Re: FORGED_GMAIL_RCVD and USER_IN_DEF_SPF_WL

2018-04-11 Thread Paul Stead


On 11/04/2018, 22:57, "Alex" wrote:

> The envelope sender is
> 3ue3owhmjamkzhabyuuhahsbe.qpzhvnthps.jvtytilzadlzalyu@trix.bounces.google.com
> and the SPF-relevant relay IP is 209.85.223.199, so SPF passes. That's good
> enough for def_whitelist_auth.

trix.bounces.google.com - this seems to be email from Google Forms


Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk



Re: FORGED_GMAIL_RCVD and USER_IN_DEF_SPF_WL

2018-04-11 Thread Alex
Hi,

>> Hi, this message seems suspicious to me (appears to be some type of
>> survey), but I don't understand how it was whitelisted when google.com
>> is not listed among def_whitelist_from_dkim (or at least shouldn't be)
>
> Note that google.com has historically been reserved for Google corporate
> mail, NOT GMail. Hence these rules exist in the default rules:
>
> 60_whitelist_auth.cf:def_whitelist_auth *@*.google.com
> 60_whitelist_dkim.cf:def_whitelist_from_dkim
> googlealerts-nore...@google.com
> 60_whitelist_dkim.cf:# def_whitelist_from_dkim  *@google.com

I inadvertently wrote dkim in my previous email, but meant SPF of
course. I also somehow missed the first whitelist entry above when I
searched before posting. Perhaps I saw the third and stopped. Thanks
David for your offer to review.

> The envelope sender is
> 3ue3owhmjamkzhabyuuhahsbe.qpzhvnthps.jvtytilzadlzalyu@trix.bounces.google.com
> and the SPF-relevant relay IP is 209.85.223.199, so SPF passes. That's good
> enough for def_whitelist_auth.
>
> Messages of this sort make an irrefutable argument for removing the general
> pass given to Google in the default ruleset, as it is clearly based on a use
> model of the domain which no longer is true.

Yes, I agree. That concerned me.

If it's intended for only Google corporate, how did this message get sent?


Re: FORGED_GMAIL_RCVD and USER_IN_DEF_SPF_WL

2018-04-11 Thread Bill Cole

On 11 Apr 2018, at 15:28 (-0400), Alex wrote:

> Hi, this message seems suspicious to me (appears to be some type of
> survey), but I don't understand how it was whitelisted when google.com
> is not listed among def_whitelist_from_dkim (or at least shouldn't be)

Note that google.com has historically been reserved for Google corporate
mail, NOT GMail. Hence these rules exist in the default rules:

60_whitelist_auth.cf:def_whitelist_auth *@*.google.com
60_whitelist_dkim.cf:def_whitelist_from_dkim  googlealerts-nore...@google.com
60_whitelist_dkim.cf:# def_whitelist_from_dkim  *@google.com

> https://pastebin.com/raw/h1370F1F
>
> I'd appreciate any clarification on what's going on here...

The envelope sender is
3ue3owhmjamkzhabyuuhahsbe.qpzhvnthps.jvtytilzadlzalyu@trix.bounces.google.com
and the SPF-relevant relay IP is 209.85.223.199, so SPF passes. That's
good enough for def_whitelist_auth.

Messages of this sort make an irrefutable argument for removing the
general pass given to Google in the default ruleset, as it is clearly
based on a use model of the domain which no longer is true.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

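The mechanism Bill describes above, worked through as an added example (this is not SpamAssassin's code and is not part of the original thread): a small Python model of how a def_whitelist_auth glob is matched and why a Google Forms bounce address satisfies it. The parts that follow SpamAssassin's documented whitelist_from_spf behaviour are the '*'/'?' globbing, anchored case-insensitive matching, the requirement that SPF pass, and the fact that the envelope sender, not the From: header, is what gets matched. The Message class, the helper names, and the gmail.com From: address are assumptions constructed for the example; the original From: was redacted and only the FREEMAIL_FROM hit tells us it was a freemail address.

```python
"""Model of SpamAssassin's (def_)whitelist_auth / whitelist_from_spf matching.

Added illustration only, not SpamAssassin code. What follows SA's documented
behaviour: '*' and '?' globbing, anchored case-insensitive matching, the
requirement that SPF pass, and the fact that the ENVELOPE sender (not the
From: header) is what is matched. Everything else (Message, the helper
names, the constructed gmail.com From: address) is an assumption.
"""
import re
from dataclasses import dataclass

# The stock entry quoted in the thread from 60_whitelist_auth.cf.
DEF_WHITELIST_AUTH = ["*@*.google.com"]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a SpamAssassin address glob into an anchored, case-insensitive regex.

    '*' matches any run of characters, '?' exactly one; all else is literal.
    Anchoring matters: without it '*@google.com' would also match
    'x@google.com.evil.example'.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Message:
    envelope_from: str   # SMTP MAIL FROM (Return-Path), the identity SPF checks
    header_from: str     # RFC 5322 From: address, what the recipient sees
    spf_result: str      # SPF result for envelope_from: "pass", "fail", "none", ...


def matching_patterns(address: str, patterns) -> list:
    """Return the globs in `patterns` that match `address`."""
    return [p for p in patterns if glob_to_regex(p).match(address)]


def spf_whitelist_hit(msg: Message, patterns=DEF_WHITELIST_AUTH) -> bool:
    """Would USER_IN_DEF_SPF_WL fire?

    Two conditions, both on the envelope sender: it must match a
    def_whitelist_auth glob, and SPF must have passed for it. The From:
    header is never consulted, so a gmail.com From: riding on a
    *.google.com bounce address still collects the -7.5.
    """
    if msg.spf_result != "pass":
        return False
    return bool(matching_patterns(msg.envelope_from, patterns))


def apply_unwhitelist(patterns, unwhitelisted) -> list:
    """Model of 'unwhitelist_auth <glob>' in local.cf, which removes the
    identical default entry so the site no longer grants the pass."""
    drop = set(unwhitelisted)
    return [p for p in patterns if p not in drop]


# Constructed sample based on the thread: the envelope sender is the one
# quoted by Bill Cole; the From: address is made up (the original was
# redacted, we only know FREEMAIL_FROM fired).
GOOGLE_FORMS = Message(
    envelope_from="3ue3owhmjamkzhabyuuhahsbe.qpzhvnthps.jvtytilzadlzalyu@trix.bounces.google.com",
    header_from="survey.sender@gmail.com",
    spf_result="pass",
)

if __name__ == "__main__":
    cases = [
        ("Google Forms, SPF pass", GOOGLE_FORMS),
        ("same sender, SPF none", Message(GOOGLE_FORMS.envelope_from, GOOGLE_FORMS.header_from, "none")),
        ("plain gmail.com envelope", Message("someone@gmail.com", "someone@gmail.com", "pass")),
        ("look-alike domain", Message("x@google.com.evil.example", "x@google.com", "pass")),
    ]
    for label, msg in cases:
        print(f"{label:28s} USER_IN_DEF_SPF_WL={spf_whitelist_hit(msg)}")
    # The commented-out '*@google.com' entry would NOT have caught the bounce subdomain:
    print(matching_patterns(GOOGLE_FORMS.envelope_from, ["*@*.google.com", "*@google.com"]))
    # After 'unwhitelist_auth *@*.google.com' in local.cf the pass is gone:
    print(spf_whitelist_hit(GOOGLE_FORMS, apply_unwhitelist(DEF_WHITELIST_AUTH, ["*@*.google.com"])))
```

The point the model makes concrete is that `*@*.google.com` covers every Google subdomain, including bounce domains that carry mail authored by arbitrary Google Forms users, and that the SPF whitelist never looks at the From: header. A site that does not want the default pass can drop that one entry with `unwhitelist_auth *@*.google.com` in local.cf without touching the shipped 60_whitelist_auth.cf.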

Re: FORGED_GMAIL_RCVD and USER_IN_DEF_SPF_WL

2018-04-11 Thread Benny Pedersen

Alex wrote on 2018-04-11 21:28:

> Hi, this message seems suspicious to me (appears to be some type of
> survey), but I don't understand how it was whitelisted when google.com
> is not listed among def_whitelist_from_dkim (or at least shouldn't be)
>
> https://pastebin.com/raw/h1370F1F
>
> I'd appreciate any clarification on what's going on here...

X-Spam-Status: No, score=-6.39 tagged_above=-200 required=4.8
tests=[FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001,
HEADER_FROM_DIFFERENT_DOMAINS=0.1, RELAYCOUNTRY_US=0.01,
SHORTCIRCUIT=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5]
autolearn=disabled

Want more info? Then disable the SHORTCIRCUIT plugin and retest.


Re: FORGED_GMAIL_RCVD and USER_IN_DEF_SPF_WL

2018-04-11 Thread David Jones

On 04/11/2018 02:28 PM, Alex wrote:

> Hi, this message seems suspicious to me (appears to be some type of
> survey), but I don't understand how it was whitelisted when google.com
> is not listed among def_whitelist_from_dkim (or at least shouldn't be)
>
> https://pastebin.com/raw/h1370F1F
>
> I'd appreciate any clarification on what's going on here...

The hit in your pastebin example is hitting USER_IN_DEF_SPF_WL (not
DKIM). I am not able to verify what my SA instance would have hit since
it's been redacted. If you want to send me the exact email off list I
can run it and see what hits I get.


--
David Jones