Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Joseph Brennan


--On October 18, 2016 at 02:06:38 -0400 Ruga  wrote:
> 
> >
 

... unless you're applying DMARC, which says the "From:" should instead
"align" with something other than the author of the message in some cases.

--Joseph Brennan







Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll
On Tue, 18 Oct 2016 02:06:38 -0400
Ruga  wrote:

> < does not belong to the author(s) of the message.>>

A Quoted-String phrase is NOT a mailbox.  It's just a quoted string
that is not subject to any further interpretation.

Regards,

Dianne.


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll


On October 18, 2016 2:09:37 AM EDT, Ruga  wrote:
>RFC 2822 and 5322 are in the "Standards Track".
>RFC 822 is still the standard.

Interesting, but the example is still RFC-compliant, even with 822.

Regards, 

Dianne. 



Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Dianne Skoll


On October 18, 2016 2:27:09 AM EDT, Ruga  wrote:
>Yes, you can prefix a quoted string to the actual address. No, the
>quoted string is not part of the address.

Indeed.

>There are two approaches here: one is to defend the spammer's abuse of
>the standard (intended to trick the average Joe into believing they
>have received mail from someone else), and the other is to read the
>standard

I think you are the one with reading comprehension problems if you are still 
implying my example violates the standard.

Regards,

Dianne.



Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Paul Stead

The following rules look for a From label which looks to have an email address 
looks for this type of spoofed address

The following would be valid, for example:

From: "p...@domain.com" 


http://ruleqa.spamassassin.org/20161017-r1765221-n/T_PDS_FROM_2_EMAILS/detail

http://ruleqa.spamassassin.org/20161017-r1765221-n/T_FROM_2_EMAILS/detail - 
similar to above with less metas

They both seem to hit more ham than spam on the Corpus


Paul

On 18/10/16 07:27, Ruga wrote:
Yes, you can prefix a quoted string to the actual address. No, the quoted 
string is not part of the address.

There are two approaches here: one is to defend the spammer's abuse of the 
standard (intended to trick the average Joe into believing they have received 
mail from someone else), and the other is to read the standard


On Tue, Oct 18, 2016 at 4:02 AM, Dianne Skoll 
<'d...@roaringpenguin.com'> wrote:
On Mon, 17 Oct 2016 19:11:29 -0400
Ruga  wrote:


rfc 822 (the actual standard):


Which as I mentioned is obsolete, but I'll play with you...


authentic = "From" ":" mailbox ; Single author / ...
mailbox = addr-spec ; simple address / phrase route-addr
addr-spec = local-part "@" domain


And you left out the BNF of "phrase", didn't you? Tsk tsk!

You can't pick and choose pieces of RFCs, you know. They come as a package
deal.

TL;DR, the header:

From: "Dianne Skoll " 


is absolutely compliant with RFC-822 and its successors, RFC-2822 and
RFC-5322.

Regards,

Dianne.

--
Paul Stead
Systems Engineer
Zen Internet
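An added example, not part of any post in this thread and not the logic of the T_FROM_2_EMAILS rules: a Python sketch of the check discussed above, comparing an address-like string in the display name with the domain of the real addr-spec. The names `classify_from` and `EMAIL_LIKE` and all sample headers are constructed for illustration; the last sample shows why such a check also fires on legitimate list-rewritten mail.

```python
import re
from email.utils import parseaddr

# Loose pattern for "something that looks like an address" inside a display
# name; the captured group is the domain part. A display name is free text,
# so this only catches names that happen to parse as addresses.
EMAIL_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def classify_from(header_value):
    """Return (verdict, display_name, addr_spec) for one From: header value.

    verdict is one of:
      'unparseable'    - no addr-spec could be extracted
      'no-address'     - display name contains nothing address-like
      'same-domain'    - display name shows an address in the addr-spec's domain
      'domain-differs' - display name shows an address in another domain
    """
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("unparseable", display, addr)
    real_domain = addr.rsplit("@", 1)[1].lower()
    shown = [d.lower() for d in EMAIL_LIKE.findall(display)]
    if not shown:
        return ("no-address", display, addr)
    if all(d == real_domain for d in shown):
        return ("same-domain", display, addr)
    return ("domain-differs", display, addr)

# Constructed sample headers (reserved .example domains only).
SAMPLES = [
    'Alice Example <alice@corp.example>',                  # ordinary name
    '"alice@corp.example" <alice@corp.example>',           # name repeats the address
    '"Alice <alice@corp.example>" <bulk@sender.example>',  # name shows another domain
    '"alice@corp.example via list" <list@groups.example>', # list rewrite, legitimate
]

def run_samples():
    """Classify every sample and return just the verdicts, in order."""
    return [classify_from(s)[0] for s in SAMPLES]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_from(s), "<-", s)
```

All four samples are syntactically valid From: headers; the verdict is a scoring signal to combine with other evidence, not grounds for rejecting the message as non-compliant.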


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Ruga
Yes, you can prefix a quoted string to the actual address. No, the quoted 
string is not part of the address.

There are two approaches here: one is to defend the spammer's abuse of the 
standard (intended to trick the average Joe into believing they have received 
mail from someone else), and the other is to read the standard


On Tue, Oct 18, 2016 at 4:02 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Mon, 17 Oct 2016 19:11:29 -0400
Ruga  wrote:

> rfc 822 (the actual standard):

Which as I mentioned is obsolete, but I'll play with you...

> authentic = "From" ":" mailbox ; Single author / ...
> mailbox = addr-spec ; simple address / phrase route-addr
> addr-spec = local-part "@" domain

And you left out the BNF of "phrase", didn't you? Tsk tsk!

You can't pick and choose pieces of RFCs, you know. They come as a package
deal.

TL;DR, the header:

From: "Dianne Skoll " 

is absolutely compliant with RFC-822 and its successors, RFC-2822 and
RFC-5322.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Ruga
RFC 2822 and 5322 are in the "Standards Track".
RFC 822 is still the standard.


On Tue, Oct 18, 2016 at 2:52 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On October 17, 2016 7:11:29 PM EDT, Ruga  wrote:
>rfc 822 (the actual standard):

Are you serious? RFC 822 is decades obsolete, long since superseded by 2822 and 
then by 5322.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-18 Thread Ruga
<>


On Tue, Oct 18, 2016 at 1:25 AM, Paul Stead <'paul.st...@zeninternet.co.uk'> 
wrote:




On 17/10/16 23:52, Ruga wrote:

https://tools.ietf.org/html/rfc5322#section-3.6.2

  from            =   "From:" mailbox-list CRLF

...
https://tools.ietf.org/html/rfc5322#section-3.4
...

---8<---
  mailbox         =   name-addr / addr-spec

  name-addr       =   [display-name] angle-addr

  display-name    =   phrase

  mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list


  Normally, a mailbox is composed of two parts: (1) an optional display
  name that indicates the name of the recipient (which can be a person
  or a system) that could be displayed to the user of a mail
  application, and (2) an addr-spec address enclosed in angle brackets
  ("<" and ">").  There is an alternate simple form of a mailbox where
  the addr-spec address appears alone, without the recipient's name or
  the angle brackets.  The Internet addr-spec address is described in
  section 3.4.1 (https://tools.ietf.org/html/rfc5322#section-3.4.1).

--
Paul Stead
Systems Engineer
Zen Internet

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Dianne Skoll
On Mon, 17 Oct 2016 19:11:29 -0400
Ruga  wrote:

> rfc 822 (the actual standard):

Which as I mentioned is obsolete, but I'll play with you...

> authentic = "From" ":" mailbox ; Single author / ...
> mailbox = addr-spec ; simple address  / phrase route-addr
> addr-spec = local-part "@" domain

And you left out the BNF of "phrase", didn't you?  Tsk tsk!

You can't pick and choose pieces of RFCs, you know.  They come as a package
deal.

TL;DR, the header:

   From:  "Dianne Skoll " 

is absolutely compliant with RFC-822 and its successors, RFC-2822 and
RFC-5322.

Regards,

Dianne.


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Dianne Skoll


On October 17, 2016 7:11:29 PM EDT, Ruga  wrote:
>rfc 822 (the actual standard):

Are you serious?  RFC 822 is decades obsolete, long since superseded by 2822 
and then by 5322.

Regards,

Dianne.



Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Paul Stead



On 17/10/16 23:52, Ruga wrote:

https://tools.ietf.org/html/rfc5322#section-3.6.2



  from            =   "From:" mailbox-list CRLF

...
https://tools.ietf.org/html/rfc5322#section-3.4
...

---8<---
  mailbox         =   name-addr / addr-spec

  name-addr       =   [display-name] angle-addr

  display-name    =   phrase

  mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list


  Normally, a mailbox is composed of two parts: (1) an optional display
  name that indicates the name of the recipient (which can be a person
  or a system) that could be displayed to the user of a mail
  application, and (2) an addr-spec address enclosed in angle brackets
  ("<" and ">").  There is an alternate simple form of a mailbox where
  the addr-spec address appears alone, without the recipient's name or
  the angle brackets.  The Internet addr-spec address is described in
  section 3.4.1.

--
Paul Stead
Systems Engineer
Zen Internet


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
rfc 822 (the actual standard):

authentic = "From" ":" mailbox ; Single author / ...
mailbox = addr-spec ; simple address  / phrase route-addr
addr-spec = local-part "@" domain



On Tue, Oct 18, 2016 at 12:52 AM, Ruga <'r...@protonmail.com'> wrote:

https://tools.ietf.org/html/rfc5322#section-3.6.2




On Mon, Oct 17, 2016 at 2:18 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Sun, 16 Oct 2016 18:08:20 -0400
Ruga  wrote:

> In my servers, the above string is not RFC compliant,
> and therefore the whole mail is automatically
> rejected as SPAM.

Your servers fail in RFC comprehension. The message header:

From: "Dianne Skoll " 

is absolutely 100% RFC-compliant.

If you feel it is not, please cite the RFC that's violated, including
the specific section being violated.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-17 Thread Ruga
https://tools.ietf.org/html/rfc5322#section-3.6.2




On Mon, Oct 17, 2016 at 2:18 AM, Dianne Skoll <'d...@roaringpenguin.com'> wrote:
On Sun, 16 Oct 2016 18:08:20 -0400
Ruga  wrote:

> In my servers, the above string is not RFC compliant,
> and therefore the whole mail is automatically
> rejected as SPAM.

Your servers fail in RFC comprehension. The message header:

From: "Dianne Skoll " 

is absolutely 100% RFC-compliant.

If you feel it is not, please cite the RFC that's violated, including
the specific section being violated.

Regards,

Dianne.

Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Dianne Skoll
>one could argue if From:Name and From:Addr have differing domains its 
>forged ?

One could argue that, but one could not argue that my sample From: header is 
not RFC-compliant.

Last I checked, Yahoo Groups rewrote the From: header in exactly that manner.

Furthermore, the Quoted-String part of the header can be almost anything you 
like, so there's no concept of From:Name having a domain.  I leave it as an 
exercise for the reader to devise a From:Name that sort of looks like it 
contains an email address but is unparseable as such.

Regards, 

Dianne


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Benny Pedersen

On 2016-10-17 02:18, Dianne Skoll wrote:


From: "Dianne Skoll " 

is absolutely 100% RFC-compliant.


lets break test it :)


If you feel it is not, please cite the RFC that's violated, including
the specific section being violated.


one could argue if From:Name and From:Addr have differing domains its 
forged ?


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Bill Cole

On 16 Oct 2016, at 18:08, Ruga wrote:


From: "Dianne Skoll " 


In my servers, the above string is not RFC compliant,


Are you writing your own RFC's? That's cool: the IETF could do with some 
competition. Where are you publishing them and accepting comments?


The IETF's RFC5322 includes this ABNF ultimately specifying the From 
header:


   local-part      =   dot-atom / quoted-string / obs-local-part

   domain          =   dot-atom / domain-literal / obs-domain

   domain-literal  =   [CFWS] "[" *([FWS] dtext) [FWS] "]" [CFWS]

   dtext           =   %d33-90 /          ; Printable US-ASCII
                       %d94-126 /         ;  characters not including
                       obs-dtext          ;  "[", "]", or "\"

   qtext           =   %d33 /             ; Printable US-ASCII
                       %d35-91 /          ;  characters not including
                       %d93-126 /         ;  "\" or the quote character
                       obs-qtext

   quoted-pair     =   ("\" (VCHAR / WSP)) / obs-qp

   qcontent        =   qtext / quoted-pair

   quoted-string   =   [CFWS]
                       DQUOTE *([FWS] qcontent) [FWS] DQUOTE
                       [CFWS]

   word            =   atom / quoted-string

   phrase          =   1*word / obs-phrase

   display-name    =   phrase

   angle-addr      =   [CFWS] "<" addr-spec ">" [CFWS] /
                       obs-angle-addr

   name-addr       =   [display-name] angle-addr

   addr-spec       =   local-part "@" domain

   mailbox         =   name-addr / addr-spec

   mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list

   from            =   "From:" mailbox-list CRLF

It seems to me that Dianne's example is entirely legal as a From header, 
essentially because you can put almost anything inside a quoted-string. 
You'll note that I've left out all the still-legal 'obs-*' component 
specs because you do not need them in this case. Note that RFC5322 did 
not expand what is allowed in a From header.


Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Dianne Skoll
On Sun, 16 Oct 2016 18:08:20 -0400
Ruga  wrote:

> In my servers, the above string is not RFC compliant,
> and therefore the whole mail is automatically
> rejected as SPAM.

Your servers fail in RFC comprehension.  The message header:

   From: "Dianne Skoll " 

is absolutely 100% RFC-compliant.

If you feel it is not, please cite the RFC that's violated, including
the specific section being violated.

Regards,

Dianne.



Re: The real spoofing issue (was Re: How to get spam assassin to detect spoofed mails as SPF is clearly useless)

2016-10-16 Thread Ruga
> From: "Dianne Skoll " 


In my servers, the above string is not RFC compliant,
and therefore the whole mail is automatically
rejected as SPAM.