Re: Test for empty EnvelopeFrom

2015-09-24 Thread David B Funk

On Thu, 24 Sep 2015, Reindl Harald wrote:

> On 23.09.2015 at 19:24, Philip Prindeville wrote:
>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>>
>>> if it is empty it's <> aka Null-Sender and you really don't block that
>>> because you're violating RFC's, block sane autoreplies using it to prevent
>>> mail-loops and the subject indicates one thing; you don't really
>>> understand how email works
>>
>> Rejecting messages based on their content PERIOD is violating the RFC’s.
>> What’s your point?
>
> do what you want - an empty envelope from is not a sign of spam


An empty envelope from by itself is not a spam sign, but when combined with
other characteristics of a message it can be a good spam sign.

For example almost everything coming from outlook.com is locally generated
messages (either new user-created content or NDRs). User-generated content
has headers added to indicate that; NDRs have headers added to indicate
that.

So take Null-Sender && sourced from outlook.com && has client-headers &&
not-have NDR-headers is a very good spam indicator.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Test for empty EnvelopeFrom

2015-09-24 Thread David Jones
>> I never said it was.
>>
>> What I said was that when it’s coming from a server that doesn’t
>> accept inbound messages (and hence can’t generate bounces) THEN it’s
>> a sign of Spam.

>Since when does a server handling outbound traffic have to accept
>inbound mail?
>Any setup with more than a dozen boxes usually separates in/outbound traffic

I know many of the customers I filter for don't send their outbound mail back
through my filters (even though I tell them to), so they could generate bounce
messages and are definitely firewalled off from the Internet on inbound TCP 25.

I am pretty sure that the majority of sending mail servers on the Internet don't
accept inbound TCP 25 connections.

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Axb

On 09/24/2015 06:17 PM, Philip Prindeville wrote:

> On Sep 24, 2015, at 4:12 AM, Reindl Harald wrote:
>
>> On 23.09.2015 at 19:24, Philip Prindeville wrote:
>>> Stating facts here, not giving an opinion. Not sure what’s up for
>>> debate.
>>>>
>>>> if it is empty it's <> aka Null-Sender and you really don't
>>>> block that because you're violating RFC's, block sane autoreplies
>>>> using it to prevent mail-loops and the subject indicates one
>>>> thing; you don't really understand how email works
>>>
>>> Rejecting messages based on their content PERIOD is violating the
>>> RFC’s.  What’s your point?
>>
>> do what you want - an empty envelope from is not a sign of spam
>
> I never said it was.
>
> What I said was that when it’s coming from a server that doesn’t
> accept inbound messages (and hence can’t generate bounces) THEN it’s
> a sign of Spam.

Since when does a server handling outbound traffic have to accept
inbound mail?

Any setup with more than a dozen boxes usually separates in/outbound traffic

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Philip Prindeville

On Sep 24, 2015, at 4:12 AM, Reindl Harald wrote:

> On 23.09.2015 at 19:24, Philip Prindeville wrote:
>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>> 
>>> if it is empty it's <> aka Null-Sender and you really don't block that 
>>> because you're violating RFC's, block sane autoreplies using it to prevent 
>>> mail-loops and the subject indicates one thing; you don't really understand 
>>> how email works
>> 
>> Rejecting messages based on their content PERIOD is violating the RFC’s.  
>> What’s your point?
> 
> do what you want - an empty envelope from is not a sign of spam

I never said it was.

What I said was that when it’s coming from a server that doesn’t accept inbound 
messages (and hence can’t generate bounces) THEN it’s a sign of Spam.



Re: Test for empty EnvelopeFrom

2015-09-24 Thread Dianne Skoll
On Thu, 24 Sep 2015 14:30:42 +
David Jones wrote:

> I agree with you and Reindl on this point too.  I guess what I meant
> to say is usually the hardest spam to block with a null sender is
> backscatter from a normally trusted/good reputation mail server.

Yes, that can be very annoying.  Luckily, most of the big providers
AFAIK use SPF and DKIM (and even DMARC) and can reject spoofed messages
with a 5xx reply code instead of generating backscatter; since we've
published SPF and DKIM records we've seen quite a drop in the backscatter
coming our way.  What backscatter we do get is usually from domains whose
admins don't know or care about SPF, etc.

> RBLs and SA with a well-trained Bayes DB do a very good job on new
> emails with a null sender.

Yes, they do.  And Bayes is good even on some backscatter if it
includes the original message.

Regards,

Dianne.


Re: Test for empty EnvelopeFrom

2015-09-24 Thread David Jones
>
>From: Dianne Skoll 
>Sent: Thursday, September 24, 2015 9:02 AM
>To: users@spamassassin.apache.org
>Subject: Re: Test for empty EnvelopeFrom

>On Thu, 24 Sep 2015 12:21:33 +
>David Jones  wrote:

>> I agree with Reindl.  You can't block null senders or you break a lot
>> of legit emails.

>Well, if you run your own mail server, you can do whatever you like so
>long as you accept the consequences.

>I would say: A null sender is not necessarily the sign of spam, but it's
>also not necessarily the sign of ham.  We see a continuous background
>chatter of spam messages that have a null envelope sender.  And these
>are new messages, not backscatter in response to anything.

I agree with you and Reindl on this point too.  I guess what I meant to
say is usually the hardest spam to block with a null sender is backscatter
from a normally trusted/good reputation mail server.
RBLs and SA with a well-trained Bayes DB do a very good job on new
emails with a null sender.

>What *is* a very reliable spam indicator (and is a SpamAssassin rule
>DSN_NO_MIMEVERSION) is mail from a null sender that lacks a
>MIME-Version: header.  Almost all auto-generated responses have that
>header; a fair bit of null-sender spam does not.

Good info.  I checked my MailScanner logs and there are a lot of hits
on this rule along with an invalid watermark so they seem to be closely
related.  I do see a number of Yahoo.com legit DSNs that seem to be
hitting this rule (not surprised) but have a valid MS watermark.

Dave

>Regards,

>Dianne.


Re: Test for empty EnvelopeFrom

2015-09-24 Thread Dianne Skoll
On Thu, 24 Sep 2015 12:21:33 +
David Jones wrote:

> I agree with Reindl.  You can't block null senders or you break a lot
> of legit emails.

Well, if you run your own mail server, you can do whatever you like so
long as you accept the consequences.

I would say: A null sender is not necessarily the sign of spam, but it's
also not necessarily the sign of ham.  We see a continuous background
chatter of spam messages that have a null envelope sender.  And these
are new messages, not backscatter in response to anything.

What *is* a very reliable spam indicator (and is a SpamAssassin rule
DSN_NO_MIMEVERSION) is mail from a null sender that lacks a
MIME-Version: header.  Almost all auto-generated responses have that
header; a fair bit of null-sender spam does not.

Regards,

Dianne.
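
The two indicators discussed in this thread, the DSN_NO_MIMEVERSION logic Dianne describes (null sender and no MIME-Version header) and Dave Funk's combination (null sender, sourced from a given relay domain, client-submission headers present, NDR headers absent), worked through as an added scoring example. This is not SpamAssassin's code; the header names in CLIENT_HEADERS and NDR_HEADERS, the relay hostnames, the scores and the three sample messages are all constructed placeholders, and an operator would have to learn the real header names from the mail their own relays generate.

```python
"""Score null-sender mail on combined indicators instead of blocking <> outright.

Added example, not SpamAssassin's own code. Header names in CLIENT_HEADERS and
NDR_HEADERS are placeholders (assumption): find the real ones from the mail
your own relays generate before using a rule like this.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Placeholder header names, NOT real outlook.com headers (assumption).
CLIENT_HEADERS = ("X-Example-Client-Submitted",)   # added to user-submitted mail
NDR_HEADERS = ("X-Example-Failed-Recipients",)     # added to real bounces
# Relay domain whose locally generated mail carries the headers above.
SOURCE_RE = re.compile(r"(^|\.)outlook\.com$", re.IGNORECASE)


def parse(raw: str) -> EmailMessage:
    """Parse header+body text into an EmailMessage (case-insensitive lookups)."""
    return email.message_from_string(raw, policy=policy.default)


def null_sender(envelope_from: str) -> bool:
    """MAIL FROM:<> reaches the filter as "" or "<>" depending on the MTA glue."""
    return envelope_from.strip() in ("", "<>")


def dsn_no_mimeversion(envelope_from: str, msg: EmailMessage) -> bool:
    """Same logic as the DSN_NO_MIMEVERSION rule described in the thread:
    null envelope sender and no MIME-Version header at all."""
    return null_sender(envelope_from) and msg.get("MIME-Version") is None


def null_sender_client_no_ndr(envelope_from: str, relay_host: str,
                              msg: EmailMessage) -> bool:
    """Dave Funk's combination: null sender AND sourced from the relay domain
    AND client-submission headers present AND no NDR headers."""
    if not (null_sender(envelope_from) and SOURCE_RE.search(relay_host)):
        return False
    has_client = any(h in msg for h in CLIENT_HEADERS)
    has_ndr = any(h in msg for h in NDR_HEADERS)
    return has_client and not has_ndr


# (name, score, predicate); the scores are constructed, not SpamAssassin's.
RULES = [
    ("DSN_NO_MIMEVERSION_LIKE", 2.5,
     lambda ef, rh, m: dsn_no_mimeversion(ef, m)),
    ("NULL_SENDER_CLIENT_NO_NDR", 3.0, null_sender_client_no_ndr),
]


def score(envelope_from: str, relay_host: str, raw: str):
    """Return (names of rules that hit, total score) for one message."""
    msg = parse(raw)
    hits = [n for n, _, pred in RULES if pred(envelope_from, relay_host, msg)]
    return hits, sum(s for n, s, _ in RULES if n in hits)


# Constructed samples: a genuine NDR, an out-of-office reply, and spam that
# was injected with a null sender through a user-submission path.
LEGIT_NDR = (
    "From: postmaster@outlook.com\nTo: alice@example.org\n"
    "Subject: Undeliverable: hello\nMIME-Version: 1.0\n"
    "X-Example-Failed-Recipients: nobody@example.net\n"
    "Content-Type: text/plain\n\nDelivery to nobody@example.net failed.\n"
)
AUTOREPLY = (
    "From: bob@example.net\nTo: alice@example.org\nSubject: Out of office\n"
    "MIME-Version: 1.0\nAuto-Submitted: auto-replied\n\nBack next week.\n"
)
SPAM = (
    "From: Promo <promo@example.com>\nTo: alice@example.org\n"
    "Subject: You have won\nX-Example-Client-Submitted: yes\n\nClick here.\n"
)

if __name__ == "__main__":
    for label, ef, rh, raw in [("ndr", "", "mail-1.outlook.com", LEGIT_NDR),
                               ("ooo", "<>", "mx.example.net", AUTOREPLY),
                               ("spam", "<>", "mail-2.outlook.com", SPAM)]:
        print(label, score(ef, rh, raw))
```

The envelope sender and connecting relay are passed in separately because neither lives in the message headers; in a real deployment they come from the SMTP transaction (or from the MTA's own Received header when the filter runs after delivery). Note that the genuine NDR and the autoreply score zero even though both use a null sender: the point of the thread is that <> alone is not the signal, the combination is.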


Re: Test for empty EnvelopeFrom

2015-09-24 Thread RW
On Thu, 24 Sep 2015 12:21:33 +
David Jones wrote:

> 
> >From: Reindl Harald 

> >do what you want - a empty envelope from is not a sign of spam
> 
> I agree with Reindl.  You can't block null senders or you break a lot
> of legit emails.

You're agreeing with his response to a conclusion he jumped to. The OP
never said he wanted to block it, or even score it unconditionally. 
 
> There are tools out there to prevent backscatter so you can detect
> fake messages with a null sender.

It's not about backscatter; a lot of spam has no envelope sender
address. The main problem with trying to score it is not avoiding FPs on
legitimate DSNs and out-of-office replies, it's that a lot of
legitimate bulk and autogenerated email has no envelope sender address.



Re: Test for empty EnvelopeFrom

2015-09-24 Thread David Jones

>From: Reindl Harald 
>Sent: Thursday, September 24, 2015 5:12 AM
>To: Philip Prindeville
>Cc: users@spamassassin.apache.org
>Subject: Re: Test for empty EnvelopeFrom

>On 23.09.2015 at 19:24, Philip Prindeville wrote:
>> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>>
>>> if it is empty it's <> aka Null-Sender and you really don't block that
>>> because you're violating RFC's, block sane autoreplies using it to prevent
>>> mail-loops and the subject indicates one thing; you don't really understand
>>> how email works
>
>> Rejecting messages based on their content PERIOD is violating the RFC’s.
>> What’s your point?

>do what you want - an empty envelope from is not a sign of spam

I agree with Reindl.  You can't block null senders or you break a lot of legit
emails.

There are tools out there to prevent backscatter so you can detect fake messages
with a null sender.  MailScanner has this built in and works well if you send
your outbound messages through it.  It adds a special header that will be
included in a legit bounce message but won't exist in a fake one so you can
detect them.

P.S. MailScanner can be a little tough to get going with the web interface.
This is a VM with everything ready to roll with a number of excellent tweaks
already done for you including the Watermarking feature to help block
backscatter.

http://efa-project.org/
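
The watermarking idea described above (stamp outbound mail with a header a forger cannot produce, then require it on inbound null-sender mail that claims to be a bounce of ours), worked through as an added example. This is not MailScanner's code and does not reproduce its header format; the header name X-Example-Watermark, the key, the validity window and the timestamps are constructed for the demonstration, and a generic HMAC over the sending address and an expiry is used as the construction.

```python
"""Outbound bounce watermark, in the spirit of the MailScanner feature the
post mentions. Added example; not MailScanner's code or header format.
Header name, key, validity window and sample timestamps are constructed.
"""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key-rotate-in-production"  # assumption: per-site secret
HEADER = "X-Example-Watermark"                          # placeholder header name
VALIDITY = 7 * 24 * 3600                                # seconds a watermark stays valid
_WM_RE = re.compile(rf"^{re.escape(HEADER)}:\s*(\d+):([0-9a-f]{{32}})\s*$",
                    re.IGNORECASE | re.MULTILINE)


def _mac(envelope_from: str, expires: int, secret: bytes = SECRET) -> str:
    """HMAC over the sending address and expiry, so that without the key a
    forger cannot mint a watermark for one of our addresses."""
    data = f"{envelope_from.lower()}|{expires}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:32]


def stamp_outbound(raw: str, envelope_from: str, now: int) -> str:
    """Prepend the watermark header to a message we are about to send."""
    expires = now + VALIDITY
    return f"{HEADER}: {expires}:{_mac(envelope_from, expires)}\n" + raw


def bounce_is_genuine(raw_bounce: str, rcpt_to: str, now: int) -> bool:
    """For inbound null-sender mail: a real DSN quotes our original headers,
    so a watermark bound to the bounce recipient (our original sender) must
    be present, unexpired, and verify. Absence is only a scoring signal,
    because some DSNs do not include the original headers at all."""
    for expires_s, mac in _WM_RE.findall(raw_bounce):
        expires = int(expires_s)
        if expires < now:
            continue  # stale watermark replayed from an old message
        if hmac.compare_digest(_mac(rcpt_to, expires), mac):
            return True
    return False


# Constructed sample traffic.
NOW = 1_443_100_800  # constructed Unix time
ORIGINAL = "From: alice@example.org\nTo: bob@example.net\nSubject: Hi\n\nHello\n"
STAMPED = stamp_outbound(ORIGINAL, "alice@example.org", NOW)
GENUINE_BOUNCE = ("From: MAILER-DAEMON@example.net\nTo: alice@example.org\n"
                  "Subject: Undelivered Mail\n\n--- original message ---\n" + STAMPED)
FAKE_BOUNCE = ("From: MAILER-DAEMON@bulk.example\nTo: alice@example.org\n"
               "Subject: Undelivered Mail\n\n--- original message ---\n" + ORIGINAL)

if __name__ == "__main__":
    print("genuine:", bounce_is_genuine(GENUINE_BOUNCE, "alice@example.org", NOW + 60))
    print("fake:   ", bounce_is_genuine(FAKE_BOUNCE, "alice@example.org", NOW + 60))
```

The check is keyed on the RCPT TO of the inbound bounce because that is the address the original went out as; the expiry bounds how long a captured watermark stays useful if an outbound message leaks, and hmac.compare_digest keeps the comparison constant-time. This only works when all outbound mail for the domain passes through the stamping filter, which is exactly the caveat in the post.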

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Reindl Harald

On 23.09.2015 at 19:24, Philip Prindeville wrote:
> Stating facts here, not giving an opinion. Not sure what’s up for debate.
>>
>> if it is empty it's <> aka Null-Sender and you really don't block that because
>> you're violating RFC's, block sane autoreplies using it to prevent mail-loops and the
>> subject indicates one thing; you don't really understand how email works
>
> Rejecting messages based on their content PERIOD is violating the RFC’s.
> What’s your point?

do what you want - an empty envelope from is not a sign of spam



