Re: DKIM absence
> On May 2, 2023, at 8:27 AM, Philip Prindeville wrote:
>
> Is there a way to add scoring that says, "If the sending domain has DKIM
> records, but there's no DKIM signature on this message, then attach a high
> score to it?"
>
> We seem to attach negative scores when DKIM is present and valid, but what
> about the opposite direction?
>
> If it's absent, but it shouldn't be?

If there's no DKIM signature, you can't check for DKIM records in DNS. The selector for a DKIM signature is arbitrary - there's no one DNS lookup you can do to see all possible DKIM records for a domain.

You can use ADSP - it's old and I don't know how many domains have ADSP records these days, but it lets a domain specify that all mail must be DKIM signed to be considered valid.

We tell our customers to add an ADSP record, and we use it when checking their incoming mail to help identify forgeries. I don't know that it helps much with mail from non-customers, though. I'll have to check and see how often our rules hit for that.
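The ADSP approach described above, written out as an added Python example (not code from the thread or from SpamAssassin): if a message carries no DKIM-Signature header, look up the author domain's ADSP record at `_adsp._domainkey.<domain>` (RFC 5617) and add a score when the policy says all mail should be signed. The resolver is a constructed in-memory table so the example runs offline; the sample messages and the score values are constructed as well. Note that this only covers the "absent but shouldn't be" case; a signature that is present but fails verification is a separate check.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the original thread): one signed, one unsigned.
SIGNED = """From: alice@example.com
To: bob@example.net
Subject: hello
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=...; b=...

body
"""
UNSIGNED = """From: alice@example.com
To: bob@example.net
Subject: hello

body
"""

# Constructed ADSP records keyed by the name a resolver would query
# ("_adsp._domainkey." + author domain, per RFC 5617).
# Real code would do a DNS TXT lookup here instead of a dict lookup.
FAKE_DNS = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.discard.example": "dkim=discardable",
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return FAKE_DNS.get(name)


def author_domain(msg):
    """Extract the domain of the From: header (the ADSP 'author domain')."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def adsp_policy(domain, resolver=lookup_txt):
    """Return 'all', 'discardable' or 'unknown' for the domain's ADSP record."""
    txt = resolver("_adsp._domainkey." + domain)
    if txt is None:
        return "unknown"          # no record: ADSP says treat as unknown
    m = re.search(r"dkim\s*=\s*(all|discardable|unknown)", txt, re.I)
    return m.group(1).lower() if m else "unknown"


def missing_signature_score(raw, resolver=lookup_txt):
    """Score to add when a message is unsigned but its domain's ADSP expects signing.

    Constructed score values: 3.0 for dkim=all, 5.0 for dkim=discardable, 0 otherwise.
    """
    msg = message_from_string(raw)
    if msg.get("DKIM-Signature") is not None:
        return 0.0                # signed: verification is a separate step
    domain = author_domain(msg)
    if domain is None:
        return 0.0
    policy = adsp_policy(domain, resolver)
    return {"all": 3.0, "discardable": 5.0}.get(policy, 0.0)


if __name__ == "__main__":
    print("signed:", missing_signature_score(SIGNED))      # 0.0
    print("unsigned:", missing_signature_score(UNSIGNED))  # 3.0
```

Because ADSP is keyed on the From: domain alone, the lookup works for any sender that published a record, which is exactly the coverage question raised above for non-customer mail.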
Whitelisting based on IP address of last external relay
We have some users who would like to whitelist email based on the IP address of the last external relay. This is primarily for times like when messages are being sent from some webform they trust, or from internal systems.

My first thought was to simply add that IP to "trusted_networks" in their per-user configuration, thinking that "ALL_TRUSTED" would hit, and the shortcircuit rule would fire and just let it in. But of course, some of the messages pass through other relays first, so ALL_TRUSTED isn't firing.

One message that hit had these meta headers added (identifiable info changed, of course).

> X-Spam-Relays-Trusted: [ ip=1.2.3.4 rdns= helo=server.domain.com by=mail.us.com ident= envfrom= intl=0 id=3d8csD48f2UkYp auth= msa=0 ]
> X-Spam-Relays-Untrusted: [ ip=10.0.20.81 rdns= helo=int-WWW01 by=server.domain.com ident= envfrom= intl=0 id= auth= msa=0 ]
> X-Spam-Relays-Internal:
> X-Spam-Relays-External: [ ip=1.2.3.4 rdns= helo=server.domain.com by=mail.us.com ident= envfrom= intl=0 id=3d8csD48f2UkYp auth= msa=0 ] [ ip=10.0.20.81 rdns= helo=int-WWW01 by=server.domain.com ident= envfrom= intl=0 id= auth= msa=0 ]

In this case, I suppose we could add all reserved address blocks to trusted_networks globally... but that doesn't seem like such a great idea. And it won't help when there's some intermediate relay with a public IP address...

The other option would be to require that the user list all the other relays in there, but we would really prefer something more simple: allow them to whitelist if the last external relay is in the trusted list.

So... is there a rule or an idea on how to determine if the last external relay is also trusted? Or are we going to need to write a plugin?

And if anyone thinks that there's a real problem with this whole thing, please let me know. Am I missing something obvious that's going to cause problems if we whitelist based on the IP address of the last external relay?

Thanks-
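An added Python example (not code from the post or from SpamAssassin) of the check being asked for: parse the `X-Spam-Relays-External` pseudo-header into its `[ key=value ... ]` entries, take the first entry as the last external relay (in the headers quoted above it is the hop our own server, `by=mail.us.com`, received from), and test its IP against a per-user trusted list. The header value below is constructed from the quoted one; the trusted networks are constructed too. The security point the example makes explicit: only that first entry's IP was observed by our own MTA, while the IPs of earlier hops come from Received headers written by other hosts, so a trust decision should rest on the first entry and not on the chain behind it.

```python
import ipaddress
import re

# Constructed header value modelled on the one quoted in the post (addresses changed).
RELAYS_EXTERNAL = (
    "[ ip=1.2.3.4 rdns= helo=server.domain.com by=mail.us.com ident= envfrom= "
    "intl=0 id=3d8csD48f2UkYp auth= msa=0 ] "
    "[ ip=10.0.20.81 rdns= helo=int-WWW01 by=server.domain.com ident= envfrom= "
    "intl=0 id= auth= msa=0 ]"
)


def parse_relays(value):
    """Turn '[ k=v k= ... ] [ ... ]' into a list of dicts, one per relay, in header order."""
    relays = []
    for body in re.findall(r"\[([^\]]*)\]", value):
        # key=value tokens; an empty value (e.g. 'rdns=') maps to ''.
        relays.append(dict(re.findall(r"(\w+)=(\S*)", body)))
    return relays


def last_external_relay(value):
    """The first listed entry is the external hop closest to us, i.e. the one our MTA saw."""
    relays = parse_relays(value)
    return relays[0] if relays else None


def last_external_is_trusted(value, trusted_networks):
    """True when the last external relay's IP falls inside one of the trusted networks.

    trusted_networks: iterable of CIDR strings (constructed per-user list in this example).
    """
    relay = last_external_relay(value)
    if relay is None or not relay.get("ip"):
        return False
    ip = ipaddress.ip_address(relay["ip"])
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted_networks)


if __name__ == "__main__":
    for relay in parse_relays(RELAYS_EXTERNAL):
        print(relay["ip"], "received by", relay["by"])
    print("trusted:", last_external_is_trusted(RELAYS_EXTERNAL, ["1.2.3.0/24"]))  # True
```

Listing `10.0.20.81/32` as trusted would not whitelist this message, because that relay is behind `1.2.3.4` and its address was not verified by our server; that matches the "intermediate relay" concern raised in the post.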
Re: "Pill" spams
On Mon, Apr 9, 2012 at 3:33 PM, Alex wrote:
> +1 for these. I've seen a ton of these, and the only protection I have
> is a local URIBL I've built for the many new domains that haven't yet
> been added to the public URIBLs.
>
> Yours don't have any spamassassin/amavisd headers. How are you processing
> these?

I grabbed a few before they were processed. They're running through spamassassin.

Anybody got any ideas? These are driving me crazy!
Re: "Pill" spams
On Tue, Apr 10, 2012 at 7:08 AM, Bowie Bailey wrote:
> That sounds like it might be good rule-fodder. "subject", "Subject",
> and "SUBJECT" are possibly valid, but the other funky capitalizations
> might be worth a few points.

And how would one write a rule for that? It's not a header rule that matches the content of the Subject header line, but the initial "SubjeCT" itself. And how to do the proper regex match?

Any other ideas on these pill spams? What are they scoring for anyone else?
"Pill" spams
Getting a bunch of these, and I'm getting very low scores, using the latest spamassassin rules and the most common third-party rulesets. Also using spamhaus, investment and other DNSBLs, but my users seem to be getting these before the urls are making their way into those DNSBLs.

The subject is about various types of pills, and I do note that the Subject line header is often in mixed case - not just the subject itself, but even the word "subject" - it might be "SubjeCT" or "subjeCT" or "SUBJect", but I don't see a rule for anything like this.

There's almost always a link and then a bit of random text. Here are three examples:

http://pastebin.com/ycvfX5Np
http://pastebin.com/ApdN9V0W
http://pastebin.com/bcUggrC6

Can anyone offer any help?
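The odd-capitalization check discussed in this thread (the original post and the "how would one write a rule for that" follow-up), as an added Python example rather than a SpamAssassin rule from the list: it works on the raw header block, not on the parsed Subject value, so it sees the field name exactly as the sender wrote it. Two equivalent forms are shown, a loop over field names and the single regex the follow-up asked about, which uses a negative lookahead for the three accepted spellings in front of a case-insensitive match. The sample messages are constructed, not the pastebin ones.

```python
import re

# Constructed raw messages (not the pastebin samples from the post).
ODD_CASE = "From: x@example.com\r\nSubjeCT: cheap pills\r\nTo: y@example.net\r\n\r\nbody\r\n"
NORMAL = "From: x@example.com\r\nSubject: meeting\r\n\r\nbody\r\n"
UPPER = "SUBJECT: meeting\r\n\r\nbody\r\n"

# The spellings the follow-up treats as possibly legitimate.
ACCEPTED = {"Subject", "subject", "SUBJECT"}

# RFC 5322 field-name characters: printable ASCII except ':'; continuation
# lines start with whitespace and therefore never match at ^.
HEADER_NAME = re.compile(r"^([!-9;-~]+):", re.M)

# Single-regex form: reject the accepted spellings, then match any other casing.
ODD_SUBJECT_RE = re.compile(r"^(?!Subject:|subject:|SUBJECT:)(?i:subject):", re.M)


def header_block(raw):
    """Everything before the first blank line, i.e. the raw headers only."""
    return re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]


def raw_header_names(raw):
    """Field names as written in the raw message, case preserved."""
    return HEADER_NAME.findall(header_block(raw))


def odd_case_subject_names(raw):
    """Subject field names spelled with a casing outside ACCEPTED."""
    return [n for n in raw_header_names(raw)
            if n.lower() == "subject" and n not in ACCEPTED]


def odd_subject_case(raw):
    """Loop form: True when the message has an oddly cased Subject field name."""
    return bool(odd_case_subject_names(raw))


def odd_subject_case_regex(raw):
    """Regex form: same decision from ODD_SUBJECT_RE alone."""
    return ODD_SUBJECT_RE.search(header_block(raw)) is not None


if __name__ == "__main__":
    for name, raw in [("odd", ODD_CASE), ("normal", NORMAL), ("upper", UPPER)]:
        print(name, odd_subject_case(raw), odd_subject_case_regex(raw))
```

Restricting the scan to the header block matters: a body line that happens to start with "subject:" must not trigger the rule, and the `\r?\n\r?\n` split handles both CRLF and LF messages.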