Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Joseph Brennan
--On October 18, 2016 at 02:06:38 -0400 Ruga wrote: > > > ... unless you're applying DMARC, which says the "From:" should instead "align" with something other than the author of the message in some cases. --Joseph Brennan

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll
On Tue, 18 Oct 2016 02:06:38 -0400 Ruga wrote: > < does not belong to the author(s) of the message.>> A Quoted-String phrase is NOT a mailbox. It's just a quoted string that is not subject to any further interpretation. Regards, Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll
On October 18, 2016 2:09:37 AM EDT, Ruga wrote: >RFC 2822 and 5322 are in the "Standards Track". >RFC 822 is still the standard. Interesting, but the example is still RFC-compliant, even with 822. Regards, Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll
On October 18, 2016 2:27:09 AM EDT, Ruga wrote: >Yes, you can prefix a quoted string to the actual address. No, the >quoted string is not part of the address. Indeed. >There are two approaches here: one is to defend the spammer's abuse of >the standard (intended to trick the average Joe into b

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Paul Stead
The following rules look for a From label which looks to have an email address looks for this type of spoofed address The following would be valid, for example: From: "p...@domain.com" http://ruleqa.spamassassin.org/20161017-r1765221-n/T_PDS_FR

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
Yes, you can prefix a quoted string to the actual address. No, the quoted string is not part of the address. There are two approaches here: one is to defend the spammer's abuse of the standard (intended to trick the average Joe into believing they have received mail from someone else), and the

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
RFC 2822 and 5322 are in the "Standards Track". RFC 822 is still the standard. On Tue, Oct 18, 2016 at 2:52 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote: On October 17, 2016 7:11:29 PM EDT, Ruga wrote: >rfc 822 (the actual standard): Are you serious? RFC 822 is decades obsolete, long sinc

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
<> On Tue, Oct 18, 2016 at 1:25 AM, Paul Stead <'paul.st...@zeninternet.co.uk'> wrote: On 17/10/16 23:52, Ruga wrote: https://tools.ietf.org/html/rfc5322#section-3.6.2 from = "From:" mailbox-list CRLF ... https://tools.ietf.org/html/rfc5322#section-3.4 ... ---8<--- mailbox = name-addr / a

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Dianne Skoll
On Mon, 17 Oct 2016 19:11:29 -0400 Ruga wrote: > rfc 822 (the actual standard): Which as I mentioned is obsolete, but I'll play with you... > authentic = "From" ":" mailbox ; Single author / ... > mailbox = addr-spec ; simple address / phrase route-addr > addr-spec = local-part "@" domain And

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Dianne Skoll
On October 17, 2016 7:11:29 PM EDT, Ruga wrote: >rfc 822 (the actual standard): Are you serious? RFC 822 is decades obsolete, long since superseded by 2822 and then by 5322. Regards, Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Paul Stead
On 17/10/16 23:52, Ruga wrote: https://tools.ietf.org/html/rfc5322#section-3.6.2 from= "From:" mailbox-list CRLF ... https://tools.ietf.org/html/rfc5322#section-3.4 ... ---8<--- mailbox = name-addr / addr-spec name-addr = [display-name] angle-addr

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
rfc 822 (the actual standard): authentic = "From" ":" mailbox ; Single author / ... mailbox = addr-spec ; simple address / phrase route-addr addr-spec = local-part "@" domain On Tue, Oct 18, 2016 at 12:52 AM, Ruga <'r...@protonmail.com'> wrote: https://tools.ietf.org/html/rfc5322#section-3.6.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
https://tools.ietf.org/html/rfc5322#section-3.6.2 On Mon, Oct 17, 2016 at 2:18 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote: On Sun, 16 Oct 2016 18:08:20 -0400 Ruga wrote: > In my servers, the above string is not RFC compliant, > and therefore the whole mail is automatically > rejected

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-17 Thread Bowie Bailey
On 10/15/2016 12:53 PM, Matus UHLAR - fantomas wrote: and immediately after implementing, those people and organizations would be surprised they block mail they should not block (see above). No, it wouldn't block mail. It would add a bit to the score. If there are other spam signs, it mig

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Dianne Skoll
>one could argue if From:Name and From:Addr have differing domains its >forged ? One could argue that, but one could not argue that my sample From: header is not RFC-compliant. Last I checked, Yahoo Groups rewrote the From: header in exactly that manner. Furthermore, the Quoted-String part of

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Benny Pedersen
On 2016-10-17 02:18, Dianne Skoll wrote: From: "Dianne Skoll " is absolutely 100% RFC-compliant. let's break test it :) If you feel it is not, please cite the RFC that's violated, including the specific section being violated. one could argue if From:Name and From:Addr have differing doma

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Bill Cole
On 16 Oct 2016, at 18:08, Ruga wrote: From: "Dianne Skoll " In my servers, the above string is not RFC compliant, Are you writing your own RFC's? That's cool: the IETF could do with some competition. Where are you publishing them and accepting comments? The IETF's RFC5322 includes this A

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Dianne Skoll
On Sun, 16 Oct 2016 18:08:20 -0400 Ruga wrote: > In my servers, the above string is not RFC compliant, > and therefore the whole mail is automatically > rejected as SPAM. Your servers fail in RFC comprehension. The message header: From: "Dianne Skoll " is absolutely 100% RFC-compliant. I

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Ruga
> From: "Dianne Skoll " In my servers, the above string is not RFC compliant, and therefore the whole mail is automatically rejected as SPAM.

The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Dianne Skoll
Oh, and one more thing... Even if there were a magic bullet to absolutely detect forged From: addresses and forged envelope senders... it would not help with phishing attacks and spoofing. That's because every email reader I've ever used shows neither the From: address nor the envelope sender by

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-16 Thread Dianne Skoll
On Sat, 15 Oct 2016 17:33:00 +0200 Petr Bena wrote: > What exactly were you trying to tell me? I'm trying to tell you that unless we throw out SMTP, there is *no way* to detect spoofed email. That's because SMTP allows for "legitimate" spoofing (AKA mailing lists) which makes it impossible to f

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Petr Bena
On 10/15/16 20:56, David Jones wrote: > > >What I was hoping for was, that as someone who does bother checking, to > > >find out a solution that would help me prevent from receiving spoofed > >e-mails, because as I mentioned multiple times SPF, DKIM, and DMARC is > >not able to do that. I am lookin

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Bill Cole
On 15 Oct 2016, at 14:50, Petr Bena wrote: I was looking to accomplish something similar, but seems that SA can't do that and there are probably no open source plugins or postfix hooks that allow this (so far). This class of problem is one reason to pick MIMEDefang as your tool for integratin

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Petr Bena
On 10/15/16 20:35, Antony Stone wrote: > On Saturday 15 October 2016 at 20:30:25, Axb wrote: > >> On 10/15/2016 08:13 PM, Petr Bena wrote: >>> What I was hoping for was, that as someone who does bother checking, to >>> find out a solution that would help me prevent from receiving spoofed >>> e-mail

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Bill Cole
On 15 Oct 2016, at 14:13, Petr Bena wrote: That would obviously work and blocked hackers from spoofing, No, it would not do so. It's clear that you didn't bother reading Dianne Skoll's message and considering or testing her counter-example. but as you said, it would also break some other s

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread David Jones
>Thanks for that, I will do that, another thing that comes to my mind: >if my mail server sign every single e-mail with DKIM, that e-mail >should be signed even if it's redistributed by mailing list daemon >or not? I see my own e-mails here and e-mails of some other people >in this list to be D

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Petr Bena
Hello, What I was hoping for was, that as someone who does bother checking, to find out a solution that would help me prevent from receiving spoofed e-mails, because as I mentioned multiple times SPF, DKIM, and DMARC is not able to do that. I am looking for a way how to detect that e-mail is spoof

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Ralph Seichter
On 15.10.16 21:08, Petr Bena wrote: > if my mail server sign every single e-mail with DKIM, that e-mail should > be signed even if it's redistributed by mailing list daemon or not? Sadly, there are mailing list admins who think it wise to have subject lines or message bodies modified, e.g. by add

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread David Jones
>What I was hoping for was, that as someone who does bother checking, to >find out a solution that would help me prevent from receiving spoofed >e-mails, because as I mentioned multiple times SPF, DKIM, and DMARC is >not able to do that. I am looking for a way how to detect that e-mail is >spoofed

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Axb
On 10/15/2016 08:35 PM, Antony Stone wrote: On Saturday 15 October 2016 at 20:30:25, Axb wrote: On 10/15/2016 08:13 PM, Petr Bena wrote: What I was hoping for was, that as someone who does bother checking, to find out a solution that would help me prevent from receiving spoofed e-mails The

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Ralph Seichter
On 15.10.16 20:13, Petr Bena wrote: > One of solutions that I proposed is an optional SA plugin that would > treat the email found in "From:" header as envelope sender and check > against that, raising the score or doing something if it failed. A sending mail on behalf of B does not automatically

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Antony Stone
On Saturday 15 October 2016 at 20:30:25, Axb wrote: > On 10/15/2016 08:13 PM, Petr Bena wrote: > > > > What I was hoping for was, that as someone who does bother checking, to > > find out a solution that would help me prevent from receiving spoofed > > e-mails > There is no publicly available Sp

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Axb
On 10/15/2016 08:13 PM, Petr Bena wrote: Hello, What I was hoping for was, that as someone who does bother checking, to find out a solution that would help me prevent from receiving spoofed e-mails, because as I mentioned multiple times SPF, DKIM, and DMARC is not able to do that. I am looking f

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Ralph Seichter
On 15.10.16 17:33, Petr Bena wrote: > I started this discussion stating the fact that SPF, DKIM and DMARC > don't prevent people from being able to spoof your email address. These mechanisms are not meant to prevent spoofing (and they can't), just to make it easier to detect spoofing on the recei

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Petr Bena
I don't understand your point. I started this discussion stating the fact that SPF, DKIM and DMARC don't prevent people from being able to spoof your email address. And you tell me that I don't understand email security because SPF, DKIM and DMARC don't prevent people from being able to spoof my e

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Bill Cole
On 15 Oct 2016, at 11:33, Petr Bena wrote: I don't understand your point. I started this discussion stating the fact that SPF, DKIM and DMARC don't prevent people from being able to spoof your email address. And you tell me that I don't understand email security because SPF, DKIM and DMARC don

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Matus UHLAR - fantomas
On 10/15/2016 1:51 PM, Matus UHLAR - fantomas wrote: I can immediately guess this rule would need way too many exceptions to be useful. And when anyone in the world subscribed to any list, it would need an exception. On 15.10.16 15:35, Petr Bena wrote: Nope, the exception would go for a whole

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Petr Bena
Nope, the exception would go for a whole mailing list, not for every of its users. Anyway given that this would be optional plugin for sa, it would be only used by people / organizations who care about authenticity of the message sender and these that would be OK with the fact that mail address

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Axb
On 10/15/2016 04:57 PM, Dianne Skoll wrote: On Sat, 15 Oct 2016 15:35:25 +0200 Petr Bena wrote: Believe me, there are people or organizations who would happily exchange ability to use mailing lists within some domain for guarantee that their emails can't be spoofed in no way (at least within t

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Dianne Skoll
On Sat, 15 Oct 2016 15:35:25 +0200 Petr Bena wrote: > Believe me, there are people or organizations who would happily > exchange ability to use mailing lists within some domain for > guarantee that their emails can't be spoofed in no way (at least > within their own domain). You seriously don't

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Dianne Skoll
On Fri, 14 Oct 2016 23:24:21 +0200 Petr Bena wrote: > How does DKIM prevent others from spoofing your mail address? People > will still receive unsigned e-mails that look like they were sent by > you even if they were not. DKIM by itself does not. DKIM plus DMARC sort-of does. (I say "sort-of"

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-15 Thread Matus UHLAR - fantomas
On 14.10.16 16:26, Bowie Bailey wrote: On the other hand, SA is a points-based system. If you checked SPF based on the From header, you could then whitelist known list servers and other exceptions and add a point or so to the rest. If you set the score at 0.001 and monitored the non-spam hits

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Petr Bena
Exactly this. Also I don't understand why mailing lists /have to/ work this way. I know it's long-time established standard just like e-mails, but flawed and people are abusing it, because it's extremely easy to do that. Mailing list daemon doesn't have to pretend that e-mail was sent by me or so

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Bill Cole
On 14 Oct 2016, at 17:24, Petr Bena wrote: Also I don't understand why mailing lists /have to/ work this way. I know it's long-time established standard just like e-mails, but flawed and people are abusing it, because it's extremely easy to do that. Welcome to the Internet: where almost every

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Ralph Seichter
On 14.10.16 23:24, Petr Bena wrote: > I know that this would break existing standards (which are flawed by > design TBH), but why not at least make this as an optional feature? You said it yourself: because it would break existing standards. That's reason enough not to mess with things. The desig

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Benny Pedersen
On 2016-10-14 23:24, Petr Bena wrote: P.S. this is extremely easy to implement from programmer point of view, all you need to do is take existing SPF plugin and just have it verify SPF against e-mail that is in From header. It's probably a change of few lines of code for someone who knows perl

How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Petr Bena
Hello, I created this BT https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7360 to implement SPF-like checks on From: sender as well in addition to envelope sender (if they differ). It was rejected as invalid because SPF specs are different. That is probably true, but it doesn't change the fact

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Bowie Bailey
On 10/14/2016 3:43 PM, Kris Deugau wrote: Petr Bena wrote: Is there any way to get spam assassin to actually figure out that e-mail is spoofed even if it's obviously easy to figure out? Consider the case of, oh, say, this message. Or virtually every other interactive mailing list on the Intern

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Benny Pedersen
On 2016-10-14 21:24, Petr Bena wrote: I created this BT https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7360 to implement SPF-like checks on From: sender as well in addition to envelope sender (if they differ). It was rejected as invalid because SPF specs are different. Authentication-Resul

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Dianne Skoll
On Fri, 14 Oct 2016 21:24:08 +0200 Petr Bena wrote: > That is probably true, but it doesn't change the fact that SPF specs > as they are make SPF completely useless. It also doesn't change the fact that running SPF on the From: header domain is completely wrong and will break all kinds of things

Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless

2016-10-14 Thread Kris Deugau
Petr Bena wrote: > Is there any way to get spam assassin to actually figure out that e-mail > is spoofed even if it's obviously easy to figure out? Consider the case of, oh, say, this message. Or virtually every other interactive mailing list on the Internet. Were you to do an SPF check on the F