Re: Catching fake LinkedIn invites
Maybe to give some background, and from there please apply what works best for you.

LinkedIn do DMARC.org; this means all the emails sent from LinkedIn infrastructure will pass SPF (be it with the mailfrom or helo strings) and be DKIM signed. Furthermore the domain present in all the strings will be aligned. Beware, MTAs on the way may change some of these characteristics.

https://dmarcian.com/dmarc-inspector/linkedin.com
http://engineering.linkedin.com/email/dmarc-new-tool-detect-genuine-emails

There has been talk to do a DMARC-like rule in SpamAssassin. I certainly would prefer people use the OpenDMARC milter, but I understand a SpamAssassin rule could be easier/faster to deploy.

http://sourceforge.net/projects/opendmarc/
http://www.trusteddomain.org/opendmarc.html

The above is my personal advice.
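The alignment check described above, worked through in code. This is an added example, not code from the list posters, OpenDMARC or LinkedIn: it parses the Authentication-Results header written by the receiving MTA (the two forms quoted later in this thread, the iecc.com one with spf.mailfrom/header.d and the Google one with smtp.mail/header.i, are both accepted), takes the From: domain, and reports whether the SPF or DKIM identifier is aligned with it the way DMARC requires. The sample messages, the authserv-id mx.example.net and the spammer's domain random-host.example are constructed; the organizational-domain helper is a deliberate simplification (last two labels) that is correct for linkedin.com but not a substitute for the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    """Registrable ("organizational") domain used for DMARC relaxed alignment.
    Simplification (assumption): keep the last two labels. Correct for
    linkedin.com / bounce.linkedin.com; real implementations consult the
    Public Suffix List so that e.g. example.co.uk is handled."""
    if not domain:
        return ""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(addr):
    """Domain part of an e-mail address, with display name and <> removed."""
    return parseaddr(addr)[1].rpartition("@")[2]


def parse_auth_results(value):
    """Parse one Authentication-Results value into
    (authserv-id, {method: (result, {property: value})}).
    Parenthesised comments, such as the long SPF explanation Google adds,
    are discarded before splitting on ';'."""
    value = re.sub(r"\([^)]*\)", " ", value)
    authserv_id, _, rest = value.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)\s*(.*)", clause)
        if m:
            method, result, props = m.groups()
            results[method.lower()] = (
                result.lower(),
                dict(re.findall(r"([\w.]+)=(\S+)", props)),
            )
    return authserv_id.strip(), results


def dmarc_alignment(raw_message, trusted_authserv_id):
    """Check the From: domain against SPF and DKIM results the way DMARC does,
    using only the Authentication-Results header written by our own MTA
    (trusted_authserv_id); headers added by other hops are ignored because
    anyone upstream can insert one."""
    msg = message_from_string(raw_message)
    from_dom = org_domain(addr_domain(msg.get("From", "")))
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(hdr)
        if authserv_id == trusted_authserv_id:
            auth = results
            break
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    # Both property spellings seen in this thread's headers are accepted.
    mailfrom = (spf_props.get("spf.mailfrom") or spf_props.get("smtp.mailfrom")
                or spf_props.get("smtp.mail", ""))
    dkim_d = dkim_props.get("header.d") or dkim_props.get("header.i", "")
    spf_aligned = (spf_result == "pass" and bool(from_dom)
                   and org_domain(addr_domain(mailfrom)) == from_dom)
    dkim_aligned = (dkim_result == "pass" and bool(from_dom)
                    and org_domain(dkim_d.rpartition("@")[2]) == from_dom)
    return {
        "from_domain": from_dom,
        "spf_result": spf_result, "spf_aligned": spf_aligned,
        "dkim_result": dkim_result, "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,  # either aligned identifier suffices
    }


# Constructed sample messages modelled on the headers quoted in this thread
# (addresses shortened; mx.example.net stands in for the receiving MTA).
GENUINE = """From: LinkedIn <invitations@linkedin.com>
Return-Path: <m-abc123@bounce.linkedin.com>
Authentication-Results: mx.example.net; spf=pass spf.mailfrom=m-abc123@bounce.linkedin.com spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com header.b=yTQxEigD; dmarc=pass header.from=linkedin.com policy=reject
Subject: Invitation to connect on LinkedIn

Jane Doe wants to connect with you on LinkedIn.
"""

# Forged: From: claims linkedin.com, but the envelope sender is the sender's
# own domain, whose SPF record authorises the sending host, so SPF passes
# without being aligned. dkim=none because nothing signed for linkedin.com.
FORGED = """From: LinkedIn <invitations@linkedin.com>
Return-Path: <bounce-4711@random-host.example>
Authentication-Results: mx.example.net; spf=pass spf.mailfrom=bounce-4711@random-host.example; dkim=none
Subject: Invitation to connect on LinkedIn

Someone wants to connect with you on LinkedIn.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, dmarc_alignment(raw, "mx.example.net"))
```

The forged sample is the case a bare SPF_PASS check misses: SPF passes for the envelope domain, but that domain is not the one in From:, so alignment fails and the message gets no DMARC credit.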
Re: Catching fake LinkedIn invites
30.08.2013 12:45, Martin Gregorie wrote:

On Thu, 2013-08-29 at 05:42 -0700, Neil Schwartzman wrote:
On Aug 29, 2013, at 4:40 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

no need to guess

The headers you've sent don't contain an envelope sender (the From header) or a From: header. What is the domain name in the Message-ID: header of a genuine LinkedIn message? Another possibility would be to reject anything that claims to be From: LinkedIn but doesn't have the appropriate domain name in its message id.

Received: by 10.217.45.68 with SMTP id a46csp19989wew; Wed, 28 Aug 2013 13:57:59 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com. [2001:470:1f07:1126:0:4c:6569:6c61]) by mx.google.com with ESMTPS id x3si106237qas.146.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Received: (qmail 12685 invoked by uid 1014); 28 Aug 2013 20:57:57 -
Received: (qmail 12680 invoked from network); 28 Aug 2013 20:57:57 -
Received: from mailc-fa.linkedin.com (mailc-fa.linkedin.com [199.101.162.77]) by smtp.abuse.net ([64.57.183.109]) with ESMTP via TCP port 34167/25 id 539419450; 28 Aug 2013 20:57:53 -
X-Received: by 10.229.179.137 with SMTP id bq9mr10582950qcb.11.1377723478996; Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Return-Path: m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
Received-Spf: softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) client-ip=2001:470:1f07:1126:0:4c:6569:6c61;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) smtp.mail=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com; dkim=pass header.i=@linkedin.com; dmarc=pass (p=REJECT dis=NONE) d=linkedin.com
Authentication-Results: iecc.com; spf=pass spf.mailfrom=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com header.b=yTQxEigD; dmarc=pass header.from=linkedin.com policy=reject
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on leila.iecc.com
X-Spam-Level:
X-Spam-Status: No, score=-12.6 required=4.4 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE,RP_MATCHES_RCVD autolearn=unavailable version=3.3.2
Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=LeVz8j1vCA5eInVlQoy1R2cc1m/KJfCNOIy5A2oT9InYxvEtsqqPICJbTROiCnxV XhZhEtvh/z/E9qxYnqjrs8jsPNaiPoS3k/2giZoCAviri4PtQUa0ItD2SpYN3iUh
Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1377723459; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=M1AJY3ogQKLz5Vc1bK3tB2dbd58=; b=yTQxEigDySwE9gynJ5UlILn2G6myZ9XiHShT5BhUjukBwllSRqgBaf/7BAiDD4Ku 7OPkXtp14RZzykua0KXcIayOc+xpL2EriMQVX5mDkjbriBF5sFGK1kk+WqnGIIjk HRgzzsg2CDIY34jlet+qfM9+BiEEs3WYi+q5hmun0m0=;
Sender: messages-nore...@bounce.linkedin.com
Message-Id: 1271127196.48543013.1377723459176.javamail@ela4-app2520.prod
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_48543007_1435785298.1377723459174
X-Linkedin-Template: anet_digest_type
X-Linkedin-Class: GROUPDIGEST
X-Linkedin-Fbl: m-pNHvq1bOcYM0uxG7j38mb1bv9RRMgop7tfdwzEyGlxBMrDufU1n
X-Dcc-Iecc-Metrics: leila.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1

I test DKIM_VALID_AU. It works with Facebook and Linked-in.

-- 
jarif.bit
Re: Catching fake LinkedIn invites
On Thu, 2013-08-29 at 05:42 -0700, Neil Schwartzman wrote:
On Aug 29, 2013, at 4:40 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

no need to guess

The headers you've sent don't contain an envelope sender (the From header) or a From: header. What is the domain name in the Message-ID: header of a genuine LinkedIn message? Another possibility would be to reject anything that claims to be From: LinkedIn but doesn't have the appropriate domain name in its message id.

Received: by 10.217.45.68 with SMTP id a46csp19989wew; Wed, 28 Aug 2013 13:57:59 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com. [2001:470:1f07:1126:0:4c:6569:6c61]) by mx.google.com with ESMTPS id x3si106237qas.146.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Received: (qmail 12685 invoked by uid 1014); 28 Aug 2013 20:57:57 -
Received: (qmail 12680 invoked from network); 28 Aug 2013 20:57:57 -
Received: from mailc-fa.linkedin.com (mailc-fa.linkedin.com [199.101.162.77]) by smtp.abuse.net ([64.57.183.109]) with ESMTP via TCP port 34167/25 id 539419450; 28 Aug 2013 20:57:53 -
X-Received: by 10.229.179.137 with SMTP id bq9mr10582950qcb.11.1377723478996; Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Return-Path: m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
Received-Spf: softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) client-ip=2001:470:1f07:1126:0:4c:6569:6c61;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) smtp.mail=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com; dkim=pass header.i=@linkedin.com; dmarc=pass (p=REJECT dis=NONE) d=linkedin.com
Authentication-Results: iecc.com; spf=pass spf.mailfrom=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com header.b=yTQxEigD; dmarc=pass header.from=linkedin.com policy=reject
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on leila.iecc.com
X-Spam-Level:
X-Spam-Status: No, score=-12.6 required=4.4 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE,RP_MATCHES_RCVD autolearn=unavailable version=3.3.2
Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=LeVz8j1vCA5eInVlQoy1R2cc1m/KJfCNOIy5A2oT9InYxvEtsqqPICJbTROiCnxV XhZhEtvh/z/E9qxYnqjrs8jsPNaiPoS3k/2giZoCAviri4PtQUa0ItD2SpYN3iUh
Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1377723459; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=M1AJY3ogQKLz5Vc1bK3tB2dbd58=; b=yTQxEigDySwE9gynJ5UlILn2G6myZ9XiHShT5BhUjukBwllSRqgBaf/7BAiDD4Ku 7OPkXtp14RZzykua0KXcIayOc+xpL2EriMQVX5mDkjbriBF5sFGK1kk+WqnGIIjk HRgzzsg2CDIY34jlet+qfM9+BiEEs3WYi+q5hmun0m0=;
Sender: messages-nore...@bounce.linkedin.com
Message-Id: 1271127196.48543013.1377723459176.javamail@ela4-app2520.prod
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_48543007_1435785298.1377723459174
X-Linkedin-Template: anet_digest_type
X-Linkedin-Class: GROUPDIGEST
X-Linkedin-Fbl: m-pNHvq1bOcYM0uxG7j38mb1bv9RRMgop7tfdwzEyGlxBMrDufU1n
X-Dcc-Iecc-Metrics: leila.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
Re: Catching fake LinkedIn invites
On Fri, 30 Aug 2013 10:45:23 +0100 Martin Gregorie wrote:
On Thu, 2013-08-29 at 05:42 -0700, Neil Schwartzman wrote:
On Aug 29, 2013, at 4:40 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

no need to guess

The headers you've sent don't contain an envelope sender (the From header) or a From: header.

Actually there is a Return-Path. And the OP said that there is a From.

What is the domain name in the Message-ID: header of a genuine LinkedIn message? Another possibility would be to reject anything that claims to be From: LinkedIn but doesn't have the appropriate domain name in its message id.

I was thinking of just the header and the envelope, but it wouldn't hurt to add the message-id as well:

header __LINKEDIN_HEADFROM  From:addr =~ /\@.*linkedin/i
header __LINKEDIN_ENVFROM   EnvelopeFrom =~ /linkedin/i
header __LINKEDIN_MSGID     Message-Id =~ /linkedin/i
meta   LINKEDIN_FAKED       (__LINKEDIN_HEADFROM && !(__LINKEDIN_ENVFROM || __LINKEDIN_MSGID))
Re: Catching fake LinkedIn invites
On Fri, 2013-08-30 at 14:25 +0100, RW wrote:
On Fri, 30 Aug 2013 10:45:23 +0100 Martin Gregorie wrote:
On Thu, 2013-08-29 at 05:42 -0700, Neil Schwartzman wrote:
On Aug 29, 2013, at 4:40 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

no need to guess

The headers you've sent don't contain an envelope sender (the From header) or a From: header.

Actually there is a Return-Path. And the OP said that there is a From.

Yes, agreed there's a Return-Path, but the message I sent, which contains the complete set of headers in the body of message I replied to, did not include an envelope From or a From: header and no Reply-to header either - this surprised me so I checked quite carefully.

I was thinking of just the header and the envelope, but it wouldn't hurt to add the message-id as well:

I use tests on Message-ID header to identify messages from gmail and yahoo. So far I have not had any FPs from doing this.

Martin
Re: Catching fake LinkedIn invites
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.
Re: Catching fake LinkedIn invites
On Aug 29, 2013, at 6:41 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

Greylisting kills these off nicely. I have one account without greylisting enabled and I get a couple of these fake linkedin spams a week. Never seen one on any of my non-greylisted accounts.
Re: Catching fake LinkedIn invites
Michael Schaap wrote on 2013-08-28 23:54:

I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

meta FORGED_SENDER      (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_SENDER_SOFT (!SPF_PASS || !DKIM_VALID_AU)

Score as you see fit to catch; if it's DKIM_VALID_AU then report it as spam to linkedin.
Re: Catching fake LinkedIn invites
On Aug 29, 2013, at 4:40 AM, RW rwmailli...@googlemail.com wrote:
On Thu, 29 Aug 2013 00:55:29 +0200 Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

The From: header is at linkedin dot com, but the envelope sender is a random address

I'm guessing that legitimate linkedin mail has something other than a random address in its envelope sender.

no need to guess

Received: by 10.217.45.68 with SMTP id a46csp19989wew; Wed, 28 Aug 2013 13:57:59 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com. [2001:470:1f07:1126:0:4c:6569:6c61]) by mx.google.com with ESMTPS id x3si106237qas.146.1969.12.31.16.00.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Received: (qmail 12685 invoked by uid 1014); 28 Aug 2013 20:57:57 -
Received: (qmail 12680 invoked from network); 28 Aug 2013 20:57:57 -
Received: from mailc-fa.linkedin.com (mailc-fa.linkedin.com [199.101.162.77]) by smtp.abuse.net ([64.57.183.109]) with ESMTP via TCP port 34167/25 id 539419450; 28 Aug 2013 20:57:53 -
X-Received: by 10.229.179.137 with SMTP id bq9mr10582950qcb.11.1377723478996; Wed, 28 Aug 2013 13:57:58 -0700 (PDT)
Return-Path: m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com
Received-Spf: softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) client-ip=2001:470:1f07:1126:0:4c:6569:6c61;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com does not designate 2001:470:1f07:1126:0:4c:6569:6c61 as permitted sender) smtp.mail=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com; dkim=pass header.i=@linkedin.com; dmarc=pass (p=REJECT dis=NONE) d=linkedin.com
Authentication-Results: iecc.com; spf=pass spf.mailfrom=m-pnhvq1bocym0uxg7j38mb1bv9rrmgop7tfdwzeyglxbmrduf...@bounce.linkedin.com spf.helo=mailc-fa.linkedin.com; dkim=pass header.d=linkedin.com header.b=yTQxEigD; dmarc=pass header.from=linkedin.com policy=reject
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on leila.iecc.com
X-Spam-Level:
X-Spam-Status: No, score=-12.6 required=4.4 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_HI,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE,RP_MATCHES_RCVD autolearn=unavailable version=3.3.2
Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=LeVz8j1vCA5eInVlQoy1R2cc1m/KJfCNOIy5A2oT9InYxvEtsqqPICJbTROiCnxV XhZhEtvh/z/E9qxYnqjrs8jsPNaiPoS3k/2giZoCAviri4PtQUa0ItD2SpYN3iUh
Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1377723459; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=M1AJY3ogQKLz5Vc1bK3tB2dbd58=; b=yTQxEigDySwE9gynJ5UlILn2G6myZ9XiHShT5BhUjukBwllSRqgBaf/7BAiDD4Ku 7OPkXtp14RZzykua0KXcIayOc+xpL2EriMQVX5mDkjbriBF5sFGK1kk+WqnGIIjk HRgzzsg2CDIY34jlet+qfM9+BiEEs3WYi+q5hmun0m0=;
Sender: messages-nore...@bounce.linkedin.com
Message-Id: 1271127196.48543013.1377723459176.javamail@ela4-app2520.prod
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_48543007_1435785298.1377723459174
X-Linkedin-Template: anet_digest_type
X-Linkedin-Class: GROUPDIGEST
X-Linkedin-Fbl: m-pNHvq1bOcYM0uxG7j38mb1bv9RRMgop7tfdwzEyGlxBMrDufU1n
X-Dcc-Iecc-Metrics: leila.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
Catching fake LinkedIn invites
Hi,

I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Thanks,
 - Michael
Re: Catching fake LinkedIn invites
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

If they do, and the legit ones pass SPF or DKIM, then the standard solution is to add a header rule to detect that the message claims to be from that domain (e.g. using the domain part of the From or Reply-To headers), and then either give that rule some points and also define whitelist_from_auth for the domain, or meta that rule with (SPF_FAIL || DKIM_FAIL) and give the meta some points.

There were some examples of doing this for facebook within the last couple of weeks, check the list archives.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
WSJ on the Financial Stimulus package: ...today there are 700,000 fewer jobs than [the administration] predicted we would have if we had done nothing at all.
---
Today: Exercise Your Rights day
Re: Catching fake LinkedIn invites
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

Unfortunately not, for the most part. (The From: header is at linkedin dot com, but the envelope sender is a random address, and I guess SPF and DKIM run on the envelope sender only.)

If they do, and the legit ones pass SPF or DKIM, then the standard solution is to add a header rule to detect that the message claims to be from that domain (e.g. using the domain part of the From or Reply-To headers), and then either give that rule some points and also define whitelist_from_auth for the domain, or meta that rule with (SPF_FAIL || DKIM_FAIL) and give the meta some points.

There were some examples of doing this for facebook within the last couple of weeks, check the list archives.

Hmm, legit ones have SPF_PASS. So I guess I could set up a rule that punishes messages "From:" linkedin which don't have SPF_PASS. I might give that a try, once I find some time to figure out how...

Thanks,
 - Michael
Re: Catching fake LinkedIn invites
On 29-Aug-2013 00:55, Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

Unfortunately not, for the most part. (The From: header is at linkedin dot com, but the envelope sender is a random address, and I guess SPF and DKIM run on the envelope sender only.)

If they do, and the legit ones pass SPF or DKIM, then the standard solution is to add a header rule to detect that the message claims to be from that domain (e.g. using the domain part of the From or Reply-To headers), and then either give that rule some points and also define whitelist_from_auth for the domain, or meta that rule with (SPF_FAIL || DKIM_FAIL) and give the meta some points.

There were some examples of doing this for facebook within the last couple of weeks, check the list archives.

Hmm, legit ones have SPF_PASS. So I guess I could set up a rule that punishes messages "From:" linkedin which don't have SPF_PASS. I might give that a try, once I find some time to figure out how...

No time like the present...

# Punish fake LinkedIn mail
header __FROM_LINKEDIN       From =~ /\@linkedin\.com/i
meta   FROM_LINKEDIN_NO_SPF  (__FROM_LINKEDIN && !SPF_PASS && !SPF_HELO_PASS)
score  FROM_LINKEDIN_NO_SPF  5.0

This seems to do the trick for most of the messages.

 - Michael
Re: Catching fake LinkedIn invites
On Thu, 29 Aug 2013, Michael Schaap wrote:
On 29-Aug-2013 00:30, John Hardin wrote:
On Wed, 28 Aug 2013, Michael Schaap wrote:

Hi, I'm getting loads of fake LinkedIn invites, most of which aren't caught by SpamAssassin. Does anyone have a good SpamAssassin rule to catch those, while letting real LinkedIn invites through?

Do they fail SPF or DKIM?

Unfortunately not, for the most part. (The From: header is at linkedin dot com, but the envelope sender is a random address, and I guess SPF and DKIM run on the envelope sender only.)

If they do, and the legit ones pass SPF or DKIM, then the standard solution is to add a header rule to detect that the message claims to be from that domain (e.g. using the domain part of the From or Reply-To headers), and then either give that rule some points and also define whitelist_from_auth for the domain, or meta that rule with (SPF_FAIL || DKIM_FAIL) and give the meta some points.

There were some examples of doing this for facebook within the last couple of weeks, check the list archives.

Hmm, legit ones have SPF_PASS. So I guess I could set up a rule that punishes messages "From:" linkedin which don't have SPF_PASS. I might give that a try, once I find some time to figure out how...

Untested but try:

whitelist_auth *@bounce.linkedin.com
whitelist_auth *@linkedin.com
blacklist_from *@linkedin.com

The whitelist_auth will kick in on any message from @linkedin.com which passes SPF or DKIM, thus will null out the bad points from the blacklist_from, and end up being neutral. Any purported linkedin.com message not getting the whitelist_auth boost will be clobbered by the blacklist_from.

One caveat: a transient DNS failure might cause the SPF/DKIM to not verify, thus not boosting legit linkedin messages.

There is a low-power version of whitelist_auth called def_whitelist_auth which only boosts by +15 (I use it for a lot of stuff). However there isn't a def_blacklist_from, so you have to use the full-strength versions of both white/black list (+100/-100) to make them balance out each other.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: Catching fake LinkedIn invites
Unfortunately not, for the most part. (The From: header is at linkedin dot com, but the envelope sender is a random address, and I guess SPF and DKIM run on the envelope sender only.)

DKIM runs on the message body. If it doesn't have a valid DKIM signature from linkedin, you can be quite sure that's not where it's from.

R's,
John
Re: Catching fake LinkedIn invites
On 29/08/13 13:26, Michael Schaap wrote:

# Punish fake LinkedIn mail
header __FROM_LINKEDIN       From =~ /\@linkedin\.com/i
meta   FROM_LINKEDIN_NO_SPF  (__FROM_LINKEDIN && !SPF_PASS && !SPF_HELO_PASS)
score  FROM_LINKEDIN_NO_SPF  5.0

This seems to do the trick for most of the messages.

Very dangerous - for one thing you're giving +5 to any email from a LinkedIn employee to a mailing-list - at least that should be X-Envelope-From instead of From (all the phishing emails I've seen related to this use unrelated envelope details)

This is what I'm using - it will only trigger on the invite Subject line with evidence it isn't from LinkedIn

header   __TRMB_LINKEDIN_FROM    From =~ /\W(linkedin)\W/i
header   __TRMB_LINKEDIN_RP      X-Envelope-From =~ /\.linkedin\.com(>|$)/i
header   __TRMB_LINKEDIN_INVITE  Subject =~ /^Invitation to connect on LinkedIn/i
body     __TRMB_LINKEDIN_BODY    /(^|\W)(wants to connect with you on LinkedIn)\W/i
meta     TRMB_LINKEDIN_SPAM      (!__TRMB_LINKEDIN_RP && (__TRMB_LINKEDIN_INVITE || __TRMB_LINKEDIN_FROM) && __TRMB_LINKEDIN_BODY)
describe TRMB_LINKEDIN_SPAM      Linkedin invite email with non-linkedin sender
score    TRMB_LINKEDIN_SPAM      7.1

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
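The three rule families posted in this thread (RW's envelope/Message-Id alignment meta, Michael's From-without-SPF_PASS meta, and Jason's invite-wording-plus-envelope meta), run side by side over sample messages. This is an added example, not code from any of the posters: the regular expressions are transcribed from their rules, but the evaluation is plain Python, and the SPF outcome (SpamAssassin's SPF_PASS / SPF_HELO_PASS, which needs DNS) is passed in as an input. The three messages are constructed: the genuine one mirrors the quoted LinkedIn headers, whose Message-Id carries no linkedin.com domain, so RW's rule relies on the bounce.linkedin.com envelope to spare it; the third models the case Jason raises, a LinkedIn employee's post relayed by a mailing list, where the list's envelope sender means SPF for linkedin.com cannot pass.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def evaluate_linkedin_rules(raw_message, spf_pass):
    """Apply the three rule families from this thread to one message and
    report which would fire. spf_pass stands in for SpamAssassin's
    SPF_PASS / SPF_HELO_PASS result, supplied by the caller because it
    depends on DNS lookups this example does not perform."""
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    from_addr = parseaddr(from_hdr)[1]
    envelope = msg.get("X-Envelope-From", msg.get("Return-Path", ""))
    msgid = msg.get("Message-Id", "")
    subject = msg.get("Subject", "")
    body = msg.get_payload()

    def hit(pattern, text):
        return re.search(pattern, text, re.I) is not None

    # RW: From:addr claims linkedin, but neither envelope nor Message-Id mentions it
    headfrom = hit(r"@.*linkedin", from_addr)
    envfrom = hit(r"linkedin", envelope)
    msgid_ok = hit(r"linkedin", msgid)
    linkedin_faked = headfrom and not (envfrom or msgid_ok)

    # Michael: From header mentions @linkedin.com and SPF did not pass
    from_linkedin_no_spf = hit(r"@linkedin\.com", from_hdr) and not spf_pass

    # Jason: invite wording in subject/body plus a non-LinkedIn envelope sender
    rp_linkedin = hit(r"\.linkedin\.com(>|$)", envelope)
    invite_subject = hit(r"^Invitation to connect on LinkedIn", subject)
    from_word = hit(r"\Wlinkedin\W", from_hdr)
    invite_body = hit(r"(^|\W)(wants to connect with you on LinkedIn)\W", body)
    trmb_linkedin_spam = (not rp_linkedin) and (invite_subject or from_word) and invite_body

    return {
        "LINKEDIN_FAKED": linkedin_faked,
        "FROM_LINKEDIN_NO_SPF": from_linkedin_no_spf,
        "TRMB_LINKEDIN_SPAM": trmb_linkedin_spam,
    }


# Constructed samples. The genuine one mirrors the thread's quoted headers:
# a bounce.linkedin.com envelope and a Message-Id without linkedin.com in it.
GENUINE = """From: LinkedIn Invitations <invitations@linkedin.com>
X-Envelope-From: <m-abc123@bounce.linkedin.com>
Message-Id: <1271127196.48543013@ela4-app2520.prod>
Subject: Invitation to connect on LinkedIn

Jane Doe wants to connect with you on LinkedIn.
"""

# Forged invite: linkedin.com in From:, everything else from an unrelated host.
FORGED = """From: LinkedIn <invitations@linkedin.com>
X-Envelope-From: <bounce-4711@random-host.example>
Message-Id: <20130828.4711@random-host.example>
Subject: Invitation to connect on LinkedIn

Someone wants to connect with you on LinkedIn.
"""

# A LinkedIn employee posting to a mailing list (constructed): the list
# rewrites the envelope sender, so SPF for linkedin.com cannot pass here.
EMPLOYEE_ON_LIST = """From: Some Person <sperson@linkedin.com>
X-Envelope-From: <users-bounces@lists.example.org>
Message-Id: <20130830.1234@mail.linkedin.com>
Subject: Re: Catching fake LinkedIn invites

We publish DMARC; see the engineering blog post for details.
"""

if __name__ == "__main__":
    print("genuine ", evaluate_linkedin_rules(GENUINE, spf_pass=True))
    print("forged  ", evaluate_linkedin_rules(FORGED, spf_pass=False))
    print("employee", evaluate_linkedin_rules(EMPLOYEE_ON_LIST, spf_pass=False))
```

All three rules fire on the forged invite and none on the genuine one; on the relayed employee post only FROM_LINKEDIN_NO_SPF fires, which is the false positive Jason describes, while the body-gated TRMB rule and RW's rule (here rescued by the linkedin.com Message-Id) stay quiet.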