Re: Rule for detecting two email addresses in From: field.
On 10/4/19 12:22 PM, A. Schulze wrote:
> Hi Grant,
>
> Maybe we're talking about different things :-)

Based on your description, I believe we are talking about different things. Thank you for the clarification.

> The OpenDMARC bug could be triggered by this RFC5322.From:
>
> From: user , user

I seem to recall that it is within RFC spec to have multiple addresses in the From: header.

I would assume that all would need to pass DMARC alignment tests for the message to also pass DMARC alignment tests. This would likely be difficult to do if the From: addresses are part of separate domains, especially if they are from separate organizations.

> Mallory could send a message which authenticates as badguy.example but OpenDMARC report "dmarc=pass domain=yahoo.example"
>
> That's fixed with https://github.com/trusteddomainproject/OpenDMARC/pull/48/commits/f6b615e345037408b88b2ffd1acd03239af8a858

That seems like a problem. I'm glad that it was fixed.

> But back to SA: there is a difference between this comma separated list and the display name containing a second address ...

Agreed.

I still think that the MUA has some culpability in both cases; multiple addresses in one From: header and multiple From: headers.

--
Grant. . . . unix || die
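The two cases distinguished in the message above (a comma-separated list of mailboxes versus a display name that merely contains a second address) can be told apart by parsing the header rather than pattern-matching it. The following is an added example, not code from the thread, SpamAssassin or OpenDMARC; the function names, the sample headers and the exact-match alignment rule are assumptions made for illustration.

```python
import re
from email.utils import getaddresses

# Loose address pattern, used only to spot an address embedded in a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def analyze_from(header_value):
    """Parse a raw From: value and report which multi-address pattern it shows."""
    pairs = [(n, a) for n, a in getaddresses([header_value]) if a]
    domains = sorted({a.rsplit("@", 1)[-1].lower() for _, a in pairs})
    findings = []
    if len(pairs) > 1:
        findings.append("multiple_mailboxes")        # comma-separated list
    if len(domains) > 1:
        findings.append("multiple_domains")          # more than one domain to align
    if any(m.lower() != a.lower() for n, a in pairs for m in ADDR_RE.findall(n)):
        findings.append("address_in_display_name")   # second address is only text
    return {"addresses": [a for _, a in pairs], "domains": domains,
            "findings": findings}

def unaligned_domains(header_value, authenticated_domain):
    """Return From: domains that differ from the authenticated domain.

    Assumption: strict exact-match alignment, no organizational-domain lookup.
    """
    auth = authenticated_domain.lower()
    return [d for d in analyze_from(header_value)["domains"] if d != auth]

# Constructed sample headers (the addresses in the archived message were stripped).
SAMPLES = {
    "list": '"User" <user@badguy.example>, "User" <user@yahoo.example>',
    "display": '"ceo@yahoo.example" <mallory@badguy.example>',
    "plain": '"Doe, Jane" <jane@corp.example>',
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, analyze_from(value), unaligned_domains(value, "badguy.example"))
```

A filter or verifier that evaluates every domain returned here, instead of a single one, reports the list case as unaligned for yahoo.example when only badguy.example authenticated.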
Re: Facebook notifications sent from dynamic address
I noticed the same thing this morning. This is new for me as of yesterday. They appear legit, but they get caught up in my filters for the dyn ip "appearance".

From: Kenneth Porter
Sent: Saturday, October 5, 2019 10:05 AM
To: users@spamassassin.apache.org
Subject: Facebook notifications sent from dynamic address

(Nothing wrong with SA. Just an FYI about a popular service that abuses the Internet and SA catches it.)

I noticed one of my notifications from Facebook today got tagged by SA. Here's the two that put it over:

3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server [66.220.155.138 listed in dnsbl.sorbs.net]

Here's the offending header:

Received: from 66-220-155-138.mail-mail.facebook.com (66-220-155-138.mail-mail.facebook.com [66.220.155.138])

So who do I bitch at? I've never found any good way to complain to Facebook.
Facebook notifications sent from dynamic address
(Nothing wrong with SA. Just an FYI about a popular service that abuses the Internet and SA catches it.)

I noticed one of my notifications from Facebook today got tagged by SA. Here's the two that put it over:

3.9 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server [66.220.155.138 listed in dnsbl.sorbs.net]

Here's the offending header:

Received: from 66-220-155-138.mail-mail.facebook.com (66-220-155-138.mail-mail.facebook.com [66.220.155.138])

So who do I bitch at? I've never found any good way to complain to Facebook.