Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-07 Thread Andreas Schamanek via mailop


On Wed, 7 Feb 2024, at 08:32, Lichtinger, Bernhard via mailop wrote:

> > The IP addresses for "fonts.googleapis.com" are: 142.250.217.106
> > 2607:f8b0:400a:800::200a
>
> The IPs of "fonts.googleapis.com" got listed on SBL because these
> IPs are also used to serve "firebasestorage.googleapis.com". Last
> time I checked the IPs with https://check.spamhaus.org/ it told me
> the listing was because of malware hosted on some
> "firebasestorage.googleapis.com" URLs.


Thanks for pointing this out. Already yesterday I came to the 
conclusion that the whole thing is essentially related to how the 
Spamhaus' DQS plugin for SpamAssassin operates. My bug report, though, 
was quickly closed saying it was "a listing issue". Understandably, 
such issues are not disputed in the dqs plugin issue tracker.


In the meantime, your reply, Bernhard, helped me understand better 
what's going on. So, I added a comment, also crediting you, 
re-iterating that the core problem is not that (presumably not all 
but) some IPs are SBL listed:


https://github.com/spamhaus/spamassassin-dqs/issues/68#issuecomment-1932189548

--
-- Andreas

 :-)

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-07 Thread Lichtinger, Bernhard via mailop

> 
> The IP addresses for "fonts.googleapis.com" are:
> 142.250.217.106
> 2607:f8b0:400a:800::200a

The IPs of "fonts.googleapis.com" got listed on SBL because these IPs are also 
used to serve "firebasestorage.googleapis.com".
Last time I checked the IPs with https://check.spamhaus.org/ it told me the 
listing was because of malware hosted on some "firebasestorage.googleapis.com" 
URLs.


-- 
regards,

Bernhard Lichtinger
Leibniz-Rechenzentrum
Boltzmannstr. 1, D-85748 Garching 





Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-06 Thread Randolf Richardson, Postmaster via mailop
> It appears that Andreas Schamanek via mailop  said:
> >
> >Hi mailops,
> >
> >Thought some might be interested, though those affected sure already 
> >know:
> >
> >On January 25 I was alerted to false positives due to Spamhaus SBL 
> >listing IP addresses of fonts.googleapis.com.

The IP addresses for "fonts.googleapis.com" are:
142.250.217.106
2607:f8b0:400a:800::200a

> Are those IPs supposed to send mail?  If not, why would an SBL listing, even
> a mistaken one, matter?

I did some digging, and this is what I found with regard to a few of 
Google's domain names (since Andreas Schamanek's original query to 
this mailing list didn't mention any of the senders' domain names):

1. the SPF record for "googleapis.com" hard fails everything (so I 
wouldn't be expecting any eMails from addresses at googleapis.com):

SPF policy analysis --> hardfail with -all

https://www.openspf.ca/tools/analyze-spf.perl?z=googleapis.com

2. the SPF record for "google.com" doesn't allow mail from the 
aforementioned IPv4 address of 142.250.217.106, but it does allow 
mail from the IPv6 address 2607:f8b0:400a:800::200a:

SPF policy analysis --> pass for 2607:f8b0:4000::/36

https://www.openspf.ca/tools/analyze-spf.perl?z=google.com

3. the SPF record for "gmail.com" yields the same inclusion as for 
"google.com" (which is not surprising), and gives a pass only for the 
IPv6 address:

SPF policy analysis --> pass for 2607:f8b0:4000::/36

https://www.openspf.ca/tools/analyze-spf.perl?z=gmail.com

So, it doesn't seem to matter about eMail from fonts.googleapis.com 
(there's no SPF record for this third-level "fonts") as there 
obviously shouldn't be any coming from that domain name at either the 
second-level (as per policy) or the third-level (as per an educated 
guess based on the fact that Google publishes SPF records).

SPF policy test -- soft fail (yellow) for "fonts.googleapis.com"

https://www.openspf.ca/why.perl?id=nobody%40fonts.googleapis.com=142.250.217.106

SPF policy test -- hard fail (red) for "googleapis.com"

https://www.openspf.ca/why.perl?id=nobody%40googleapis.com=142.250.217.106

As for eMail from other domains on those IP addresses, it's 
difficult to say, but since both the IPv4 and IPv6 addresses 
mentioned are owned by Google (according to WHOIS queries), I think 
it's reasonable to assume that, for their main domain names, Google 
doesn't intend to send eMail from the IPv4 address and may have 
included the IPv6 address as a side-effect of being concise by 
specifying larger netblocks in their SPF records.  (Of course, for 
more certainty it would be prudent to ask Google's NOC directly.)

-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, Beautiful British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-06 Thread Ángel via mailop
On 2024-02-06 at 21:52 +0100, Andreas Schamanek wrote:
> Thanks, that's the aspect my foggy brain missed. It only matters for 
> those who check URIs, especially if found in the body, or more 
> precisely the IPs of the hostnames of these URIs.
> 
> (...)
> 
> So, I still got questions :) like why did these IPs end up on SBL in 
> the first place, and why does Spamhaus check against them?

Since you noticed this, you must be receiving emails containing urls to
fonts.googleapis.com (most probably inside some CSS rule to explicitly
set a specific typeface).

Just like whoever is sending you this, some spammers will be doing the
same. And thus, fonts.googleapis.com ends up listed. 

I see little reason to hotlink a font in an email, but either those
doing that care a lot about the typeface, or they are blindly copying
their website CSS which contains those urls.

Checking of the urls included in the mail was probably intended for
linkable urls (and, maybe, images), but if the email contains more
urls, checking them is one more point that can be used in the war of
discerning ham from spam.

I think there is a spamassassin setting you could use so that
fonts.googleapis.com bypasses the filter.

Regards




Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-06 Thread Andreas Schamanek via mailop


On Tue, 6 Feb 2024, at 15:24, John Levine via mailop wrote:

> > On January 25 I was alerted to false positives due to Spamhaus SBL
> > listing IP addresses of fonts.googleapis.com.
>
> Are those IPs supposed to send mail?  If not, why would an SBL
> listing, even a mistaken one, matter?


Thanks, that's the aspect my foggy brain missed. It only matters for 
those who check URIs, especially if found in the body, or more 
precisely the IPs of the hostnames of these URIs.


That's what their SpamAssassin Plugin for DQS does, cf. 
https://github.com/spamhaus/spamassassin-dqs


Rules URIBL_SBL_A and SH_BODYURI_REVERSE_SBL cause a very high rate of 
FPs (with default settings). The descriptions are


  Contains URL's A record listed in the Spamhaus SBL blocklist
  [URIs: fonts.googleapis.com]

  The corresponding A record of an URI contained in the body is
  listed in SBL [142.250.74.202]

So, I still got questions :) like why did these IPs end up on SBL in 
the first place, and why does Spamhaus check against them?


--
-- Andreas

 :-)
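
The lookup discussed in the message above, as an added example that is not part of the thread and not the DQS plugin's code: every URI host in a body, including a CSS font reference, is resolved and its A record is turned into a DNSBL query name, so a listing caused by one tenant of a shared IP hits every hostname on it. The zone name, the resolver table, the listed set and the `skip_hosts` parameter are constructed assumptions; only the hostnames and 142.250.74.202 come from the thread.

```python
import ipaddress
import re

# Placeholder zone: a real filter queries the blocklist zone it is configured for.
ZONE = "sbl.example.invalid"

# Constructed sample data standing in for DNS. Shared hosting and the
# "listed" state are modelled here, not looked up.
A_RECORDS = {
    "fonts.googleapis.com": "142.250.74.202",
    "firebasestorage.googleapis.com": "142.250.74.202",
    "www.example.org": "192.0.2.10",
}
LISTED = {"202.74.250.142." + ZONE}

# Constructed message body: a hotlinked font in CSS plus one ordinary link.
BODY = """<style>@import url(https://fonts.googleapis.com/css?family=Roboto);</style>
<a href="https://www.example.org/news">Newsletter</a>"""

def uri_hosts(body):
    """Hostnames of every http(s) URI in the body, CSS references included."""
    return sorted({h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", body)})

def dnsbl_name(ip, zone=ZONE):
    """DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6) plus zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def check_body(body, skip_hosts=()):
    """Map each URI host to (A record, listed?) the way an A-record URI rule would."""
    result = {}
    for host in uri_hosts(body):
        if host in skip_hosts or host not in A_RECORDS:
            continue  # skipped by local policy, or unresolvable in this sample
        ip = A_RECORDS[host]
        result[host] = (ip, dnsbl_name(ip) in LISTED)
    return result

if __name__ == "__main__":
    print(check_body(BODY))
    print(check_body(BODY, skip_hosts={"fonts.googleapis.com"}))
```

The first call flags fonts.googleapis.com although nothing at that hostname is malicious; the second shows the effect of a local skip list for hosts whose IPs are shared.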



Re: [mailop] Spamhaus SBL listing fonts.googleapis.com

2024-02-06 Thread John Levine via mailop
It appears that Andreas Schamanek via mailop  said:
>
>Hi mailops,
>
>Thought some might be interested, though those affected sure already 
>know:
>
>On January 25 I was alerted to false positives due to Spamhaus SBL 
>listing IP addresses of fonts.googleapis.com.

Are those IPs supposed to send mail?  If not, why would an SBL listing, even
a mistaken one, matter?

R's,
John