Re: SPF_FAIL
On Thu, 12 Nov 2020 12:34:25 +0100 Matus UHLAR - fantomas wrote:

> >On Wed, 11 Nov 2020 17:01:21 +0100
> >> On 11.11.20 15:41, RW wrote:
>
> On 11.11.20 19:06, RW wrote:
> >These two cases share the same "authenticated" primary reputation:
> >
> > Return-path: c...@example.com
> > From: c...@example.com
> >
> > Return-path: some...@somewhereelse.com
> > From: c...@example.com
> >
> >The benefit of this could be substantial, particularly with
> >txrep_learn_bonus set. All you have to do is make sure the envelope
> >sender passes SPF.
> >
> >To be honest I haven't verified this, but the code looks
> >straightforward. $signedby gets set to the tag DKIMDOMAIN or falls
> >back to the fixed string 'spf' for an SPF pass.
>
> sorry, I'm not into txrep much for now.
>
> Does it mean, that txrep correctly compares Return-Path (or any
> header that is filled by envelope from), but incorrectly adds bonus
> to address in From: header?

When there's a valid DKIM signature TxRep identifies the main reputation with a combination of "header from" and the signing domain. It doesn't require DMARC style alignment, but that's not easily exploitable because signing with a different domain creates a new reputation.

With SPF a pass is simply treated as having authenticated the "header from" regardless of the "envelope from" that was used in SPF. This allows an existing good reputation to be exploited easily - even accidentally.

An improvement would be to handle SPF like DKIM, using the envelope domain like a signing domain.
Re: SPF_FAIL
>On Wed, 11 Nov 2020 17:01:21 +0100
>> On 11.11.20 15:41, RW wrote:
>> >Note that without a DKIM pass, SPF is easily spoofed in TxRep.
>>
>> is it? how does that work then?
>
>It's implicit in the next bit.
>
>> >DKIM reputations are identified by a combination of header from
>> >address and signing domain. SPF pass reputations are just identified
>> >by header address, without incorporating the envelope domain or
>> >requiring alignment.

On 11.11.20 19:06, RW wrote:
>These two cases share the same "authenticated" primary reputation:
>
> Return-path: c...@example.com
> From: c...@example.com
>
> Return-path: some...@somewhereelse.com
> From: c...@example.com
>
>The benefit of this could be substantial, particularly with
>txrep_learn_bonus set. All you have to do is make sure the envelope
>sender passes SPF.
>
>To be honest I haven't verified this, but the code looks
>straightforward. $signedby gets set to the tag DKIMDOMAIN or falls
>back to the fixed string 'spf' for an SPF pass.

sorry, I'm not into txrep much for now.

Does it mean, that txrep correctly compares Return-Path (or any header that is filled by envelope from), but incorrectly adds bonus to address in From: header?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
Re: SPF_FAIL
On Wed, 11 Nov 2020 17:01:21 +0100

> On 11.11.20 15:41, RW wrote:
> >Note that without a DKIM pass, SPF is easily spoofed in TxRep.
>
> is it? how does that work then?

It's implicit in the next bit.

> >DKIM reputations are identified by a combination of header from
> >address and signing domain. SPF pass reputations are just identified
> >by header address, without incorporating the envelope domain or
> >requiring alignment.

These two cases share the same "authenticated" primary reputation:

 Return-path: c...@example.com
 From: c...@example.com

 Return-path: some...@somewhereelse.com
 From: c...@example.com

The benefit of this could be substantial, particularly with txrep_learn_bonus set. All you have to do is make sure the envelope sender passes SPF.

To be honest I haven't verified this, but the code looks straightforward. $signedby gets set to the tag DKIMDOMAIN or falls back to the fixed string 'spf' for an SPF pass.
Re: SPF_FAIL
>Matus UHLAR - fantomas skrev den 2020-11-11 17:01:
>>Martin Gregorie skrev den 2020-11-11 11:02:
>>>On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote:
>>On 11.11.20 15:41, RW wrote:
>>>Note that without a DKIM pass, SPF is easily spoofed in TxRep.
>>
>>is it? how does that work then?

On 11.11.20 17:20, Benny Pedersen wrote:
>signedby tracking in awl and txrep but not signed, does just group them
>as not signed, it still is reputation

can you please describe deeper? how is it spoofed?
does it ignore SPF sometimes, and takes for correct otherwise?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: SPF_FAIL
Matus UHLAR - fantomas skrev den 2020-11-11 17:01:
>Martin Gregorie skrev den 2020-11-11 11:02:
>> On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote:
>On 11.11.20 15:41, RW wrote:
>>Note that without a DKIM pass, SPF is easily spoofed in TxRep.
>
>is it? how does that work then?

signedby tracking in awl and txrep but not signed, does just group them as not signed, it still is reputation
Re: SPF_FAIL
>Martin Gregorie skrev den 2020-11-11 11:02:
>> On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote:
>> I suppose some may find it useful to datestamp entries with the last
>> time mail was sent to them and remove any addresses that haven't
>> been sent mail for 'x' days/weeks/months/years but I've never
>> needed that ability.

On Wed, 11 Nov 2020 11:14:05 +0100 Benny Pedersen wrote:
>amavisd have penpal
>spamassassin have txrep

On 11.11.20 15:41, RW wrote:
>Note that without a DKIM pass, SPF is easily spoofed in TxRep.

is it? how does that work then?

>DKIM reputations are identified by a combination of header from
>address and signing domain. SPF pass reputations are just identified
>by header address, without incorporating the envelope domain or
>requiring alignment.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
Re: SPF_FAIL
On Wed, 11 Nov 2020 11:14:05 +0100 Benny Pedersen wrote:

> Martin Gregorie skrev den 2020-11-11 11:02:
> > On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote:
> >
> > I suppose some may find it useful to datestamp entries with the last
> > time mail was sent to them and remove any addresses that haven't
> > been sent mail for 'x' days/weeks/months/years but I've never
> > needed that ability.
>
> amavisd have penpal
> spamassassin have txrep

Note that without a DKIM pass, SPF is easily spoofed in TxRep.

DKIM reputations are identified by a combination of header from address and signing domain. SPF pass reputations are just identified by header address, without incorporating the envelope domain or requiring alignment.
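An added Python model (not SpamAssassin's TxRep code) of the reputation keying RW describes here and in the 12 Nov reply: the key is the From: address plus a "signed by" token, which is the DKIM signing domain or the fixed string 'spf', so a second envelope domain that passes SPF inherits the first one's reputation; key_proposed applies RW's suggested fix of using the envelope domain like a signing domain. The addresses and scores are constructed.

```python
"""Reputation-key derivation for an AWL/TxRep-style store (illustrative only).

Added example, not the TxRep plugin's own code. Scores follow SpamAssassin's
convention that lower (negative) means more ham-like.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ReputationKey = Tuple[str, str]


@dataclass(frozen=True)
class AuthResult:
    header_from: str            # address in the From: header
    envelope_from: str          # MAIL FROM / Return-Path address
    spf_pass: bool              # SPF result evaluated against envelope_from
    dkim_domain: Optional[str]  # d= of a valid DKIM signature, else None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def key_current(r: AuthResult) -> ReputationKey:
    """Behaviour as the thread describes it: a valid DKIM signature keys on
    the signing domain, an SPF pass keys on the fixed token 'spf' with no
    reference to which envelope domain actually passed."""
    if r.dkim_domain:
        signedby = r.dkim_domain.lower()
    elif r.spf_pass:
        signedby = "spf"
    else:
        signedby = ""  # unauthenticated mail lands in a separate reputation
    return (r.header_from.lower(), signedby)


def key_proposed(r: AuthResult) -> ReputationKey:
    """RW's suggested fix: treat the SPF-validated envelope domain the way a
    DKIM signing domain is treated, so another envelope domain gets a fresh
    reputation instead of inheriting the existing one."""
    if r.dkim_domain:
        signedby = r.dkim_domain.lower()
    elif r.spf_pass:
        signedby = "spf:" + domain_of(r.envelope_from)
    else:
        signedby = ""
    return (r.header_from.lower(), signedby)


class ReputationStore:
    """Minimal stand-in for the TxRep database: running mean score per key."""

    def __init__(self) -> None:
        self._totals: Dict[ReputationKey, Tuple[float, int]] = {}

    def learn(self, key: ReputationKey, score: float) -> None:
        total, count = self._totals.get(key, (0.0, 0))
        self._totals[key] = (total + score, count + 1)

    def mean(self, key: ReputationKey) -> Optional[float]:
        if key not in self._totals:
            return None
        total, count = self._totals[key]
        return total / count


# Constructed samples mirroring the two cases in the thread (placeholder addresses).
LEGIT = AuthResult("alice@example.com", "alice@example.com", True, None)
SPOOF = AuthResult("alice@example.com", "bulk@somewhereelse.example", True, None)
DKIM_OWN = AuthResult("alice@example.com", "x@example.com", False, "example.com")
DKIM_OTHER = AuthResult("alice@example.com", "x@example.com", False, "other.example")


def inherited_reputation(keyfn: Callable[[AuthResult], ReputationKey]) -> Optional[float]:
    """Accumulate a good reputation from legitimate mail, then report what
    reputation an SPF-passing message from another envelope domain sees."""
    store = ReputationStore()
    for score in (-2.0, -1.5, -2.5):  # three hammy messages from alice
        store.learn(keyfn(LEGIT), score)
    return store.mean(keyfn(SPOOF))


if __name__ == "__main__":
    print("current :", key_current(SPOOF), inherited_reputation(key_current))
    print("proposed:", key_proposed(SPOOF), inherited_reputation(key_proposed))
```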
Re: SPF_FAIL
Martin Gregorie skrev den 2020-11-11 11:02:
>On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote:
>I suppose some may find it useful to datestamp entries with the last
>time mail was sent to them and remove any addresses that haven't
>been sent mail for 'x' days/weeks/months/years but I've never
>needed that ability.

amavisd have penpal
spamassassin have txrep

it require no maintenance at all when configured but i admit txrep could need more support to this
Re: SPF_FAIL
On Wed, 2020-11-11 at 09:52 +0100, Tobi wrote:
> > If I only had a ready-made list of those important domains.
>
> If you filter for customer domains then maybe (depending the customer
> domain) adding the customer domain to spf checks is worth a look too.
>
That's easy: keep a database of addresses you've sent mail to and treat that as a whitelist. Should work at almost any scale and about the only essential maintenance it needs is the ability to remove addresses you no longer want to whitelist.

I suppose some may find it useful to datestamp entries with the last time mail was sent to them and remove any addresses that haven't been sent mail for 'x' days/weeks/months/years but I've never needed that ability.

Martin
Re: SPF_FAIL
> If I only had a ready-made list of those important domains.

If you filter for customer domains then maybe (depending the customer domain) adding the customer domain to spf checks is worth a look too.

On 11/11/20 6:29 AM, Victor Sudakov wrote:
> John Hardin wrote:
>>
>>> Moreover, after reading other replies in the thread, I am even beginning to
>>> doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
>>> some installations).
>>
>> "it depends".
>>
>> Doing that for certain domains - like, large banks - would probably be a
>> good idea. By default, for all domains, not so much.
>
> If I only had a ready-made list of those important domains.
Re: SPF_FAIL
John Hardin wrote:
>
> > Moreover, after reading other replies in the thread, I am even beginning to
> > doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
> > some installations).
>
> "it depends".
>
> Doing that for certain domains - like, large banks - would probably be a
> good idea. By default, for all domains, not so much.

If I only had a ready-made list of those important domains.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL
On Thu, 5 Nov 2020, Victor Sudakov wrote:

> Moreover, after reading other replies in the thread, I am even beginning to
> doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
> some installations).

"it depends".

Doing that for certain domains - like, large banks - would probably be a good idea. By default, for all domains, not so much.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
4 days until The 82nd anniversary of Kristallnacht - disarmament enables genocide
Re: SPF_FAIL
Matus UHLAR - fantomas wrote:
> > > Victor Sudakov skrev den 2020-11-04 15:47:
> > > > 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
> > > Benny Pedersen wrote:
> > > feel free to add into local.cf
> > > score SPF_FAIL (5) (5) (5) (5)
> > >
> > > this will add 5 points to default score
>
> On 05.11.20 18:54, Victor Sudakov wrote:
> > Is that sarcasm, Benny? I don't deserve it.
> >
> > An SPF fail is by no means a sure sign of spam. It can be some indicator
> > of spamicity (as I thought), but not a decisive sign thereof.
>
> we are aware of that. That's the main reason SPF_FAIL score is not high.
>
> but you can do that and expect other rules to push score back to ham range.

If I get users' complaints about false negatives and see that they could have been prevented by setting a higher score for SPF_FAIL, I'll do that.

> > Moreover, after reading other replies in the thread, I am even beginning to
> > doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
> > some installations).
>
> you can still do that as policy decision.

The practice of SRS is not widely adopted IMHO, so I shall prefer for SPF_FAIL to be one of the many spamicity factors, and not a decisive factor for rejection.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL
On 5 Nov 2020, at 5:52, Benny Pedersen wrote:

> Bill Cole skrev den 2020-11-05 04:22:
>> On 4 Nov 2020, at 20:42, Benny Pedersen wrote:
>>> Bill Cole skrev den 2020-11-05 00:21:
>>>> 1. Incorrect SPF records are not rare. Even '-all' records with some
>>>> permitted IPs.
>>>
>>> envelope sender changes on nexthop
>>
>> Irrelevant to the problem cited, which is simply incorrect records that
>> fail to list IPs that they should
>
> no its not, its not same domain at least, more or less people say
> maillists breaks spf and we need srs to resolve it, maybe why more
> maillists does not have spf at all

I believe that we have a language barrier, as I cannot make sense of that "sentence" and it veers off into the irrelevant issue of mailing list. I am not up to the task of trying to navigate around that barrier. I am sorry that we cannot understand each other's words.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: SPF_FAIL
>Bill Cole skrev den 2020-11-05 04:22:
>>On 4 Nov 2020, at 20:42, Benny Pedersen wrote:
>>>Bill Cole skrev den 2020-11-05 00:21:
>>>>1. Incorrect SPF records are not rare. Even '-all' records with some
>>>>permitted IPs.
>>>
>>>envelope sender changes on nexthop
>>
>>Irrelevant to the problem cited, which is simply incorrect records that
>>fail to list IPs that they should

On 05.11.20 11:52, Benny Pedersen wrote:
>no its not, its not same domain at least, more or less people say
>maillists breaks spf and we need srs to resolve it, maybe why more
>maillists does not have spf at all

I don't remember anyone saying that. Maybe you confused forwarding and mailing lists?

>>Are you maybe thinking of how mailing list managers like Mailman or
>>majordomo operate?
>
>postfix maillist have no spf at all, i still get dmarc pass :=)
>
>can read only accounts be solved in spamassassin maillist?, i just say i
>have now added rhsoft to rpz locally

dmarc can pass even if SPF does not.
dmarc requires either DKIM or SPF pass, with the domain same as From:.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig
Re: SPF_FAIL
>Victor Sudakov skrev den 2020-11-04 15:47:
>> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

>Benny Pedersen wrote:
>feel free to add into local.cf
>score SPF_FAIL (5) (5) (5) (5)
>
>this will add 5 points to default score

On 05.11.20 18:54, Victor Sudakov wrote:
>Is that sarcasm, Benny? I don't deserve it.
>
>An SPF fail is by no means a sure sign of spam. It can be some indicator
>of spamicity (as I thought), but not a decisive sign thereof.

we are aware of that. That's the main reason SPF_FAIL score is not high.

but you can do that and expect other rules to push score back to ham range.

>Moreover, after reading other replies in the thread, I am even beginning to
>doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in
>some installations).

you can still do that as policy decision.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: SPF_FAIL
On 05/11/2020 21:54, Victor Sudakov wrote:

> An SPF fail is by no means a sure sign of spam. It can be some indicator
> of spamicity (as I thought), but not a decisive sign thereof.

SPF was never designed to be anti-spam, although on face value it does have that ability given that spammers impersonate domains; it is one of many tools required in that battle.

I was an early adopter of SPF, in its very very early stages. There are some rare instances in early days where SPF may break in some forwarding cases, but for well over a decade most forwarders re-write sender so it's not a problem. It's never been a problem with mailing lists for me either, unlike DKIM. I've never experienced any deliverability problems due to SPF, but YMMV. Microsoft's SRS however gave a lot of headaches with mailing lists and was such a flop even Microsoft advises against its use.

> doubt the wisdom of rejecting hard SPF fails in the MTA

Why? Because a handful of people are too clueless to keep their records up to date? They set those records in first place to prevent spoofing, they know the risks, they know if they change AS's or suppliers they have to modify those records. I mean FFS, they change all other records to new IP's don't they, so frankly they get what they deserve if they can't be bothered.

>> i just think default score is made for spamass milter users with do rejects
>> of spam mails, but why not honour spf fail rejections, hmm

If they set a softfail, they don't really care if that domain is spoofed, or it just isn't an important domain. I adjust my SA rules to force softfails as spam, I hard reject hardfails on MTA, and I also null out any and all whitelisting in SA; trust must be earned, not assumed.

-- 
Regards,
Noel Butler
Re: SPF_FAIL
RW wrote:
>
> Please don't hijack existing threads.

Oh, sorry about that.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL
Benny Pedersen wrote:
> Victor Sudakov skrev den 2020-11-04 15:47:
>
> > 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>
> feel free to add into local.cf
>
> score SPF_FAIL (5) (5) (5) (5)
>
> this will add 5 points to default score

Is that sarcasm, Benny? I don't deserve it.

An SPF fail is by no means a sure sign of spam. It can be some indicator of spamicity (as I thought), but not a decisive sign thereof.

Moreover, after reading other replies in the thread, I am even beginning to doubt the wisdom of rejecting hard SPF fails in the MTA (which I do in some installations).

>
> i just think default score is made for spamass milter users with do rejects
> of spam mails, but why not honour spf fail rejections, hmm

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: SPF_FAIL
Bill Cole skrev den 2020-11-05 04:22:
>On 4 Nov 2020, at 20:42, Benny Pedersen wrote:
>>Bill Cole skrev den 2020-11-05 00:21:
>>>1. Incorrect SPF records are not rare. Even '-all' records with some
>>>permitted IPs.
>>
>>envelope sender changes on nexthop
>
>Irrelevant to the problem cited, which is simply incorrect records that
>fail to list IPs that they should

no its not, its not same domain at least, more or less people say maillists breaks spf and we need srs to resolve it, maybe why more maillists does not have spf at all

>>>2. Traditional (/etc/aliases, ~/.forward, etc.) transparent forwarding
>>>breaks SPF.
>>
>>envelope sender changes on nexthop
>
>That is simply not true, unless one deploys extraordinary measures such
>as SRS. SMTP is not UUCP.

oh uucp breaks spf :=)

spf is broken on original envelope sender, the nexthop sender domain can still have no spf, or spf pass or fail

>>nothing is really broken
>
>But in fact, it is. If you use traditional MTA-based forwarding
>mechanisms such as /etc/aliases and ~/.forward files, the envelope sender
>on an outbound message is the same as it is on the inbound message. This
>is why SRS was invented alongside SPF.

then you forwards forward with original domain as sender, this is the fail then, forwarding mta should still self make valid spf for their own domain, and not include missing ips into original sender domain in envelope from

>Are you maybe thinking of how mailing list managers like Mailman or
>majordomo operate?

postfix maillist have no spf at all, i still get dmarc pass :=)

can read only accounts be solved in spamassassin maillist?, i just say i have now added rhsoft to rpz locally
Fwd: Re: SPF_FAIL
many thanks for read only accounts :/

Original message
Subject: Re: SPF_FAIL
Date: 2020-11-05 09:05
From: "Reindl Harald (privat)"
To: Benny Pedersen, users@spamassassin.apache.org

On 05.11.20 at 02:42, Benny Pedersen wrote:
> Bill Cole skrev den 2020-11-05 00:21:
>> 1. Incorrect SPF records are not rare. Even '-all' records with some
>> permitted IPs.
>
> envelope sender changes on nexthop

bullshit

>> 2. Traditional (/etc/aliases, ~/.forward, etc.) transparent forwarding
>> breaks SPF.
>
> envelope sender changes on nexthop

bullshit

> nothing is really broken

you are a clueless idiot
Re: SPF_FAIL
On 4 Nov 2020, at 20:42, Benny Pedersen wrote:

> Bill Cole skrev den 2020-11-05 00:21:
>> 1. Incorrect SPF records are not rare. Even '-all' records with some
>> permitted IPs.
>
> envelope sender changes on nexthop

Irrelevant to the problem cited, which is simply incorrect records that fail to list IPs that they should

>> 2. Traditional (/etc/aliases, ~/.forward, etc.) transparent forwarding
>> breaks SPF.
>
> envelope sender changes on nexthop

That is simply not true, unless one deploys extraordinary measures such as SRS. SMTP is not UUCP.

> nothing is really broken

But in fact, it is. If you use traditional MTA-based forwarding mechanisms such as /etc/aliases and ~/.forward files, the envelope sender on an outbound message is the same as it is on the inbound message. This is why SRS was invented alongside SPF.

Are you maybe thinking of how mailing list managers like Mailman or majordomo operate?

-- 
Bill Cole
Re: SPF_FAIL
Bill Cole skrev den 2020-11-05 00:21:
>1. Incorrect SPF records are not rare. Even '-all' records with some
>permitted IPs.

envelope sender changes on nexthop

>2. Traditional (/etc/aliases, ~/.forward, etc.) transparent forwarding
>breaks SPF.

envelope sender changes on nexthop

nothing is really broken
Re: SPF_FAIL
On 4 Nov 2020, at 9:47, Victor Sudakov wrote:

> Dear Colleagues,
>
> Why does SpamAssassin (Debian 10, SpamAssassin 3.4.2) not count an SPF
> check fail as a symptom of spam? That's what I see in the spam report:
>
> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>
> No spam points for an SPF fail?

Technically that's 0.001, because it is used in 'meta' rules and so must not be scored at 0. With Bayes disabled it gets more weight: 0.919. Those appear to have been determined based on a "GA" rescore run some time ago. The latest network mass-check (https://ruleqa.spamassassin.org/20201031-r1883012-n/SPF_FAIL/detail) indicates that SPF_FAIL is not a very good performer on its own.

> And it's even a hard fail (a "-all") in
> this case.
>
> I can probably bump up the score for SPF_FAIL but would like to know
> first why it is a 0.0 by default. This was probably someone's
> well-grounded decision?

Yes.

1. Incorrect SPF records are not rare. Even '-all' records with some permitted IPs.

2. Traditional (/etc/aliases, ~/.forward, etc.) transparent forwarding breaks SPF.

-- 
Bill Cole
Re: SPF_FAIL
Please don't hijack existing threads.

On Wed, 4 Nov 2020 21:47:34 +0700 Victor Sudakov wrote:

> Dear Colleagues,
>
> Why does SpamAssassin (Debian 10, SpamAssassin 3.4.2) not count an SPF
> check fail as a symptom of spam? That's what I see in the spam
> report:
>
> 0.0 SPF_FAIL SPF: sender does not match SPF record
> (fail)
>
> No spam points for an SPF fail? And it's even a hard fail (a "-all")
> in this case.
>
> I can probably bump up the score for SPF_FAIL but would like to know
> first why it is a 0.0 by default. This was probably someone's
> well-grounded decision?

It was probably set a long time ago when the situation was worse, but even now it doesn't do well in QA:

https://ruleqa.spamassassin.org/20201031-r1883012-n/SPF_FAIL/detail

With an S/O of 0.651 it's barely a spam indicator on its own. If you look at the score map it's hitting a lot of ham that's not far below the threshold (at least in score set 0).
Re: SPF_FAIL
Victor Sudakov skrev den 2020-11-04 15:47:

> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

feel free to add into local.cf

score SPF_FAIL (5) (5) (5) (5)

this will add 5 points to default score

i just think default score is made for spamass milter users with do rejects of spam mails, but why not honour spf fail rejections, hmm
SPF_FAIL
Dear Colleagues,

Why does SpamAssassin (Debian 10, SpamAssassin 3.4.2) not count an SPF check fail as a symptom of spam? That's what I see in the spam report:

0.0 SPF_FAIL SPF: sender does not match SPF record (fail)

No spam points for an SPF fail? And it's even a hard fail (a "-all") in this case.

I can probably bump up the score for SPF_FAIL but would like to know first why it is a 0.0 by default. This was probably someone's well-grounded decision?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Difficulty triggering SPF_FAIL
David B Funk wrote:
> Kind'a hard to add TXT records to the .in-addr.arpa zone. Maybe it's
> possible but I've never seen it.

It's entirely possible to put any type of record in a .in-addr.arpa zone. It doesn't often make much *sense*, but it's legal syntax; a DNS zone is a DNS zone.

-kgd, thinking about the .arpa zones we imported from a bought-out ISP that had MX records...
Re: Difficulty triggering SPF_FAIL
On Wed, 15 Jul 2015, @lbutlr wrote:

> On Jul 15, 2015, at 6:53 PM, Jeremiah Rothschild jerem...@franz.com wrote:
>> On Wed, Jul 15, 2015 at 07:42:15PM -0500, David B Funk wrote:
>>> On Wed, 15 Jul 2015, Jeremiah Rothschild wrote:
>>>> Hello,
>>>>
>>>> I am attempting to trigger SPF_FAIL (or SPF_HELO_FAIL) on a CentOS 6.6
>>>> box running SA 3.3.1-3. Upon funneling a message through SA, however,
>>>> this is what is occurring:
>>>>
>>>> Jul 15 15:05:10.366 [7318] dbg: spf: checking HELO (helo=1.2.3.4, ip=5.6.7.8)
>>>> Jul 15 15:05:10.366 [7318] dbg: spf: cannot check HELO of '1.2.3.4', skipping
>>>>
>>>> Any ideas on why the SPF plugin is not functioning as expected?
>>>
>>> Are you literally giving a HELO name of '1.2.3.4' or is that redaction-bait?
>>> That '1.2.3.4' looks like a IPv4 address, not a FQDN host name.
>>> HELO should be a host FQDN, not IP address.
>>
>> Ah. I didn't realize HELO had to be FQDN. Nice catch, David. Thanks!
>
> HELO does not have to be a FQDN, an IP is acceptable.
>
> o The domain name given in the EHLO command MUST be either a primary
> host name (a domain name that resolves to an address RR) or, if the
> host has no name, an address literal, as described in Section 4.1.3
> and discussed further in the EHLO discussion of Section 4.1.4.

OK, as far as SMTP is concerned (you're quoting one of the SMTP RFCs there), you can use an address literal for HELO but for SPF it needs to be something that has DNS zone entries so you can put TXT records in it.

Kind'a hard to add TXT records to the .in-addr.arpa zone. Maybe it's possible but I've never seen it.

-- 
Dave Funk                               University of Iowa
dbfunk (at) engineering.uiowa.edu       College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: Difficulty triggering SPF_FAIL
On Wed, Jul 15, 2015 at 07:42:15PM -0500, David B Funk wrote:
> On Wed, 15 Jul 2015, Jeremiah Rothschild wrote:
>> Hello,
>>
>> I am attempting to trigger SPF_FAIL (or SPF_HELO_FAIL) on a CentOS 6.6
>> box running SA 3.3.1-3. Upon funneling a message through SA, however,
>> this is what is occurring:
>>
>> Jul 15 15:05:10.366 [7318] dbg: spf: checking HELO (helo=1.2.3.4, ip=5.6.7.8)
>> Jul 15 15:05:10.366 [7318] dbg: spf: cannot check HELO of '1.2.3.4', skipping
>>
>> Any ideas on why the SPF plugin is not functioning as expected?
>
> Are you literally giving a HELO name of '1.2.3.4' or is that redaction-bait?
> That '1.2.3.4' looks like a IPv4 address, not a FQDN host name.
> HELO should be a host FQDN, not IP address.

Ah. I didn't realize HELO had to be FQDN. Nice catch, David. Thanks!

> If you are giving it a host FQDN check your DNS functionality.
>
> -- 
> Dave Funk
Re: Difficulty triggering SPF_FAIL
On Jul 15, 2015, at 6:53 PM, Jeremiah Rothschild jerem...@franz.com wrote:
> On Wed, Jul 15, 2015 at 07:42:15PM -0500, David B Funk wrote:
>> On Wed, 15 Jul 2015, Jeremiah Rothschild wrote:
>>> Hello,
>>>
>>> I am attempting to trigger SPF_FAIL (or SPF_HELO_FAIL) on a CentOS 6.6
>>> box running SA 3.3.1-3. Upon funneling a message through SA, however,
>>> this is what is occurring:
>>>
>>> Jul 15 15:05:10.366 [7318] dbg: spf: checking HELO (helo=1.2.3.4, ip=5.6.7.8)
>>> Jul 15 15:05:10.366 [7318] dbg: spf: cannot check HELO of '1.2.3.4', skipping
>>>
>>> Any ideas on why the SPF plugin is not functioning as expected?
>>
>> Are you literally giving a HELO name of '1.2.3.4' or is that redaction-bait?
>> That '1.2.3.4' looks like a IPv4 address, not a FQDN host name.
>> HELO should be a host FQDN, not IP address.
>
> Ah. I didn't realize HELO had to be FQDN. Nice catch, David. Thanks!

HELO does not have to be a FQDN, an IP is acceptable.

o The domain name given in the EHLO command MUST be either a primary host name (a domain name that resolves to an address RR) or, if the host has no name, an address literal, as described in Section 4.1.3 and discussed further in the EHLO discussion of Section 4.1.4.

-- 
Love is the triumph of imagination over intelligence. - H. L. Mencken
Re: Difficulty triggering SPF_FAIL
Jeremiah Rothschild skrev den 2015-07-16 02:53:
> Ah. I didn't realize HELO had to be FQDN. Nice catch, David. Thanks!

http://www.postfix.org/postconf.5.html#smtp_helo_name

if using postfix, if its [127.0.0.1] as helo name postfix will accept it, but reject 127.0.0.1
Difficulty triggering SPF_FAIL
Hello,

I am attempting to trigger SPF_FAIL (or SPF_HELO_FAIL) on a CentOS 6.6 box running SA 3.3.1-3. Upon funneling a message through SA, however, this is what is occurring:

Jul 15 15:05:10.366 [7318] dbg: spf: checking HELO (helo=1.2.3.4, ip=5.6.7.8)
Jul 15 15:05:10.366 [7318] dbg: spf: cannot check HELO of '1.2.3.4', skipping

Any ideas on why the SPF plugin is not functioning as expected?

Many thanks,
j
Re: Difficulty triggering SPF_FAIL
On Wed, 15 Jul 2015, Jeremiah Rothschild wrote:

> Hello,
>
> I am attempting to trigger SPF_FAIL (or SPF_HELO_FAIL) on a CentOS 6.6
> box running SA 3.3.1-3. Upon funneling a message through SA, however,
> this is what is occurring:
>
> Jul 15 15:05:10.366 [7318] dbg: spf: checking HELO (helo=1.2.3.4, ip=5.6.7.8)
> Jul 15 15:05:10.366 [7318] dbg: spf: cannot check HELO of '1.2.3.4', skipping
>
> Any ideas on why the SPF plugin is not functioning as expected?

Are you literally giving a HELO name of '1.2.3.4' or is that redaction-bait?
That '1.2.3.4' looks like a IPv4 address, not a FQDN host name.
HELO should be a host FQDN, not IP address.

If you are giving it a host FQDN check your DNS functionality.

-- 
Dave Funk
Re: What is the view re- SPF_FAIL these days?
On 1/15/2014 12:36 PM, hospice admin wrote:
> Hi Team,
>
> I was wondering what folks were doing with SPF_FAIL, TO_EQ_FM_SPF_FAIL
> and TO_EQ_FM_DOM_SPF_FAIL these days?

For our (small) site, we drop on SPF_FAIL at SMTP time using python-policyd-spf, with a whitelist to bypass the check for origins that just don't get it. At last check, approximately 1.4% of inbound messages were blocked due to SPF_FAIL. I haven't had a complaint in a long time.

Blocking during the SMTP session means we can just 5xx it with a message indicating why it failed.

(We block around 10% of all inbound traffic using common sense rules like SPF_FAIL, anti-virus checks, malformed SMTP conversations, bad HELOs, domains that don't exist.)
Re: What is the view re- SPF_FAIL these days?
On 2014-01-15 09:36, hospice admin wrote:

> Hi Team, I was wondering what folks were doing with SPF_FAIL, TO_EQ_FM_SPF_FAIL and TO_EQ_FM_DOM_SPF_FAIL these days? I personally have never seen an FP with any, but understand from the reading I've done that some people do. My approach has always been to combine with DCC/Pyzor/Razor hits in a Meta rule, but we've recently started seeing mail just squeak under the fence using this approach ... particularly some of the 'nicer' Bank Spam. The temptation is to add Bayes to the Meta. Is this a bad idea, or does anyone have any better suggestions? We're running SA version 3.3.2. Sadly, upgrading to 3.4 isn't an option at this stage.

I forgot about this message; I had a partial response drafted that I'd forgotten about, and Thomas's reply reminded me.

Some time ago I flipped SPF:FAIL to automatically quarantine rather than reject messages, to allow me to perform more of a review of the rejected messages, and invariably they're either legitimate messages by someone who has an incomplete or out of date SPF record, or they're already scored as spam (I do apply a slight score to SPF failures, and a smaller one to soft failures).

Most of the failures were cases where a small company listed their primary SMTP, but had messages going out on their behalf from a third party or directly from their web server or similar, usually receipts, invoices, or other automation that didn't use their primary SMTP infrastructure.

When I initially performed this test and reviewed the results, I not only released the legitimate messages to users, but I also reached out to each and every sender; most failed to respond at all (probably 80%-85%). Of those that did, half had a "We sent the email, it's your server's fault if you didn't get it" and the other half adjusted their records. One spotted us a free license of their software for our trouble, which was nice of them.

At this point, I apply a small score (and if I recall correctly, I kick off mandatory greylisting -- I don't greylist all mail, only mail with failing DNS, SPF, or where something is otherwise suspicious), and I wouldn't recommend blocking outright simply due to the fact that while SPF fails do add some value to spam blocking, it wasn't particularly significant.

All of this being said, my opinion when I started was confirmed by my testing, so there might be a bias involved. I've never been a fan of SPF for rejecting mail; to me, the power of SPF and DKIM is in accepting and whitelisting legitimate mail. It's a lot easier to whitelist "Anything from example.com where (SPF:PASS or DKIM:PASS)" than it is to figure out the IP ranges example.com uses today and tomorrow, and at this point I all but refuse to whitelist by IP, or by domain unless there is some authentication method.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Are you tired of having your hands cut off by snowblowers?
What is the view re- SPF_FAIL these days?
Hi Team,

I was wondering what folks were doing with SPF_FAIL, TO_EQ_FM_SPF_FAIL and TO_EQ_FM_DOM_SPF_FAIL these days? I personally have never seen an FP with any, but understand from the reading I've done that some people do. My approach has always been to combine with DCC/Pyzor/Razor hits in a Meta rule, but we've recently started seeing mail just squeak under the fence using this approach ... particularly some of the 'nicer' Bank Spam. The temptation is to add Bayes to the Meta. Is this a bad idea, or does anyone have any better suggestions? We're running SA version 3.3.2. Sadly, upgrading to 3.4 isn't an option at this stage.

Thanks for your time and wisdom,
Judy.
Re: USER_IN_WHITELIST and SPF_FAIL
John Hardin wrote:

> On Tue, 19 Jun 2012, Benny Pedersen wrote:
>
>> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>>
>>> I think that's the concept behind the whitelist_from_spf
>>
>> but some use whitelist_from, it's nothing new there :=)
>>
>> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?
>
> It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.
>
> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

It's well documented. From the man page:

    whitelist_from a...@ress.com
        Used to whitelist sender addresses which send mail that is often tagged (incorrectly) as spam. Use of this setting is not recommended, since it blindly trusts the message, which is routinely and easily forged by spammers and phish senders. The recommended solution is to instead use whitelist_auth or other authenticated whitelisting methods, or whitelist_from_rcvd.

--
Per Jessen, Zürich (21.1°C)
Re: USER_IN_WHITELIST and SPF_FAIL
RW wrote:

> On Tue, 19 Jun 2012 19:14:11 -0400 Jeff Mincy wrote:
>
>> From: RW rwmailli...@googlemail.com
>> Date: Tue, 19 Jun 2012 23:43:57 +0100
>>
>>> If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than spf based whitelisting. It's not always right to treat users as idiots.
>>
>> Huh? What do you mean by "used sensibly"?
>
> I mean, don't use it on well-known addresses, or if you're a candidate for spear-phishing and can't be trusted not to fall for it. Don't whitelist domains unless they are extremely obscure.
>
>> whitelist_from_rcvd is very reliable.
>
> Not if someone sends an email through a different mail system,

I think that is what whitelist_allows_relays is intended to take care of.

--
Per Jessen, Zürich (23.2°C)
Re: USER_IN_WHITELIST and SPF_FAIL
RW wrote:

> On Wed, 20 Jun 2012 03:25:53 +0200 Benny Pedersen wrote:
>
>> On 2012-06-20 03:09, RW wrote:
>>
>>> The overwhelming majority of email addresses are never spoofed.
>>
>> seen from my mta logs of sender addresses that miss the smtp auth password here, postfix doesn't agree with you; if sender uses something belonging to my domain i may start asking for passwords, this check is not needing spf or dkim or even dmarc tests
>
> I've no idea what that means, but what I wrote wasn't entirely clear - particularly when taken out of context. What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.

Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.

--
Per Jessen, Zürich (23.2°C)
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:

> RW wrote:
>
>> On Wed, 20 Jun 2012 03:25:53 +0200 Benny Pedersen wrote:
>>
>>> On 2012-06-20 03:09, RW wrote:
>>>
>>>> The overwhelming majority of email addresses are never spoofed.
>>>
>>> seen from my mta logs of sender addresses that miss the smtp auth password here, postfix doesn't agree with you; if sender uses something belonging to my domain i may start asking for passwords, this check is not needing spf or dkim or even dmarc tests
>>
>> I've no idea what that means, but what I wrote wasn't entirely clear - particularly when taken out of context. What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
>
> Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.

Are you being deliberately obtuse? Of course that happens all the time, but why would one whitelist such an address?
Re: USER_IN_WHITELIST and SPF_FAIL
> My suggestion was intended to minimize the effect on existing behavior. I agree, it would probably be a very good idea to allow whitelist_from to be scored differently than the other whitelist variants, and to ship it with a smaller default score, but that change is fairly disruptive.

I would like to see

    whitelist_score_from <points> <address>

which acts just like whitelist_from <address>, but which has a score of <points> rather than some fixed score. That way I could do:

    whitelist_from -5 f...@yahoo.com

for people that post legit but spammy-looking mail to mailing lists, and get their regular mail in the right folder instead of a spam folder, but not let their account-hijacked spam bleed through like -100 would do. And also use -20 for people I know, -50 for customers, etc.
Re: USER_IN_WHITELIST and SPF_FAIL
On 6/20/2012 8:05 AM, Greg Troxel wrote:

> I would like to see...

As an open source project, we encourage people to submit patches and step up to coding on the project. You can really start small with one line patches and I'll do my best to support you.

Regards,
KAM
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 11:22:08 +0200 Per Jessen wrote:

> RW wrote:
>
>> Not if someone sends an email through a different mail system,
>
> I think that is what whitelist_allows_relays is intended to take care of.

If it made a difference to the case I was referring to then it would effectively turn whitelist_from_rcvd into whitelist_from for the specified addresses. I looked it up: whitelist_allows_relays is a list of addresses excluded from check_forged_in_whitelist, which is not used in the current rules.
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-20 14:05, Greg Troxel wrote:

> That way I could do:
>
>     whitelist_from -5 f...@yahoo.com

AWL plugin basically could be extended to use dkim/spf and more bound to whitelist_* so the awl score is more live calculated; with default awl it's bound to 0.0.x.x/16 but it could be changed to /8 /24 /32 matching, so scores are more accurate per sender. but your way could very well extend problems or usefulness depending on which side of the screen one sits :)

awl can track dkim senders, but it would be nice if dkim is not alone there

awl is imho dropped in spamassassin 3.4 and replaced with history plugin, i don't know what or why or even code to this plugin

maybe score sets should just be extended to more than 4 columns?

    score foo set1 set2 set3 set4 spf dkim

just a stupid idea maybe?
Re: USER_IN_WHITELIST and SPF_FAIL
RW wrote:

> On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:
>
>> RW wrote:
>>
>>> What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
>>
>> Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.
>
> Are you being deliberately obtuse? Of course that happens all the time, but why would one whitelist such an address?

Because you use email to send yourself reminder notes or small files. I have addresses on several distinct systems (private, work, google, user group, ...). And I whitelist them because I do not want mail to get lost.

Regards,
Flemming

--
Flemming Jacobsen                     Email: f...@batmule.dk
There is nobody so irritating as somebody with less intelligence and more sense than we have. -- Don Herold
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-20 18:38, Flemming Jacobsen wrote:

> Because you use email to send yourself reminder notes or small files. I have addresses on several distinct systems (private, work, google, user group, ...). And I whitelist them because I do not want mail to get lost.

with shared imap folders nothing gets lost, all that mail does not need to travel, but implementations need to be more useful. it's like forwards that break spf: it's a lie, since known forward hosts must be in trusted_networks. drawback in making 0.0.0.0/0 trusted_networks: it removes all domain based trust. for such problems it would be more useful to disable dnsrbl and only check content based on body/rawbody unless one uses rbl in mta
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 18:38:49 +0200 Flemming Jacobsen wrote:

> RW wrote:
>
>> On Wed, 20 Jun 2012 11:33:49 +0200 Per Jessen wrote:
>>
>>> RW wrote:
>>>
>>>> What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
>>>
>>> Happened to me twice only yesterday - somebody sent me mails appearing to come from one of my email addresses. I don't think it's as rare an event as you suggest.
>>
>> Are you being deliberately obtuse? Of course that happens all the time, but why would one whitelist such an address?
>
> Because you use email to send yourself reminder notes or small files. I have addresses on several distinct systems (private, work, google, user group, ...). And I whitelist them because I do not want mail to get lost.

If it's an unrelated external address then it's just one address in billions and it won't be randomly spoofed.
USER_IN_WHITELIST and SPF_FAIL
Hey

I finally got around to enabling SPF checks in SA. (v. 3.3.2, via spamd on FreeBSD) It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

Regards,
Flemming Jacobsen

--
Flemming Jacobsen                     Email: f...@batmule.dk
It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place. -- H. L. Mencken
Re: USER_IN_WHITELIST and SPF_FAIL
On 6/19/2012 4:21 PM, Flemming Jacobsen wrote:

> Hey
>
> I finally got around to enabling SPF checks in SA. (v. 3.3.2, via spamd on FreeBSD) It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

I think that's the concept behind the whitelist_from_spf
http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_SPF.html

Regards,
KAM
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-19 22:21, Flemming Jacobsen wrote:

> It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

nope, whitelist_from is stupid in the first place but since so many use it, it will probably stay forever :(

immediate fix is to:

    score USER_IN_WHITELIST -0.01

or meta spf fails with user_in_* (insecure)
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-19 22:39, Kevin A. McGrail wrote:

> I think that's the concept behind the whitelist_from_spf

but some use whitelist_from, it's nothing new there :=)

can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?
Re: USER_IN_WHITELIST and SPF_FAIL
On 06/19/2012 11:34 PM, Benny Pedersen wrote:

> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>
>> I think that's the concept behind the whitelist_from_spf
>
> but some use whitelist_from, it's nothing new there :=)
>
> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?

no no
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012, Benny Pedersen wrote:

> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>
>> I think that's the concept behind the whitelist_from_spf
>
> but some use whitelist_from, it's nothing new there :=)
>
> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?

It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.

I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Liberals love sex ed because it teaches kids to be safe around their sex organs. Conservatives love gun education because it teaches kids to be safe around guns. However, both believe that the other's education goals lead to dangers too terrible to contemplate.
---
15 days until the 236th anniversary of the Declaration of Independence
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-19 23:44, John Hardin wrote:

> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

fair, but Flemming might choose some meta like this:

    meta  WHITELIST_INSECURE_SPF  (USER_IN_WHITELIST && SPF_FAIL)
    score WHITELIST_INSECURE_SPF  50

but since Flemming did not provide a sample there might be other options, eg why accept spf_fail in mta ?
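To make the arithmetic behind the two fixes proposed in this thread concrete (the WHITELIST_INSECURE_SPF meta above and the "score USER_IN_WHITELIST -0.01" suggestion a few messages earlier), here is an added example that is not from the thread and not SpamAssassin's own code: a minimal evaluator for SpamAssassin-style meta expressions (&&, ||, !, parentheses) run against a set of rule hits, plus a scorer. The rule hits and all scores except the -100 and the 50 discussed here are constructed for the example; real SpamAssassin scoring and meta syntax are richer than this model.

```python
"""Added example (not SpamAssassin code): evaluate meta rules over rule
hits and total the score, to show what a meta like
    meta WHITELIST_INSECURE_SPF (USER_IN_WHITELIST && SPF_FAIL)
actually does against a -100 whitelist hit."""
import ast

_ALLOWED = (ast.Expression, ast.BoolOp, ast.UnaryOp, ast.And, ast.Or,
            ast.Not, ast.Name, ast.Load)

def parse_meta(expr):
    """Translate a meta expression to a Python AST, rejecting anything but
    rule names, boolean operators and parentheses (no eval() involved)."""
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    tree = ast.parse(py, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError("unsupported token in meta: %r" % expr)
    return tree

def eval_meta(tree, hits):
    """True when the parsed meta fires for the given set of rule names."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Name):          # a rule name: did it hit?
            return node.id in hits
        if isinstance(node, ast.UnaryOp):       # 'not'
            return not walk(node.operand)
        vals = [walk(v) for v in node.values]   # BoolOp: and / or
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    return walk(tree)

def score_message(hits, scores, metas):
    """Return (total, fired). Metas are evaluated in the order given and
    may refer to metas that came before them."""
    fired = set(hits)
    for name, expr in metas:
        if eval_meta(parse_meta(expr), fired):
            fired.add(name)
    return round(sum(scores.get(r, 0.0) for r in fired), 3), fired

# Constructed scores: -100 and 50 are the values discussed in the thread,
# SPF_FAIL and BAYES_99 are illustrative, not SpamAssassin's defaults.
SCORES = {"USER_IN_WHITELIST": -100.0, "SPF_FAIL": 1.0, "BAYES_99": 3.5,
          "WHITELIST_INSECURE_SPF": 50.0}
METAS = [("WHITELIST_INSECURE_SPF", "(USER_IN_WHITELIST && SPF_FAIL)")]

# Constructed hits for a spammy message forging a whitelist_from address.
SPOOFED_HITS = {"USER_IN_WHITELIST", "SPF_FAIL", "BAYES_99"}

def without_meta():
    return score_message(SPOOFED_HITS, SCORES, [])[0]        # -95.5

def with_meta():
    return score_message(SPOOFED_HITS, SCORES, METAS)[0]     # -45.5

def with_low_whitelist_score():
    """The other suggestion: score USER_IN_WHITELIST -0.01 instead."""
    scores = dict(SCORES, USER_IN_WHITELIST=-0.01)
    return score_message(SPOOFED_HITS, scores, [])[0]        # 4.49
```

Note what the numbers say: with the meta scored at 50 the forged message still totals -45.5, because 50 only cancels half of the -100, so the meta's score has to be sized against the whitelist score it is meant to neutralise; dropping USER_IN_WHITELIST to -0.01 lets the other rules decide.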
Re: USER_IN_WHITELIST and SPF_FAIL
From: John Hardin jhar...@impsec.org
Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)

> On Tue, 19 Jun 2012, Benny Pedersen wrote:
>
>> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>>
>>> I think that's the concept behind the whitelist_from_spf
>>
>> but some use whitelist_from, it's nothing new there :=)
>>
>> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?
>
> It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.

True.

> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.

How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.

-jeff
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012 18:02:28 -0400 Jeff Mincy wrote:

> From: John Hardin jhar...@impsec.org
> Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
>
>> On Tue, 19 Jun 2012, Benny Pedersen wrote:
>>
>>> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>>>
>>>> I think that's the concept behind the whitelist_from_spf
>>>
>>> but some use whitelist_from, it's nothing new there :=)
>>>
>>> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?
>>
>> It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.
>
> True.
>
>> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.
>
> How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.

If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than spf based whitelisting. It's not always right to treat users as idiots.
Re: USER_IN_WHITELIST and SPF_FAIL
From: RW rwmailli...@googlemail.com
Date: Tue, 19 Jun 2012 23:43:57 +0100

> On Tue, 19 Jun 2012 18:02:28 -0400 Jeff Mincy wrote:
>
>> From: John Hardin jhar...@impsec.org
>> Date: Tue, 19 Jun 2012 14:44:29 -0700 (PDT)
>>
>>> On Tue, 19 Jun 2012, Benny Pedersen wrote:
>>>
>>>> On 2012-06-19 22:39, Kevin A. McGrail wrote:
>>>>
>>>>> I think that's the concept behind the whitelist_from_spf
>>>>
>>>> but some use whitelist_from, it's nothing new there :=)
>>>>
>>>> can user_in_whitelist be changed to not have -100 as default score, or is whitelist_from planned for removal?
>>>
>>> It's needed for when none of the other more-strict whitelist options will work, so we can't just get rid of it.
>>
>> True.
>>
>>> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.
>>
>> How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.
>
> If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than spf based whitelisting. It's not always right to treat users as idiots.

Huh? What do you mean by "used sensibly"?

whitelist_from_rcvd is very reliable. whitelist_from is trivial to spoof. whitelist_from_rcvd and whitelist_from both trigger USER_IN_WHITELIST. It is easy to get into trouble using whitelist_from - having a separate score just for whitelist_from would make identifying the problem easier for the user.

-jeff
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012, Jeff Mincy wrote:

> From: John Hardin jhar...@impsec.org
>
>> I'd suggest instead a lint warning if it is used, alerting the admin that it's discouraged and that it has problems like this and is very easy to spoof.
>
> How about creating a different score for whitelist_from that is separate from whitelist_from_rcvd? For example, whitelist_from could trigger USER_IN_SIMPLE_WHITELIST (or some other variation). The description of the test could include warnings about how easy it is to spoof whitelist_from.

My suggestion was intended to minimize the effect on existing behavior. I agree, it would probably be a very good idea to allow whitelist_from to be scored differently than the other whitelist variants, and to ship it with a smaller default score, but that change is fairly disruptive.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Usually Microsoft doesn't develop products, we buy products. -- Arno Edelmann, Microsoft product manager
---
15 days until the 236th anniversary of the Declaration of Independence
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012, Flemming Jacobsen wrote:

> I finally got around to enabling SPF checks in SA. (v. 3.3.2, via spamd on FreeBSD) It appears that even though SPF checks fail (i.e. SPF_FAIL), USER_IN_WHITELIST still adds -100 points to the score. Since the sender probably is spoofed, should USER_IN_WHITELIST not be ignored/neutral (not sure of the terminology here)?

Which whitelist is the problematic user in? whitelist_from is a naive check of the from address and is trivially easy to spoof. You should review your whitelists and, now that you have SPF working, move senders that are in authenticated domains from whitelist_from to whitelist_auth so that you take advantage of SPF (and DKIM, if you have that working as well).

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Usually Microsoft doesn't develop products, we buy products. -- Arno Edelmann, Microsoft product manager
---
15 days until the 236th anniversary of the Declaration of Independence
Re: USER_IN_WHITELIST and SPF_FAIL
On Tue, 19 Jun 2012 19:14:11 -0400 Jeff Mincy wrote:

> From: RW rwmailli...@googlemail.com
> Date: Tue, 19 Jun 2012 23:43:57 +0100
>
>> If used sensibly USER_IN_WHITELIST is probably the most reliable rule we have; for the overwhelming majority of addresses it's far more accurate than spf based whitelisting. It's not always right to treat users as idiots.
>
> Huh? What do you mean by "used sensibly"?

I mean, don't use it on well-known addresses, or if you're a candidate for spear-phishing and can't be trusted not to fall for it. Don't whitelist domains unless they are extremely obscure.

> whitelist_from_rcvd is very reliable.

Not if someone sends an email through a different mail system, which is a scenario where Bayes is much more likely to misclassify and an FP is most likely. It's also broken by forwarding, like spf is.

> whitelist_from is trivial to spoof.

The overwhelming majority of email addresses are never spoofed.
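The disagreement in the last few messages (John's advice to move senders from whitelist_from to whitelist_auth, and RW's objection that the authenticated variants miss legitimate mail sent from a different system) comes down to what evidence each whitelist flavour checks. The following is an added example, not from the thread and not SpamAssassin's code: a simplified model of whitelist_from, whitelist_from_rcvd and whitelist_auth run over three constructed messages. The addresses, relay names and SPF/DKIM results are all constructed; the option names follow SpamAssassin's, but the matching logic is a reduced model of them.

```python
"""Added example (simplified model, not SpamAssassin's implementation):
what each whitelist flavour argued over in this thread actually checks.

  whitelist_from       From: address only
  whitelist_from_rcvd  From: address plus rDNS of the last untrusted relay
  whitelist_auth       From: address, only with an aligned SPF/DKIM pass
"""
import fnmatch

def _addr_match(pattern, addr):
    # SpamAssassin-style glob on the whole address, e.g. *@example.com
    return fnmatch.fnmatchcase(addr.lower(), pattern.lower())

def whitelist_from(entries, msg):
    """Naive: trusts the From: header as-is."""
    return any(_addr_match(p, msg["from"]) for p in entries)

def whitelist_from_rcvd(entries, msg):
    """entries: (address_glob, rdns_domain). The relay's reverse DNS name
    must be the given domain or a host under it."""
    rdns = msg.get("last_untrusted_rdns", "").lower()
    return any(_addr_match(p, msg["from"]) and
               (rdns == d.lower() or rdns.endswith("." + d.lower()))
               for p, d in entries)

def whitelist_auth(entries, msg):
    """Only an authenticated identity counts: SPF pass for an envelope
    sender in the From: domain, or a DKIM pass signed by that domain."""
    from_dom = msg["from"].split("@", 1)[1].lower()
    spf_ok = (msg.get("spf") == "pass" and
              msg.get("envfrom", "").lower().endswith("@" + from_dom))
    dkim_ok = (msg.get("dkim") == "pass" and
               msg.get("dkim_domain", "").lower() == from_dom)
    return (spf_ok or dkim_ok) and whitelist_from(entries, msg)

# Constructed messages. "last_untrusted_rdns" is the reverse DNS name of
# the first relay outside trusted_networks, which whitelist_from_rcvd uses.
LEGIT = {"from": "alice@example.com", "envfrom": "alice@example.com",
         "last_untrusted_rdns": "mx1.example.com", "spf": "pass",
         "dkim": "pass", "dkim_domain": "example.com"}
# Forged From:, sent from somewhere unrelated; SPF fails, no DKIM.
SPOOF = {"from": "alice@example.com", "envfrom": "bulk@spammer.invalid",
         "last_untrusted_rdns": "dsl-198-51-100-7.isp.invalid", "spf": "fail"}
# Alice herself, sending through her ISP's webmail: not example.com's relay,
# not in example.com's SPF record, unsigned. RW's "different mail system".
OTHER_SYSTEM = {"from": "alice@example.com", "envfrom": "alice@example.com",
                "last_untrusted_rdns": "webmail.isp.invalid", "spf": "fail"}

ENTRY = ["alice@example.com"]
ENTRY_RCVD = [("alice@example.com", "example.com")]

def evaluate(msg):
    """Which whitelist flavours would fire for this message?"""
    return {"whitelist_from": whitelist_from(ENTRY, msg),
            "whitelist_from_rcvd": whitelist_from_rcvd(ENTRY_RCVD, msg),
            "whitelist_auth": whitelist_auth(ENTRY, msg)}
```

Run over the three messages, whitelist_from fires for all of them (including the forgery), while both whitelist_from_rcvd and whitelist_auth reject the forgery but also miss Alice's genuine message from the other system; that is the trade-off the thread is arguing about.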
Re: USER_IN_WHITELIST and SPF_FAIL
On 2012-06-20 03:09, RW wrote:

> The overwhelming majority of email addresses are never spoofed.

seen from my mta logs of sender addresses that miss the smtp auth password here, postfix doesn't agree with you; if sender uses something belonging to my domain i may start asking for passwords, this check is not needing spf or dkim or even dmarc tests
Re: USER_IN_WHITELIST and SPF_FAIL
On Wed, 20 Jun 2012 03:25:53 +0200 Benny Pedersen wrote:

> On 2012-06-20 03:09, RW wrote:
>
>> The overwhelming majority of email addresses are never spoofed.
>
> seen from my mta logs of sender addresses that miss the smtp auth password here, postfix doesn't agree with you; if sender uses something belonging to my domain i may start asking for passwords, this check is not needing spf or dkim or even dmarc tests

I've no idea what that means, but what I wrote wasn't entirely clear - particularly when taken out of context. What I mean is that if I whitelist a private email address, the chances of a spammer ever sending me a spam spoofing that address is very small.
Re: SPF_FAIL
On Thu, 2012-03-22 at 10:26 +0100, Matus UHLAR - fantomas wrote:

>> The Domain in the From in the envelope, ameriton.com, doesn't publish an SPF Record:
>
> On 21.03.12 23:00, Piotr Kloc wrote:
>> I know that and I wanted to add some more score when there is no SPF record. Is it possible to do this with Spamassassin?

The only sensible use of SPF is to prevent backscatter. This seems to work well now that most domains are running SPF-aware MTAs. I don't use SPF for spam detection and can't see any benefit from doing so.

Martin
Re: SPF_FAIL
I committed score 0. I posted score 1 for the example requested.

Regards,
KAM

Michael Scheidell michael.scheid...@secnap.com wrote:

>> I'm going to add this to the default rules with a score 0 so you can then just give it a score you want.
>>
>>     header   SPF_NONE  eval:check_for_spf_none()
>>     describe SPF_NONE  SPF sender does not publish an SPF Record
>>     score    SPF_NONE  1
>
> score of zero? or 1?
Re: SPF_FAIL
On Thu, 22 Mar 2012 11:19:04 + Martin Gregorie mar...@gregorie.org wrote:

> The only sensible use of SPF is to prevent backscatter.

Agreed.

> This seems to work well now that most domains are running SPF-aware MTAs.

Disagreed. I don't believe SPF has cut backscatter down by more than a few percentage points. The vast majority of Exchange installations don't even reject invalid RCPT commands (http://david.skoll.ca/blog/2010-12-29-microsoft-dumbness.html). In fact, I believe this is true even of Microsoft's Hosted Exchange offering. There is such an incredibly deep well of ignorance and stupidity among Microsoft administrators and software designers that it will take many years of hard work to improve things, if it can even be done at all.

Regards,
David.
Re: SPF_FAIL
Martin Gregorie wrote:

> On Thu, 2012-03-22 at 10:26 +0100, Matus UHLAR - fantomas wrote:
>
>>> The Domain in the From in the envelope, ameriton.com, doesn't publish an SPF Record:
>>
>> On 21.03.12 23:00, Piotr Kloc wrote:
>>> I know that and I wanted to add some more score when there is no SPF record. Is it possible to do this with Spamassassin?
>
> The only sensible use of SPF is to prevent backscatter. This seems to work well now that most domains are running SPF-aware MTAs.

what do you mean with backscatter here? SPF usually is not part of the MTA but comes from some kind of milter/filter add-on

> I don't use SPF for spam detection and can't see any benefit from doing so.

ok, but you can check if the sender is legitimate (obviously this is no criterion about spam yes|no). maybe you should look at SID; then together with it SPF makes much more sense. of course I agree that the ~ statement in the SPF record is as good as none, so no point at all, but it is up to you to configure your server as you wish, to accept a not useful statement or interpret it as fail. IMO, whoever configures SPF with ~all is showing the bird to all ... so I take the bird action also on my servers. if all would do so, SPF would be taken much more seriously by the ~admins and life could be a little better :)

Hans

--
XTrade Assessory International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br
Re: SPF_FAIL
David F. Skoll d...@roaringpenguin.com wrote:

> On Thu, 22 Mar 2012 11:19:04 + Martin Gregorie mar...@gregorie.org wrote:
>
>> The only sensible use of SPF is to prevent backscatter.
>
> Agreed.

For the record, I am not promoting spf_none. I am simply answering questions and letting the admin make the choice.

> There is such an incredibly deep well of ignorance and stupidity among Microsoft administrators and software designers that it will take many years of hard work to improve things, if it can even be done at all.

I will comment that this is also a pervasive security model issue. Microsoft and others argue that knowing the emails that work/don't is a security concern. I agree but believe backscatter is the bigger evil. I think Microsoft is in a damned if they do / don't. They have been beaten up for a lack of security and now people don't want it.
Re: SPF_FAIL
On Thu, 2012-03-22 at 07:45 -0400, David F. Skoll wrote:

> Disagreed. I don't believe SPF has cut backscatter down by more than a few percentage points.

YMMV of course, but it worked for me: when I put up an SPF record, backscatter, which had been a problem at the time, was dramatically reduced. Now I don't see any backscatter except for the occasional 'mailbox full' or 'out of office' message that arrives on a mailing list. I deduce that greylisting, which my ISP uses, is quite effective at dealing with backscatter too.

Martin
Re: SPF_FAIL
On Thu, 22 Mar 2012 13:55:50 + Martin Gregorie mar...@gregorie.org wrote:

>> Disagreed. I don't believe SPF has cut backscatter down by more than a few percentage points.
>
> YMMV of course, but it worked for me: when I put up an SPF record, backscatter, which had been a problem at the time, was dramatically reduced.

Hmm... OK. I may have been hasty. Assuming that the large providers like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP transaction, I can see it making a measurable difference. I still stand by my opinions about the lack of competence of most Microsoft Exchange admins, though. :)

Regards,
David.
Re: SPF_FAIL
On 3/22/12 10:05 AM, David F. Skoll wrote:

> On Thu, 22 Mar 2012 13:55:50 + Martin Gregorie mar...@gregorie.org wrote:
>
>>> Disagreed. I don't believe SPF has cut backscatter down by more than a few percentage points.
>>
>> YMMV of course, but it worked for me: when I put up an SPF record, backscatter, which had been a problem at the time, was dramatically reduced.
>
> Hmm... OK. I may have been hasty. Assuming that the large providers like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP transaction, I can see it making a measurable difference. I still stand by my opinions about the lack of competence of most Microsoft Exchange admins, though. :)

like ip/dns that is not 'round trip' consistent :-)

    host colo3.roaringpenguin.com
    colo3.roaringpenguin.com has address 70.38.112.54
    host 70.38.112.54
    54.112.38.70.in-addr.arpa domain name pointer roaringpenguin.com

--
Michael Scheidell, CTO
o: 561-999-5000  d: 561-948-2259
SECNAP Network Security Corporation
Re: SPF_FAIL
On Thu, 22 Mar 2012 10:09:22 -0400 Michael Scheidell michael.scheid...@secnap.com wrote:

> like ip/dns that is not 'round trip' consistent :-)
>
>     host colo3.roaringpenguin.com
>     colo3.roaringpenguin.com has address 70.38.112.54
>     host 70.38.112.54
>     54.112.38.70.in-addr.arpa domain name pointer roaringpenguin.com

There's absolutely nothing wrong with that. Round-trip consistency means this:

    A_lookup(PTR_lookup(70.38.112.54)) == 70.38.112.54

which is indeed the case. There's *nothing* to say that PTR_lookup(A_lookup(some_hostname)) is necessarily some_hostname.

Regards,
David.
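The round-trip test David spells out above is forward-confirmed reverse DNS (FCrDNS), and the distinction from the stricter test Michael applied is easy to get wrong in a filter. Here is an added example, not from the thread: both checks implemented over an injectable resolver so they run offline. Only the colo3.roaringpenguin.com / roaringpenguin.com / 70.38.112.54 records are taken from the messages above; the 192.0.2.x and 198.51.100.x entries are constructed to show a consistent host, an inconsistent one and a host with no PTR at all.

```python
"""Added example (not from the thread): forward-confirmed reverse DNS.

  fcrdns(ip):            A_lookup(PTR_lookup(ip)) contains ip   <- the real test
  strict_roundtrip(host): PTR_lookup(A_lookup(host)) == host    <- the mistaken one

Zone data below is constructed except where marked "from the thread".
"""

PTR_RECORDS = {
    "70.38.112.54": ["roaringpenguin.com"],   # from the thread
    "192.0.2.10":   ["mail.example.net"],     # constructed: consistent
    "192.0.2.20":   ["mail.example.org"],     # constructed: PTR name points elsewhere
    # 192.0.2.30 deliberately has no PTR record
}
A_RECORDS = {
    "roaringpenguin.com":       ["70.38.112.54"],  # from the thread
    "colo3.roaringpenguin.com": ["70.38.112.54"],  # from the thread
    "mail.example.net":         ["192.0.2.10"],    # constructed
    "mail.example.org":         ["198.51.100.7"],  # constructed: not 192.0.2.20
}

def ptr_lookup(ip, ptr=PTR_RECORDS):
    """Stand-in for a PTR query; swap in a real resolver here."""
    return list(ptr.get(ip, []))

def a_lookup(name, a=A_RECORDS):
    """Stand-in for an A query; names are compared case-insensitively."""
    return list(a.get(name.rstrip(".").lower(), []))

def fcrdns(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (ok, confirmed_names).

    ok is True when at least one PTR name of `ip` resolves back to `ip`.
    No PTR, or PTR names that all resolve elsewhere, fails the check; a
    name the PTR does not mention (like colo3.*) is irrelevant to it.
    """
    confirmed = [n for n in ptr_lookup(ip, ptr) if ip in a_lookup(n, a)]
    return (bool(confirmed), confirmed)

def strict_roundtrip(hostname, ptr=PTR_RECORDS, a=A_RECORDS):
    """The mistaken test: does the PTR of the host's address name the host?

    Fails for colo3.roaringpenguin.com although its address is perfectly
    FCrDNS-consistent, which is exactly the point made in the thread.
    """
    host = hostname.rstrip(".").lower()
    return any(host in [n.lower() for n in ptr_lookup(ip, ptr)]
               for ip in a_lookup(host, a))
```

A filter that keys on the connecting IP (which is what a receiving MTA actually knows) should use fcrdns(); a hostname-first test like strict_roundtrip() will flag any server whose PTR names a different alias of itself.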
Re: SPF_FAIL
On 3/22/2012 4:19 AM, Martin Gregorie wrote:

> The only sensible use of SPF is to prevent backscatter. This seems to work well now that most domains are running SPF-aware MTAs. I don't use SPF for spam detection and can't see any benefit from doing so.
>
> Martin

What site competent enough to use SPF is still going to be bouncing enough mail for it to matter?

SPF (and other authentication methods) are very useful for whitelisting though, since it brings back the ability to whitelist based on sending domain or address without fear of spoofing. Similarly, it negates the need to manually track senders' IPs for whitelisting purposes.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: SPF_FAIL
On 2012-03-22 15:05, David F. Skoll wrote:
> Hmm... OK. I may have been hasty. Assuming that the large providers like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP transaction, I can see it making a measurable difference.

Are you saying Yahoo uses SPF tests, but does not provide SPF records itself on its own domain?

> I still stand by my opinions about the lack of competence of most Microsoft Exchange admins, though. :)

+1

Let's have IPv6 now instead of hearing daily that they are running out of IPv4 for their customers and claiming they now have to charge money per IPv4; there is no incentive to move to IPv6, it will only cost more money in lost income, ISP-wise.
Re: SPF_FAIL
On Thu, 2012-03-22 at 13:55 +, Martin Gregorie wrote:
> YMMV of course, but it worked for me: when I put up an SPF record backscatter, which had been a problem at the time, was dramatically reduced. Now I don't see any backscatter except for the occasional 'mailbox full' or 'out of office' message that arrives on a mailing list.

+1 (big time)
SPF_FAIL
Hello!

I have a question: why doesn't SpamAssassin add SPF_FAIL in the X-Spam-Status header?

s61:~# cat sa.log | grep -i spf
mar 21 22:42:40.285 [20073] dbg: config: read file /usr/share/spamassassin/25_spf.cf
mar 21 22:42:40.287 [20073] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
mar 21 22:42:40.336 [20073] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
mar 21 22:42:40.921 [20073] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
mar 21 22:42:42.365 [20073] dbg: spf: checking to see if the message has a Received-SPF header that we can use
mar 21 22:42:42.386 [20073] dbg: spf: using Mail::SPF for SPF checks
mar 21 22:42:42.386 [20073] dbg: spf: checking HELO (helo=discus, ip=82.154.150.174)
mar 21 22:42:42.386 [20073] dbg: spf: cannot check HELO of 'discus', skipping
mar 21 22:42:42.389 [20073] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks
mar 21 22:42:42.389 [20073] dbg: spf: found Envelope-From in first external Received header
mar 21 22:42:42.389 [20073] dbg: spf: checking EnvelopeFrom (helo=discus, ip=82.154.150.174, envfrom=picturesqu...@ameriton.com)
mar 21 22:42:42.390 [20073] dbg: dns: providing a callback for id: 10955/ameriton.com/SPF/IN
mar 21 22:42:42.404 [20073] dbg: spf: query for picturesqu...@ameriton.com/82.154.150.174/discus: result: none, comment: , text: No applicable sender policy available
mar 21 22:42:42.411 [20073] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check
mar 21 22:42:42.413 [20073] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check
mar 21 22:42:42.895 [20073] dbg: timing: total 2614 ms - init: 1502 (57.4%), parse: 1.58 (0.1%), extract_message_metadata: 82 (3.1%), poll_dns_idle: 21 (0.8%), get_uri_detail_list: 1.03 (0.0%), tests_pri_-1000: 19 (0.7%), compile_gen: 163 (6.2%), compile_eval: 55 (2.1%), tests_pri_-950: 5 (0.2%), tests_pri_-900: 6 (0.2%), tests_pri_-400: 5 (0.2%), tests_pri_0: 857 (32.8%), dkim_load_modules: 56 (2.1%), check_dkim_signature: 0.83 (0.0%), check_dkim_adsp: 150 (5.7%), check_spf: 36 (1.4%), check_pyzor: 0.40 (0.0%), tests_pri_500: 77 (3.0%)
s61:~#

I have in my config:

score SPF_FAIL 8
score SPF_SOFTFAIL 6
score SPF_NEUTRAL 4

Regards,
Piotr
Re: SPF_FAIL
The message I have tested is spam and I want to add some score when the SPF check fails, but my X-Spam-Status looks like:

X-Spam-Status: No, score=4.4 required=5.0 tests=DYN_RDNS_SHORT_HELO_HTML,
	FSL_HELO_NON_FQDN_1,HELO_NO_DOMAIN,HTML_MESSAGE,MIME_HTML_ONLY,
	RCVD_IN_BRBL_LASTEXT,RCVD_IN_RP_RNBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,
	TO_EQ_FM_HTML_ONLY,UNPARSEABLE_RELAY autolearn=no version=3.3.2
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06)

After checking it with the command

spamassassin -D /home/admin/test.eml

there is no SPF_FAIL.

Thank you for any help,
Piotr

- Original Message -
From: Piotr Kloc
To: users@spamassassin.apache.org
Sent: Wednesday, March 21, 2012 10:48 PM
Subject: SPF_FAIL

> Hello!
> I have a question: why doesn't SpamAssassin add SPF_FAIL in the X-Spam-Status header?
> [...]
Re: SPF_FAIL
On 3/21/2012 5:48 PM, Piotr Kloc wrote:
> Hello!
> I have a question: why doesn't SpamAssassin add SPF_FAIL in the X-Spam-Status header?
> [...]
> mar 21 22:42:42.389 [20073] dbg: spf: checking EnvelopeFrom (helo=discus, ip=82.154.150.174, envfrom=picturesqu...@ameriton.com)
> mar 21 22:42:42.390 [20073] dbg: dns: providing a callback for id: 10955/ameriton.com/SPF/IN
> mar 21 22:42:42.404 [20073] dbg: spf: query for picturesqu...@ameriton.com/82.154.150.174/discus: result: none, comment: , text: No applicable sender policy available
> [...]
> I have in my config:
> score SPF_FAIL 8
> score SPF_SOFTFAIL 6
> score SPF_NEUTRAL 4
> Regards,
> Piotr

The domain in the envelope From, ameriton.com, doesn't publish an SPF record:

dig -t txt ameriton.com

;; QUESTION SECTION:
;ameriton.com.                  IN      TXT

;; AUTHORITY SECTION:
ameriton.com.           7200    IN      SOA     NS53.WORLDNIC.com. namehost.WORLDNIC.com. 10914 10800 3600 604800 3600

Regards,
KAM
Re: SPF_FAIL
> The domain in the envelope From, ameriton.com, doesn't publish an SPF record:

I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?

Piotr
Re: SPF_FAIL
On 2012-03-21 23:00, Piotr Kloc wrote:
>> The domain in the envelope From, ameriton.com, doesn't publish an SPF record:
> I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?

meta NO_SPF_ON_SENDER_DOMAIN (!SPF_PASS || !SPF_HELO_PASS)

or make one for other spam conditions as you see fit
Re: SPF_FAIL
> I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?

I'm not aware of a "no SPF record" rule, but the underlying plugin looks to support what you want. I think you might find that to be a poorly performing rule except in meta rules, though.

I'm going to add this to the default rules with a score of 0 so you can then just give it the score you want.

header   SPF_NONE   eval:check_for_spf_none()
describe SPF_NONE   SPF sender does not publish an SPF Record
score    SPF_NONE   1

regards,
KAM
Re: SPF_FAIL
> I'm going to add this to the default rules with a score of 0 so you can then just give it the score you want.

I also added spf_helo_none.

svn commit -m 'Added a default rule for SPF_NONE that is disabled with Score 0 for administrators to activate'
Sending        rules/25_spf.cf
Sending        rules/50_scores.cf
Transmitting file data ..
Committed revision 1303613.

Regards,
KAM
Re: SPF_FAIL
On 3/21/12 6:19 PM, Kevin A. McGrail wrote:
>> I know that, and I wanted to add some more score when there is no SPF record. Is it possible to do this with SpamAssassin?
> I'm not aware of a "no SPF record" rule, but the underlying plugin looks to support what you want. I think you might find that to be a poorly performing rule except in meta rules, though.
> I'm going to add this to the default rules with a score of 0 so you can then just give it the score you want.
>
> header   SPF_NONE   eval:check_for_spf_none()
> describe SPF_NONE   SPF sender does not publish an SPF Record
> score    SPF_NONE   1

score of zero? or 1?

> regards,
> KAM

--
Michael Scheidell, CTO | SECNAP Network Security Corporation
Re: SPF_FAIL with SPF mechanism a?
On Sun 18 Apr 2010 00:55:12 CEST, John Hardin wrote:
> Checked into my sandbox as __SPF_FULL_PASS
> It should appear on ruleqa in a couple of days.

Super, I have more rules but will wait with them.

--
xpoint
http://www.unicom.com/pw/reply-to-harmful.html
Re: SPF_FAIL with SPF mechanism a?
On Tue 13 Apr 2010 16:57:26 CEST, Patrick Schmidt wrote:
> Does SPF_FAIL hit because of SPF_HELO_FAIL or the existing SPF record of mail.isrigb.co.uk?

I have seen SPF_PASS with an SPF_HELO_FAIL.

meta SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
describe SPF_FULL_PASS Meta: both SPF tests got pass
score SPF_FULL_PASS -0.1

If one of the corpus maintainers would like to add it to their rule set, then please do. John?

--
xpoint
http://www.unicom.com/pw/reply-to-harmful.html
Re: SPF_FAIL with SPF mechanism a?
On Sat, 17 Apr 2010, Benny Pedersen wrote:
> meta SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
> If one of the corpus maintainers would like to add it to their rule set, then please do. John?

Checked into my sandbox as __SPF_FULL_PASS

It should appear on ruleqa in a couple of days.

--
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
SPF_FAIL with SPF mechanism a?
Hello,

I could use some help to understand a failed SPF check.

The SPF record for the domain isrigb.co.uk is:

v=spf1 mx a:mail.isrigb.co.uk -all

Mail was sent from 82.70.121.82, which points to mail.isrigb.co.uk, and FAILED?

Debug log: http://pastebin.com/E5B1qTu5

I'm using SpamAssassin version 3.3.0.

Thank you for any advice! I am gladly at your disposal for further questions.

Yours sincerely,
Patrick
Re: SPF_FAIL with SPF mechanism a?
Patrick,

> I could use some help to understand a failed SPF check.
> The SPF record for the domain isrigb.co.uk is:
> v=spf1 mx a:mail.isrigb.co.uk -all

Irrelevant. The SPF record in question is:

$ host -t txt mail.isrigb.co.uk
mail.isrigb.co.uk descriptive text "v=spf1 mx -all"

> Mail was sent from 82.70.121.82, which points to mail.isrigb.co.uk, and FAILED?
> Debug log: http://pastebin.com/E5B1qTu5

The "v=spf1 mx -all" does not include a:mail.isrigb.co.uk.

Mark
Re: SPF_FAIL with SPF mechanism a?
On Tue, 13 Apr 2010 14:36:12 +0200 Mark Martinec <mark.martinec...@ijs.si> wrote:
> Patrick,
>> I could use some help to understand a failed SPF check.
>> The SPF record for the domain isrigb.co.uk is:
>> v=spf1 mx a:mail.isrigb.co.uk -all
> Irrelevant. The SPF record in question is:
> $ host -t txt mail.isrigb.co.uk
> mail.isrigb.co.uk descriptive text "v=spf1 mx -all"
>> Mail was sent from 82.70.121.82, which points to mail.isrigb.co.uk, and FAILED?
>> Debug log: http://pastebin.com/E5B1qTu5
> The "v=spf1 mx -all" does not include a:mail.isrigb.co.uk.

But shouldn't that be an SPF_HELO_FAIL rather than an SPF_FAIL?
Re: SPF_FAIL with SPF mechanism a?
Hello RW, hi Mark, thanks for your time.

SPF_HELO_FAIL and SPF_FAIL both hit! Does SPF_FAIL hit because of SPF_HELO_FAIL or the existing SPF record of mail.isrigb.co.uk?

RW schrieb:
> On Tue, 13 Apr 2010 14:36:12 +0200 Mark Martinec <mark.martinec...@ijs.si> wrote:
>> Patrick,
>>> I could use some help to understand a failed SPF check.
>>> The SPF record for the domain isrigb.co.uk is:
>>> v=spf1 mx a:mail.isrigb.co.uk -all
>> Irrelevant. The SPF record in question is:
>> $ host -t txt mail.isrigb.co.uk
>> mail.isrigb.co.uk descriptive text "v=spf1 mx -all"
>>> Mail was sent from 82.70.121.82, which points to mail.isrigb.co.uk, and FAILED?
>>> Debug log: http://pastebin.com/E5B1qTu5
>> The "v=spf1 mx -all" does not include a:mail.isrigb.co.uk.
> But shouldn't that be an SPF_HELO_FAIL rather than an SPF_FAIL?
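Two things in the threads above come down to which record SPF is evaluated against and what the result is: in Piotr's log the envelope sender domain ameriton.com returns `result: none`, so the SPF_FAIL, SPF_SOFTFAIL and SPF_NEUTRAL rules he scored have nothing to fire on, and in Patrick's case Mark points out that the HELO check reads the record published at mail.isrigb.co.uk, not the one at isrigb.co.uk. The evaluator below is an added example, not part of any post and not SpamAssassin's or Mail::SPF's code. It supports only the mechanisms the threads need (a, a:host, mx, ip4 and a qualified all; no include, redirect, exp or macros), and all DNS answers are constructed tables: the two isrigb.co.uk records and the missing ameriton.com record are as quoted, while the MX hosts, their addresses and the example.com record are assumptions. It does not explain why Patrick saw SPF_FAIL as well as SPF_HELO_FAIL; the pastebin log he refers to is not on this page.

```python
"""Toy SPF evaluator with injected DNS (added example; DNS data is constructed)."""
import ipaddress

# CONSTRUCTED DNS answers. Quoted in the threads: the two isrigb.co.uk TXT
# records, the sender address 82.70.121.82 for mail.isrigb.co.uk, and the
# absence of a record for ameriton.com. Everything else is assumed.
TXT = {
    "isrigb.co.uk": "v=spf1 mx a:mail.isrigb.co.uk -all",   # quoted by Patrick
    "mail.isrigb.co.uk": "v=spf1 mx -all",                   # quoted by Mark
    "example.com": "v=spf1 ip4:192.0.2.0/24 ~all",           # assumed
    # ameriton.com: no TXT record at all
}
A = {
    "mail.isrigb.co.uk": ["82.70.121.82"],   # the sending host in Patrick's case
    "mx1.isrigb.co.uk": ["82.70.121.90"],    # assumed MX host on a different address
}
MX = {
    "isrigb.co.uk": ["mx1.isrigb.co.uk"],        # assumed
    "mail.isrigb.co.uk": ["mx1.isrigb.co.uk"],   # assumed
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addr_matches(ip, hosts, a):
    """True if any A record of any host in `hosts` equals `ip`."""
    return any(ip == ipaddress.ip_address(addr) for h in hosts for addr in a.get(h, []))


def spf_check(ip, domain, txt=TXT, a=A, mx=MX):
    """Evaluate the SPF record published at `domain` for connecting address `ip`.
    Returns 'none' when there is no v=spf1 record, otherwise the result of the
    first matching mechanism; 'neutral' if nothing matched and no 'all' exists."""
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":                       # 'a' alone means the domain itself
            matched = _addr_matches(ip, [arg or domain], a)
        elif mech == "mx":                      # addresses of the domain's MX hosts
            matched = _addr_matches(ip, mx.get(arg or domain, []), a)
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError("mechanism not supported by this toy: " + mech)
        if matched:
            return QUALIFIER[qual]
    return "neutral"


def sa_spf_rules(ip, helo, envfrom_domain):
    """Rule names SpamAssassin's SPF plugin would hit for one connection:
    the envelope-from domain as SPF_<RESULT>, the HELO name separately as
    SPF_HELO_<RESULT>, each against its own record. A HELO without a dot is
    skipped, as the debug line "cannot check HELO of 'discus'" shows.
    SPF_NONE / SPF_HELO_NONE are the score-0 rules KAM added in the thread;
    the FAIL, SOFTFAIL and NEUTRAL rules cannot fire on a 'none' result."""
    hits = ["SPF_" + spf_check(ip, envfrom_domain).upper()]
    if "." in helo:
        hits.append("SPF_HELO_" + spf_check(ip, helo).upper())
    return hits


if __name__ == "__main__":
    print("Piotr's spam:", sa_spf_rules("82.154.150.174", "discus", "ameriton.com"))
    print("Patrick's mail:", sa_spf_rules("82.70.121.82", "mail.isrigb.co.uk", "isrigb.co.uk"))
```

With the assumed MX data, the envelope-from check for isrigb.co.uk passes through a:mail.isrigb.co.uk while the HELO check fails because mail.isrigb.co.uk's own record lists only mx, which is the SPF_PASS plus SPF_HELO_FAIL combination Benny mentions; for ameriton.com the only rule that can hit is SPF_NONE, and only once it carries a non-zero score.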
Re: Howto stop SPF_FAIL from internal network?
On Thu, March 27, 2008 11:28, Enrico Scholz wrote:
> Benny Pedersen <[EMAIL PROTECTED]> writes:
>> spamassassin 2>&1 -D spf -t < /tmp/msg > /tmp/msg.spf.debug
>> post the debug file
> https://www.cvg.de/people/ensc/spf_fail.txt

info: generic: trusted_networks doesn't contain msa_networks entry '192.168.0.0/16'

this is a failure

and disable plugins that are not installed anyway in the pre files

this line here I don't like:

dbg: metadata: X-Spam-Relays-External: [ ip=192.168.3.24 rdns=ensc-virt.intern.sigma-chemnitz.de helo=ensc-virt.intern.sigma-chemnitz.de by=mail.cvg.de ident= envfrom= intl=0 id=m2RA9lJc010009 auth= msa=0 ]

that IP can't be external :/

Is the problem that you have a non-routable IP on the WAN NIC as an alias?

Show me netstat -nr or ip addr show and ip route show

> (full debug with configuration of
> | $ sed '/^\(#.*\)\?$/d' ~/.spamassassin/user_prefs
> | internal_networks 62.153.82.30
> | trusted_networks 62.153.82.30
> | trusted_networks 192.168.8.0/23

oops? (too wide)

> | trusted_networks !192.168.3.0/24
> | msa_networks 192.168.0.0/16
> result is SPF_NEUTRAL now as I added 192.168.0.0 net to SPF entry)

A non-routable IP range makes no sense in SPF.

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
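The info line and the X-Spam-Relays-External line quoted above are both about the same decision: which hop SpamAssassin treats as the first external relay, because that is the address the SPF plugin evaluates. The functions below reduce that walk over trusted_networks to code, as an added example that is not SpamAssassin's code and not from any post. They use Enrico's trusted_networks and msa_networks entries and the single 192.168.3.24 hop from the quoted debug line; the relay chain is constructed from that one line, and the treatment of '!' entries is simplified (an address is in the set when it matches a positive entry and no excluded one), which is an assumption about SpamAssassin's exact semantics.

```python
"""Which relay SPF is checked against: the trusted_networks walk (added example)."""
import ipaddress


def parse_networks(entries):
    """'62.153.82.30', '192.168.8.0/23', '!192.168.3.0/24' -> [(excluded, network), ...]
    A bare address becomes a /32; several entries may share one line."""
    rules = []
    for entry in entries:
        for item in entry.split():
            excluded = item.startswith("!")
            rules.append((excluded, ipaddress.ip_network(item.lstrip("!"), strict=False)))
    return rules


def in_netset(ip, rules):
    """Simplified membership (assumption): any matching '!' entry wins,
    otherwise membership needs a matching positive entry."""
    addr = ipaddress.ip_address(ip)
    member = False
    for excluded, net in rules:
        if addr in net:
            if excluded:
                return False
            member = True
    return member


def first_external_relay(relay_ips, trusted):
    """relay_ips are the 'from' addresses of the Received headers, most recent
    first (the hop our own MTA added comes first). Trusted hops are skipped;
    the first untrusted one is what SpamAssassin reports in
    X-Spam-Relays-External and runs SPF against. None means every hop is
    trusted, so there is no external relay and the SPF check has nothing to do."""
    for ip in relay_ips:
        if not in_netset(ip, trusted):
            return ip
    return None


def msa_not_in_trusted(msa_entries, trusted):
    """Mirror the 'trusted_networks doesn't contain msa_networks entry' warning:
    every msa_networks entry must lie inside a positive trusted_networks entry
    and not overlap an excluded one. Returns the offending entries."""
    positive = [net for excluded, net in trusted if not excluded]
    negative = [net for excluded, net in trusted if excluded]
    offending = []
    for _, net in parse_networks(msa_entries):
        inside = any(net.subnet_of(t) for t in positive)
        carved = any(net.overlaps(t) for t in negative)
        if not inside or carved:
            offending.append(str(net))
    return offending


# Enrico's configuration as quoted above.
ENRICO_TRUSTED = parse_networks(["62.153.82.30", "192.168.8.0/23", "!192.168.3.0/24"])
ENRICO_MSA = ["192.168.0.0/16"]
# CONSTRUCTED relay chain: the one hop in the quoted X-Spam-Relays-External line.
RELAYS = ["192.168.3.24"]

if __name__ == "__main__":
    print("msa_networks entries not inside trusted_networks:", msa_not_in_trusted(ENRICO_MSA, ENRICO_TRUSTED))
    print("first external relay:", first_external_relay(RELAYS, ENRICO_TRUSTED))
    wider = parse_networks(["62.153.82.30", "192.168.0.0/16"])
    print("first external relay with 192.168.0.0/16 trusted:", first_external_relay(RELAYS, wider))
```

With Enrico's lists, 192.168.3.24 is the first external relay, so SPF is evaluated for a private address that no public SPF record lists, and the msa_networks entry is flagged because it is not contained in trusted_networks. Trusting the whole 192.168.0.0/16 removes the external relay and with it the SPF check; whether those user machines should be trusted at all is the separate point Matus raises later in the thread, which this code does not decide.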
Re: Howto stop SPF_FAIL from internal network?
Benny Pedersen <[EMAIL PROTECTED]> writes:
>> https://www.cvg.de/people/ensc/spf_fail.txt
> info: generic: trusted_networks doesn't contain msa_networks entry '192.168.0.0/16'
> this is a failure

You mean that this is a bug in SpamAssassin?

> this line here I don't like:
> dbg: metadata: X-Spam-Relays-External: [ ip=192.168.3.24 rdns=ensc-virt.intern.sigma-chemnitz.de helo=ensc-virt.intern.sigma-chemnitz.de by=mail.cvg.de ident= envfrom= intl=0 id=m2RA9lJc010009 auth= msa=0 ]
> that IP can't be external :/

That's the internal/private host which sends the mail and generates the SPF_FAIL. There is no reason/way to make it external.

>> result is SPF_NEUTRAL now as I added 192.168.0.0 net to SPF entry)
> A non-routable IP range makes no sense in SPF.

... but it seems to be the easiest way to prevent the false SPF_FAIL...

Enrico
Re: Howto stop SPF_FAIL from internal network?
Benny Pedersen <[EMAIL PROTECTED]> writes:
> spamassassin 2>&1 -D spf -t < /tmp/msg > /tmp/msg.spf.debug
> post the debug file

https://www.cvg.de/people/ensc/spf_fail.txt

(full debug with configuration of

| $ sed '/^\(#.*\)\?$/d' ~/.spamassassin/user_prefs
| internal_networks 62.153.82.30
| trusted_networks 62.153.82.30
| trusted_networks 192.168.8.0/23
| trusted_networks !192.168.3.0/24
| msa_networks 192.168.0.0/16

result is SPF_NEUTRAL now as I added 192.168.0.0 net to SPF entry)

Enrico
Re: Howto stop SPF_FAIL from internal network?
Benny Pedersen <[EMAIL PROTECTED]> writes:
>> I have a problem that mails from internal (private) IPs generate SPF_FAIL hits. E.g. my configuration is
>> | internal_networks 62.153.82.30
>> | internal_networks 192.168.0.0/16
>> | trusted_networks 62.153.82.30
>> | trusted_networks 192.168.8.0/24
>> ...
> trusted_networks !192.168.3.0/24

What would be the difference between the current

| trusted_networks 62.153.82.30
| trusted_networks 192.168.8.0/24

? SPF_FAIL for the private network happens in both cases.

> perldoc Mail::SpamAssassin::Plugin::SPF
> see how to use authed headers for authed users

1. I do not need SMTP auth (and SPF is not worth changing this for)
2. the mentioned manpage of spamassassin 3.2.4 does not contain the string 'auth'

> perldoc Mail::SpamAssassin::Conf
> see msa_ defines

SPF_FAIL still happens with

| msa_networks 192.168.0.0/16

Enrico
Re: Howto stop SPF_FAIL from internal network?
On Wed, March 26, 2008 09:24, Enrico Scholz wrote:
> | msa_networks 192.168.0.0/16

spamassassin 2>&1 -D spf -t < /tmp/msg > /tmp/msg.spf.debug

post the debug file

/tmp/msg is an email where it happens

Benny Pedersen
Re: Howto stop SPF_FAIL from internal network?
Benny Pedersen <[EMAIL PROTECTED]> writes:
>> I have a problem that mails from internal (private) IPs generate SPF_FAIL hits. E.g. my configuration is
>> | internal_networks 62.153.82.30
>> | internal_networks 192.168.0.0/16
>> |
>> | trusted_networks 62.153.82.30
>> | trusted_networks 192.168.8.0/24
> 192.168.3.0/24 ...

is not trusted

Enrico
Re: Howto stop SPF_FAIL from internal network?
Benny Pedersen <[EMAIL PROTECTED]> writes:
> internal and trusted should be all ips you have access to but not open to the whole world

Documentation about trusted_networks says something else:

| A trusted host could conceivably relay spam, but will not originate it, and will not forge header data.

Clients in the 192.168.3.0/24 net are ordinary user machines potentially infected by spam bots (--> originating spam and forging header data) and hence must not be in 'trusted_networks'.

Enrico
Re: Howto stop SPF_FAIL from internal network?
> Benny Pedersen <[EMAIL PROTECTED]> writes:
>> internal and trusted should be all ips you have access to but not open to the whole world

On 25.03.08 10:46, Enrico Scholz wrote:
> Documentation about trusted_networks says something else:
> | A trusted host could conceivably relay spam, but will not originate it, and will not forge header data.
> Clients in the 192.168.3.0/24 net are ordinary user machines potentially infected by spam bots (--> originating spam and forging header data) and hence must not be in 'trusted_networks'.

neither in internal_networks, as I already pointed out ;)

only your mail infrastructure (e.g. MX backups, SMTP filters etc) should be in internal_networks.

fix this and then see what SPF checks will produce

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Despite the cost of living, have you noticed how popular it remains?
Re: Howto stop SPF_FAIL from internal network?
Matus UHLAR - fantomas <[EMAIL PROTECTED]> writes:
> only your mail infrastructure (e.g. MX backups, SMTP filters etc) should be in internal_networks.
> fix this and then see what SPF checks will produce

Citing from [EMAIL PROTECTED]:

| ok; fixed it by removing the 192.168.0.0/16 from 'internal_networks'. But the problem still persists that senders from the private 192.168.0.0/16 network are tagged with SPF_FAIL.

Enrico
RE: Howto stop SPF_FAIL from internal network?
> ok; fixed it by removing the 192.168.0.0/16 from 'internal_networks'. But the problem still persists that senders from the private 192.168.0.0/16 network are tagged with SPF_FAIL.
> Enrico

Having watched the thread and not fully recalling every post... I have not checked this, yet has anyone looked in the SPF code areas to see if private network space is handled differently? Again, I have not.

Otherwise, do some private DNS, some special MTA handling, or whatever and be done with it. Just don't let the private network DNS leak to the public nets. There are several dozen reasonable solutions to this, aren't there?

- rh