>> Not knowing the details of your environment...
>>> 
>>> Instead of taking on the job of filtering email for all of your 
>>> clients (this, to me, will open up a can of worms), why not set a 
>>> policy that port 25 is blocked by default and customers must request
>
>>> for it to be unblocked?
>>
>>don't relay mail from port 25; mail there is for final recipients only, not
>>forwarded
>>
>>> You can then build a list of who may be using your services to send 
>>> mail and better track if/when undesirable mail is sent from your 
>>> network?
>>
>>ask customers to use port 587 or 465 as common practice
>>
>>but do require SASL auth on these ports, reject all else
>>
>>sadly I see MTAs try to use 587 and 465; I'd like to know which book they
>>read
>
>Hi,
>this is what OVH does (article in French, sorry):
>https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
>  Giovanni

In short you should duplicate outbound smtp traffic to a dedicated box that 
will analyze traffic and drop all emails.
This can be done with amavisd and SA.
Then you should do some accounting and you should find the correct way to 
integrate this with your corporate firewalls to block offending ip addresses.
 Giovanni


Re: Filtering at border routers: Is it possible?

2019-03-23 Thread Rupert Gallagher
I reject tons of spam from OVH. So much that I am banning whole CIDRs. Whatever 
they do, it's not working.

On Sat, Mar 23, 2019 at 12:53, Giovanni Bechis  wrote

> Hi,
> this is what OVH does (article in french, sorry):
> https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
> Giovanni

Re: Filtering at border routers: Is it possible?

2019-03-23 Thread Rupert Gallagher
I agree with Benny on port 25.

I disagree with Kevin on port 587, because it is vulnerable to mitm attacks.

I was royally pissed when they introduced port 587 and deprecated port 465. 
Port 587 is an RFC mandated security loophole. Port 465 is golden.

On Sat, Mar 23, 2019 at 03:01, Kevin A. McGrail  wrote:

> On 3/22/2019 9:44 PM, Noel Butler wrote:
>
>> On 23/03/2019 05:54, Benny Pedersen wrote:
>>
>>> dont relay mail from port 25, mails there is final recipient only, not 
>>> forwared
>>
>> you have not been taking your medication again Benny
>
> Noel, please.  The personal attacks aren't in keeping with our code of 
> conduct.  Please don't email them to the list.
>
> IMO and I believe the RFCs back me up, Port 25 should only be used for local 
> recipients.  Port 587, submissions would be appropriate for submissions 
> requiring other delivery methods and should be protected with SMTP AUTH, for 
> example.  That would certainly be best practice, well supported and easy to 
> add TLS to address.
>
> Getting back to the original question: Yes, you can scan outbound mail for 
> spam and block it.  There are a number of ways to do that.  We also do a LOT 
> with MIMEDefang, LDAP & IPTables, & Access files to extend the edge of the 
> network to the board to avoid backscatter, DDoS attacks, etc.  I've published 
> a lot of stuff about this before and happy to give pointers again.
>
> But in short, set up an SMTP host that allows relay by IP from all your servers 
> behind it and set those servers to use the SMTP host as a smarthost.  On the 
> smarthost, you can use amavisd-new and drop/redir mail that is considered 
> spam.  More complex solutions are available with alerting, rate limiting, etc.
>
> Regards,
>
> KAM
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail
> - 703.798.0171

RE: Filtering at border routers: Is it possible?

2019-03-23 Thread Giovanni Bechis
On 22 March 2019 21:31:40 CET, bruno.carva...@xervers.pt wrote:
>Thank you all for your suggestions.
>I will follow the path of using a whitelist and block everyone.
>I can track the IPs, but I thought I could put in place something like
>OVH does (if their system detects spam being sent, the port on that IP
>is automatically blocked and the client alerted).
>
>Cheers
>
>
>Bruno Carvalho (CEO xervers) | +41 79 884 00 44
> Please consider the environment before printing this email
>
>
>
>
>-Original Message-
>From: Benny Pedersen
>Sent: Friday, 22 March 2019 20:55
>To: users@spamassassin.apache.org
>Subject: Re: Filtering at border routers: Is it possible?
>
>Anthony Hoppe wrote on 2019-03-22 18:23:
>> Not knowing the details of your environment...
>> 
>> Instead of taking on the job of filtering email for all of your 
>> clients (this, to me, will open up a can of worms), why not set a 
>> policy that port 25 is blocked by default and customers must request 
>> for it to be unblocked?
>
>don't relay mail from port 25; mail there is for final recipients only, not
>forwarded
>
>> You can then build a list of who may be using your services to send 
>> mail and better track if/when undesirable mail is sent from your 
>> network?
>
>ask customers to use port 587 or 465 as common practice
>
>but do require SASL auth on these ports, reject all else
>
>sadly I see MTAs try to use 587 and 465; I'd like to know which book they
>read

Hi,
this is what OVH does (article in French, sorry):
https://www.numerama.com/magazine/26297-ovh-copie-et-analyse-tous-les-e-mails-sortant-de-ses-serveurs.html
  Giovanni


Re: Filtering at border routers: Is it possible?

2019-03-23 Thread Matus UHLAR - fantomas

On 3/22/19 7:01 PM, Dave Warren wrote:
To me, the big one is this: It sets your users up for failure. If a 
user configures their client on a network that allows unrestricted 
port 25 access and later moves (temporarily or permanently) to a 
network that does restrict port 25, they'll get an error and you'll 
get a support ticket.


On 22.03.19 21:43, Grant Taylor wrote:

Valid as that is, that is addressing a client issue, not a server issue.


it's better to prevent client issues immediately, when configuring the MUA, than
later when the client is on vacation across the world.

You'll save yourself a lot of hassle if you get clients set up right 
from the start rather than fixing user configurations after the 
fact.


Agreed.  But configuring clients to use port 587 or 465 does not 
preclude allowing SMTP Authentication on port 25.


One other consideration, although this is more opinion than fact: In 
my experience users/clients that still default to port 25 often 
don't default to STARTTLS and therefore will transmit an unencrypted 
password at least once (even if you refuse it and instruct them to 
authenticate, the damage could already have been done). Forcing 465 
is the only way to ensure that this can't happen, but clients that 
default to 587 are far more likely to default to using encryption.


There is another way.  You can configure the server to not offer SMTP 
Authentication until after encryption is established with STARTTLS.


postfix option smtpd_tls_auth_only (default no - I wonder why) does this.
However, if you are able to force clients using alternative ports, it's
better to disable auth on port 25 altogether.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: Filtering at border routers: Is it possible?

2019-03-23 Thread @lbutlr
On 22 Mar 2019, at 13:00, Matt V  wrote:

>   

WHY⁉️

Don't do this, it is just hostile.



-- 
The Force can have a strong influence on a weak mind.




Re: Filtering at border routers: Is it possible?

2019-03-22 Thread John Hardin

On Fri, 22 Mar 2019, Benny Pedersen wrote:


John Hardin wrote on 2019-03-22 22:23:

Instead of taking on the job of filtering email for all of your clients 
(this, to me, will open up a can of worms), why not set a policy that port 
25 is blocked by default and customers must request for it to be 
unblocked?


+1


customers wish for port 25 open relay?


huh?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...wind turbines are not meant to actually be an efficient way to
  supply the power grid, rather they're prayer wheels for New Age
  iBuddhists, their whirring blades drawing white guilt from the
  atmosphere and pumping it safely underground.-- Tam
---
 722 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Grant Taylor

On 3/22/19 8:01 PM, Kevin A. McGrail wrote:
Noel, please.  The personal attacks aren't in keeping with our code of 
conduct.  Please don't email them to the list.


+1

Let's keep things professional.

IMO and I believe the RFCs back me up, Port 25 should only be used for 
local recipients.  Port 587, submissions would be appropriate for 
submissions requiring other delivery methods and should be protected 
with SMTP AUTH, for example.  That would certainly be best practice, 
well supported and easy to add TLS to address.


I agree in spirit.  But I know that port 25 is used for a lot more than 
just local delivery.  Various forms of mail routing come to mind.  To 
the best of my knowledge, all the ESPs that offer ingress filtering 
receive email on port 25 and send it to clients private email servers on 
port 25 too.  Then there are scanning appliances that can be self hosted 
that do the same thing.


Getting back to the original question: Yes, you can scan outbound mail 
for spam and block it.  There are a number of ways to do that.  We also 
do a LOT with MIMEDefang, LDAP & IPTables, & Access files to extend the 
edge of the network to the board to avoid backscatter, DDoS attacks, 
etc.  I've published a lot of stuff about this before and happy to give 
pointers again.


Yes, it is possible to do.  But if the OP is running a co-location 
facility and offering connectivity for clients to host their own servers 
on the Internet, I think s/he should NOT be interfering with their SMTP 
flows.


But in short, set up an SMTP host that allows relay by IP from all your 
servers behind it and set those servers to use the SMTP host as a 
smarthost.  On the smarthost, you can use amavisd-new and drop/redir 
mail that is considered spam.  More complex solutions are available with 
alerting, rate limiting, etc.


I think this type of configuration is great when all of the server are 
under one company / administration.  I.e. enterprise, university, what 
have you.  But I don't think this is proper for a Co-Lo facility.


I am willing to accept a default block that has an easy process to 
remove the block.  Anything else and I'd take my business elsewhere.


If the OP is running a Co-Lo facility, I would advise SWIP and / or RWHOIS.



--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Grant Taylor

On 3/22/19 7:01 PM, Dave Warren wrote:
To me, the big one is this: It sets your users up for failure. If a user 
configures their client on a network that allows unrestricted port 25 
access and later moves (temporarily or permanently) to a network that 
does restrict port 25, they'll get an error and you'll get a support 
ticket.


Valid as that is, that is addressing a client issue, not a server issue.

You'll save yourself a lot of hassle if you get clients set up right 
from the start rather than fixing user configurations after the fact.


Agreed.  But configuring clients to use port 587 or 465 does not 
preclude allowing SMTP Authentication on port 25.


One other consideration, although this is more opinion than fact: In my 
experience users/clients that still default to port 25 often don't 
default to STARTTLS and therefore will transmit an unencrypted password 
at least once (even if you refuse it and instruct them to authenticate, 
the damage could already have been done). Forcing 465 is the only way to 
ensure that this can't happen, but clients that default to 587 are far 
more likely to default to using encryption.


There is another way.  You can configure the server to not offer SMTP 
Authentication until after encryption is established with STARTTLS.




--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Benny Pedersen

Noel Butler wrote on 2019-03-23 02:44:


you have not been taking your medication again Benny


it keeps me awake at least :)

it's the weekend and I was bored creating a Gentoo ebuild for pymilter 1.0.2; 
repoman -d full is happy, so I am as well


Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Kevin A. McGrail
On 3/22/2019 9:44 PM, Noel Butler wrote:
>
> On 23/03/2019 05:54, Benny Pedersen wrote:
>
>>
>> dont relay mail from port 25, mails there is final recipient only,
>> not forwared
>>  
>  
>
> you have not been taking your medication again Benny
>
Noel, please.  The personal attacks aren't in keeping with our code of
conduct.  Please don't email them to the list.

IMO and I believe the RFCs back me up, Port 25 should only be used for
local recipients.  Port 587, submissions would be appropriate for
submissions requiring other delivery methods and should be protected
with SMTP AUTH, for example.  That would certainly be best practice,
well supported and easy to add TLS to address.

Getting back to the original question: Yes, you can scan outbound mail
for spam and block it.  There are a number of ways to do that.  We also
do a LOT with MIMEDefang, LDAP & IPTables, & Access files to extend the
edge of the network to the board to avoid backscatter, DDoS attacks,
etc.  I've published a lot of stuff about this before and happy to give
pointers again. 

But in short, set up an SMTP host that allows relay by IP from all your
servers behind it and set those servers to use the SMTP host as a
smarthost.  On the smarthost, you can use amavisd-new and drop/redir
mail that is considered spam.  More complex solutions are available with
alerting, rate limiting, etc.

Regards,

KAM


-- 
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Noel Butler
On 23/03/2019 05:54, Benny Pedersen wrote:

> dont relay mail from port 25, mails there is final recipient only, not 
> forwared

you have not been taking your medication again Benny

-- 
Kind Regards, 

Noel Butler 


Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Dave Warren

On 2019-03-22 18:37, Grant Taylor wrote:

On 3/22/19 3:23 PM, Benny Pedersen wrote:

you only need sasl auth


You should do the SMTP Authentication across STARTTLS to protect 
credentials.


do not enable SASL auth on port 25; if it lists AUTH in the port 25 EHLO, 
you will need to remove it in postfix main.cf


enable sasl auth only on port 465 and 587


What is wrong with having SMTP Authentication on the MTA port as an 
/option/?


To me, the big one is this: It sets your users up for failure. If a user 
configures their client on a network that allows unrestricted port 25 
access and later moves (temporarily or permanently) to a network that 
does restrict port 25, they'll get an error and you'll get a support ticket.


You'll save yourself a lot of hassle if you get clients set up right 
from the start rather than fixing user configurations after the fact.


One other consideration, although this is more opinion than fact: In my 
experience users/clients that still default to port 25 often don't 
default to STARTTLS and therefore will transmit an unencrypted password 
at least once (even if you refuse it and instruct them to authenticate, 
the damage could already have been done). Forcing 465 is the only way to 
ensure that this can't happen, but clients that default to 587 are far 
more likely to default to using encryption.


Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Dave Warren

On 2019-03-22 18:39, Grant Taylor wrote:

On 3/22/19 3:29 PM, Benny Pedersen wrote:

customers wish for port 25 open relay?


Having unfettered access to send traffic to TCP port 25 is /not/ the 
same thing as an open relay.


Especially if you are a host with your clients running self-managed 
servers and you therefore cannot guess at what software they might run.


I like the idea of restricting port 25 access by default although it 
should be easy to unblock -- The point isn't to annoy customers, just to 
reduce the odds of a compromised website/script being able to spew spam.


I also wouldn't offer unblocking of port 25 under a free trial, I would 
instead suggest offering a very generous refund policy for the same 
duration as a trial if your business model offers free trials. I don't 
know if this is still the case, but in the past spammers would sign up 
using free or ultra-cheap services to get a few days worth of spamming 
out of an account.




Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Grant Taylor

On 3/22/19 3:29 PM, Benny Pedersen wrote:

customers wish for port 25 open relay?


Having unfettered access to send traffic to TCP port 25 is /not/ the 
same thing as an open relay.




--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Grant Taylor

On 3/22/19 3:23 PM, Benny Pedersen wrote:

you only need sasl auth


You should do the SMTP Authentication across STARTTLS to protect 
credentials.


do not enable SASL auth on port 25; if it lists AUTH in the port 25 EHLO, 
you will need to remove it in postfix main.cf


enable sasl auth only on port 465 and 587


What is wrong with having SMTP Authentication on the MTA port as an 
/option/?


Sure, /requiring/ SMTP Authentication on an inbound MX is a bad idea and 
a non-starter.


But I don't think there's any reason why it can't be there as an option. 
 I just tested and confirmed that Gmail will deliver perfectly fine 
with the AUTH option presented after EHLO.



all else is insane


Why is having the SMTP Auth option insane on an MTA?



--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Grant Taylor

On 3/22/19 1:54 PM, Benny Pedersen wrote:

don't relay mail from port 25,


What do you mean by that?

Are you talking about the TCP connection originating from port 25?  Or 
something else?


Also, why not?


mail there is for final recipients only, not forwarded


I disagree.

I see people forward old university email (comes into university system 
on port 25) to somewhere else (again port 25), which is then forwarded a 
2nd time to the final destination (again port 25).



ask customers to use port 587 or 465 as common practice


Yes, a common practice.  But far from a requirement.



--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Benny Pedersen

John Hardin wrote on 2019-03-22 22:23:

Instead of taking on the job of filtering email for all of your 
clients (this, to me, will open up a can of worms), why not set a 
policy that port 25 is blocked by default and customers must request 
for it to be unblocked?


+1


customers wish for port 25 open relay?


Re: RE: Filtering at border routers: Is it possible?

2019-03-22 Thread Rupert Gallagher
I think you are in for a lot of pain. This is the view from my seat. If my 
company has a client that sends spam using my IP, then my IP earns a bad 
reputation and is blacklisted. Therefore, my other clients are blacklisted too, 
even if they do not send spam. If I do not solve the problem, then I will lose 
all of my clients and go bankrupt, eventually.

As a businessman with complaining clients, I must hire a *professional* 
consultant who gets under my skin and finally tells me what my problem *is* and 
how to solve it.

None of us in this list can bear responsibility for your decisions.

Out of curiosity, did you look for potential consultants? How much did they 
ask for taking on your problem?

On Fri, Mar 22, 2019 at 21:31,  wrote:

> Thank you all for your suggestions.
> I will follow the path of using a whitelist and block everyone.
> I can track the IPs, but I thought I could put in place something like OVH 
> does (if their system detects spam being sent, the port on that IP is 
> automatically blocked and the client alerted).
>
> Cheers
>
> Bruno Carvalho (CEO xervers) | +41 79 884 00 44
>  Please consider the environment before printing this email
>
> -Original Message-
> From: Benny Pedersen 
> Sent: Friday, 22 March 2019 20:55
> To: users@spamassassin.apache.org
> Subject: Re: Filtering at border routers: Is it possible?
>
> Anthony Hoppe wrote on 2019-03-22 18:23:
>> Not knowing the details of your environment...
>>
>> Instead of taking on the job of filtering email for all of your
>> clients (this, to me, will open up a can of worms), why not set a
>> policy that port 25 is blocked by default and customers must request
>> for it to be unblocked?
>
> don't relay mail from port 25; mail there is for final recipients only, not 
> forwarded
>
>> You can then build a list of who may be using your services to send
>> mail and better track if/when undesirable mail is sent from your
>> network?
>
> ask customers to use port 587 or 465 as common practice
>
> but do require SASL auth on these ports, reject all else
>
> sadly I see MTAs try to use 587 and 465; I'd like to know which book they read

Re: Filtering at border routers: Is it possible?

2019-03-22 Thread John Hardin

On Fri, 22 Mar 2019, Anthony Hoppe wrote:


Not knowing the details of your environment...

Instead of taking on the job of filtering email for all of your clients 
(this, to me, will open up a can of worms), why not set a policy that 
port 25 is blocked by default and customers must request for it to be 
unblocked?


+1

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 722 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Benny Pedersen

bruno.carva...@xervers.pt wrote on 2019-03-22 21:31:

Thank you all for your suggestions.
I will follow the path of using a whitelist and block everyone.
I can track the IPs, but I thought I could put in place something like
OVH does (if their system detects spam being sent, the port on that IP
is automatically blocked and the client alerted).


whitelist ?

you only need sasl auth

do not enable SASL auth on port 25; if it lists AUTH in the port 25 EHLO, 
you will need to remove it in postfix main.cf


enable sasl auth only on port 465 and 587

all else is insane
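Benny's advice above (SASL only on 465 and 587, nothing on 25), Matus's note about smtpd_tls_auth_only and Grant's point that AUTH can stay on 25 as an option once it is only announced after STARTTLS all come down to what Postfix advertises on each smtpd service. The following is an added example, not code from any poster and not part of Postfix: a small Python audit that reads the text of `postconf -n` and `postconf -M` and flags the combinations the thread warns about. The two sample configurations are constructed; the finding texts are mine, the built-in defaults used for unset parameters are the ones documented in postconf(5), and the audit treats `smtpd_tls_security_level=encrypt` or `smtpd_tls_wrappermode=yes` as forcing TLS before anything else can happen.

```python
"""Audit Postfix SASL/TLS settings per smtpd service (added example for the thread,
not any poster's code and not part of Postfix).  Input: `postconf -n` text and
`postconf -M` text (one service per line, `-o key=value` overrides inline)."""

# Documented Postfix defaults for parameters absent from `postconf -n`.
DEFAULTS = {"smtpd_sasl_auth_enable": "no", "smtpd_tls_auth_only": "no",
            "smtpd_tls_security_level": "none",  # really empty, which behaves as "none"
            "smtpd_tls_wrappermode": "no"}
# master.cf service names as /etc/services resolves them on most systems.
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465, "submissions": 465}

# Constructed weak configuration: SASL on everywhere, STARTTLS optional, AUTH
# announced before TLS, and 465 served as STARTTLS instead of implicit TLS.
WEAK_MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_security_level = may\nsmtpd_tls_auth_only = no\n"
WEAK_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd -o syslog_name=postfix/submission
smtps      inet  n  -  y  -  -  smtpd -o syslog_name=postfix/smtps -o smtpd_tls_security_level=encrypt
"""
# Constructed hardened configuration along Benny's lines: no AUTH on 25, mandatory
# STARTTLS plus SASL on 587, implicit TLS plus SASL on 465.
HARDENED_MAIN_CF = "smtpd_sasl_auth_enable = no\nsmtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n"
HARDENED_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  y  -  -  smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
"""


def parse_main_cf(text):
    """`postconf -n` output: one `key = value` per line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """`postconf -M` output: service type private unpriv chroot wakeup maxproc command [args].
    Returns (service, type, command, {override: value}) per service."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0].startswith("#"):
            continue
        overrides, args = {}, fields[8:]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                overrides[key] = value
        services.append((fields[0], fields[1], fields[7], overrides))
    return services


def service_port(name):
    """Map the master.cf service field ('smtp', '587', '0.0.0.0:465', ...) to a TCP port."""
    _, sep, tail = name.rpartition(":")
    tail = tail if sep else name
    return int(tail) if tail.isdigit() else SERVICE_PORTS.get(tail)


def audit(main_cf_text, master_cf_text):
    """Return [(port, finding), ...] for every inet smtpd service; empty if all is well."""
    main_params = parse_main_cf(main_cf_text)
    findings = []
    for name, stype, command, overrides in parse_master_cf(master_cf_text):
        if stype != "inet" or command != "smtpd":
            continue
        port = service_port(name)

        def setting(param):
            # A per-service -o override beats main.cf, which beats the built-in default.
            return overrides.get(param, main_params.get(param, DEFAULTS[param]))

        sasl = setting("smtpd_sasl_auth_enable") == "yes"
        auth_only_after_tls = setting("smtpd_tls_auth_only") == "yes"
        level = setting("smtpd_tls_security_level") or "none"
        wrapper = setting("smtpd_tls_wrappermode") == "yes"
        tls_mandatory = level == "encrypt" or wrapper

        if port == 25 and sasl:
            findings.append((port, "AUTH enabled on the MX port; move clients to 587/465 or drop it"))
        if sasl and not (auth_only_after_tls or tls_mandatory):
            findings.append((port, "AUTH announced before TLS: a client may send plaintext credentials"))
        if port in (587, 465) and not sasl:
            findings.append((port, "submission service without SASL AUTH"))
        if port == 587 and level != "encrypt":
            findings.append((port, "STARTTLS optional on 587; set smtpd_tls_security_level=encrypt"))
        if port == 465 and not wrapper:
            findings.append((port, "465 is implicit TLS (RFC 8314); set smtpd_tls_wrappermode=yes"))
    return findings


if __name__ == "__main__":
    for label, main_cf, master_cf in (("weak", WEAK_MAIN_CF, WEAK_MASTER_CF),
                                      ("hardened", HARDENED_MAIN_CF, HARDENED_MASTER_CF)):
        result = audit(main_cf, master_cf)
        print(f"{label}: {len(result)} finding(s)")
        for port, text in result:
            print(f"  port {port}: {text}")
```

Against a live server, feed the output of `postconf -n` and `postconf -M` into `audit()`. The weak sample produces five findings (two on 25, two on 587, one on 465) and the hardened one none; Grant's variant, SASL left on globally but with `smtpd_tls_auth_only = yes`, reduces port 25 to the single informational finding that AUTH is still offered there.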


RE: Filtering at border routers: Is it possible?

2019-03-22 Thread bruno.carvalho
Thank you all for your suggestions.
I will follow the path of using a whitelist and block everyone.
I can track the IPs, but I thought I could put in place something like OVH does 
(if their system detects spam being sent, the port on that IP is 
automatically blocked and the client alerted).

Cheers


Bruno Carvalho (CEO xervers) | +41 79 884 00 44
 Please consider the environment before printing this email




-Original Message-
From: Benny Pedersen 
Sent: Friday, 22 March 2019 20:55
To: users@spamassassin.apache.org
Subject: Re: Filtering at border routers: Is it possible?

Anthony Hoppe wrote on 2019-03-22 18:23:
> Not knowing the details of your environment...
> 
> Instead of taking on the job of filtering email for all of your 
> clients (this, to me, will open up a can of worms), why not set a 
> policy that port 25 is blocked by default and customers must request 
> for it to be unblocked?

don't relay mail from port 25; mail there is for final recipients only, not forwarded

> You can then build a list of who may be using your services to send 
> mail and better track if/when undesirable mail is sent from your 
> network?

ask customers to use port 587 or 465 as common practice

but do require SASL auth on these ports, reject all else

sadly I see MTAs try to use 587 and 465; I'd like to know which book they read



Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Benny Pedersen

Anthony Hoppe wrote on 2019-03-22 18:23:

Not knowing the details of your environment...

Instead of taking on the job of filtering email for all of your
clients (this, to me, will open up a can of worms), why not set a
policy that port 25 is blocked by default and customers must request
for it to be unblocked?


don't relay mail from port 25; mail there is for final recipients only, not 
forwarded



You can then build a list of who may be using your services to send
mail and better track if/when undesirable mail is sent from your
network?


ask customers to use port 587 or 465 as common practice

but do require SASL auth on these ports, reject all else

sadly I see MTAs try to use 587 and 465; I'd like to know which book they 
read


Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Grant Taylor

On 3/22/19 10:59 AM, Bruno Carvalho wrote:

Hello Folks.


Hi,

I've just joined this list, I didn't read all rules yet (just some), so 
bear with me if my question is misplaced.


Welcome.

I own a small datacenter with 4 uplinks. And I received complaints that 
some of my clients are using my services for sending spam.


If I were you, I would ask for more details and / or examples of said spam.

I wanted to know if it is possible to set up SpamAssassin on a VPS or 
something and have the port 25 redirected to it from border routers.


No, yes, and no you shouldn't.

No, SpamAssassin by itself can't receive SMTP traffic.

Yes, you can set something up to receive the (redirected) SMTP traffic, 
send it through SpamAssassin, and send clean email out to the world.


(IMHO)  No, you should not do this.  -  If I were a (COLO) customer of 
yours and implemented a policy like this, I'd be quite hot under the 
collar and looking to move my services ASAP.  -  Communications between 
you and your customers can help this.



Important note: I don't know what domains are hosted inside my network.


Depending on what your service is, this may be okay, or this may be a 
Bad Thing™.  IMHO it's okay if a COLO doesn't know the domains that are 
hosted by its customers.  I think it's a Bad Thing™ if they are your 
own servers for your own business and you don't know what domains you host.



What i know is that 98% of the spam sent is using port 25.


I'm somewhat surprised it's not higher.  I say this because by 
standards, MTAs receive email on TCP port 25.  So I'd be surprised if 
there is anything measurable coming in over something other than port 25.


So, if someone knows a way to filter the mail traffic and block outbound 
spam, I will be thankful.


I question if it's your responsibility to filter the traffic.  Instead, 
I think you should get information about your internal IPs from the 
people reporting the spam and deal with this as a COLO customer that is 
perpetuating abusive activity and deal with it accordingly.


If you really have no idea what IPs are sending SMTP traffic, I would 
highly recommend something like NetFlow so that you can get information 
about the IPs that are sending SMTP traffic in your network.




--
Grant. . . .
unix || die





Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Matt V
M3AAWG has a BCP for hosting providers, you might find some valuable 
ideas within it on how to address your issues:


https://www.m3aawg.org/sites/default/files/document/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf

Cheers,

Matt


On 2019-03-22 12:59 p.m., Bruno Carvalho wrote:


Hello Folks.

I've just joined this list, I didn't read all rules yet (just some), 
so bear with me if my question is misplaced.


I own a small datacenter with 4 uplinks. And I received complaints that 
some of my clients are using my services for sending spam.
I wanted to know if it is possible to set up SpamAssassin on a VPS or 
something and have the port 25 redirected to it from border routers.


Important note: I don't know what domains are hosted inside my network.

What i know is that 98% of the spam sent is using port 25.

So, if someone knows a way to filter the mail traffic and block 
outbound spam, I will be thankful.


Regards

--

Bruno Carvalho (CEO xervers) | +41 79 884 00 44
Please consider the environment before printing this email

Visit our website <https://www.xervers.pt>
Facebook <https://www.facebook.com/xervers/>Twitter 
<https://twitter.com/xervers>



--
~
MATT VERNHOUT



Re: Filtering at border routers: Is it possible?

2019-03-22 Thread @lbutlr
On 22 Mar 2019, at 10:59, Bruno Carvalho  wrote:
> So, if someone knows a way to filter the mail traffic and block outbound 
> spam, i will be thankfull.

tl;dr this is not a problem for SpamAssassin to fix.

All outbound mail from anyone in your datacenter running a mail server will 
have to go out on port 25. If you are having spam problems you should be able 
to track exactly who is doing that and shut them down. Trying to filter out 
spam is not the solution as spam filtering is not perfect.

Don't host spammers.

If your datacenter is setup so that you cannot track the spammers down and kick 
them off, then you have far more serious problems.

Or, block port 25 outbound.


-- 
I used to work in a fire hydrant factory. You couldn't park anywhere near the 
place.






Re: Filtering at border routers: Is it possible?

2019-03-22 Thread Anthony Hoppe
Not knowing the details of your environment... 

Instead of taking on the job of filtering email for all of your clients (this, 
to me, will open up a can of worms), why not set a policy that port 25 is 
blocked by default and customers must request for it to be unblocked? 

You can then build a list of who may be using your services to send mail and 
better track if/when undesirable mail is sent from your network? 

Just a thought. 

~ Anthony 

> From: "Bruno Carvalho" 
> To: "SpamAssassin" 
> Sent: Friday, March 22, 2019 9:59:56 AM
> Subject: Filtering at border routers: Is it possible?

> Hello Folks.

> I've just joined this list, i didn't read all rules yet (just some), so bear
> with me if my question is misplaced.

> I own a small datacenter with 4 uplinks. And i received complaints that some of
> my clients are using my services for sending spam.
> I wanted to know if it is possible to setup spamassassin on a VPS or something
> and have the port 25 redirected to it from border routers.

> Important note: I don't know what domains are hosted inside my network.

> What i know is that 98% of the spam sent is using port 25.

> So, if someone knows a way to filter the mail traffic and block outbound 
> spam, i
> will be thankful.

> Regards
> --



> Bruno Carvalho (CEO xervers) | +41 79 884 00 44
> Please consider the environment before printing this email  [
> https://www.xervers.pt/ ]
> [ https://www.facebook.com/xervers/ ] [ https://twitter.com/xervers ]


Filtering at border routers: Is it possible?

2019-03-22 Thread Bruno Carvalho
Hello Folks. 

I've just joined this list, i didn't read all rules yet (just some), so
bear with me if my question is misplaced. 

I own a small datacenter with 4 uplinks. And i received complaints that
some of my clients are using my services for sending spam.
I wanted to know if it is possible to setup spamassassin on a VPS or
something and have the port 25 redirected to it from border routers. 

Important note: I don't know what domains are hosted inside my network. 

What i know is that 98% of the spam sent is using port 25. 

So, if someone knows a way to filter the mail traffic and block outbound
spam, i will be thankful. 

Regards

-- 

Bruno Carvalho (CEO xervers) | +41 79 884 00 44
Please consider the environment before printing this email

https://www.xervers.pt
https://www.facebook.com/xervers/
https://twitter.com/xervers

Re: Is $THIS possible?

2018-11-27 Thread Grant Taylor

Hi Giovanni,

On 11/27/2018 12:56 AM, Giovanni Bechis wrote:
> I do not know if it's viable for your own use but amavisd penpal feature 
> could be an option (https://www.ijs.si/software/amavisd/#features-spam) It 
> creates a redis database where it correlates outbound msg-id and replies 
> so it can subtract score if an email msg it's a reply to a known sender.

Intriguing.  I'll have to check that out.

It sounds like it's conceptually similar to a stateful firewall for 
email.  As in if there is known email conversation state (akin to 
connection state) then a (small?) value is deducted from the spam score. 
Thus meaning messages that might be flagged as spam on their own might 
pass through unmodified if they are part of an ongoing conversation.


Very interesting.

Thank you for sharing amavisd penpal with me.  :-)



--
Grant. . . .
unix || die





Re: Is $THIS possible?

2018-11-26 Thread Giovanni Bechis
On 11/26/18 11:10 PM, Grant Taylor wrote:
> On 11/26/2018 02:33 PM, Martin Gregorie wrote:
>> I think that fear is unfounded
> 
> Please don't mistake my laziness as fear.  I simply am not motivated enough 
> to construct a solution that will harvest outgoing recipient addresses.
> 
I do not know if it's viable for your own use but amavisd penpal feature could 
be an option (https://www.ijs.si/software/amavisd/#features-spam)
It creates a redis database where it correlates outbound msg-id and replies so 
it can subtract score if an email msg it's a reply to a known sender.

 Giovanni


> I might be interested and motivated enough to (eventually) construct 
> something to check against an LDAP address book.  —  I've been pontificating 
> creating an LDAP address book anyway.  So if something else can make use of 
> it, all the better.  Especially if said something else is directly related to 
> email (filtering).
> 
>> IOW, if you build a whitelist containing just the addresses your outgoing 
>> mail is addressed to and periodically trim it to retain only addresses that 
>> stuff has been sent to in the last 24 months years I predict that your list 
>> size will stabilise despite user churn simply because most people's address 
>> lists don't change much from year to year.
> 
> That all makes sense and I tend to agree with it.  It's just not what I'm 
> currently pontificating doing.
> 
>> And, of course, mail concerning online purchases is 99% incoming, so the 
>> addresses on it will never get into this type of whitelist.
> 
> I initially think the same thing about address books.  But some MUAs have an 
> option (maybe on by default) that automatically add senders and / or outgoing 
> recipients to their address book.  I prefer to manually manage my address 
> book.  —  But that's just me and I do realize that I'm odd like that.
> 
> 
> 



Re: Is $THIS possible?

2018-11-26 Thread Grant Taylor

On 11/26/2018 02:33 PM, Martin Gregorie wrote:
> I think that fear is unfounded

Please don't mistake my laziness as fear.  I simply am not motivated 
enough to construct a solution that will harvest outgoing recipient 
addresses.

I might be interested and motivated enough to (eventually) construct 
something to check against an LDAP address book.  —  I've been 
pontificating creating an LDAP address book anyway.  So if something 
else can make use of it, all the better.  Especially if said something 
else is directly related to email (filtering).

> IOW, if you build a whitelist containing just the addresses your outgoing 
> mail is addressed to and periodically trim it to retain only addresses 
> that stuff has been sent to in the last 24 months years I predict 
> that your list size will stabilise despite user churn simply because 
> most people's address lists don't change much from year to year.

That all makes sense and I tend to agree with it.  It's just not what 
I'm currently pontificating doing.

> And, of course, mail concerning online purchases is 99% incoming, so 
> the addresses on it will never get into this type of whitelist.

I initially think the same thing about address books.  But some MUAs 
have an option (maybe on by default) that automatically add senders and 
/ or outgoing recipients to their address book.  I prefer to manually 
manage my address book.  —  But that's just me and I do realize that I'm 
odd like that.




--
Grant. . . .
unix || die





Re: Is $THIS possible?

2018-11-26 Thread Martin Gregorie
On Mon, 2018-11-26 at 12:38 -0700, Grant Taylor wrote:
> I agree with your logic.  But I don't know if I want to organically
> grow the list based on outgoing email recipients.  I think I'd rather
> use the contents of address books.  (Obviously something needs to get
> said address book data from MUAs to the server where it can use it.)
> 
I think that fear is unfounded unless your user population has a fairly
high turnover. Mine is static: my database is a mail archive with just
myself as user, so has an absolutely stable user base. I use a view to
generate the address whitelist by selecting only the addresses that
I've sent mail to so, for instance this automatically deselects almost
all the addresses in mass mailing I've received. The current stats are:

messages archived:189997 
all addresses: 15936
whitelisted addresses: 10919

I don't normally keep stats on the whitelist size but I do watch the
other two and have noticed that the whole address list has stayed at
around 15,000 entries for several years, which is fairly amazing
considering the number of 'mass mailings' I get from friends and around
Xmas.

IOW, if you build a whitelist containing just the addresses your
outgoing mail is addressed to and periodically trim it to retain only
addresses that stuff has been sent to in the last 24 months years I
predict that your list size will stabilise despite user churn simply
because most people's address lists don't change much from year to
year. And, of course, mail concerning online purchases is 99% incoming,
so the addresses on it will never get into this type of whitelist.
 
Martin



> > Other points:
> > 
> > - if each address entry carries the date mail was last sent to it 
> > you'll have an easy way to purge the list of addresses that nobody 
> > has corresponded with in, say, the last two years: this 'time to
> > live' 
> > is long enough to deal with annual subscriptions, etc.
> > 
> > - you'll also need a tool for removing spammers that got on because
> > a 
> > user clicked 'send' without reading a message carefully enough to
> > see 
> > that it was spam
> 
> I understand your points.  But I think your point's merit depends on
> the 
> organic / automatic growth from outgoing email.  Which I'm not
> wanting 
> to do at this time.
> 
> > I've had this sort of system running for about 10 years now, using 
> > PostgreSQL as the database. By and large this looks after itself
> > without 
> > needing more than sporadic maintenance, usually when PostgreSQL has
> > a 
> > major upgrade every year or two. But then PostgreSQL is designed to
> > be 
> > self maintaining apart from making periodic backups. I do these
> > weekly.
> 
> ACK
> 
> I wonder if I could leverage LDAP instead of a (more) traditional
> SQL 
> database.  That way the same data set might be used for more than
> just 
> this purpose.  It might even be possible to use the LDAP address book
> as 
> the data source for this.  }:-)
> 
> I suspect I could just as easily have something dynamically update
> the 
> LDAP address book as I could an SQL database.  Granted, the
> mechanics 
> would be different, but it could still be done.
> 
> Thank you for confirming that (something along the lines of) $THIS
> is 
> possible.
> 
> 
> 



Re: Is $THIS possible?

2018-11-26 Thread Grant Taylor

On 11/26/2018 06:08 AM, Martin Gregorie wrote:
> Write yourself a plugin which looks up a database table of known 
> addresses. That's not hard if you know a bit of Perl,

ACK

> though the list of incoming addresses sounds too simplistic to be much 
> use: how would it distinguish between spammers and non-spammers?

My idea is to use the number of recognized vs unrecognized addresses in 
the To: & CC: headers as a signal of how likely the message is to be 
spam.  (This is where I was considering adding something to the spam 
score for each unrecognized address.)

> Instead, consider populating the database with addresses that your users 
> have sent mail to because by and large these will not be spammers.

I agree with your logic.  But I don't know if I want to organically grow 
the list based on outgoing email recipients.  I think I'd rather use the 
contents of address books.  (Obviously something needs to get said 
address book data from MUAs to the server where it can use it.)

> Other points:
>
> - if each address entry carries the date mail was last sent to it 
>   you'll have an easy way to purge the list of addresses that nobody 
>   has corresponded with in, say, the last two years: this 'time to live' 
>   is long enough to deal with annual subscriptions, etc.
>
> - you'll also need a tool for removing spammers that got on because a 
>   user clicked 'send' without reading a message carefully enough to see 
>   that it was spam

I understand your points.  But I think your point's merit depends on the 
organic / automatic growth from outgoing email.  Which I'm not wanting 
to do at this time.

> I've had this sort of system running for about 10 years now, using 
> PostgreSQL as the database. By and large this looks after itself without 
> needing more than sporadic maintenance, usually when PostgreSQL has a 
> major upgrade every year or two. But then PostgreSQL is designed to be 
> self maintaining apart from making periodic backups. I do these weekly.

ACK

I wonder if I could leverage LDAP instead of a (more) traditional SQL 
database.  That way the same data set might be used for more than just 
this purpose.  It might even be possible to use the LDAP address book as 
the data source for this.  }:-)


I suspect I could just as easily have something dynamically update the 
LDAP address book as I could an SQL database.  Granted, the mechanics 
would be different, but it could still be done.


Thank you for confirming that (something along the lines of) $THIS is 
possible.




--
Grant. . . .
unix || die





Re: Is $THIS possible?

2018-11-26 Thread Henrik K
On Mon, Nov 26, 2018 at 01:08:04PM +, Martin Gregorie wrote:
>
> Instead, consider populating the database with addresses that your
> users have sent mail to because by and large these will not be
> spammers.

If using postfix, one could use my postpals tool for this too..

http://mailfud.org/postpals/


Re: Is $THIS possible?

2018-11-26 Thread Martin Gregorie
On Sun, 2018-11-25 at 20:54 -0700, Grant Taylor wrote:
> Ultimately I'd like to have a (hashed) list addresses that I
> recognize and add (0.1?) to the spam score for each unknown address.
> 
Write yourself a plugin which looks up a database table of known
addresses. That's not hard if you know a bit of Perl, though the list of
incoming addresses sounds too simplistic to be much use: how would it
distinguish between spammers and non-spammers?

Instead, consider populating the database with addresses that your
users have sent mail to because by and large these will not be
spammers. Other points:
 
- if each address entry carries the date mail was last sent to it
  you'll have an easy way to purge the list of addresses that nobody
  has corresponded with in, say, the last two years: this 'time to
  live' is long enough to deal with annual subscriptions, etc.

- you'll also need a tool for removing spammers that got on because a
  user clicked 'send' without reading a message carefully enough to
  see that it was spam

I've had this sort of system running for about 10 years now, using
PostgreSQL as the database. By and large this looks after itself
without needing more than sporadic maintenance, usually when PostgreSQL
has a major upgrade every year or two. But then PostgreSQL is designed
to be self maintaining apart from making periodic backups. I do these
weekly.


Martin





Is $THIS possible?

2018-11-25 Thread Grant Taylor
Is it possible to have per recipient rules (when running spamd & 
spamass-milter) that read a (hashed) list of addresses?


I'm pontificating creating tests against To: / CC: addresses to see how 
many of them I've added to a list.


Ultimately I'd like to have a (hashed) list addresses that I recognize 
and add (0.1?) to the spam score for each unknown address.


Is anything like this possible with SpamAssassin?  Or do I need to back 
up and refactor my problem / solution?




--
Grant. . . .
unix || die
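
The scheme sketched across this thread (a hashed list of addresses grown from the recipients of outgoing mail, each entry carrying the date mail was last sent to it so stale ones can be purged and mistaken ones removed, then 0.1 added to the score for every unrecognised To:/Cc: address on inbound mail), as an added stand-alone Python sketch. It is not part of the thread, not a SpamAssassin plugin and not Grant's or Martin's code; the messages, addresses and dates are constructed, and the two-year time to live and the 0.1 increment are the values floated in the thread.

```python
import hashlib
from datetime import date, timedelta
from email import message_from_string
from email.utils import getaddresses

SCORE_PER_UNKNOWN = 0.1              # per unknown address, as floated in the thread
TIME_TO_LIVE = timedelta(days=730)   # roughly the two years suggested for purging


def address_hash(addr):
    """Hash the normalised (trimmed, lower-cased) address; only digests are stored."""
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()


def recipients_of(raw_message, headers=("To", "Cc")):
    """Return the bare addresses found in the given headers of an RFC 5322 message."""
    msg = message_from_string(raw_message)
    values = []
    for h in headers:
        values.extend(msg.get_all(h, []))
    return [addr for _, addr in getaddresses(values) if addr]


class KnownAddresses:
    """Hashed address list, each entry keyed by digest with the date mail was last sent to it."""

    def __init__(self):
        self._last_sent = {}

    def record_outgoing(self, raw_message, sent_on):
        """Learn every To/Cc/Bcc recipient of an outgoing message, keeping the newest date."""
        for addr in recipients_of(raw_message, ("To", "Cc", "Bcc")):
            h = address_hash(addr)
            prev = self._last_sent.get(h)
            if prev is None or sent_on > prev:
                self._last_sent[h] = sent_on

    def forget(self, addr):
        """Remove one address by hand, e.g. a spammer a user replied to by mistake."""
        return self._last_sent.pop(address_hash(addr), None) is not None

    def purge(self, today):
        """Drop entries not written to within TIME_TO_LIVE; return how many were dropped."""
        stale = [h for h, d in self._last_sent.items() if today - d > TIME_TO_LIVE]
        for h in stale:
            del self._last_sent[h]
        return len(stale)

    def is_known(self, addr):
        return address_hash(addr) in self._last_sent

    def __len__(self):
        return len(self._last_sent)


def score_inbound(raw_message, known):
    """Count recognised vs unrecognised To/Cc addresses and the score to add for the unknown ones."""
    recips = recipients_of(raw_message)
    unknown = [a for a in recips if not known.is_known(a)]
    return {
        "known": len(recips) - len(unknown),
        "unknown": len(unknown),
        "score_delta": round(len(unknown) * SCORE_PER_UNKNOWN, 2),
    }


# Constructed sample traffic (hypothetical addresses, not real mail).
OUTGOING = [
    ("To: Alice <alice@example.org>\nCc: bob@example.net\nSubject: hi\n\nbody\n",
     date(2018, 6, 1)),
    ("To: carol@example.com\nSubject: old\n\nbody\n", date(2016, 1, 10)),
]
INBOUND = ("From: promo@example.invalid\nTo: alice@example.org, dave@example.edu\n"
           "Cc: Bob <BOB@example.net>, eve@example.biz\nSubject: offer\n\nbody\n")


def demo(today=date(2018, 11, 26)):
    """Build the list from OUTGOING, purge it, then score INBOUND against it."""
    known = KnownAddresses()
    for raw, when in OUTGOING:
        known.record_outgoing(raw, when)
    purged = known.purge(today)          # carol's entry is older than the time to live
    result = score_inbound(INBOUND, known)
    return purged, len(known), result


if __name__ == "__main__":
    print(demo())
```

Case-folding before hashing is what lets `BOB@example.net` match the `bob@example.net` learned from outgoing mail; without it the same person would count as unknown.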





Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread RW
On Sun, 7 May 2017 13:08:03 +0200
Matus UHLAR - fantomas wrote:

> On 07.05.17 12:46, Thore Boedecker wrote:
> >I have played around with it and SA is not performing actual SPF
> >queries/validations due to the use of spampd on localhost as a
> >proxy.  

SA needs a trusted internal received header to be present at the time
of the scan. If it's missing you will break a lot more than SPF.
 
> that's why I recommended trying policyd-spf on valhalla.nano-srv.net
> - it could be able to push Received-SPF: header SA could use after...
> 

But be aware that a Received-SPF header can only be used if SA finds it
above a trusted received header.


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread Robert Schetterer
Am 07.05.2017 um 13:08 schrieb Matus UHLAR - fantomas:
>>> > > On 07.05.17 00:46, Thore Boedecker wrote:
>>> > > > Thanks for all the great advice so far.
>>> > > >
>>> > > > Currently I'm playing around with opendkim->opendmarc->amavisd
>>> on my
>>> > > > testserver.
>>> > > >
>>> > > > My current postfix setup is using spampd as proxy and thus any
>>> > > > opendkim/opendmarc milters won't work in conjunction.
>>>
>>> > > > I've been planning to switch to amavis and use it as a milter for
>>> > > > quite some time now so maybe I should get on with it.
>>> [...]
>>> > > > Compiling opendmarc against libspf2 makes the opendmarc
>>> internal SPF
>>> > > > checker functional and now the SA SPF checks (triggered by
>>> amavis) are
>>> > > > firing as well.
>>>
>>> > On 07.05.17 - 11:46, Matus UHLAR - fantomas wrote:
>>> > > I would like to note that SPF can be used without openDMARC, and
>>> imho should
>>> > > work in SA itself.
>>> > >
>>> > > Did you (try to) make SPF working on valhalla.nano-srv.net?
>>>
>>> On 07.05.17 12:05, Thore Boedecker wrote:
>>> > It seems that I simply forgot the load the SPF module in my
>>> > spamassassin config.
>>> >
>>> > A few test mails from different servers are now hitting at least
>>> > the SPF_HELO_PASS rule but nothing else so far.
> 
>> On 07.05.17 - 12:27, Matus UHLAR - fantomas wrote:
>>> try running spamassassin -D on a mail, if you get something like:
>>>
>>> May  6 22:38:47.009 [30327] dbg: spf: relayed through one or more
>>> trusted
>>> relays, cannot use header-based Envelope-From, skipping
>>>
>>> it may be caused by postfix forwarding mail via localhost
>>> - it's better to know if spampd (or later amavisd) can work around that.
>>>
>>> SPF_PASS, SPF_NEUTRAL, SPF_NONE, SPF_SOFTFAIL and SPF_FAIL will indicate
>>> that SPF works as expected.
> 
> On 07.05.17 12:46, Thore Boedecker wrote:
>> I have played around with it and SA is not performing actual SPF
>> queries/validations due to the use of spampd on localhost as a proxy.
> 
> that's why I recommended trying policyd-spf on valhalla.nano-srv.net
> - it could be able to push Received-SPF: header SA could use after...
> 
>> The only way around this, that I know of, would be to switch to amavis
>> as it can be used as a milter.
>> Or is there a way to make SA work as a milter in postfix?
> 
> spamass-milter should be supported.

works perfect since years

> I run amavisd-milter on one machine.
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread Matus UHLAR - fantomas

> > On 07.05.17 00:46, Thore Boedecker wrote:
> > > Thanks for all the great advice so far.
> > >
> > > Currently I'm playing around with opendkim->opendmarc->amavisd on my
> > > testserver.
> > >
> > > My current postfix setup is using spampd as proxy and thus any
> > > opendkim/opendmarc milters won't work in conjunction.

> > > I've been planning to switch to amavis and use it as a milter for
> > > quite some time now so maybe I should get on with it.
[...]
> > > Compiling opendmarc against libspf2 makes the opendmarc internal SPF
> > > checker functional and now the SA SPF checks (triggered by amavis) are
> > > firing as well.

> On 07.05.17 - 11:46, Matus UHLAR - fantomas wrote:
> > I would like to note that SPF can be used without openDMARC, and imho should
> > work in SA itself.
> >
> > Did you (try to) make SPF working on valhalla.nano-srv.net?

On 07.05.17 12:05, Thore Boedecker wrote:
> It seems that I simply forgot the load the SPF module in my
> spamassassin config.
>
> A few test mails from different servers are now hitting at least
> the SPF_HELO_PASS rule but nothing else so far.



On 07.05.17 - 12:27, Matus UHLAR - fantomas wrote:
> try running spamassassin -D on a mail, if you get something like:
>
> May  6 22:38:47.009 [30327] dbg: spf: relayed through one or more trusted
> relays, cannot use header-based Envelope-From, skipping
>
> it may be caused by postfix forwarding mail via localhost
> - it's better to know if spampd (or later amavisd) can work around that.
>
> SPF_PASS, SPF_NEUTRAL, SPF_NONE, SPF_SOFTFAIL and SPF_FAIL will indicate
> that SPF works as expected.

On 07.05.17 12:46, Thore Boedecker wrote:
> I have played around with it and SA is not performing actual SPF
> queries/validations due to the use of spampd on localhost as a proxy.

that's why I recommended trying policyd-spf on valhalla.nano-srv.net
- it could be able to push Received-SPF: header SA could use after...

> The only way around this, that I know of, would be to switch to amavis
> as it can be used as a milter.
> Or is there a way to make SA work as a milter in postfix?

spamass-milter should be supported.
I run amavisd-milter on one machine.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread Thore Boedecker
On 07.05.17 - 12:27, Matus UHLAR - fantomas wrote:
> > > On 07.05.17 00:46, Thore Boedecker wrote:
> > > > Thanks for all the great advice so far.
> > > >
> > > > Currently I'm playing around with opendkim->opendmarc->amavisd on my
> > > > testserver.
> > > >
> > > > My current postfix setup is using spampd as proxy and thus any
> > > > opendkim/opendmarc milters won't work in conjunction.
> 
> > > > I've been planning to switch to amavis and use it as a milter for
> > > > quite some time now so maybe I should get on with it.
> [...]
> > > > Compiling opendmarc against libspf2 makes the opendmarc internal SPF
> > > > checker functional and now the SA SPF checks (triggered by amavis) are
> > > > firing as well.
> 
> > On 07.05.17 - 11:46, Matus UHLAR - fantomas wrote:
> > > I would like to note that SPF can be used without openDMARC, and imho 
> > > should
> > > work in SA itself.
> > > 
> > > Did you (try to) make SPF working on valhalla.nano-srv.net?
> 
> On 07.05.17 12:05, Thore Boedecker wrote:
> > It seems that I simply forgot to load the SPF module in my
> > spamassassin config.
> > 
> > A few test mails from different servers are now hitting at least
> > the SPF_HELO_PASS rule but nothing else so far.
> 
> try running spamassassin -D on a mail, if you get something like:
> 
> May  6 22:38:47.009 [30327] dbg: spf: relayed through one or more trusted
> relays, cannot use header-based Envelope-From, skipping
> 
> it may be caused by postfix forwarding mail via localhost
> - it's better to know if spampd (or later amavisd) can work around that.
> 
> SPF_PASS, SPF_NEUTRAL, SPF_NONE, SPF_SOFTFAIL and SPF_FAIL will indicate
> that SPF works as expected.

I have played around with it and SA is not performing actual SPF
queries/validations due to the use of spampd on localhost as a proxy.
The only way around this, that I know of, would be to switch to amavis
as it can be used as a milter.
Or is there a way to make SA work as a milter in postfix?

> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> REALITY.SYS corrupted. Press any key to reboot Universe.

-- 




Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread Matus UHLAR - fantomas

On 07.05.17 00:46, Thore Boedecker wrote:
> Thanks for all the great advice so far.
>
> Currently I'm playing around with opendkim->opendmarc->amavisd on my
> testserver.
>
> My current postfix setup is using spampd as proxy and thus any
> opendkim/opendmarc milters won't work in conjunction.



> I've been planning to switch to amavis and use it as a milter for
> quite some time now so maybe I should get on with it.

[...]

> Compiling opendmarc against libspf2 makes the opendmarc internal SPF
> checker functional and now the SA SPF checks (triggered by amavis) are
> firing as well.



On 07.05.17 - 11:46, Matus UHLAR - fantomas wrote:
> I would like to note that SPF can be used without openDMARC, and imho should
> work in SA itself.
>
> Did you (try to) make SPF working on valhalla.nano-srv.net?

On 07.05.17 12:05, Thore Boedecker wrote:
> It seems that I simply forgot to load the SPF module in my
> spamassassin config.
>
> A few test mails from different servers are now hitting at least
> the SPF_HELO_PASS rule but nothing else so far.

try running spamassassin -D on a mail, if you get something like:

May  6 22:38:47.009 [30327] dbg: spf: relayed through one or more trusted
relays, cannot use header-based Envelope-From, skipping

it may be caused by postfix forwarding mail via localhost
- it's better to know if spampd (or later amavisd) can work around that.

SPF_PASS, SPF_NEUTRAL, SPF_NONE, SPF_SOFTFAIL and SPF_FAIL will indicate
that SPF works as expected.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread Thore Boedecker
On 07.05.17 - 11:46, Matus UHLAR - fantomas wrote:
> On 07.05.17 00:46, Thore Boedecker wrote:
> > Thanks for all the great advice so far.
> > 
> > Currently I'm playing around with opendkim->opendmarc->amavisd on my
> > testserver.
> > 
> > My current postfix setup is using spampd as proxy and thus any
> > opendkim/opendmarc milters won't work in conjunction.
> > 
> > I've been planning to switch to amavis and use it as a milter for
> > quite some time now so maybe I should get on with it.
> > 
> > So far it's working quite nice, took some time to get all services
> > working together but for now it's running without errors.
> > 
> > Compiling opendmarc against libspf2 makes the opendmarc internal SPF
> > checker functional and now the SA SPF checks (triggered by amavis) are
> > firing as well.
> 
> I would like to note that SPF can be used without openDMARC, and imho should
> work in SA itself.
> 
> Did you (try to) make SPF working on valhalla.nano-srv.net?

It seems that I simply forgot to load the SPF module in my
spamassassin config.

A few test mails from different servers are now hitting at least
the SPF_HELO_PASS rule but nothing else so far.

> 
> 
> > On 06.05.17 - 22:54, Matus UHLAR - fantomas wrote:
> > > Also, the mail SHOULD hit SPF_* rule, if the SPF plugin is loaded, but 
> > > there's none.
> > > 
> > > maybe because:
> > > 
> > > May  6 22:19:09.740 [30047] dbg: spf: relayed through one or more trusted 
> > > relays, cannot use header-based Envelope-From, skipping
> > > 
> > > ... caused by Received: line containing localhost. the OP should set up 
> > > spf
> > > policyd on valhalla.nano-srv.net...
> 
> 
> > > For now the main problem at receiver's side seems to be missing SPF 
> > > results.
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

-- 




Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-07 Thread Matus UHLAR - fantomas

On 07.05.17 00:46, Thore Boedecker wrote:
> Thanks for all the great advice so far.
>
> Currently I'm playing around with opendkim->opendmarc->amavisd on my
> testserver.
>
> My current postfix setup is using spampd as proxy and thus any
> opendkim/opendmarc milters won't work in conjunction.
>
> I've been planning to switch to amavis and use it as a milter for
> quite some time now so maybe I should get on with it.
>
> So far it's working quite nice, took some time to get all services
> working together but for now it's running without errors.
>
> Compiling opendmarc against libspf2 makes the opendmarc internal SPF
> checker functional and now the SA SPF checks (triggered by amavis) are
> firing as well.

I would like to note that SPF can be used without openDMARC, and imho should
work in SA itself.

Did you (try to) make SPF working on valhalla.nano-srv.net? 

On 06.05.17 - 22:54, Matus UHLAR - fantomas wrote:
> Also, the mail SHOULD hit SPF_* rule, if the SPF plugin is loaded, but there's 
> none.
>
> maybe because:
>
> May  6 22:19:09.740 [30047] dbg: spf: relayed through one or more trusted 
> relays, cannot use header-based Envelope-From, skipping
>
> ... caused by Received: line containing localhost. the OP should set up spf
> policyd on valhalla.nano-srv.net...
>
> For now the main problem at receiver's side seems to be missing SPF results.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Thore Boedecker
Thanks for all the great advice so far.

Currently I'm playing around with opendkim->opendmarc->amavisd on my
testserver.

My current postfix setup is using spampd as proxy and thus any
opendkim/opendmarc milters won't work in conjunction.

I've been planning to switch to amavis and use it as a milter for
quite some time now so maybe I should get on with it.

So far it's working quite nice, took some time to get all services
working together but for now it's running without errors.

Compiling opendmarc against libspf2 makes the opendmarc internal SPF
checker functional and now the SA SPF checks (triggered by amavis) are
firing as well.


Cheers o/

On 06.05.17 - 22:54, Matus UHLAR - fantomas wrote:
> > > On 06.05.17 15:49, Thore Boedecker wrote:
> > > > After looking at the headers it became clear what the issue was:
> > > > 
> > > > It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
> > > > @gmail.com senders to be sent through their servers.
> 
> > From: Matus UHLAR - fantomas 
> > > @gmail.com From: and envelope from. Sender: was yahoo...
> 
> On 06.05.17 17:55, David Jones wrote:
> > The headers imply that this was sent from the Yahoo webmail
> > interface which must allow users to setup an "identity" like
> > Thunderbird does that allows custom From: and Return-Path:
> > headers.  They shouldn't allow this in their webmail interface.
> 
> They should not, but this has nothing to do with the DKIM itself.
> 
> 
> > BTW, their webmail interface should also add an X-Originating-IP:
> > header of the client so we could tell which country it was sent
> > from.  I bet it wasn't Japan.
> 
> Received: header should do that as well:
> 
> Received: from [37.130.224.21] by web101313.mail.kks.yahoo.co.jp via HTTP;
>   Sat, 06 May 2017 21:41:47 JST
> 
> Hosting Services Inc, GB
> 
> I did test SA run and it did parse the header.
> 
> > > > The funny thing is, that there is a @gmail.com address in both the
> > > > 'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
> > > > 'Reply-To:' and 'Sender:' headers.
> > > > Somehow Yahoo sees no problem in that and is happy to DKIM sign those
> > > > emails with a correct *Yahoo* signature.
> > 
> > > I wonder why THE mail didn't hit SPF_SOFTFAIL, since it was supposed to...
> > 
> > The email didn't go through a Google mail server and the envelope-from
> > was yahoo.co.jp so SPF should have passed based on IP 183.79.57.110.
> 
> Return-Path: 
> 
> that's not yahoo address (Return-Path is set to envelope from by MTAs).
> 
> Also, the mail SHOULD hit SPF_* rule, if the SPF plugin is loaded, but 
> there's none.
> 
> maybe because:
> 
> May  6 22:19:09.740 [30047] dbg: spf: relayed through one or more trusted 
> relays, cannot use header-based Envelope-From, skipping
> 
> ... caused by Received: line containing localhost. the OP should set up spf
> policyd on valhalla.nano-srv.net...
> 
> 
> > > yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
> > > validator know?
> > 
> > Yahoo should stop allowing their webmail interface to control the From:
> > and Return-Path: headers.  I bet this spammer tried to send the email out
> > from Google which blocked it so this is a way to abuse the Yahoo mail 
> > servers
> > that are not good at blocking the outbound spam.
> 
> I doubt Return-Path was set by the sending user, I believe it was set from
> envelope from.
> 
> I'm listening if you can prove the opposite.
> 
> > > I don't think this problem lies at DKIM verification, more on
> > > trustworthiness of yahoo who signs such mail,
> > > and the fact of missing SPF checks that I pointed out above.
> > 
> > DKIM does authentication and this email was from Yahoo.  Note no
> > DKIM_VALID_AU since the From: header was gmail.com.
> 
> > > that is in fact change in requirements on DKIM itself...
> > 
> > I bet as we see DMARC gain traction like SPF has this will force these
> > major mail hosting providers like Yahoo to shape up.  Right now they are
> > so big that we can't make them act responsibly.  Yahoo should start 
> > rejecting
> > email that is sent through them like this to prevent spammers abusing them.
> > 
> > Google is slowly turning up the heat with DMARC which forces the Internet
> > to implement it.  I know this is a pain but I went through this pain a few 
> > years
> > ago and now I am glad to see Google using their influence for good.  In a 
> > few
> > more years all of our spam filtering will be better because of this.
> 
> Still - this is not a problem of DKIM itself and comparing DKIM domain
> with envelope from will not fix that - it will only break other forwards.
> 
> For now the main problem at receiver's side seems to be missing SPF results.
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising

Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread David Jones
From: Alex 

>I'm just adding 1.5 points when DMARC tests fail and the policy is to
>reject. Is it safe to block them completely?

I am rejecting with OpenDMARC when the sender's DMARC record
has p=reject.  This is what they asked for so I am doing it.

I have run into one case where a sender whose primary business is
to send emails set up DMARC with p=reject, then used dmarcian.com
to help them with their implementation.  They were not DKIM signing
and their SPF record was wrong.  They blamed me for blocking their
email saying they didn't have any other reports of this happening
for any other customer.  My response was to show them their own
DNS setting said to reject the email so my filters were doing exactly
that.

This sender should be getting some fancy reports and a dashboard
or something from dmarcian.com showing all of the failures but I
guess they are ignoring the reports.

>And why aren't DMARC tests part of the stock SA yet?

Someone needs to write a DMARC plugin for SA.

http://search.cpan.org/dist/Mail-DMARC/


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Matus UHLAR - fantomas

On 06.05.17 15:49, Thore Boedecker wrote:

After looking at the headers it became clear what the issue was:

It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
@gmail.com senders to be sent through their servers.



From: Matus UHLAR - fantomas 

@gmail.com From: and envelope from. Sender: was yahoo...


On 06.05.17 17:55, David Jones wrote:

The headers imply that this was sent from the Yahoo webmail
interface which must allow users to set up an "identity" like
Thunderbird does that allows custom From: and Return-Path:
headers.  They shouldn't allow this in their webmail interface.


They should not, but this has nothing to do with the DKIM itself.



BTW, their webmail interface should also add an X-Originating-IP:
header of the client so we could tell which country it was sent
from.  I bet it wasn't Japan.


Received: header should do that as well:

Received: from [37.130.224.21] by web101313.mail.kks.yahoo.co.jp via HTTP;
Sat, 06 May 2017 21:41:47 JST

Hosting Services Inc, GB

I did test SA run and it did parse the header.


The funny thing is, that there is a @gmail.com address in both the
'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
'Reply-To:' and 'Sender:' headers.
Somehow Yahoo sees no problem in that and is happy to DKIM sign those
emails with a correct *Yahoo* signature.



I wonder why THE mail didn't hit SPF_SOFTFAIL, since it was supposed to...


The email didn't go through a Google mail server and the envelope-from
was yahoo.co.jp so SPF should have passed based on IP 183.79.57.110.


Return-Path: 

that's not yahoo address (Return-Path is set to envelope from by MTAs).

Also, the mail SHOULD hit SPF_* rule, if the SPF plugin is loaded, but there's 
none.

maybe because:

May  6 22:19:09.740 [30047] dbg: spf: relayed through one or more trusted 
relays, cannot use header-based Envelope-From, skipping

... caused by Received: line containing localhost. 
the OP should set up spf policyd on valhalla.nano-srv.net...




yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
validator know?


Yahoo should stop allowing their webmail interface to control the From:
and Return-Path: headers.  I bet this spammer tried to send the email out
from Google which blocked it so this is a way to abuse the Yahoo mail servers
that are not good at blocking the outbound spam.


I doubt Return-Path was set by the sending user, I believe it was set from
envelope from.

I'm listening if you can prove the opposite.


I don't think this problem lies at DKIM verification, more on
trustworthiness of yahoo who signs such mail,
and the fact of missing SPF checks that I pointed out above.


DKIM does authentication and this email was from Yahoo.  Note no
DKIM_VALID_AU since the From: header was gmail.com.



that is in fact change in requirements on DKIM itself...


I bet as we see DMARC gain traction like SPF has this will force these
major mail hosting providers like Yahoo to shape up.  Right now they are
so big that we can't make them act responsibly.  Yahoo should start rejecting
email that is sent through them like this to prevent spammers abusing them.

Google is slowly turning up the heat with DMARC which forces the Internet
to implement it.  I know this is a pain but I went through this pain a few years
ago and now I am glad to see Google using their influence for good.  In a few
more years all of our spam filtering will be better because of this.


Still - this is not a problem of DKIM itself and comparing DKIM domain
with envelope from will not fix that - it will only break other forwards.

For now the main problem at receiver's side seems to be missing SPF results.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Alex
Hi,

On Sat, May 6, 2017 at 10:10 AM, David Jones  wrote:
> From: Thore Boedecker 
>
>>Hello folks,
>
>>over the last couple of months I have received some nasty spam,
>>delivered by the Yahoo mail servers.
>
>>After looking at the headers it became clear what the issue was:
>
> Please post the email in pastebin.com or something so we can
> help.
>
>>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>>@gmail.com senders to be sent through their servers.
>>The funny thing is, that there is a @gmail.com address in both the
>>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>>'Reply-To:' and 'Sender:' headers.
>>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>>emails with a correct *Yahoo* signature.
>
>>Over on my side, the receiving end of these emails, there is my
>>spamassassin. SA discovers the DKIM signature and is able to validate
>>this signature against the Yahoo server which is totally undesirable
>>in my opinion.
>
> DKIM is only meant to authenticate that the emails did come from
> a Yahoo server.  It has nothing to do with authorization which is what
> you are looking for.  SPF handles authorization so these emails should
> have a SPF_FAIL rule hit that we can confirm once we see it in
> pastebin.com.
>
>>Maybe strict DKIM alignment is not always the best choice, because
>>sometimes the emails are signed by different servers without sharing
>>one signing key for the entire domain.
>
>>So is there any way to make SA perform at least a relaxed DKIM
>>alignment check on the headers so that the DKIM signature domain has
>>to belong to the 'From:' address?
>
> This is done by DMARC.  Currently you have to implement something
> like OpenDMARC in your MTA and then add custom rules that use the
> headers added specifically by your MTA (yourserverhere).
>
> header   DMARC_PASS  Authentication-Results =~ /yourserverhere; dmarc=pass/
> describe DMARC_PASS  DMARC check passed
> score    DMARC_PASS  -0.01
>
> header   DMARC_FAIL  Authentication-Results =~ /yourserverhere; dmarc=fail/
> describe DMARC_FAIL  DMARC check failed
> score    DMARC_FAIL  0.01
>
> header   DMARC_NONE  Authentication-Results =~ /yourserverhere; dmarc=none/
> describe DMARC_NONE  DMARC check neutral
> score    DMARC_NONE  0.01

RW posted some rules around this time last year:

https://www.mail-archive.com/users@spamassassin.apache.org/msg95643.html

How is this different/better? We have openDMARC running on one of our
systems, but that's for your own mail. How does it work with SA?


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Alex
Hi,

>>>So is there any way to make SA perform at least a relaxed DKIM
>>>alignment check on the headers so that the DKIM signature domain has
>>>to belong to the 'From:' address?
>
>>every domain using yahoo mail servers would have to delegate DKIM to
>>yahoo and yahoo would need to sign under all those domains.
>>the same applies about any domain that does DKIM signing (e.g. gmail)
>
> Interestingly, _dmarc.yahoo.com TXT record has "p=reject" which would
> have caused a DMARC fail with a bounce.  Looks like this spammer noticed
> that yahoo.co.jp does not have a DMARC record which allowed them to
> send this spam even to recipients with DMARC checks enabled and honoring
> "p=reject" like my mail filters do.

I'm just adding 1.5 points when DMARC tests fail and the policy is to
reject. Is it safe to block them completely?

And why aren't DMARC tests part of the stock SA yet?

>>that is in fact change in requirements on DKIM itself...
>
> I bet as we see DMARC gain traction like SPF has this will force these
> major mail hosting providers like Yahoo to shape up.  Right now they are
> so big that we can't make them act responsibly.  Yahoo should start rejecting
> email that is sent through them like this to prevent spammers abusing them.
>
> Google is slowly turning up the heat with DMARC which forces the Internet
> to implement it.  I know this is a pain but I went through this pain a few 
> years
> ago and now I am glad to see Google using their influence for good.  In a few
> more years all of our spam filtering will be better because of this.

What does this mean for forwarded mail? I see there's already an
exception for mailing list mail in the SA rules. We have a mail system
with a few hundred users, virtually all of which forward their mail
through to gmail or another freemail account. It has an entry in the
top-level SPF record, but it rejects lots of mail from external
senders due to the originating sender's SPF policy.


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread David Jones
From: Matus UHLAR - fantomas 
    
>On 06.05.17 15:49, Thore Boedecker wrote:
>>After looking at the headers it became clear what the issue was:
>>
>>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>>@gmail.com senders to be sent through their servers.

>@gmail.com From: and envelope from. Sender: was yahoo...

The headers imply that this was sent from the Yahoo webmail
interface which must allow users to set up an "identity" like
Thunderbird does that allows custom From: and Return-Path:
headers.  They shouldn't allow this in their webmail interface.

BTW, their webmail interface should also add an X-Originating-IP:
header of the client so we could tell which country it was sent
from.  I bet it wasn't Japan.

>>The funny thing is, that there is a @gmail.com address in both the
>>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>>'Reply-To:' and 'Sender:' headers.
>>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>>emails with a correct *Yahoo* signature.

>I wonder why THE mail didn't hit SPF_SOFTFAIL, since it was supposed to...

The email didn't go through a Google mail server and the envelope-from
was yahoo.co.jp so SPF should have passed based on IP 183.79.57.110.

>>Over on my side, the receiving end of these emails, there is my
>>spamassassin. SA discovers the DKIM signature and is able to validate
>>this signature against the Yahoo server which is totally undesirable
>>in my opinion.

>>Maybe strict DKIM alignment is not always the best choice, because
>>sometimes the emails are signed by different servers without sharing
>>one signing key for the entire domain.

>yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
>validator know?

Yahoo should stop allowing their webmail interface to control the From:
and Return-Path: headers.  I bet this spammer tried to send the email out
from Google which blocked it so this is a way to abuse the Yahoo mail servers
that are not good at blocking the outbound spam.

>I don't think this problem lies at DKIM verification, more on
>trustworthiness of yahoo who signs such mail,
>and the fact of missing SPF checks that I pointed out above.

DKIM does authentication and this email was from Yahoo.  Note no
DKIM_VALID_AU since the From: header was gmail.com.

>>So is there any way to make SA perform at least a relaxed DKIM
>>alignment check on the headers so that the DKIM signature domain has
>>to belong to the 'From:' address?

>every domain using yahoo mail servers would have to delegate DKIM to
>yahoo and yahoo would need to sign under all those domains.
>the same applies about any domain that does DKIM signing (e.g. gmail)

Interestingly, _dmarc.yahoo.com TXT record has "p=reject" which would
have caused a DMARC fail with a bounce.  Looks like this spammer noticed
that yahoo.co.jp does not have a DMARC record which allowed them to
send this spam even to recipients with DMARC checks enabled and honoring
"p=reject" like my mail filters do.

>that is in fact change in requirements on DKIM itself...

I bet as we see DMARC gain traction like SPF has this will force these 
major mail hosting providers like Yahoo to shape up.  Right now they are
so big that we can't make them act responsibly.  Yahoo should start rejecting
email that is sent through them like this to prevent spammers abusing them.

Google is slowly turning up the heat with DMARC which forces the Internet
to implement it.  I know this is a pain but I went through this pain a few years
ago and now I am glad to see Google using their influence for good.  In a few
more years all of our spam filtering will be better because of this.

Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Matus UHLAR - fantomas

On 06.05.17 15:49, Thore Boedecker wrote:

After looking at the headers it became clear what the issue was:

It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
@gmail.com senders to be sent through their servers.


@gmail.com From: and envelope from. Sender: was yahoo...


The funny thing is, that there is a @gmail.com address in both the
'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
'Reply-To:' and 'Sender:' headers.
Somehow Yahoo sees no problem in that and is happy to DKIM sign those
emails with a correct *Yahoo* signature.


I wonder why THE mail didn't hit SPF_SOFTFAIL, since it was supposed to...


Over on my side, the receiving end of these emails, there is my
spamassassin. SA discovers the DKIM signature and is able to validate
this signature against the Yahoo server which is totally undesirable
in my opinion.



Maybe strict DKIM alignment is not always the best choice, because
sometimes the emails are signed by different servers without sharing
one signing key for the entire domain.


yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
validator know?

I don't think this problem lies at DKIM verification, more on
trustworthiness of yahoo who signs such mail,
and the fact of missing SPF checks that I pointed out above.



So is there any way to make SA perform at least a relaxed DKIM
alignment check on the headers so that the DKIM signature domain has
to belong to the 'From:' address?


every domain using yahoo mail servers would have to delegate DKIM to
yahoo and yahoo would need to sign under all those domains.
the same applies about any domain that does DKIM signing (e.g. gmail)

that is in fact change in requirements on DKIM itself...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Matus UHLAR - fantomas

On Sat, 6 May 2017 15:49:08 +0200
Thore Boedecker wrote:

Over on my side, the receiving end of these emails, there is my
spamassassin. SA discovers the DKIM signature and is able to validate
this signature against the Yahoo server which is totally undesirable
in my opinion.



From: RW 

SPF requires the mail to be sent out through designated hosts. A DKIM
pass for the correct domain means that the email passed through a host
with access to the signing key. DKIM provides better authorization than
SPF.


On 06.05.17 15:47, David Jones wrote:

RW is correct.  This email did not go through a Google mail server.  Looks
like the sender is using a mail client to send through Yahoo with the
intention to get someone to reply back to a gmail.com address.

Does anyone think it would be beneficial to extend the FreeMail plugin
to detect these headers having different sender and reply-to FREEMAIL
domains?


what does the Sender: header give us in addition to envelope from?
this mail already hit FREEMAIL_REPLYTO

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread David Jones
From: RW 
    
>On Sat, 6 May 2017 15:49:08 +0200
>Thore Boedecker wrote:

>> Over on my side, the receiving end of these emails, there is my
>> spamassassin. SA discovers the DKIM signature and is able to validate
>> this signature against the Yahoo server which is totally undesirable
>> in my opinion.

>SPF requires the mail to be sent out through designated hosts. A DKIM
>pass for the correct domain means that the email passed through a host
>with access to the signing key. DKIM provides better authorization than
>SPF.
 
RW is correct.  This email did not go through a Google mail server.  Looks
like the sender is using a mail client to send through Yahoo with the
intention to get someone to reply back to a gmail.com address.

Does anyone think it would be beneficial to extend the FreeMail plugin
to detect these headers having different sender and reply-to FREEMAIL
domains?

You need to properly train your Bayes since this email hit BAYES_00.  This
email was BCC'd which is another clue of spam in conjunction with the
FREEMAIL hits.

I bump up these FREEMAIL scores based on the masscheck results I saw
in the past:
score FREEMAIL_FROM 1.2
score FREEMAIL_REPLYTO 4.2
score FREEMAIL_REPLYTO_END_DIGIT 1.2

Disclaimer: Adjust these scores to your liking as I have an SA block at 6.0.

Dave

Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread RW
On Sat, 6 May 2017 15:49:08 +0200
Thore Boedecker wrote:

> Over on my side, the receiving end of these emails, there is my
> spamassassin. SA discovers the DKIM signature and is able to validate
> this signature against the Yahoo server which is totally undesirable
> in my opinion.


It doesn't score anything at all:

  DKIM_SIGNED=0.1,DKIM_VALID=-0.1

and DKIM_VALID doesn't mean much anyway, any spammer can make that hit
if they can add their own header to the spam. It didn't hit
DKIM_VALID_AU.

On Sat, 6 May 2017 14:10:12 +
David Jones wrote:

> DKIM is only meant to authenticate that the emails did come from
> a Yahoo server.  It has nothing to do with authorization which is what
> you are looking for.  SPF handles authorization so these emails should
> have a SPF_FAIL rule hit that we can confirm once we see it in
> pastebin.com. 


SPF requires the mail to be sent out through designated hosts. A DKIM
pass for the correct domain means that the email passed through a host
with access to the signing key. DKIM provides better authorization than
SPF.


Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Dominic Benson

> On 6 May 2017, at 14:49, Thore Boedecker  wrote:
> 
> Hello folks,
> 
> over the last couple of months I have received some nasty spam,
> delivered by the Yahoo mail servers.
> 
> After looking at the headers it became clear what the issue was:
> 
> It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
> @gmail.com senders to be sent through their servers.
> The funny thing is, that there is a @gmail.com address in both the
> 'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
> 'Reply-To:' and 'Sender:' headers.
> Somehow Yahoo sees no problem in that and is happy to DKIM sign those
> emails with a correct *Yahoo* signature.

This is correct - Sender is a perfectly acceptable address header for DKIM and 
is consistent with the semantics of the user taking responsibility for the 
sending of the message.



Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Thore Boedecker
Thanks David for the first hints in the right direction and yes you
are right, I'm looking for some sort of DMARC integration into SA.

I have uploaded the mail here:

https://paste.foxxx0.de/wZjcT/


Thore

On 06.05.17 - 14:10, David Jones wrote:
> From: Thore Boedecker 
>     
> >Hello folks,
> 
> >over the last couple of months I have received some nasty spam,
> >delivered by the Yahoo mail servers.
> 
> >After looking at the headers it became clear what the issue was:
> 
> Please post the email in pastebin.com or something so we can
> help.
> 
> >It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
> >@gmail.com senders to be sent through their servers.
> >The funny thing is, that there is a @gmail.com address in both the
> >'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
> >'Reply-To:' and 'Sender:' headers.
> >Somehow Yahoo sees no problem in that and is happy to DKIM sign those
> >emails with a correct *Yahoo* signature.
> 
> >Over on my side, the receiving end of these emails, there is my
> >spamassassin. SA discovers the DKIM signature and is able to validate
> >this signature against the Yahoo server which is totally undesirable
> >in my opinion.
> 
> DKIM is only meant to authenticate that the emails did come from
> a Yahoo server.  It has nothing to do with authorization which is what
> you are looking for.  SPF handles authorization so these emails should
> have a SPF_FAIL rule hit that we can confirm once we see it in
> pastebin.com. 
> 
> >Maybe strict DKIM alignment is not always the best choice, because
> >sometimes the emails are signed by different servers without sharing
> >one signing key for the entire domain.
> 
> >So is there any way to make SA perform at least a relaxed DKIM
> >alignment check on the headers so that the DKIM signature domain has
> >to belong to the 'From:' address?
> 
> This is done by DMARC.  Currently you have to implement something
> like OpenDMARC in your MTA and then add custom rules that use the
> headers added specifically by your MTA (yourserverhere).
> 
> header   DMARC_PASS  Authentication-Results =~ /yourserverhere; dmarc=pass/
> describe DMARC_PASS  DMARC check passed
> score    DMARC_PASS  -0.01
> 
> header   DMARC_FAIL  Authentication-Results =~ /yourserverhere; dmarc=fail/
> describe DMARC_FAIL  DMARC check failed
> score    DMARC_FAIL  0.01
> 
> header   DMARC_NONE  Authentication-Results =~ /yourserverhere; dmarc=none/
> describe DMARC_NONE  DMARC check neutral
> score    DMARC_NONE  0.01
> 
> Dave

-- 




Re: Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread David Jones
From: Thore Boedecker 
    
>Hello folks,

>over the last couple of months I have received some nasty spam,
>delivered by the Yahoo mail servers.

>After looking at the headers it became clear what the issue was:

Please post the email in pastebin.com or something so we can
help.

>It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
>@gmail.com senders to be sent through their servers.
>The funny thing is, that there is a @gmail.com address in both the
>'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
>'Reply-To:' and 'Sender:' headers.
>Somehow Yahoo sees no problem in that and is happy to DKIM sign those
>emails with a correct *Yahoo* signature.

>Over on my side, the receiving end of these emails, there is my
>spamassassin. SA discovers the DKIM signature and is able to validate
>this signature against the Yahoo server which is totally undesirable
>in my opinion.

DKIM is only meant to authenticate that the emails did come from
a Yahoo server.  It has nothing to do with authorization which is what
you are looking for.  SPF handles authorization so these emails should
have a SPF_FAIL rule hit that we can confirm once we see it in
pastebin.com. 

>Maybe strict DKIM alignment is not always the best choice, because
>sometimes the emails are signed by different servers without sharing
>one signing key for the entire domain.

>So is there any way to make SA perform at least a relaxed DKIM
>alignment check on the headers so that the DKIM signature domain has
>to belong to the 'From:' address?

This is done by DMARC.  Currently you have to implement something
like OpenDMARC in your MTA and then add custom rules that use the
headers added specifically by your MTA (yourserverhere).

header   DMARC_PASS  Authentication-Results =~ /yourserverhere; dmarc=pass/
describe DMARC_PASS  DMARC check passed
score    DMARC_PASS  -0.01

header   DMARC_FAIL  Authentication-Results =~ /yourserverhere; dmarc=fail/
describe DMARC_FAIL  DMARC check failed
score    DMARC_FAIL  0.01

header   DMARC_NONE  Authentication-Results =~ /yourserverhere; dmarc=none/
describe DMARC_NONE  DMARC check neutral
score    DMARC_NONE  0.01

Dave
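
The identifier-alignment logic behind RW's point that DKIM_VALID means little without DKIM_VALID_AU, and the Authentication-Results matching that Dave's DMARC_PASS/FAIL/NONE rules rely on, as an added worked example; this is not code from the thread or from SpamAssassin. It runs over a constructed message laid out like the one described in the thread (placeholder addresses and selector), assumes a hypothetical authserv-id mx.example.net, and replaces the Public Suffix List with a hand-written suffix set; it does not verify signatures, so its alignment verdict only applies to a signature the DKIM plugin has already validated.

```python
"""DMARC-style identifier alignment and related header checks (added example,
not thread or SpamAssassin code).  org_domain() is a toy stand-in for the
Public Suffix List; signature verification is out of scope here."""
import email
import re
from email import policy

# Constructed sample with the header layout the thread describes; addresses
# and selector are placeholders, not the real spam.
SAMPLE = """\
Return-Path: <someone@gmail.com>
Authentication-Results: mx.example.net; dmarc=none header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.co.jp; s=selector1;
  c=relaxed/relaxed; h=From:Sender:Reply-To; bh=placeholder; b=placeholder
From: Someone <someone@gmail.com>
Sender: someone@yahoo.co.jp
Reply-To: someone@yahoo.co.jp

body
"""

ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>,;]+@[^\s<>,;]+)")
# Toy Public Suffix List: under these suffixes the registrable domain is one
# label deeper (assumption; real DMARC code consults the full PSL).
TWO_LEVEL_SUFFIXES = {"co.jp", "ne.jp", "co.uk", "com.au", "co.nz"}
# Constructed short freemail list for the FreeMail-style check.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "yahoo.co.jp", "outlook.com"}

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    m = ADDR_RE.search(header_value or "")
    return (m.group(1) or m.group(2)).rsplit("@", 1)[-1].lower() if m else None

def org_domain(domain):
    """Organizational domain (RFC 7489 section 3.2) under the toy suffix rule."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="relaxed"):
    """Identifier alignment: strict needs an exact match, relaxed the same
    organizational domain (the check the original poster asked for)."""
    if not from_domain or not auth_domain:
        return False
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dkim_signing_domains(msg):
    """The d= tag of every DKIM-Signature header (no verification here)."""
    found = (re.search(r"(?:^|;)\s*d=([^;\s]+)", str(s))
             for s in msg.get_all("DKIM-Signature", []))
    return [m.group(1).lower() for m in found if m]

def dkim_alignment(msg, mode="relaxed"):
    """(author domain, signing domains, any signer aligned with From:), i.e.
    the DKIM_VALID_AU idea as opposed to plain DKIM_VALID."""
    author = domain_of(str(msg.get("From", "")))
    signers = dkim_signing_domains(msg)
    return author, signers, any(aligned(author, d, mode) for d in signers)

def authres_dmarc(msg, authserv_id):
    """dmarc= result from the Authentication-Results header stamped by our own
    authserv-id, the data the thread's DMARC_PASS/FAIL/NONE rules match on."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.match(r"\s*" + re.escape(authserv_id) + r"\s*;(.*)", str(hdr), re.S)
        if m:
            r = re.search(r"\bdmarc=(pass|fail|none|temperror|permerror)\b", m.group(1))
            if r:
                return r.group(1)
    return None

def freemail_header_mismatch(msg):
    """FreeMail-style check suggested in the thread: From:, Sender: and
    Reply-To: use freemail providers that are not all the same one."""
    free = set()
    for name in ("From", "Sender", "Reply-To"):
        d = domain_of(str(msg.get(name, "")))
        if d and org_domain(d) in FREEMAIL_DOMAINS:
            free.add(org_domain(d))
    return len(free) > 1

def analyze(raw=SAMPLE):
    """Run every check over one RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    author, signers, relaxed_ok = dkim_alignment(msg, "relaxed")
    return {
        "author_domain": author,
        "dkim_domains": signers,
        "dkim_valid_au_relaxed": relaxed_ok,
        "dkim_valid_au_strict": dkim_alignment(msg, "strict")[2],
        "dmarc_authres": authres_dmarc(msg, "mx.example.net"),
        "freemail_mismatch": freemail_header_mismatch(msg),
    }

if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample the author domain is gmail.com and the only signer is yahoo.co.jp, so both relaxed and strict alignment fail, which is exactly why DKIM_VALID hits while DKIM_VALID_AU does not. authres_dmarc() anchors on the server's own authserv-id at the start of the header value rather than matching the substring anywhere; that only helps if the MTA removes incoming Authentication-Results headers that claim the same authserv-id before adding its own.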

Strict/Relaxed DKIM alignment possible with SA?

2017-05-06 Thread Thore Boedecker
Hello folks,

over the last couple of months I have received some nasty spam,
delivered by the Yahoo mail servers.

After looking at the headers it became clear what the issue was:

It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
@gmail.com senders to be sent through their servers.
The funny thing is, that there is a @gmail.com address in both the
'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
'Reply-To:' and 'Sender:' headers.
Somehow Yahoo sees no problem in that and is happy to DKIM sign those
emails with a correct *Yahoo* signature.

Over on my side, the receiving end of these emails, there is my
spamassassin. SA discovers the DKIM signature and is able to validate
this signature against the Yahoo server which is totally undesirable
in my opinion.

Maybe strict DKIM alignment is not always the best choice, because
sometimes the emails are signed by different servers without sharing
one signing key for the entire domain.

So is there any way to make SA perform at least a relaxed DKIM
alignment check on the headers so that the DKIM signature domain has
to belong to the 'From:' address?

Any hints or suggestions are much appreciated.


Cheers,
Thore

-- 




Re: Dealing with huge URLs and timeouts (possible evasion technique?)

2016-09-25 Thread Axb

On 09/26/2016 07:49 AM, Pedro David Marco wrote:

Hi,
When SA 3.4.1 analyzes emails with large random URIs... like this:
http://track.parceiroshl.com.[...]

timeout errors appear...
in debug mode I get:

 info: check: exceeded time limit in 
Mail::SpamAssassin::Plugin::Check::_uri_tests_0, skipping further tests
Ok, it makes sense, since parsing such a huge random string is a pain in the 
neck

Making SA ignore such URLs may be an option but it would be clearly an easy SA 
URL analysis evasion technique for spammers so... what do you think? How to 
deal with this? What to do?

May I ask you for your opinions and feedback, please?
Thanks!


This is not normal behaviour.

Please pastebin original message (with redacted recipient addr) so we 
can test against other systems



