Re: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Martin G. Diehl

Kelson wrote:


> How did you whitelist borland.com?  Did you use...
>
> whitelist_from
> whitelist_from_rcvd
> whitelist_from_dkim
> whitelist_from_spf
> ...etc?
>
> If you just used whitelist_from, it doesn't do any verification.  It's a
> last-ditch option for cases where more reliable methods aren't possible.
> So that would just subtract 100 points from anything claiming to be
> from borland.com.
>
> As for the DomainKeys header, it looks like your SA installation didn't
> even check it, since I don't see any DKIM or DomainKeys rules in the
> list of rules that fired.  Do you have either the DKIM or DomainKeys
> plugin enabled?


I'll ask my ISP (nac.net) about both of those points.

Thanks for the hints.

--
MGD



RE: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Dan Barker
whitelist_from_rcvd [EMAIL PROTECTED] borland.com

will probably do what you want. Although Borland doesn't publish an SPF, you'll
find all their MXs have borland.com rDNS.

You'd have to watch it a while to see if you miss any legitimate Borland
email that's not via a borland.com server.

Dan

-Original Message-
From: Martin G. Diehl [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 3:31 PM
To: users@spamassassin.apache.org
Subject: Spoofed from address but matched my whitelist -- please clarify


Greetings,

I have a piece of SPAM with an obviously spoofed (obvious to me,
that is) from address ... but it didn't get flagged as SPAM.

The message claims to originate from borland.com

borland.com has IP 63.175.76.152

The message actually originates from napfehfu 86.60.37.183

borland.com is listed in my whitelist.

My questions ...

(1) Shouldn't this message have been flagged as SPAM?

(2) Is the DomainKey-Signature also spoofed or fake?

(3) Which headers (types of from addresses) are compared to my whitelist?

Some of the significant header lines (I reversed the sequence)

 > DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
 >   d=borland.com;
 >   b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;

 > From: "Abbey Delisa" <[EMAIL PROTECTED]>

 > Received: from unknown (HELO napfehfu) (86.60.37.183)
 >   by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -

 > Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from
<[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25
 >  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
 >  Clear:RC:0(86.60.37.183):.

Here are all of the headers ...
===
> X-UIDL: 1178037793.M276441P78860.mx2.oct.nac.net
> X-Mozilla-Status: 
> X-Mozilla-Status2: 
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd1.oct
> X-Spam-Level:
> X-Spam-PrefsFile: nac.net/mdiehl
> X-Spam-Status: No, score=-77.8 required=4.7 tests=HTML_FONT_BIG=0.256,
>   HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.001,RAZOR2_CF_RANGE_51_100=0.5,
>   RAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
>   RAZOR2_CHECK=0.5,RCVD_IN_SORBS_DUL=1.988,TW_ZW=0.077,
>   URIBL_AB_SURBL=3.306,URIBL_BLACK=3,URIBL_JP_SURBL=3.36,
>   URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,USER_IN_WHITELIST=-100
>   autolearn=disabled version=3.1.7
> Received: (qmail 78558 invoked by uid 0); 1 May 2007 16:42:54 -
> Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from
<[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25
>  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
>  Clear:RC:0(86.60.37.183):.
>  Processed in 0.524071 secs); 01 May 2007 16:42:54 -
> X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
> X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
> X-Qmail-Scanner: 1.25 (Clear:RC:0(86.60.37.183):. Processed in 0.524071
secs)
> X-Qmail-Scanner-NAC-Block-Zips: 1
> X-Qmail-Scanner-NAC-Redirect-This: 0
> X-Qmail-Scanner-NAC-Redirect-To:
> X-Qmail-Scanner-NAC-Scanners-Run:  clamdscan_scanner fprot_scanner
> Received: from unknown (HELO napfehfu) (86.60.37.183)
>   by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -
> To: <[EMAIL PROTECTED]>
> Date: Tue, 01 May 2007 09:42:45 -0800
> From: "Abbey Delisa" <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
>   d=borland.com;
>   b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;
> User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> Subject: SPECIAL PHARMACY DISCOUNT, you   pay & we ship, no question
asked, established by reputable Canadian Doctor qizwx
> Content-Type: text/html;
>   charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
===

Thanks for any and all comments, help, or advice.

--
MGD






Re: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Kelson

How did you whitelist borland.com?  Did you use...

whitelist_from
whitelist_from_rcvd
whitelist_from_dkim
whitelist_from_spf
...etc?

If you just used whitelist_from, it doesn't do any verification.  It's a
last-ditch option for cases where more reliable methods aren't possible.
So that would just subtract 100 points from anything claiming to be
from borland.com.


As for the DomainKeys header, it looks like your SA installation didn't 
even check it, since I don't see any DKIM or DomainKeys rules in the 
list of rules that fired.  Do you have either the DKIM or DomainKeys 
plugin enabled?


--
Kelson Vibber
SpeedGate Communications 


Re: Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Michele Neylon :: Blacknight
Since you whitelisted all mail from the domain in question, it got a
negative score of -100.


If you remove that score it jumps to over 23 points, which would have
marked it as spam.


The fact that borland's A record may point to another IP is irrelevant.

You have no way of knowing which IPs are permitted to send mail from 
borland.com as they haven't published an SPF record.





--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763



Spoofed from address but matched my whitelist -- please clarify

2007-05-02 Thread Martin G. Diehl

Greetings,

I have a piece of SPAM with an obviously spoofed (obvious to me,
that is) from address ... but it didn't get flagged as SPAM.

The message claims to originate from borland.com

borland.com has IP 63.175.76.152

The message actually originates from napfehfu 86.60.37.183

borland.com is listed in my whitelist.

My questions ...

(1) Shouldn't this message have been flagged as SPAM?

(2) Is the DomainKey-Signature also spoofed or fake?

(3) Which headers (types of from addresses) are compared to my whitelist?

Some of the significant header lines (I reversed the sequence)

> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
>   d=borland.com;
>   b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;

> From: "Abbey Delisa" <[EMAIL PROTECTED]>

> Received: from unknown (HELO napfehfu) (86.60.37.183)
>   by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -

> Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25
>  (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
>  Clear:RC:0(86.60.37.183):.

Here are all of the headers ...
===

X-UIDL: 1178037793.M276441P78860.mx2.oct.nac.net
X-Mozilla-Status: 
X-Mozilla-Status2: 
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd1.oct
X-Spam-Level: 
X-Spam-PrefsFile: nac.net/mdiehl

X-Spam-Status: No, score=-77.8 required=4.7 tests=HTML_FONT_BIG=0.256,
	HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.001,RAZOR2_CF_RANGE_51_100=0.5,
	RAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
	RAZOR2_CHECK=0.5,RCVD_IN_SORBS_DUL=1.988,TW_ZW=0.077,
	URIBL_AB_SURBL=3.306,URIBL_BLACK=3,URIBL_JP_SURBL=3.36,
	URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,USER_IN_WHITELIST=-100
	autolearn=disabled version=3.1.7

Received: (qmail 78558 invoked by uid 0); 1 May 2007 16:42:54 -
Received: from 86.60.37.183 by mx2.oct.nac.net (envelope-from <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25 
 (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
 Clear:RC:0(86.60.37.183):. 
 Processed in 0.524071 secs); 01 May 2007 16:42:54 -

X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:0(86.60.37.183):. Processed in 0.524071 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To: 
X-Qmail-Scanner-NAC-Scanners-Run:  clamdscan_scanner fprot_scanner

Received: from unknown (HELO napfehfu) (86.60.37.183)
  by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -
To: <[EMAIL PROTECTED]>
Date: Tue, 01 May 2007 09:42:45 -0800
From: "Abbey Delisa" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
  d=borland.com;
  b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;
User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: SPECIAL PHARMACY DISCOUNT, you   pay & we ship, no question asked, 
established by reputable Canadian Doctor qizwx
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

===

Thanks for any and all comments, help, or advice.

--
MGD
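Dan's suggestion (whitelist_from_rcvd), Kelson's two points (whitelist_from verifies nothing; the DomainKeys header was never checked) and Michele's re-scoring can all be checked against the headers posted in this thread. What follows is an added example, not code from the thread or from SpamAssassin itself: a simplified re-implementation of the two whitelist rules, the name of the DomainKeys key record a verifier would have to fetch, and the score arithmetic, run over a cut-down constructed copy of the posted headers. The assumptions are marked in the code: the anonymised [EMAIL PROTECTED] sender is stood in for by abbey.delisa@borland.com, the truncated timezone is taken as -0000, only From: and Return-Path: are compared (real SpamAssassin also looks at Resent-From and related headers), and the last external relay is picked by hostname suffix rather than by SpamAssassin's trusted_networks setting.

```python
# Added example, not SpamAssassin's own code: model whitelist_from against
# whitelist_from_rcvd on the thread's spoofed message, and re-score it.
import re

# Constructed input: cut-down copy of the posted headers. The page anonymises the
# sender as [EMAIL PROTECTED]; the "abbey.delisa@" local part and "-0000" are assumed.
SPOOFED_MESSAGE = """\
Return-Path: <abbey.delisa@borland.com>
X-Spam-Status: No, score=-77.8 required=4.7 tests=HTML_FONT_BIG=0.256,
\tHTML_MESSAGE=0.001,MIME_HTML_ONLY=0.001,RAZOR2_CF_RANGE_51_100=0.5,
\tRAZOR2_CF_RANGE_E4_51_100=1.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
\tRAZOR2_CHECK=0.5,RCVD_IN_SORBS_DUL=1.988,TW_ZW=0.077,
\tURIBL_AB_SURBL=3.306,URIBL_BLACK=3,URIBL_JP_SURBL=3.36,
\tURIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,USER_IN_WHITELIST=-100
\tautolearn=disabled version=3.1.7
Received: (qmail 78558 invoked by uid 0); 1 May 2007 16:42:54 -0000
Received: from unknown (HELO napfehfu) (86.60.37.183)
  by rbl-mx.nac.net with SMTP; 1 May 2007 16:42:53 -0000
From: "Abbey Delisa" <abbey.delisa@borland.com>
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=south.disappoint;
\td=borland.com; b=GfpMxmdJQIBAeYlLWrgcDOJbZZJXiYVEpoeUbVUmwMrmrQbfMFvNqqczKSjQWxIoppVlOJSHMQiZhlik;
"""
ADDR_RE = re.compile(r"<([^>]+)>|([\w.+-]+@[\w.-]+)")
RCVD_RE = re.compile(r"from\s+(\S+)(?:\s+\(HELO\s+\S+\))?\s+\((\d{1,3}(?:\.\d{1,3}){3})\)"
                     r"\s+by\s+(\S+)", re.I)

def parse_headers(raw):
    """(name, value) pairs; folded continuation lines are joined to their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def from_addrs(headers):
    """Sender addresses compared with the whitelist. SA also consults Resent-From
    and similar headers; this simplification uses From: and Return-Path: only."""
    found = []
    for name in ("From", "Return-Path"):
        for value in header_values(headers, name):
            found += [(m.group(1) or m.group(2)).lower() for m in ADDR_RE.finditer(value)]
    return found

def whitelist_from(headers, pattern):
    """whitelist_from: a glob match on the sender address and nothing else, so a
    forged From: matches just as well as a real one."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(regex, a) for a in from_addrs(headers))

def last_external_relay(headers, trusted_suffix):
    """(rDNS, IP) of the host that handed the message to our MX: scanning newest-first,
    the first 'from' host outside our domain received 'by' one inside it. SA derives
    this from trusted_networks; matching a hostname suffix is a simplification."""
    suffix = trusted_suffix.lower()
    for value in header_values(headers, "Received"):
        m = RCVD_RE.search(value)
        if not m:  # e.g. "(qmail ... invoked by uid 0)": a local hop with no from/by
            continue
        rdns, ip, by_host = m.groups()
        if by_host.lower().endswith(suffix) and not rdns.lower().endswith(suffix):
            return rdns.lower(), ip
    return None

def whitelist_from_rcvd(headers, pattern, rdns_domain, trusted_suffix):
    """whitelist_from_rcvd: the address must match AND the relaying host's reverse
    DNS must be in rdns_domain. An rDNS of 'unknown' can never qualify."""
    relay = last_external_relay(headers, trusted_suffix)
    if relay is None or not whitelist_from(headers, pattern):
        return False
    rdns, domain = relay[0], rdns_domain.lower()
    return rdns == domain or rdns.endswith("." + domain)

def domainkeys_txt_name(headers):
    """TXT record a DomainKeys verifier (q=dns) fetches the public key from, i.e.
    <selector>._domainkey.<domain>. Only fetching it and checking b= against the
    message tells whether the header is genuine; its presence alone proves nothing."""
    for value in header_values(headers, "DomainKey-Signature"):
        tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
        if "s" in tags and "d" in tags:
            return f"{tags['s'].strip()}._domainkey.{tags['d'].strip()}"
    return None

def rescore_without(headers, *dropped):
    """Sum the tests= scores in X-Spam-Status minus the named rules; returns
    (total, would_be_spam) measured against the required= threshold."""
    value = header_values(headers, "X-Spam-Status")[0]
    required = float(re.search(r"required=([\d.]+)", value).group(1))
    tests = re.search(r"tests=(.*?)\s+autolearn=", value).group(1)
    total = 0.0
    for item in tests.split(","):
        name, _, score = item.strip().partition("=")
        if name and name not in dropped:
            total += float(score)
    return round(total, 3), total >= required

if __name__ == "__main__":
    h = parse_headers(SPOOFED_MESSAGE)
    print(whitelist_from(h, "*@borland.com"), last_external_relay(h, "nac.net"),
          whitelist_from_rcvd(h, "*@borland.com", "borland.com", "nac.net"),
          domainkeys_txt_name(h), rescore_without(h), rescore_without(h, "USER_IN_WHITELIST"))
```

Run it and the spoof matches "whitelist_from *@borland.com" but not "whitelist_from_rcvd *@borland.com borland.com", because the host that handed the message to rbl-mx.nac.net has reverse DNS "unknown". The key a DomainKeys verifier would have to fetch lives at south.disappoint._domainkey.borland.com, and nothing on the page shows such a lookup ever happened. The tests= list adds up to 22.206 once USER_IN_WHITELIST is removed, well over the 4.7 threshold, which is why the -100 alone decided the verdict.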