Re: welcomelist_auth and SPF

2022-12-19 Thread Matus UHLAR - fantomas

On 16.12.22 15:18, Alex wrote:

This GoDaddy/M365 quarantined email passes SPF, but despite now adding it
to my welcomelist, it is still marked as spam.

https://pastebin.com/VpPmgGN4


On 19.12.22 09:54, Matus UHLAR - fantomas wrote:

* 6.0 KAM_ZWNJ Use of null characters indicates a goal to elude scanners

try finding out why this matches:

meta  KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
body  __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
score KAM_ZWNJ 6.0


I haven't found anything about 9D character, but the other:

https://www.utf8-chartable.de/unicode-utf8-table.pl?start=8192=128

U+200C    e2 80 8c    ZERO WIDTH NON-JOINER



Only when I create a welcomelist_from_rcvd does it get delivered.


what exactly did you add to your welcomelist that did not work?


The sender's SPF record includes the sending IP (40.107.96.128) in the
secureserver.net entry, and SPF_PASS is hit.

-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record

There's also a FP on KAM_ZWNJ, or at the least is not a malicious email
intended to elude anything.

Can someone help me understand what's happening here?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse
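
One way to find out why `__KAM_ZWNJ2` matches, as an added example that is not part of the original thread or of the KAM ruleset. It assumes the pattern is applied to the UTF-8 bytes of the decoded body and counted over the whole body; `__KAM_ZWNJ1` is not shown in the thread and is not modelled, and the sample message is constructed.

```python
import re
from collections import Counter
from email import message_from_bytes, policy

# Pattern and threshold copied from the rule quoted in the thread.
KAM_ZWNJ2 = re.compile(rb"(?:\x9D|\xe2\x80\x8c)")
THRESHOLD = 16  # from the meta rule: (__KAM_ZWNJ2 >= 16)

# Constructed sample: ten curly-quoted phrases plus six ZWNJ characters.
SAMPLE = (
    "From: sender@example.com\r\nSubject: constructed sample\r\n"
    "MIME-Version: 1.0\r\nContent-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: 8bit\r\n\r\n"
    + "He said \u201cmerry christmas\u201d. " * 10
    + "\u200c" * 6 + "\r\n"
).encode("utf-8")


def body_bytes(raw: bytes) -> bytes:
    """Decode every text part and re-encode it as UTF-8 (assumed match form)."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(p.get_content() for p in parts).encode("utf-8")


def explain_hits(raw: bytes) -> dict:
    """Count pattern hits and attribute each hit to the character it sits in."""
    data = body_bytes(raw)
    by_char = Counter()
    for m in KAM_ZWNJ2.finditer(data):
        # Walk back to the lead byte of the UTF-8 sequence containing the hit.
        start = m.start()
        while start > 0 and (data[start] & 0xC0) == 0x80:
            start -= 1
        end = m.end()
        while end < len(data) and (data[end] & 0xC0) == 0x80:
            end += 1
        ch = data[start:end].decode("utf-8", errors="replace")
        by_char["U+%04X" % ord(ch[0])] += 1
    total = sum(by_char.values())
    return {"total": total, "by_char": dict(by_char), "fires": total >= THRESHOLD}


if __name__ == "__main__":
    print(explain_hits(SAMPLE))
```

On the byte level, `\x9D` is also the final byte of U+201D (RIGHT DOUBLE QUOTATION MARK, `e2 80 9d`), so under the stated assumption ordinary curly closing quotes count toward the threshold alongside U+200C.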


Re: welcomelist_auth and SPF

2022-12-19 Thread Matus UHLAR - fantomas

On 16.12.22 15:18, Alex wrote:

This GoDaddy/M365 quarantined email passes SPF, but despite now adding it
to my welcomelist, it is still marked as spam.

https://pastebin.com/VpPmgGN4


 * 6.0 KAM_ZWNJ Use of null characters indicates a goal to elude scanners

try finding out why this matches:

meta  KAM_ZWNJ (__KAM_ZWNJ1 + (__KAM_ZWNJ2 >= 16) >= 2)
body  __KAM_ZWNJ2 /(?:\x9D|\xe2\x80\x8c)/
score KAM_ZWNJ 6.0



Only when I create a welcomelist_from_rcvd does it get delivered.


what exactly did you add to your welcomelist that did not work?


The sender's SPF record includes the sending IP (40.107.96.128) in the
secureserver.net entry, and SPF_PASS is hit.

-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record

There's also a FP on KAM_ZWNJ, or at the least is not a malicious email
intended to elude anything.

Can someone help me understand what's happening here?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Support bacteria - they're the only culture some people have.


RE: welcomelist_auth and SPF

2022-12-17 Thread Marc
> 
> 
> Yes, GoDaddy is shit, but should that mean there's no expectation of
> being able to add it to a trusted senders list for individual senders?

of course 

whitelist_from *@christmasball.com

or you add some header 

header  TREE_WHITELIST X-Tree =~ /\bwhitelisted\b/
score   TREE_WHITELIST -50

> I'm now more curious why it says SPF_PASSed, yet my welcomelist entry
> didn't work to keep it from being marked as spam.

SPF pass is just a result that gets processed in the general result. The 
general result decides if a message is marked as spam. 

> Whether or not it's listed on the valli blocklists should also be
> irrelevant - that GoDaddy is shit is the exact reason why I'm trying to
> add this (unsuccessfully) to the welcomelist.

Maybe you have a version that still is racist? ;) 




Re: welcomelist_auth and SPF

2022-12-16 Thread Noel Butler

On 17/12/2022 08:35, Marc wrote:


The sender's SPF record includes the sending IP (40.107.96.128) in the
secureserver.net entry, and SPF_PASS is hit.


Without even checking anything I can already remember that this 
secureserver.net is shit. I have blocked whole ranges of them, they 
send spam, try passwords etc. I have the impression that there is 
nothing secure about secureserver and everything seems to be hacked 
there.


s/secureserver/google/

s/secureserver/amazon/

s/secureserver/microsoft/

s/secureserver/ ... /

I often have gmail accounts hit our honeypots, to the point that I now 
deliberately take a week or more to clear the google smtp of the day off 
the list, each time, I take longer and longer to remove - just like 
other providers


and I currently have a large chunk of google/amazon/MS/linode/D.O/...  
cloud ranges blocked.


My point is, they are all the same and if someone wishes to whitelist 
them, that's the risk they take, they are answerable to their users, not 
to you, me or anyone else.


--
Regards,
Noel Butler


Re: welcomelist_auth and SPF

2022-12-16 Thread Alex
Hi,

On Fri, Dec 16, 2022 at 5:35 PM Marc wrote:

> > The sender's SPF record includes the sending IP (40.107.96.128) in the
> > secureserver.net entry, and SPF_PASS is hit.
> >
>
> Without even checking anything I can already remember that this
> secureserver.net is shit. I have blocked whole ranges of them, they send
> spam, try passwords etc. I have the impression that there is nothing secure
> about secureserver and everything seems to be hacked there.
>
> You will always have false positives, and probably even more in the
> future, there is going to be more and more networks trying to mix spam with
> legitimate email.
> For this you have to create some way to unmark / whitelist email addresses.
>

Yes, GoDaddy is shit, but should that mean there's no expectation of being
able to add it to a trusted senders list for individual senders?

I'm now more curious why it says SPF_PASSed, yet my welcomelist entry
didn't work to keep it from being marked as spam.

Whether or not it's listed on the valli blocklists should also be
irrelevant - that GoDaddy is shit is the exact reason why I'm trying to add
this (unsuccessfully) to the welcomelist.


RE: welcomelist_auth and SPF

2022-12-16 Thread Marc
> The sender's SPF record includes the sending IP (40.107.96.128) in the
> secureserver.net entry, and SPF_PASS is hit.
> 

Without even checking anything I can already remember that this 
secureserver.net is shit. I have blocked whole ranges of them, they send spam, 
try passwords etc. I have the impression that there is nothing secure about 
secureserver and everything seems to be hacked there.

You will always have false positives, and probably even more in the future, 
there is going to be more and more networks trying to mix spam with legitimate 
email. 
For this you have to create some way to unmark / whitelist email addresses.




Re: welcomelist_auth and SPF

2022-12-16 Thread Benny Pedersen

Alex wrote on 2022-12-16 21:18:


https://pastebin.com/VpPmgGN4



-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record


netblocks are authorized
505,425 individual IPv4 addresses

I think so many spamming IPs is very spammy!

https://multirbl.valli.org/lookup/40.107.96.128.html 11 blacklisted
rbls, 8 welcome listed, still good proof imho not ham mail



There's also a FP on KAM_ZWNJ, or at the least is not a malicious
email intended to elude anything.


start removing fp rule sets if it's not what you want :)


Can someone help me understand what's happening here?


need non modified sample if more help is wanted