Re: Whitelisting DKIM-signed domains

2017-10-07 Thread Benny Pedersen

Rupert Gallagher wrote on 2017-10-08 00:55:

> Whitelisting DKIM-signed domains is a bad idea for at least two
> reasons: mass-mailing services, and spammers who send from real
> addresses of people whose passwords were easy to guess.


so report spam to dnswl ?


Re: Whitelisting DKIM-signed domains

2017-10-07 Thread Georg Faerber
On 17-10-07 18:55:35, Rupert Gallagher wrote:
> Whitelisting DKIM-signed domains is a bad idea for at least two
> reasons: mass-mailing services, and spammers who send from real
> addresses of people whose passwords were easy to guess.

I second this.

Cheers,
Georg




Re: Whitelisting DKIM-signed domains

2017-10-07 Thread Rupert Gallagher
Whitelisting DKIM-signed domains is a bad idea for at least two reasons: 
mass-mailing services, and spammers who send from real addresses of people 
whose passwords were easy to guess.

Sent from ProtonMail Mobile

On Sat, Oct 7, 2017 at 11:41 PM, Matthias Leisi wrote:

> Last week at the 41st M3AAWG meeting in Toronto there was considerable 
> interest in domain-based whitelisting information when I presented the 
> dnswl.org project. Obviously, this needs to be authenticated, and that’s what 
> we have DKIM for.
>
> We created an experimental list dwl.dnswl.org (subject to change without 
> prior notice yaddayadda, with minimal infrastructure etc - don’t use it in 
> production yet!), which works like a regular domain- or hostname-based 
> blacklist would. More details are here https://www.dnswl.org/?p=311, but in a 
> nutshell that’s how it could be implemented in SpamAssassin (put it in your 
> local.cf or in some similarly convenient place):
>
> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>
> askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
> tflags DNSWL_DWL_HI nice net
> describe DNSWL_DWL_HI dwl.dnswl.org high trust
> score DNSWL_DWL_HI -5
>
> askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
> tflags DNSWL_DWL_MED nice net
> describe DNSWL_DWL_MED dwl.dnswl.org medium trust
> score DNSWL_DWL_MED -2
>
> askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
> tflags DNSWL_DWL_LOW nice net
> describe DNSWL_DWL_LOW dwl.dnswl.org low trust
> score DNSWL_DWL_LOW -1
>
> askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
> tflags DNSWL_DWL_NONE nice net
> describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available
> score DNSWL_DWL_NONE -0.1
>
> endif # Mail::SpamAssassin::Plugin::AskDNS
>
> Note that this only works on DKIM-signed domains (DKIM_VALID).
>
> Any inputs or thoughts are highly appreciated.
>
> — Matthias, for the dnswl.org project

Re: Whitelisting DKIM-signed domains

2017-10-07 Thread RW
On Sat, 7 Oct 2017 15:12:42 -0700 (PDT)
John Hardin wrote:

> On Sat, 7 Oct 2017, Matthias Leisi wrote:
> 
> > Note that this only works on DKIM-signed domains (DKIM_VALID).  
> 
> ...then shouldn't those negatively-scored rules be meta'd with &&
> DKIM_VALID?

It's doing lookups on domains extracted from valid signatures. 


Re: Whitelisting DKIM-signed domains

2017-10-07 Thread John Hardin

On Sat, 7 Oct 2017, Matthias Leisi wrote:

> Note that this only works on DKIM-signed domains (DKIM_VALID).

...then shouldn't those negatively-scored rules be meta'd with && DKIM_VALID?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The most glaring example of the cognitive dissonance on the left
  is the concept that human beings are inherently good, yet at the
  same time cannot be trusted with any kind of weapon, unless the
  magic fairy dust of government authority gets sprinkled upon them.
   -- Moshe Ben-David
---
 191 days since the first commercial re-flight of an orbital booster (SpaceX)


Whitelisting DKIM-signed domains

2017-10-07 Thread Matthias Leisi
Last week at the 41st M3AAWG meeting in Toronto there was considerable interest 
in domain-based whitelisting information when I presented the dnswl.org 
project. Obviously, this needs to be authenticated, and that’s what we have 
DKIM for. 

We created an experimental list dwl.dnswl.org (subject to change without prior 
notice yaddayadda, with minimal infrastructure etc - don’t use it in production 
yet!), which works like a regular domain- or hostname-based blacklist would. 
More details are here https://www.dnswl.org/?p=311, but in a nutshell that’s how it could be 
implemented in SpamAssassin (put it in your local.cf or in some similarly 
convenient place):

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
tflags DNSWL_DWL_HI nice net
describe DNSWL_DWL_HI dwl.dnswl.org high trust
score DNSWL_DWL_HI -5

askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
tflags DNSWL_DWL_MED nice net
describe DNSWL_DWL_MED dwl.dnswl.org medium trust
score DNSWL_DWL_MED -2

askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
tflags DNSWL_DWL_LOW nice net
describe DNSWL_DWL_LOW dwl.dnswl.org low trust
score DNSWL_DWL_LOW -1

askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
tflags DNSWL_DWL_NONE nice net
describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available
score DNSWL_DWL_NONE -0.1

endif # Mail::SpamAssassin::Plugin::AskDNS

Note that this only works on DKIM-signed domains (DKIM_VALID).

Any inputs or thoughts are highly appreciated. 

— Matthias, for the dnswl.org project
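
The lookup these rules perform, modelled in Python as an added example (not part of the original post and not SpamAssassin code). It assumes, as RW's reply in this thread states, that `_DKIMDOMAIN_` expands only to domains taken from valid signatures; `evaluate`, `sample_resolve` and the zone entries are constructed for illustration.

```python
import re

ZONE = "dwl.dnswl.org"

# (rule name, regex applied to each returned A record, score) as in the rules above
RULES = [
    ("DNSWL_DWL_HI", r"^127\.\d+\.\d+\.3", -5.0),
    ("DNSWL_DWL_MED", r"^127\.\d+\.\d+\.2", -2.0),
    ("DNSWL_DWL_LOW", r"^127\.\d+\.\d+\.1", -1.0),
    ("DNSWL_DWL_NONE", r"^127\.\d+\.\d+\.0", -0.1),
]

# Constructed zone data for illustration; not real dwl.dnswl.org answers.
SAMPLE_ZONE = {
    "bank.example.dwl.dnswl.org": ["127.0.5.3"],
    "esp.example.dwl.dnswl.org": ["127.0.15.0"],
}

def sample_resolve(name):
    """Stand-in for a DNS A lookup; an unlisted name returns no records."""
    return SAMPLE_ZONE.get(name, [])

def evaluate(signatures, resolve=sample_resolve):
    """signatures: (d= domain, verified) pairs from the DKIM check.
    Returns ({rule: [domains that triggered it]}, total score)."""
    # Only domains whose signature verified are ever queried.
    domains = sorted({d.lower().rstrip(".") for d, ok in signatures if ok})
    hits = {}
    for domain in domains:
        answers = resolve(f"{domain}.{ZONE}")
        for rule, pattern, _ in RULES:
            if any(re.search(pattern, a) for a in answers):
                hits.setdefault(rule, []).append(domain)
    # A rule scores once per message, however many domains triggered it.
    total = round(sum(s for rule, _, s in RULES if rule in hits), 2)
    return hits, total

if __name__ == "__main__":
    print(evaluate([("bank.example", True)]))    # listed, signature verified
    print(evaluate([("bank.example", False)]))   # signature failed: no lookup
    print(evaluate([("esp.example", True), ("unlisted.example", True)]))
```

The credit follows the signing domain, so every message a listed mass-mailing service signs receives it, which is the first concern raised in the replies.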




Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread RW
On Sat, 7 Oct 2017 07:27:00 -0700 (MST)
djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now.  I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the
> whitelist since they exist on the server.  

USER_IN_WHITELIST is based on the sender address, and for backscatter
that's going to be on a series of random third-party domains. It seems
very unlikely that this is affecting backscatter - unless you've
whitelisted everything.  

SpamAssassin doesn't short-circuit by default, so if VBOUNCE is
short-circuited by anything then it must be down to your own settings. 


Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread John Hardin

On Sat, 7 Oct 2017, Antony Stone wrote:

> On Saturday 07 October 2017 at 16:27:00, djkraz wrote:
>
> > I have a user that is getting thousands of backscatter a minute for a
> > couple days now.  I've tried everything I can find on the web to get
> > vbounce working with no luck as the user is obviously in the whitelist
> > since they exist on the server.  I've tried setting the priority of
> > vbounce higher but it doesn't seem to make any difference.  Does anyone
> > have any experience in resolving this?  FYI, I'm running Exchange 2013 on
> > Win2kR2 with Exchange Server Toolbox.  Thanks in advance!
>
> Put an example (full headers as minimum, body not really important for this I
> think) on pastebin or similar, post the link here and also show us your
> vbounce settings so we can have an opinion.

The body of a bounce can be critical, if it has things like a SMTP status 
message or trace. Please provide a complete backscatter message.

Also: where and how exactly is vbounce hooked into Exchange? Or does 
"Exchange Server Toolbox" answer that question? (Pardon my ignorance 
here.)


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Ignorance is no excuse for a law.
---
 191 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread Antony Stone
On Saturday 07 October 2017 at 16:27:00, djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now.  I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the whitelist
> since they exist on the server.  I've tried setting the priority of
> vbounce higher but it doesn't seem to make any difference.  Does anyone
> have any experience in resolving this?  FYI, I'm running Exchange 2013 on
> Win2kR2 with Exchange Server Toolbox.  Thanks in advance!

Put an example (full headers as minimum, body not really important for this I 
think) on pastebin or similar, post the link here and also show us your 
vbounce settings so we can have an opinion.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.


USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

2017-10-07 Thread djkraz
I have a user that is getting thousands of backscatter a minute for a couple
days now.  I've tried everything I can find on the web to get vbounce
working with no luck as the user is obviously in the whitelist since they
exist on the server.  I've tried setting the priority of vbounce higher but
it doesn't seem to make any difference.  Does anyone have any experience in
resolving this?  FYI, I'm running Exchange 2013 on Win2kR2 with Exchange
Server Toolbox.  Thanks in advance!



--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html