Re: Spoofed Domain

2016-08-09 Thread Bill Cole
On 9 Aug 2016, at 17:56, Anthony Hoppe wrote: My first thought is to increase the weight of SPF_FAIL, but I'm not sure what unintended consequences this may create? There are a substantial number of domains with overly-restrictive SPF. There are also still transparent forwarders out there

Re: Spoofed Domain

2016-08-09 Thread Benny Pedersen
On 2016-08-10 01:22, Anthony Hoppe wrote: Our mail setup (Zimbra) uses postfix. http://www.impsec.org/~jhardin/antispam/milter-regex.conf and postfix support milters

Re: Spoofed Domain

2016-08-09 Thread Anthony Hoppe
Our mail setup (Zimbra) uses postfix. - Original Message - From: "John Hardin" To: "SpamAssassin" Sent: Tuesday, August 9, 2016 4:20:22 PM Subject: Re: Spoofed Domain On Tue, 9 Aug 2016, Anthony Hoppe wrote: > Though I think I'd

Re: Spoofed Domain

2016-08-09 Thread John Hardin
On Tue, 9 Aug 2016, Anthony Hoppe wrote: Though I think I'd rather just reject...that seems to make more sense. I'll need to do some research on how to reject messages with a from and to domain of my domain that match that are being sent from an external network. What's your MTA? Here's

Re: Spoofed Domain

2016-08-09 Thread John Hardin
On Wed, 10 Aug 2016, Benny Pedersen wrote: On 2016-08-10 00:23, John Hardin wrote: You could score a meta of SPF_FAIL + return-path in your domain as a poison pill, but as others have said, these shouldn't make it all the way to SA. waste of time, mta stage should not accept local

Re: Spoofed Domain

2016-08-09 Thread Benny Pedersen
On 2016-08-10 00:23, John Hardin wrote: You could score a meta of SPF_FAIL + return-path in your domain as a poison pill, but as others have said, these shouldn't make it all the way to SA. waste of time, mta stage should not accept local domains as sender on port 25, simple, it does not

Re: Spoofed Domain

2016-08-09 Thread Anthony Hoppe
Hmm. Tagging the message is an option. Though I think I'd rather just reject...that seems to make more sense. I'll need to do some research on how to reject messages with a from and to domain of my domain that match that are being sent from an external network. In theory, these messages should

Re: Spoofed Domain

2016-08-09 Thread Vincent Fox
You could "tag" messages though that originate externally, claim to be From and destined To domain. I've thought of doing that locally. You know, alter the Subject line with [PHISH?] or something like that. However SPF is really a terrible tool. By design it operates on the envelope, which

Re: Spoofed Domain

2016-08-09 Thread John Hardin
On Tue, 9 Aug 2016, Anthony Hoppe wrote: Someone out there has decided to spoof our domain and send us spam. My first thought was that SPF checks were not working, but in analyzing the headers of a message one of our users received SPF_FAIL is triggering, but the weight is very low. My first

Re: Spoofed Domain

2016-08-09 Thread Anthony Hoppe
When you say SPF is not a good tool for filtering, do you mean that it shouldn't be used at all? Or if SPF_FAIL is triggered that an email should be rejected altogether? From: "Vincent Fox" To: "Anthony Hoppe" , "SpamAssassin"

Re: Spoofed Domain

2016-08-09 Thread Vincent Fox
SPF is not a good tool for filtering IMO. Scoring? Why score them? If you get to the SpamAssassin layer with this you've already failed. Reject! We use ClamAV Foxhole databases, to severely restrict attachment types. Combined with a little bit of greet_pause, and a ton of greylist penalty

Re: Spoofed Domain

2016-08-09 Thread Anthony Hoppe
Hmm, that's not a bad idea for this particular instance. I may do that. From: "Rob McEwen" To: "SpamAssassin" Sent: Tuesday, August 9, 2016 3:01:57 PM Subject: Re: Spoofed Domain On 8/9/2016 5:56 PM, Anthony Hoppe wrote: > Here are

Re: Spoofed Domain

2016-08-09 Thread Rob McEwen
On 8/9/2016 5:56 PM, Anthony Hoppe wrote: Here are the headers as an example: http://pastebin.com/bnU0npLR This particular email has a macro-enabled Word document attached, but I don't want to assume this will be the case every time. Any tips/tricks/suggestions would be greatly appreciated! I

Spoofed Domain

2016-08-09 Thread Anthony Hoppe
Hello All, Although I've been a member of this list for a while, I'm still very much a n00b when it comes to SpamAssassin. So please keep that in mind when you read my message (don't hurt me!)... :-) Someone out there has decided to spoof our domain and send us spam. My first thought was

Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread John Hardin
On Tue, 9 Aug 2016, li...@rhsoft.net wrote: On 09.08.2016 at 18:08, Kevin Golding wrote: Based on what you're trying to do: man dig doesn't help, see below or depending on your resolver possibly: man drill doesn't help, see below Whilst I agree it is slightly more effort to set-up

Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread li...@rhsoft.net
On 09.08.2016 at 18:08, Kevin Golding wrote: Based on what you're trying to do: man dig doesn't help, see below or depending on your resolver possibly: man drill doesn't help, see below Whilst I agree it is slightly more effort to set-up whitelisting by looking up the details first it

Re: R: R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Kevin Golding
On Tue, 09 Aug 2016 16:43:50 +0100, Nicola Piazzi wrote: WHITELIST_FROM_RCVD requires to know mailserver name Take this example: whitelist_from_rcvd *@axkit.org sergeant.org We want to accept all domain axkit.org and we are sure that is not spoofing

R: R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
WHITELIST_FROM_RCVD requires to know mailserver name Take this example: whitelist_from_rcvd *@axkit.org sergeant.org We want to accept all domain axkit.org and we are sure that is not spoofing when it comes from names that end with domain sergeant.org But if I have only email address I

Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread li...@rhsoft.net
On 09.08.2016 at 17:39, RW wrote: On Tue, 9 Aug 2016 15:19:08 + Nicola Piazzi top-posted: I don't know if you want to find a solution or if you want to say why I am searching one. Reason is this: I have SPF_PASS, a variable that tells me that who send is proprietary of that domain I KNOW

Re: R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread RW
On Tue, 9 Aug 2016 15:19:08 + Nicola Piazzi top-posted: > I don't know if you want to find a solution or if you want to say why > I am searching one. Reason is this: > I have SPF_PASS, a variable that tells me that who send is proprietary > of that domain I KNOW PERFECTLY THAT SOMEONE CAN TELL

R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
I don't know if you want to find a solution or if you want to say why I am searching one. Reason is this: I have SPF_PASS, a variable that tells me that who send is proprietary of that domain I KNOW PERFECTLY THAT SOMEONE CAN TELL SPAM WITH A PURCHASED REGULAR NON SPOOFED DOMAIN But I can

Re: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Merijn van den Kroonenberg
> On Tue, 9 Aug 2016 08:45:54 + > Nicola Piazzi wrote: > >> whitelist_from_rcvd is intended to legitimate a single domain, >> specifying domain by domain >> >> I need something that tell me that check all incoming email and say >> if the originating ip (or class c) is the same of mx record >>

Re: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread RW
On Tue, 9 Aug 2016 08:45:54 + Nicola Piazzi wrote: > whitelist_from_rcvd is intended to legitimate a single domain, > specifying domain by domain > > I need something that tell me that check all incoming email and say > if the originating ip (or class c) is the same of mx record > > This

Re: R: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Axb
Please keep list mail on the list. Direct replies unless stated as OFFLIST are not welcome. On 08/09/2016 10:51 AM, Nicola Piazzi wrote: Hi, I don't want to specify some names I need a rule that tell me if an email was sent using the same ip of the domain mx record So I am sure that the email

Re: R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Axb
FTR: you can also do whitelist_from_rcvd *@* gruppocomet.it or whitelist_from_rcvd *@*.it gruppocomet.it or variations of... On 08/09/2016 10:45 AM, Nicola Piazzi wrote: whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain I need something that tell me

R: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record This can be intended like an SPF_PASS when people don't set spf at all.

Re: A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Kevin Golding
On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote: Hi A lot of time we receive mail that are SPF NONE and have no DKIM It will be useful a little plugin that be able to give another chance to legitimate these emails A lot of servers use the same machine

A plugin to legitimate email when SPF and DKIM missing

2016-08-09 Thread Nicola Piazzi
Hi A lot of time we receive mail that are SPF NONE and have no DKIM It will be useful a little plugin that be able to give another chance to legitimate these emails A lot of servers use the same machine to send and receive emails, Plugin must read sender domain and search if the IP used to send