Re: New whitelisting trick using from and spf

2017-03-07 Thread RW
On Tue, 7 Mar 2017 09:12:00 -0500 Dianne Skoll wrote: > SPF chose to use envelope sender not because it's more reliable, but > (I suspect) so as not to break mailing lists. More likely because the original intent was to reject as early as possible.

Re: New whitelisting trick using from and spf

2017-03-07 Thread Dianne Skoll
On Tue, 7 Mar 2017 00:04:59 + David Jones wrote: > >Er... well.  The envelope-from is not any more trustworthy than > >the header From:.  But it *is* the thing the SPF spec say to check, > >and *not* the header From:. > It should be way more trustworthy since it is where

Re: New whitelisting trick using from and spf

2017-03-06 Thread Marc Perkel
On 03/06/17 15:22, David Jones wrote: From: Marc Perkel <supp...@junkemailfilter.com> Sent: Monday, March 6, 2017 11:05 AM To: users@spamassassin.apache.org Subject: Re: New whitelisting trick using from and spf do you mean the header From: address? because anyone doing SPF does spf

Re: New whitelisting trick using from and spf

2017-03-06 Thread David Jones
>From: Dianne Skoll <d...@roaringpenguin.com> >Sent: Monday, March 6, 2017 5:40 PM >To: users@spamassassin.apache.org >Subject: Re: New whitelisting trick using from and spf   >On Mon, 6 Mar 2017 23:22:00 + >David Jones <djo...@ena.com> wrote: >> Not

Re: New whitelisting trick using from and spf

2017-03-06 Thread Dianne Skoll
On Mon, 6 Mar 2017 23:22:00 + David Jones wrote: [...] > Not good. SPF should be checked against the envelope-from > address which is more trustworthy. Er... well. The envelope-from is not any more trustworthy than the header From:. But it *is* the thing the SPF spec say

Re: New whitelisting trick using from and spf

2017-03-06 Thread David Jones
>From: Marc Perkel <supp...@junkemailfilter.com> >Sent: Monday, March 6, 2017 11:05 AM >To: users@spamassassin.apache.org >Subject: Re: New whitelisting trick using from and spf >> do you mean the header From: address? >> >> because anyone doing SPF do

Re: New whitelisting trick using from and spf

2017-03-06 Thread Marc Perkel
On 03/06/17 04:19, Matus UHLAR - fantomas wrote: On 05.03.17 10:38, Marc Perkel wrote: Well, new to me. Maybe others have thought of this. Many domains send nothing but good email and if you whitelist them based on FCRDNS all is good. Been doing that. But ... Many domains send nothing

Re: New whitelisting trick using from and spf

2017-03-06 Thread Charles Sprickman
> On Mar 6, 2017, at 12:58 PM, David B Funk > wrote: > > On Mon, 6 Mar 2017, Alan Hodgson wrote: > >>> It seems it should be easy to setup “If mail claims to be From: PayPal.com >>> and is not from PayPal, score +100” but it is not. >> >> This is what DMARC is

Re: New whitelisting trick using from and spf

2017-03-06 Thread Dianne Skoll
On Mon, 6 Mar 2017 11:58:25 -0600 (CST) David B Funk wrote: > But that won't help you when the scammers set the user visible from > as "acco...@paypai.com" or some other variant (with the actual > address part as or something else. I recall

Re: New whitelisting trick using from and spf

2017-03-06 Thread Alan Hodgson
On Monday 06 March 2017 11:58:25 David B Funk wrote: > On Mon, 6 Mar 2017, Alan Hodgson wrote: > >> It seems it should be easy to setup “If mail claims to be From: > >> PayPal.com > >> and is not from PayPal, score +100” but it is not. > > > > This is what DMARC is for. > > > > Run opendmarc as

Re: New whitelisting trick using from and spf

2017-03-06 Thread David B Funk
On Mon, 6 Mar 2017, Alan Hodgson wrote: It seems it should be easy to setup “If mail claims to be From: PayPal.com and is not from PayPal, score +100” but it is not. This is what DMARC is for. Run opendmarc as a milter and reject failures. Or score later on DMARC failure, even if just

Re: New whitelisting trick using from and spf

2017-03-06 Thread Alan Hodgson
> It seems it should be easy to setup “If mail claims to be From: PayPal.com > and is not from PayPal, score +100” but it is not. This is what DMARC is for. Run opendmarc as a milter and reject failures. Or score later on DMARC failure, even if just selectively for highly phished domains.

Re: New whitelisting trick using from and spf

2017-03-06 Thread Dianne Skoll
On Sun, 5 Mar 2017 10:38:09 -0800 Marc Perkel wrote: > If the from address is whitelisted AND the SPF of the from address is > good - I pass the email. And that's exactly how SPF is supposed to work. You shouldn't whitelist domains willy-nilly because they can be

Re: New whitelisting trick using from and spf

2017-03-06 Thread @lbutlr
On 2017-03-06 (04:45 MST), David Jones <djo...@ena.com> wrote: > >> From: @lbutlr <krem...@kreme.com> >> Sent: Monday, March 6, 2017 5:24 AM >> To: users@spamassassin.apache.org >> Subject: Re: New whitelisting trick using from and spf > >

Re: New whitelisting trick using from and spf

2017-03-06 Thread Matus UHLAR - fantomas
Spam/phishing emails pretending to be from Paypal won't have an envelope-from of *@paypal.com which is why you didn't get the desired effect.  You rarely use the blacklist_from only when there is very dumb senders that you want to block that don't matter - "blacklist_from" also bpocks

Re: New whitelisting trick using from and spf

2017-03-06 Thread Matus UHLAR - fantomas
On 05.03.17 10:38, Marc Perkel wrote: Well, new to me. Maybe others have thought of this. Many domains send nothing but good email and if you whitelist them based on FCRDNS all is good. Been doing that. But ... Many domains send nothing but good email and they send through reputable email

Re: New whitelisting trick using from and spf

2017-03-06 Thread David Jones
>From: Reindl Harald <h.rei...@thelounge.net> >Sent: Monday, March 6, 2017 5:58 AM >To: David Jones; @; users@spamassassin.apache.org >Subject: Re: New whitelisting trick using from and spf   >Am 06.03.2017 um 12:45 schrieb David Jones: >>> From: @lbutlr <kr

Re: New whitelisting trick using from and spf

2017-03-06 Thread David Jones
>From: @lbutlr <krem...@kreme.com> >Sent: Monday, March 6, 2017 5:24 AM >To: users@spamassassin.apache.org >Subject: Re: New whitelisting trick using from and spf   >On 2017-03-05 (18:59 MST), David Jones <djo...@ena.com> wrote: >> >> whitelist_auth does

Re: New whitelisting trick using from and spf

2017-03-06 Thread @lbutlr
On 2017-03-05 (18:59 MST), David Jones wrote: > > whitelist_auth does this against SPF_PASS and DKIM_VALID_AU I tired to do something along these lines at some point in the past by adding some lines to my local.cf like these: blacklist_from *@amazon.com whitelist_auth

Re: New whitelisting trick using from and spf

2017-03-05 Thread David Jones
>From: Marc Perkel <supp...@junkemailfilter.com> >Sent: Sunday, March 5, 2017 12:38 PM >To: users@spamassassin.apache.org >Subject: New whitelisting trick using from and spf   >Well, new to me. Maybe others have thought of this. Been doing this for a couple of years now.

New whitelisting trick using from and spf

2017-03-05 Thread Marc Perkel
Well, new to me. Maybe others have thought of this. Many domains send nothing but good email and if you whitelist them based on FCRDNS all is good. Been doing that. But ... Many domains send nothing but good email and they send through reputable email sender services which are mostly good