On 04/24/2014 04:23 PM, John Hardin wrote:
On Thu, 24 Apr 2014, Axb wrote:
On 04/24/2014 02:20 PM, Michael Storz wrote:
On 2014-04-24 13:27, Axb wrote:
> On 04/24/2014 01:22 PM, Michael Storz wrote:
> > On 2014-04-24 12:58, Axb wrote:
> > > On 04/24/2014 12:52 PM, Michael Storz wrote:
> > > > Since Yahoo and AOL have moved to a DMARC policy of reject, mail
> > > > senders are changing the way they are sending their emails.
> > > > Instead of using the email address of a user in RFC5322.From they
> > > > use their own address and put the address of the user in the
> > > > Reply-To field. FREEMAIL_FORGED_REPLYTO fires on these emails and
> > > > produces false positives.
> > > >
> > > > From examples taken from log lines of amavisd:
> > > >
> > > > From: GIVENNAME_SURNAME_via_LinkedIn_<mem...@linkedin.com> (dkim:AUTHOR)
> > > > From: NAME_via_Dropbox_<no-re...@dropbox.com> (dkim:AUTHOR)
> > > >
> > > > Since more and more such emails will occur, for example all web
> > > > forms will send their emails in this way, the rule does not make
> > > > sense anymore.
> > >
> > > good thing you can lower the score if that rule can cause FPs on
> > > its own.
> >
> > Sure, that's what I have done already.
> >
> > > The rule does what it was designed to.
> >
> > Well, if we want to do hairsplitting, then the answer is no: it is
> > not forged anymore, therefore the name is wrong ;-)
>
> pls pastebin a sample msg including full headers.
http://pastebin.com/fSj4azex (will expire in one week)
since I had to change personal information of my customer, evaluation of
DKIM will fail. But FREEMAIL_FORGED_REPLYTO will still fire.
the rule does the right thing..
# header FREEMAIL_FROM eval:check_freemail_from(['regex'])
#
# Checks all possible "from" headers to see if sender is freemail.
# Uses SA all_from_addrs() function (includes 'Resent-From', 'From',
# 'EnvelopeFrom' etc).
Linkedin have chosen to modify the From: ... let's avoid the DMARC
/Y!/AOL discussion here - there's enough noise about it all over the
place.
for once I have to agree with Benny that some ppl may want to
whitelist_from_dkim *@linkedin.com
and maybe others.
To lower the score or modify the rule would make it lose its teeth
and it is very valuable outside the edge cases which tamper with the
From:
add a meta with DKIM_VALID to subtract some points?
possibly, though not something I'd want to impose on everybody, per
default. eg: not everybody finds linkedin.com so cozy that they want to
WL :)
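
Added example, not part of any message in this thread and not the project's own rules: the two options discussed above written as a site-local SpamAssassin config. The rule name LOCAL_FREEMAIL_REPLYTO_DKIM and the score -1.0 are assumptions, and DKIM_VALID_AU (author-domain signature, matching the dkim:AUTHOR log lines) is used in place of the plain DKIM_VALID mentioned in the thread.

```conf
# local.cf -- added example, not shipped with SpamAssassin

# Option 1: per-site choice to trust a specific sender that rewrites From:
# and carries the user's address in Reply-To. Only matches when the
# message has a valid DKIM signature for the From: address.
whitelist_from_dkim *@linkedin.com

# Option 2: offset FREEMAIL_FORGED_REPLYTO when the From: domain is
# verified by an author-domain DKIM signature.
# LOCAL_FREEMAIL_REPLYTO_DKIM is a hypothetical rule name; -1.0 is a
# constructed value to tune against local mail.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta     LOCAL_FREEMAIL_REPLYTO_DKIM  (FREEMAIL_FORGED_REPLYTO && DKIM_VALID_AU)
describe LOCAL_FREEMAIL_REPLYTO_DKIM  Freemail Reply-To, From: domain DKIM-verified
score    LOCAL_FREEMAIL_REPLYTO_DKIM  -1.0
endif
endif
```

Option 2 applies to every domain with a valid author signature, including ones a spammer controls, so keep the offset smaller than the local FREEMAIL_FORGED_REPLYTO score. Run `spamassassin --lint` after editing to confirm the rules parse.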