Re: Direct download phish

2018-03-19 Thread Pedro David Marco
Hi Alex,
There is a plugin that may help in here...
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_URIDetail.html

so a rule like this as a first prototype may help:
uri_detail      FAKE_URL_FILE_TYPE       text =~ /\.pdf\b/i          cleaned =~ /\.(zip|docx)\b/i



Regards/Saludos,
-PedroD
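As an added illustration of what the proposed uri_detail rule encodes (this is example code, not from Pedro's message or from the SpamAssassin project): walk every anchor in an HTML body and flag those whose visible text claims a .pdf while the cleaned href points at a .zip or .docx. The sample body and the host example.invalid are constructed; the clean_uri helper is an assumption that only approximates URIDetail's "cleaned" key (whitespace stripped, percent-decoded, query string and fragment dropped), not the plugin's exact normalization.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Same two patterns as the proposed rule: link text claims a PDF,
# the URI actually names an archive or Word document.
TEXT_CLAIMS_PDF = re.compile(r"\.pdf\b", re.IGNORECASE)
URI_IS_ARCHIVE = re.compile(r"\.(zip|docx)\b", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so folded/indented link text compares cleanly
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None
            self._text = []


def clean_uri(uri):
    """Assumed approximation of URIDetail's 'cleaned' form: strip surrounding
    whitespace, percent-decode, and drop any query string or fragment."""
    return re.split(r"[?#]", unquote(uri.strip()), maxsplit=1)[0]


def find_disguised_downloads(html):
    """Return (link text, href) for anchors whose text says .pdf but whose
    cleaned URI ends in .zip or .docx."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        if TEXT_CLAIMS_PDF.search(text) and URI_IS_ARCHIVE.search(clean_uri(href)):
            hits.append((text, href))
    return hits


# Constructed sample body; example.invalid is a placeholder host.
SAMPLE_HTML = """<html><body>
<p>Please review <a href="https://example.invalid/uu/Propuesta-estrategia.zip"
   rel="noopener noreferrer">Propuesta-estrategia.pdf</a> before Friday.</p>
<p>Brochure: <a href="https://example.invalid/files/brochure.pdf">brochure.pdf</a></p>
<p>Archive: <a href="https://example.invalid/files/data.zip">data.zip</a></p>
<p>Encoded: <a href="https://example.invalid/d/report%2Eq1.docx?dl=1">report.pdf</a></p>
</body></html>"""

if __name__ == "__main__":
    for text, href in find_disguised_downloads(SAMPLE_HTML):
        print(f"mismatch: text={text!r} href={href!r}")
```

The last sample anchor is why the comparison runs against a cleaned URI rather than the raw href: a percent-encoded dot or a trailing query string would otherwise hide the real extension from a plain regex.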

Direct download phish

2018-03-19 Thread Alex
Hi, I received an email that was tagged as spam for other reasons, but
I'd like to write a rule that catches the attempt to present a ZIP as
a PDF file.

href="https://securesite.fdsit.net/uu/Propuesta-estrategia.zip;
rel="noopener noreferrer" 

Re: T_DKIM_INVALID false positives with Gmail

2018-03-19 Thread Kevin A. McGrail
No, because DKIM is verifying the unmodified header/body (more complicated
than that).

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Mar 19, 2018 at 11:55 AM, Sebastian Arcus wrote:

> On 19/03/18 15:53, Bill Cole wrote:
>
>> On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:
>>
>>> I've been seeing a number of false positives recently from T_DKIM_INVALID
>>> with Gmail emails. Are some Gmail servers misconfigured, or could something
>>> be going on at my end? The DKIM record which is flagged as invalid is below:
>>>
>>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
>>> s=20161025; h=mime-version:from:date:message-id:subject:to;bh=8wlgvdpEOm
>>> UO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
>>> b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
>>>  vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
>>> Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
>>> +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
>>> 3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
>>> Ps6A==
>>>
>>
>> There are LOTS of ways to break a DKIM signature. Whether that one is
>> broken can't be checked and how it might have been broken can't be guessed
>> at without the full *unmodified* headers and body of the message.
>>
>
> I use Exim to pass stuff directly to SA. Could I attach the DKIM header in
> a text file and send it to the list?
>


Re: T_DKIM_INVALID false positives with Gmail

2018-03-19 Thread Sebastian Arcus

On 19/03/18 15:53, Bill Cole wrote:

On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:

I've been seeing a number of false positives recently from 
T_DKIM_INVALID with Gmail emails. Are some Gmail servers 
misconfigured, or could something be going on at my end? The DKIM 
record which is flagged as invalid is below:


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
 s=20161025; h=mime-version:from:date:message-id:subject:to;
 bh=8wlgvdpEOmUO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
 b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
 vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
 Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
 +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
 3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
 Ps6A==


There are LOTS of ways to break a DKIM signature. Whether that one is 
broken can't be checked and how it might have been broken can't be 
guessed at without the full *unmodified* headers and body of the message.


I use Exim to pass stuff directly to SA. Could I attach the DKIM header 
in a text file and send it to the list?


Re: T_DKIM_INVALID false positives with Gmail

2018-03-19 Thread Bill Cole

On 19 Mar 2018, at 11:29, Sebastian Arcus wrote:

I've been seeing a number of false positives recently from 
T_DKIM_INVALID with Gmail emails. Are some Gmail servers 
misconfigured, or could something be going on at my end? The DKIM 
record which is flagged as invalid is below:


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
 s=20161025; h=mime-version:from:date:message-id:subject:to;
 bh=8wlgvdpEOmUO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
 b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
 vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
 Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
 +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
 3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
 Ps6A==


There are LOTS of ways to break a DKIM signature. Whether that one is 
broken can't be checked and how it might have been broken can't be 
guessed at without the full *unmodified* headers and body of the 
message.


Re: T_DKIM_INVALID false positives with Gmail

2018-03-19 Thread Kevin A. McGrail
What glue are you using for SA?

DKIM is pretty fragile depending on the signature and implementation.  One
\n\r changed to \n for example which some SMTP transports will do can cause
a failure.

I pretty much consider DKIM a 100% if it works and generally worthless if
it fails technology right now BUT should get better as people realize they
can't muck with things mid transport.

Regards,
KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Mon, Mar 19, 2018 at 11:29 AM, Sebastian Arcus wrote:

> I've been seeing a number of false positives recently from T_DKIM_INVALID
> with Gmail emails. Are some Gmail servers misconfigured, or could something
> be going on at my end? The DKIM record which is flagged as invalid is below:
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
> s=20161025; h=mime-version:from:date:message-id:subject:to;bh=8wlgvdpEOm
> UO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
> b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
> vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
> Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
>  +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
>   3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
> Ps6A==
>

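Kevin's point that a single line-ending change mid-transport can break a signature is easiest to see on the bh= tag, since the quoted header uses c=relaxed/relaxed and relaxed body canonicalization is defined over CRLF-terminated lines. The following is an added example, not code from the thread or from SpamAssassin: it canonicalizes a constructed body per RFC 6376 section 3.4.4, computes bh=, and checks it against a constructed DKIM-Signature value whose d=, s= and b= tags are placeholders. Only the body-hash half of verification is implemented; checking b= needs the signer's public key from DNS and is left out.

```python
import base64
import hashlib
import re


def relaxed_body_canon(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization. Input is bytes
    with CRLF line endings as they appear on the wire."""
    out = []
    for line in body.split(b"\r\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse runs of WSP to one SP
        out.append(line.rstrip(b" \t"))       # drop trailing WSP
    while out and out[-1] == b"":             # drop trailing empty lines
        out.pop()
    canon = b"\r\n".join(out)
    return canon + b"\r\n" if canon else b""  # non-empty body ends with one CRLF


def body_hash(body):
    """bh= value for a=rsa-sha256: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()


def normalize_line_endings(body):
    """Undo a transport that rewrote CRLF as bare LF (or CR) so the body can
    be re-canonicalized before hashing."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)


def parse_dkim_tags(header_value):
    """Split a (possibly folded) DKIM-Signature value into its tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", "", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value, body):
    """Compare the bh= tag with the hash of the body as received. The b=
    signature over the headers is not checked here."""
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise NotImplementedError("only a=rsa-sha256 with a relaxed body is handled")
    return tags.get("bh") == body_hash(body)


# Constructed body: extra spaces, a tab and trailing empty lines, all of
# which relaxed canonicalization removes before hashing.
ORIGINAL_BODY = b"Hello   Sebastian,\t \r\n\r\nPlease see   the note.\r\n\r\n\r\n"
# The same body after a transport rewrote CRLF as bare LF.
LF_ONLY_BODY = ORIGINAL_BODY.replace(b"\r\n", b"\n")

# Constructed signature header; d=, s= and b= are placeholders.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.invalid; s=sel;\r\n"
    "\th=mime-version:from:date:message-id:subject:to;\r\n"
    "\tbh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    "\tb=PLACEHOLDER"
)

if __name__ == "__main__":
    print("canonical body:", relaxed_body_canon(ORIGINAL_BODY))
    print("bh as signed:  ", body_hash_matches(SIGNATURE_HEADER, ORIGINAL_BODY))
    print("bh after LF:   ", body_hash_matches(SIGNATURE_HEADER, LF_ONLY_BODY))
    print("bh normalized: ", body_hash_matches(SIGNATURE_HEADER, normalize_line_endings(LF_ONLY_BODY)))
```

Relaxed canonicalization tolerates whitespace and trailing blank lines but not a change of line terminator: once the CRLFs are gone the whole body is a single "line" to the canonicalizer and the hash no longer matches. Whether your glue hands SpamAssassin the message with its original CRLFs intact is therefore the first thing to check when a well-known signer such as Gmail starts failing.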

T_DKIM_INVALID false positives with Gmail

2018-03-19 Thread Sebastian Arcus
I've been seeing a number of false positives recently from 
T_DKIM_INVALID with Gmail emails. Are some Gmail servers misconfigured, 
or could something be going on at my end? The DKIM record which is 
flagged as invalid is below:


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com;
 s=20161025; h=mime-version:from:date:message-id:subject:to;
 bh=8wlgvdpEOmUO2ugslPxRkFYA/ZThwu2bWy5VmlR76ug=;
 b=gRcnOIzmENqS8a91mSdETdXvyH6df7u0tSwsadk6CMD0KtAbzuM3ojHW+kPEo7AB1i
 vnbCDc/vsR6H7pP0k3hZmF7z/dAaeZWD4RVzqM+Fv70oHy4af64j+fGSekOCM9o4ShRQ
 Vk3KyF+69sKTK3rRWEnfrcgi/pN2DJWDvrIBRjmFOZYKNVN+8elaVM9DOO7tEMLYuw7T
 +sVaUMNt8MuPxRhrskJYOIxK8zzkcJHYV+1TuWJuqZAHRVwgnDWX7q3Wx0GwrX+3lKpm
 3A1+F5dBVjH4dXvdfIESm5XpV8b9uBn9daGWrUgkR+PB23XsL9QkxEqCRXdgII3FRxtQ
 Ps6A==