Re: amazonses.com double dkim sign

On Tue, 10 Nov 2020, Benny Pedersen wrote:

> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=n4atlko3yvgxyqpwp7palysab6occe3l; d=fing.com; t=1604971038; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date; bh=0LT5Ztzk2B+Ecm2NPRzroGl6fTFNX9TpP6X0036qmf4=; b=Rtc9ieWPMuaNZ9iRZPZMEfuGj7pnaXu6TPjT9px08NGKZt0+rbCLyz083FG3djhk UTdHNgkEc6xGCCRN0JzbrdYaHWptG2U42qOYEajdE59uuR/Ucy+rGJA8Vr2roe/Ssvm jYWosu47Ndl6M56u9m3aNpAuBOgNmQHWoMVyWXZU=
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=shh3fegwg5fppqsuzphvschd53n6ihuv; d=amazonses.com; t=1604971038; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID; bh=0LT5Ztzk2B+Ecm2NPRzroGl6fTFNX9TpP6X0036qmf4=; b=lihzmRF2B+mUjB1E89LLJ8JkbpbQQIpnPd5JtQjAGB5uSurBWfv6VrGHgbCy2O1e q7AWlXPTcwdca5K4iB0pormV/lgvfZV+kgwfSrLPlgWBwlB9hRi2TCsFhT9v9tbEm1b dZBXrPRFO9r+uDtLfR6OgaOtXq7RjMiAUqcDBm0k=
> From: Fing Alert
>
> why ?

Two signatures, one for the 'From:' address (message creator) and one for the issuing SMTP system. Look at the signing domain (the 'd=D.N' part) to see who the creator of a given signature is.

There's nothing to prevent each system in the SMTP hand-off chain from adding their own signature, provided they do nothing to invalidate earlier signatures. More than two is unusual/overkill, but it's not uncommon to see two.

-- 
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
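Dave's advice to "look at the d= part" of each signature, worked through in Python as an added example (not code from the thread or from any of the posters): the two signatures above are parsed into their tags, each is classified as the author's signature or a third party's by comparing d= with the From: domain, and the bh= values are checked for agreement. The From: address domain is not shown in the quoted mail, so fing.com is assumed from the first d=; the b= tags are left out because nothing here verifies the signatures.

```python
# Constructed from the two DKIM-Signature headers quoted above; b= is omitted
# because this only inspects tags, it does not verify the signatures.
DKIM_HEADERS = [
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;"
    " s=n4atlko3yvgxyqpwp7palysab6occe3l; d=fing.com; t=1604971038;"
    " h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date;"
    " bh=0LT5Ztzk2B+Ecm2NPRzroGl6fTFNX9TpP6X0036qmf4=;",
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;"
    " s=shh3fegwg5fppqsuzphvschd53n6ihuv; d=amazonses.com; t=1604971038;"
    " h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;"
    " bh=0LT5Ztzk2B+Ecm2NPRzroGl6fTFNX9TpP6X0036qmf4=;",
]
# Assumption: the From: address domain (the quoted mail shows only the display
# name "Fing Alert"); taken to equal the first signature's d= tag.
FROM_DOMAIN = "fing.com"


def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def classify_signatures(headers, from_domain):
    """Per signature: who signed (d=, s=), whether d= is the From: domain
    (author signature) or another party (the relaying SMTP system), and h=."""
    out = []
    for hv in headers:
        t = parse_tags(hv)
        d = t.get("d", "").lower()
        out.append({
            "domain": d,
            "selector": t.get("s"),
            "role": "author" if d == from_domain.lower() else "third-party",
            "signed_headers": t.get("h", "").split(":"),
        })
    return out


def consistent_body_hash(headers):
    """Signatures with the same c= over an unchanged body must carry the same
    bh=; a mismatch means the body changed between signers."""
    by_canon = {}
    for hv in headers:
        t = parse_tags(hv)
        by_canon.setdefault(t.get("c"), set()).add(t.get("bh"))
    return all(len(hashes) == 1 for hashes in by_canon.values())
```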
amazonses.com double dkim sign

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=n4atlko3yvgxyqpwp7palysab6occe3l; d=fing.com; t=1604971038; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date; bh=0LT5Ztzk2B+Ecm2NPRzroGl6fTFNX9TpP6X0036qmf4=; b=Rtc9ieWPMuaNZ9iRZPZMEfuGj7pnaXu6TPjT9px08NGKZt0+rbCLyz083FG3djhk UTdHNgkEc6xGCCRN0JzbrdYaHWptG2U42qOYEajdE59uuR/Ucy+rGJA8Vr2roe/Ssvm jYWosu47Ndl6M56u9m3aNpAuBOgNmQHWoMVyWXZU=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=shh3fegwg5fppqsuzphvschd53n6ihuv; d=amazonses.com; t=1604971038; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID; bh=0LT5Ztzk2B+Ecm2NPRzroGl6fTFNX9TpP6X0036qmf4=; b=lihzmRF2B+mUjB1E89LLJ8JkbpbQQIpnPd5JtQjAGB5uSurBWfv6VrGHgbCy2O1e q7AWlXPTcwdca5K4iB0pormV/lgvfZV+kgwfSrLPlgWBwlB9hRi2TCsFhT9v9tbEm1b dZBXrPRFO9r+uDtLfR6OgaOtXq7RjMiAUqcDBm0k=
From: Fing Alert

why ?
Re: Per-user prefs and rules
Matus UHLAR - fantomas skrev den 2020-11-09 14:43:
> no, amavis processes all mail under single user, usually "amavis".

user prefs in sql is still supported in spamassassin even for system users in the host, and amavisd have usermaps to sa_users, so it's all supported, but the caveat is more that users must make their own user_prefs file with rule to have, or let the server admin let them be global with score 0 so it's globally disabled, then users in sql can change scores for that rule to be enabled per user

hope this is good enough, more flexibility needs perl code changes
Re: Per-user prefs and rules
Alex skrev den 2020-11-09 14:37:
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UsingSQL

create per user rules, set the scores default to 0 in sql, then change scores per user, easy :=)

and amavisd have sa_userprefs maps to sa_user, it's just not that easy to make work as intended
Re: Spamssassin seems to append .com TLD to uri link domains found
On 11/9/20 3:18 PM, RW wrote:
> When you say FP do you mean that ch.com was listed in a domain
> blocklist?

yes, the "ch.com" was listed in one of the domain blocklists. And as the customer used his own domain "www.ch" as footer it got caught by the lookup for "ch.com", which seems to be a Chinese news page or something like that. It's hard to explain to a customer that a URI domain he did not use in the message led to a hit on a blocklist lookup ;-)

Cheers

tobi
Re: Spamssassin seems to append .com TLD to uri link domains found
On Mon, 9 Nov 2020 08:26:59 +0100 Tobi wrote:

> John,
>
> > Because I think that suppressing that behavior for valid TLDs would
> > be
> an appropriate modification to avoid potential URIBL FPs
>
> fully agree. SA should not append .com if the domain has a valid tld
> and a domain label.

Only domains of the form "" and "www." are affected. In my experience corporate TLDs like "amazon" aren't getting used as single label domains on websites, and if they were the .com version would probably be the same site anyway. The second form is very rare, and I doubt links like that are widely used in email as they look suspicious.

> We know of at least one FP related to "www.ch"
> when (the expanded version) "ch.com" was checked on uribl lists.

When you say FP do you mean that ch.com was listed in a domain blocklist?

On the whole domain names of the form .com are going to be expensive, so they aren't likely to be owned directly by mainstream spammers. If the .com domain points to a hacked server, the firefox trick could be used to extend the useful life of the hack until both domains are listed. I think there's a case to be made either way.
Re: Per-user prefs and rules
On 09.11.20 08:37, Alex wrote:
> I'm aware of the ability to store user prefs in mysql, like whether to use
> bayes or razor, but is it possible to have rules on a per-user basis with
> SA 3.4.4 and amavis?

no, amavis processes all mail under single user, usually "amavis".
you probably could make amavis/MTA feed each mail through separate filter so they can use per-user settings.

> I realize I could write a meta rule that combines a rule with a recipient
> address, for example, but ideally I'd like to have a separate per-user list
> of rules.
>
> The real motivation for doing this is to be able to block mail from a
> specific TLD or domain or country on a per-user or per-domain basis.
>
> Perhaps there's another way to do this? In amavis directly?
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UsingSQL

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
Per-user prefs and rules
Hi,

I'm aware of the ability to store user prefs in mysql, like whether to use bayes or razor, but is it possible to have rules on a per-user basis with SA 3.4.4 and amavis?

I realize I could write a meta rule that combines a rule with a recipient address, for example, but ideally I'd like to have a separate per-user list of rules.

The real motivation for doing this is to be able to block mail from a specific TLD or domain or country on a per-user or per-domain basis.

Perhaps there's another way to do this? In amavis directly?

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/UsingSQL
Re: Crap getting through
On Mon, 9 Nov 2020 12:44:04 + RW wrote:
> On Sun, 8 Nov 2020 19:49:20 -0500
> Rob McEwen wrote:
>
> > Daryl,
> >
> > Can you please post a copy of the raw email message - with headers
> > - perhaps with your own user's email address (and name?) masked out
> > (change to "")
>
> It's best to leave it syntactically correct and with self-consistent
> obfuscation, so it can be run though SA without having to be edited a
> send time.

second time
Re: Crap getting through
On Sun, 8 Nov 2020 19:49:20 -0500 Rob McEwen wrote:
> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out
> (change to "")

It's best to leave it syntactically correct and with self-consistent obfuscation, so it can be run though SA without having to be edited a send time.
Re: Crap getting through
On 09.11.20 05:07, Daryl Rose wrote:
> Sorry, I deleted it right away. I normally delete that crap as soon as it
> comes in. I'll remember to keep it next time I get something so I can post
> the headers.

i keep spam and phishes in special mail directories for later examination

> On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen wrote:
> > Can you please post a copy of the raw email message - with headers -
> > perhaps with your own user's email address (and name?) masked out
> > (change to "") - to pastebin, or to a similar site - then reply here
> > with the link. It is difficult to give specific suggestions without
> > having the raw underlying text of the message (w/headers). But please
> > try to avoid pasting that directly to this list. Thanks!
> >
> > On 11/8/2020 5:00 PM, Daryl Rose wrote:
> > > I'm getting obvious phishing attempts. This one was made to look like
> > > it was from Wells Fargo with an obvious spoofed email address.
> > > However, when I examined the headers, the From Address was this
> > > garbage: *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *

this is not garbage, this is a mime-encoded string:

  *WễllsḞargo Bank *

...and that is garbage. But it should be quite easily caught.

> > > I received another one that was meant to be an Amazon Prime
> > > Membership failure. How can I block these? The last time I inquired
> > > about phishing, it was suggested to install KAM, which I did, but
> > > this crap is still getting through. Any other suggestions?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.
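Matus's point that the encoded From: name is "not garbage" but easy to catch, worked through in Python as an added example (not code from the thread or from any of the posters): the RFC 2047 word quoted above is decoded, its diacritics are stripped to an ASCII skeleton, and that skeleton is compared against a brand watch list. The address part of the header and the brand list are constructed placeholders.

```python
import unicodedata
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample: the encoded word is the one quoted in the thread; the
# address part is a placeholder.
FROM_HEADER = "=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= <alerts@example.invalid>"
# Constructed watch list of brand names that get impersonated (assumption).
WATCHED_BRANDS = ("wells fargo", "amazon")


def decode_display_name(from_header):
    """Return the RFC 2047-decoded display name of a From: header."""
    name, _addr = parseaddr(from_header)
    pieces = []
    for chunk, charset in decode_header(name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def ascii_skeleton(text):
    """Decompose (NFKD), drop combining marks and keep ASCII only, so that
    'WễllsḞargo' collapses to 'WellsFargo'."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.encode("ascii", "ignore").decode("ascii")


def brand_lookalike(from_header, brands=WATCHED_BRANDS):
    """Return the watched brand a non-ASCII display name imitates, else None.
    A plain-ASCII name is never flagged here: what matters is a brand name
    that only appears once the accented characters are stripped."""
    name = decode_display_name(from_header)
    if name.isascii():
        return None
    skeleton = ascii_skeleton(name).lower().replace(" ", "")
    for brand in brands:
        if brand.replace(" ", "") in skeleton:
            return brand
    return None
```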
Re: Crap getting through
Sorry, I deleted it right away. I normally delete that crap as soon as it comes in. I'll remember to keep it next time I get something so I can post the headers.

Daryl

On Sun, Nov 8, 2020 at 6:49 PM Rob McEwen wrote:

> Daryl,
>
> Can you please post a copy of the raw email message - with headers -
> perhaps with your own user's email address (and name?) masked out (change
> to "") - to pastebin, or to a similar site - then reply here with
> the link. It is difficult to give specific suggestions without having the
> raw underlying text of the message (w/headers). But please try to avoid
> pasting that directly to this list. Thanks!
>
> Rob McEwen
>
>
> On 11/8/2020 5:00 PM, Daryl Rose wrote:
>
> I'm getting obvious phishing attempts. This one was made to look like it
> was from Wells Fargo with an obvious spoofed email address. However, when
> I examined the headers, the From Address was this garbage:
> *=?utf-8?B?V+G7hWxsc+G4nmFyZ28gQmFuaw==?= *
>
> I received another one that was meant to be an Amazon Prime Membership
> failure. How can I block these? The last time I inquired about phishing,
> it was suggested to install KAM, which I did, but this crap is still
> getting through. Any other suggestions?
>
> Thank you.
>
> Daryl
>
>
>
>
> --
> Rob McEwen, invaluement
>
>
Re: free tlds considered as freemail ?
Dan Malm skrev den 2020-11-09 10:31:
> I just consider free tlds spam (at least some of them):

thanks, will try to add it to rule set i have here, ly tld is the one i like to add, you have it outside of freemail so this is what i will maybe change it to, so it just being freemail rule hits, not more custom rule names as it will be with what you do

i mean if the tld is free, can the domain name be non free then ?
Re: free tlds considered as freemail ?
On 2020-11-09 09:10, Benny Pedersen wrote:
> maybe if it could be done in freemail ?
>
> is it incorrect bark to bark on ?
>
> i write it to get some debate on it, not to begin implementing anything yet

I just consider free tlds spam (at least some of them):

header   DAM_SOMETLD_ARE_WORSE_TLD_FROM  From:addr =~ /\.(tk|ml|ga|cf|gq)$/i
describe DAM_SOMETLD_ARE_WORSE_TLD_FROM  Free TLD Abuse
score    DAM_SOMETLD_ARE_WORSE_TLD_FROM  5

uri      DAM_SOMETLD_ARE_WORSE_TLD_URI   /\.(tk|ml|ga|cf|gq)($|\/)/i
describe DAM_SOMETLD_ARE_WORSE_TLD_URI   Free TLD Abuse
score    DAM_SOMETLD_ARE_WORSE_TLD_URI   1.5

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com
free tlds considered as freemail ?
maybe if it could be done in freemail ?

is it incorrect bark to bark on ?

i write it to get some debate on it, not to begin implementing anything yet