Re: SPF failure very low score

On Mon, 12 Aug 2013, Bowie Bailey wrote:

> On 8/12/2013 2:48 PM, John Hardin wrote:
>> On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:
>>> --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>>>
>>>> body __BODY_FACEBOOK /Facebook/
>>>> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>>>> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>>>>
>>>> maybe it could be more specific, just not tested it, but why accept
>>>> forged ?
>>>
>>> Thanks, that is helpful. So I assume then I would do something like:
>>>
>>> score FORGED_FACEBOOK_BODY 3.0
>>>
>>> to give it a high SPAM score.
>>
>> ...so you want to punish any email that discusses Facebook and does not
>> pass SPF *AND* DKIM? Regardless of where the message is (or claims to
>> be) from?
>
> Actually, __FORGED_SENDER only fires if the message fails *both* SPF and
> DKIM.
>
> (not A) and (not B) == not (A or B)

D'oh!

But this is still a check for message *discussing* Facebook and not messages specifically *from* Facebook.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It's easy to be noble with other people's money.
-- John McKay, _The Welfare State: No Mercy for the Middle Class_
---
3 days until the 68th anniversary of the end of World War II
Re: SPF failure very low score

On 8/12/2013 2:48 PM, John Hardin wrote:
> On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:
>> --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>>> body __BODY_FACEBOOK /Facebook/
>>> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>>> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>>>
>>> maybe it could be more specific, just not tested it, but why accept
>>> forged ?
>>
>> Thanks, that is helpful. So I assume then I would do something like:
>>
>> score FORGED_FACEBOOK_BODY 3.0
>>
>> to give it a high SPAM score.
>
> ...so you want to punish any email that discusses Facebook and does not
> pass SPF *AND* DKIM? Regardless of where the message is (or claims to
> be) from?

Actually, __FORGED_SENDER only fires if the message fails *both* SPF and DKIM.

(not A) and (not B) == not (A or B)

But this is still a check for message *discussing* Facebook and not messages specifically *from* Facebook.

-- 
Bowie
Re: SPF failure very low score

On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:
> --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>> Quanah Gibson-Mount wrote on 2013-08-08 23:22:
>>> I would love to see your rules here so I can see how you did it. I
>>> don't see if/and in the SA docs on rules.
>>
>> body __BODY_FACEBOOK /Facebook/
>> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>>
>> maybe it could be more specific, just not tested it, but why accept
>> forged ?
>
> Thanks, that is helpful. So I assume then I would do something like:
>
> score FORGED_FACEBOOK_BODY 3.0
>
> to give it a high SPAM score.

...so you want to punish any email that discusses Facebook and does not pass SPF *AND* DKIM? Regardless of where the message is (or claims to be) from?

This is not a *Facebook forgery* rule, this is a *"Facebook"* + *forgery* rule.

For it to be a *facebook forgery* rule you'd need to look in the message headers to see whether the message claims to be from the facebook domain, or do more selective body text matching to see if the body is trying to make the reader think the message is from Facebook.

-- 
John Hardin KA7OHZ
---
Health Care _is_ a right - the government has no business keeping you from getting it. But forcing somebody else to pay for your health care at gunpoint (i.e. through taxation) is _not_ a right.
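Added example, not code from the thread or from SpamAssassin itself: a small Python model of the rule kinds used above (body, header and meta rules with SA's `__` sub-rule convention), run over three constructed messages. It shows the two points made in the thread: `__FORGED_SENDER` only fires when SPF *and* DKIM both fail (Bowie's De Morgan identity), and the body-only rule still hits an ordinary mail that merely mentions Facebook, while a rule anchored on the From: header, as John suggests, only hits mail that claims to be from a Facebook domain. The header rule `__FROM_FACEBOOK`, the meta rule `FORGED_FACEBOOK_FROM`, the `facebookmail.com` domain and all sample messages are assumptions made for this example; the SPF and DKIM verdicts are supplied as precomputed booleans rather than real checks.

```python
"""Toy evaluator for the SpamAssassin-style rules discussed in the thread.

Constructed example.  SPF_PASS and DKIM_VALID_AU are modelled as
precomputed booleans; __FROM_FACEBOOK and FORGED_FACEBOOK_FROM are
assumed rules added here, not rules posted to the list.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    headers: dict          # e.g. {"From": "alice@example.net"}
    body: str
    spf_pass: bool         # modelled SPF result for the envelope sender
    dkim_valid_au: bool    # modelled: DKIM valid and aligned with From:


# body rules: regex over the message body (body __BODY_FACEBOOK /Facebook/)
BODY_RULES = {
    "__BODY_FACEBOOK": re.compile(r"Facebook"),
}

# assumed header rule: does the From: address claim a Facebook domain?
HEADER_RULES = {
    "__FROM_FACEBOOK": ("From",
                        re.compile(r"@(?:[\w-]+\.)*facebook(?:mail)?\.com\b", re.I)),
}

# meta rules, in dependency order (SA resolves this itself; a dict keeps it here)
META_RULES = {
    "__FORGED_SENDER": lambda h: not h["SPF_PASS"] and not h["DKIM_VALID_AU"],
    "FORGED_FACEBOOK_BODY": lambda h: h["__BODY_FACEBOOK"] and h["__FORGED_SENDER"],
    "FORGED_FACEBOOK_FROM": lambda h: h["__FROM_FACEBOOK"] and h["__FORGED_SENDER"],
}

SCORES = {"FORGED_FACEBOOK_BODY": 3.0, "FORGED_FACEBOOK_FROM": 3.0}


def evaluate(msg):
    """Return {rule_name: hit} for every rule, sub-rules included."""
    hits = {"SPF_PASS": msg.spf_pass, "DKIM_VALID_AU": msg.dkim_valid_au}
    for name, rx in BODY_RULES.items():
        hits[name] = bool(rx.search(msg.body))
    for name, (hdr, rx) in HEADER_RULES.items():
        hits[name] = bool(rx.search(msg.headers.get(hdr, "")))
    for name, fn in META_RULES.items():
        hits[name] = bool(fn(hits))
    return hits


def score(msg):
    """Sum the scores of scoring rules that hit; __ sub-rules carry no score."""
    hits = evaluate(msg)
    return sum(SCORES.get(n, 0.0) for n, v in hits.items()
               if v and not n.startswith("__"))


def forged_sender_matches_demorgan(spf, dkim):
    """Bowie's point: (!A && !B) is exactly !(A || B)."""
    return (not spf and not dkim) == (not (spf or dkim))


# constructed samples
HAM_MENTIONS_FACEBOOK = Message(   # friend's mail from a domain with no SPF/DKIM
    headers={"From": "alice@example.net"},
    body="Did you see the photos I posted on Facebook?",
    spf_pass=False, dkim_valid_au=False)
REAL_FACEBOOK = Message(           # authenticated notification mail
    headers={"From": "notification@facebookmail.com"},
    body="You have a new Facebook friend request.",
    spf_pass=True, dkim_valid_au=True)
FORGED_FACEBOOK = Message(         # claims facebook.com, authenticates as nothing
    headers={"From": "security@facebook.com"},
    body="Your Facebook account is locked, log in here.",
    spf_pass=False, dkim_valid_au=False)

if __name__ == "__main__":
    for label, m in [("ham mentioning Facebook", HAM_MENTIONS_FACEBOOK),
                     ("real Facebook mail", REAL_FACEBOOK),
                     ("forged Facebook mail", FORGED_FACEBOOK)]:
        h = evaluate(m)
        print(f"{label:24s} BODY={h['FORGED_FACEBOOK_BODY']!s:5} "
              f"FROM={h['FORGED_FACEBOOK_FROM']!s:5} score={score(m)}")
```

The ham sample collects 3.0 points from the body rule alone, which is the false-positive case John describes; only the forged sample trips the From:-anchored rule. In real SA syntax the assumed header rule would be written roughly as `header __FROM_FACEBOOK From:addr =~ /\@facebook(?:mail)?\.com$/i` (assumption, not tested on the list), and a production version would also want to whitelist or skip the check when DKIM_VALID_AU passes for the real Facebook signing domains.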
Re: SPF failure very low score

--On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
> Quanah Gibson-Mount wrote on 2013-08-08 23:22:
>> I would love to see your rules here so I can see how you did it. I
>> don't see if/and in the SA docs on rules.
>
> body __BODY_FACEBOOK /Facebook/
> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>
> maybe it could be more specific, just not tested it, but why accept
> forged ?

Thanks, that is helpful. So I assume then I would do something like:

score FORGED_FACEBOOK_BODY 3.0

to give it a high SPAM score.

--Quanah

-- 
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: New spam rule for specific content

On Mon, 12 Aug 2013, Kris Deugau wrote:
> Amir 'CG' Caspi wrote:
>> My main feeling is that if anyone is sending HTML email with LOTS of
>> stuff commented out, that email is almost certainly spam. Ham HTML
>> email would probably be done with more care.
>
> *snigger* Take a look at the raw source from a message sent with Outlook
> (especially one with "stationery") and say that again...
>
> I've had to heavily alter or outright discard a number of otherwise
> useful rules along the lines discussed in this thread due to Outlook
> FPs.

This was my worry, too.

In a word: "Microsoft"

-- 
John Hardin KA7OHZ
---
Liberals love sex ed because it teaches kids to be safe around their sex organs. Conservatives love gun education because it teaches kids to be safe around guns. However, both believe that the other's education goals lead to dangers too terrible to contemplate.
Re: New spam rule for specific content

Amir 'CG' Caspi wrote:
> My main feeling is that if anyone is sending HTML email with LOTS of
> stuff commented out, that email is almost certainly spam. Ham HTML
> email would probably be done with more care.

*snigger* Take a look at the raw source from a message sent with Outlook (especially one with "stationery") and say that again...

I've had to heavily alter or outright discard a number of otherwise useful rules along the lines discussed in this thread due to Outlook FPs.

-kgd
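Added example, not code from the thread: a Python measurement of how much of an HTML body sits inside comments, applied to two constructed bodies. One is a sketch of the Word/Outlook-generated markup Kris refers to, with the `<!--[if gte mso 9]> ... <![endif]-->` conditional comments that Outlook emits; the other is a constructed spam body that splits words with comments. Both clear a naive "lots commented out" threshold, which is the false-positive problem the thread describes; a second measurement that discounts the Outlook conditional comments first separates the two. The 30% threshold and both samples are my assumptions.

```python
"""How much of an HTML mail body is commented out, and why Outlook trips
a naive rule built on that.  Constructed example: the threshold and both
sample bodies are assumptions, the Outlook sample is a stylised sketch of
Word-generated HTML rather than a captured message.
"""
import re

COMMENT_RX = re.compile(r"<!--.*?-->", re.S)
# Outlook/Word wraps its XML settings in conditional comments keyed on "mso".
MSO_CONDITIONAL_RX = re.compile(r"<!--\[if [^\]]*mso[^\]]*\]>.*?<!\[endif\]-->",
                                re.S | re.I)


def commented_fraction(html):
    """Share of the body's characters that lie inside <!-- ... --> comments."""
    if not html:
        return 0.0
    commented = sum(len(m.group(0)) for m in COMMENT_RX.finditer(html))
    return commented / len(html)


def lots_commented_out(html, threshold=0.30):
    """The naive rule from the thread: flag when a large share is commented out."""
    return commented_fraction(html) > threshold


def commented_fraction_ignoring_mso(html):
    """Same measurement after discarding Outlook/Word conditional comments,
    so only comments a mail client would not legitimately generate count."""
    return commented_fraction(MSO_CONDITIONAL_RX.sub("", html))


# constructed: what a plain Outlook message looks like on the wire (sketch)
OUTLOOK_HAM = (
    "<html><head>\n"
    "<!--[if gte mso 9]><xml><o:OfficeDocumentSettings><o:AllowPNG/>"
    "</o:OfficeDocumentSettings></xml><![endif]-->\n"
    "<!--[if gte mso 9]><xml><w:WordDocument><w:View>Normal</w:View>"
    "<w:Zoom>0</w:Zoom><w:Compatibility/></w:WordDocument></xml><![endif]-->\n"
    "<style>p.MsoNormal{margin:0in;font-size:11pt}</style>\n"
    "</head><body><p class=\"MsoNormal\">Meeting moved to 3pm, see you there.</p>"
    "</body></html>\n"
)

# constructed: spam that hides its words from simple text matching with comments
SPAM_SPLIT_WORDS = (
    "<html><body><p>Cl<!--x9q2-->ick he<!--p7zz-->re for fr<!--kk41-->ee "
    "pi<!--m3-->lls<!-- lorem ipsum dolor sit amet consectetur adipiscing elit -->"
    "</p></body></html>\n"
)

if __name__ == "__main__":
    for label, body in [("Outlook ham", OUTLOOK_HAM), ("spam", SPAM_SPLIT_WORDS)]:
        print(f"{label:12s} commented={commented_fraction(body):.2f} "
              f"naive_rule={lots_commented_out(body)} "
              f"ignoring_mso={commented_fraction_ignoring_mso(body):.2f}")
```

The naive rule fires on both bodies, so as a scoring rule it would punish every Outlook user. Discounting the `mso` conditional comments drops the Outlook sample to zero while leaving the spam sample untouched, which is the kind of alteration Kris describes having to make; it is still only a heuristic, and a rule like this belongs at a low score combined with other indicators rather than on its own.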