Re: Forged yahoo and mass mailers

2014-06-09 Thread Anthony Cartmell
I have a few messages that have been incorrectly tagged because the
sender used their yahoo address as the sender, but used a mass mailer
(contactbeacon.com) to send their newsletter for them. Apparently this is
enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it
to be marked as spam.

Is there something I'm missing, or is there a better way to do this to
avoid the FPs in the future?


The problem probably has something to do with Yahoo! (and AOL) publishing
strict DMARC records. So anything From: a @yahoo.com (or @aol.com)
address that isn't coming from a Yahoo! (or AOL) mail server is required
to be blocked according to DMARC.


The mass mailer needs to change the From: address to be something  
@contactbeacon.com and use the Reply-to: for the email address they want  
replies to go to. Certainly anything sent From: a @yahoo.com address but  
from a contactbeacon.com server will be rejected by mail systems that  
implement DMARC checking, such as Yahoo!, AOL, and more.


Anthony
--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex,  
BN11 1QR
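To make the DMARC point above concrete, here is an added example (not code from the thread or from any of the posters) that applies DMARC identifier alignment to the newsletter as the mass mailer sent it and to the corrected form Anthony describes. The DMARC policy table, the organizational-domain helper and the sample From: addresses are constructed assumptions; a real receiver fetches the policy from DNS and takes the DKIM d= and SPF domains from its own authentication results.

```python
import email.utils
from typing import Dict, Optional

# Constructed stand-in for the DMARC TXT records normally fetched from DNS at
# _dmarc.<domain>; "contactbeacon.com" is given a policy here only so the
# corrected From: can be shown passing (constructed value, not the real record).
DMARC_POLICY: Dict[str, str] = {
    "yahoo.com": "reject",
    "aol.com": "reject",
    "contactbeacon.com": "quarantine",
}

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: no public-suffix list; fine for the domains used here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], strict: bool = False) -> bool:
    """DMARC identifier alignment: relaxed compares organizational domains,
    strict requires the exact same domain.  No authenticated domain, no alignment."""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(headers: Dict[str, str], dkim_d: Optional[str],
                      spf_domain: Optional[str]) -> str:
    """Return 'none' when the From: domain publishes no policy, 'pass' when a
    valid DKIM d= or an SPF-passing MAIL FROM domain aligns with From:, and
    otherwise the published policy ('reject' or 'quarantine')."""
    from_domain = email.utils.parseaddr(headers.get("From", ""))[1].rpartition("@")[2]
    policy = DMARC_POLICY.get(org_domain(from_domain), "none")
    if policy == "none":
        return "none"
    if aligned(from_domain, dkim_d) or aligned(from_domain, spf_domain):
        return "pass"
    return policy

# Constructed messages modelled on the thread: the newsletter as the mass
# mailer sent it, and with the fix (From: the mailer's domain, Reply-To: yahoo).
NEWSLETTER_AS_SENT = {"From": "Some Club <someclub@yahoo.com>"}
NEWSLETTER_FIXED = {"From": "Some Club <newsletter@contactbeacon.com>",
                    "Reply-To": "someclub@yahoo.com"}

if __name__ == "__main__":
    # contactbeacon.com can only sign with, and pass SPF for, its own domain.
    for m in (NEWSLETTER_AS_SENT, NEWSLETTER_FIXED):
        print(m["From"], "->", dmarc_disposition(m, "contactbeacon.com", "contactbeacon.com"))
```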


Re: Forged yahoo and mass mailers

2014-06-09 Thread Kevin A. McGrail

On 6/8/2014 10:49 PM, Alex wrote:
I have a few messages that have been incorrectly tagged because the 
sender used their yahoo address as the sender, but used a mass mailer 
(contactbeacon.com) to send their 
newsletter for them. Apparently this is enough for it to hit 
FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam.


Is there something I'm missing, or is there a better way to do this to 
avoid the FPs in the future?

People with Yahoo! accounts (and AOL) and any other senders that have a 
DMARC policy of reject/quarantine need to use either A) a mailing list 
sender that has modified their process for DMARC or B) not use those 
accounts.


See 
http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html


Regards,
KAM


Re: Forged yahoo and mass mailers

2014-06-09 Thread Alex
Hi,

  is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO,
  causing it to be marked as spam.

 Scores of 1.63 and 2.5 respectively, according to your sample. With a
 total score of 6.995, it is the latter one pushing it over the 5.0
 threshold, not the first one.

 Moreover, the responsible rule is NOT stock SA. The obvious L local
 prefix should be a clear hint. You defined it as from yahoo, but not
 DKIM valid.

 For amusement, search google for UNVERIFIED_YAHOO (and insist you really
 mean it literally with the underscore rather than two words).

 Yahoo uses DKIM and this wasn't signed. Funnily enough, that's a quote
 from a bug report back April 2007. Actually the OP closing its own
 report as not a bug.

This was a set of rules created by Mark back in 2011. Thanks for not
flaming me.

  Is there something I'm missing, or is there a better way to do this to
  avoid the FPs in the future?

 If by doing this you mean writing a safer variant of your local rule,
 you should have  (a) clearly stated it's a local rule, and  (b) pasted
 the complete current version of that local rule.

 By making us chase your local rules in archives, all you'll get is
 fingers pointing at your own, local rule.

I never intended to do that. I completely forgot this was a local rule.
I've disabled it for now, pending any words of wisdom on improving it from
those more knowledgeable than myself.

# Mailing-list / forwarder markers: any of these exempts a message from the check
header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2        exists:List-Id
header __L_ML3        exists:List-Post
header __L_ML4        exists:Mailing-List
header __L_HAS_SNDR   exists:Sender
meta   __L_VIA_ML     __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
# From: address in one of the Yahoo domains
header __L_FROM_Y1    From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2    From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|mx|my|ph|sg)$}i
header __L_FROM_Y3    From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|th|uk)$}i
header __L_FROM_Y4    From:addr =~ m{\@yahoo\.(ca|cn|de|dk|es|fr|gr|ie|it|pl|ru|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
# Free-mailer From: without a valid DKIM signature and not via a list
meta     L_UNVERIFIED_YAHOO  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5
meta     L_UNVERIFIED_GMAIL  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5

Thanks,
Alex
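As an added example (not from the thread, and not SpamAssassin code), the following Python re-implements the logic of the posted L_UNVERIFIED_YAHOO rule so it can be run against constructed header sets: the newsletter case from the thread fires it, while a Sender: or list header from the mass mailer, or a valid Yahoo DKIM signature, does not. The header sets are constructed, and DKIM_VALID / DKIM_VALID_AU are assumed to come from SpamAssassin's own signature check and are passed in as booleans.

```python
import re
from email.utils import parseaddr
from typing import Dict

# Header patterns copied from the posted rules; From:addr means the bare address.
FROM_YAHOO = [
    re.compile(r"[@.]yahoo\.com$", re.I),
    re.compile(r"@yahoo\.com\.(ar|br|cn|hk|mx|my|ph|sg)$", re.I),
    re.compile(r"@yahoo\.co\.(id|in|jp|nz|th|uk)$", re.I),
    re.compile(r"@yahoo\.(ca|cn|de|dk|es|fr|gr|ie|it|pl|ru|se)$", re.I),
]
PRECEDENCE_LIST = re.compile(r"\b(list|bulk)\b", re.I)

def via_ml(h: Dict[str, str]) -> bool:
    """__L_VIA_ML: Precedence list/bulk, any List-*/Mailing-List header, or a Sender: header."""
    if PRECEDENCE_LIST.search(h.get("Precedence", "")):
        return True
    return any(k in h for k in ("List-Id", "List-Post", "Mailing-List", "Sender"))

def from_yahoo(h: Dict[str, str]) -> bool:
    """__L_FROM_YAHOO: From: address in one of the listed Yahoo domains."""
    addr = parseaddr(h.get("From", ""))[1]
    return any(p.search(addr) for p in FROM_YAHOO)

def l_unverified_yahoo(h: Dict[str, str], dkim_valid: bool, dkim_valid_au: bool) -> bool:
    """meta L_UNVERIFIED_YAHOO: !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML.
    dkim_valid / dkim_valid_au are SpamAssassin's DKIM results (assumed, passed in)."""
    return not dkim_valid and not dkim_valid_au and from_yahoo(h) and not via_ml(h)

# Constructed header sets modelled on the thread's case.
NEWSLETTER = {  # the mass mailer's message: Yahoo From:, no list headers, no DKIM
    "From": "Some Club <someclub@yahoo.com>",
    "Received": "from mta.contactbeacon.com (constructed) by mx.example (constructed)",
}
NEWSLETTER_WITH_SENDER = dict(NEWSLETTER, Sender="bounce@contactbeacon.com")
YAHOO_DIRECT = {"From": "someclub@yahoo.com"}  # signed by Yahoo: DKIM_VALID and _AU true

if __name__ == "__main__":
    print("newsletter        :", l_unverified_yahoo(NEWSLETTER, False, False))
    print("newsletter+Sender :", l_unverified_yahoo(NEWSLETTER_WITH_SENDER, False, False))
    print("yahoo, valid DKIM :", l_unverified_yahoo(YAHOO_DIRECT, True, True))
```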


Re: Forged yahoo and mass mailers

2014-06-09 Thread Alex
Hi,

On Mon, Jun 9, 2014 at 11:27 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

  On 6/8/2014 10:49 PM, Alex wrote:

  I have a few messages that have been incorrectly tagged because the
 sender used their yahoo address as the sender, but used a mass mailer
 (contactbeacon.com) to send their newsletter for them. Apparently this is
 enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it
 to be marked as spam.

 Is there something I'm missing, or is there a better way to do this to
 avoid the FPs in the future?

 People with Yahoo! accounts (and AOL) and any other senders that have a
 DMARC policy of reject/quarantine need to use either A) a mailing list
 sender that has modified their process for DMARC or B) not use those
 accounts.

 See
 http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html


Great information, thanks so much guys. It looks like it would be better to
reject the p=reject DKIM at SMTP time, no?

Thanks,
Alex


Re: Forged yahoo and mass mailers

2014-06-09 Thread Karsten Bräckelmann
On Mon, 2014-06-09 at 21:40 -0400, Alex wrote:
  For amusement, search google for UNVERIFIED_YAHOO (and insist you really
  mean it literally with the underscore rather than two words).

 This was a set of rules created by Mark back in 2011. Thanks for not
 flaming me.

Heh. ;)

Sorry, but I kind of expect some due diligence, in particular by long
time and experienced community members. Coming across blatantly obvious
cases of local rules being complained about to misfire might make me
snappy.

Think about it this way: In order to help you, my first step is to find
out details about those rules (grep stock cf files) and their respective
score (your sample). You provided an exemplary, flawless sample. Why did
you not have a look at the rules' sources?


  By making us chase your local rules in archives, all you'll get is
  fingers pointing at your own, local rule.
 
 I never intended to do that. I completely forgot this was a local
 rule. I've disabled it for now, pending any words of wisdom on
 improving it from those more knowledgeable than myself.

The rule itself was not that bad. Actually, as Kevin and Anthony pointed
out, Yahoo even expressly states in their DMARC records you should never
have genuinely received those messages, nor accepted them. Yahoo
classifies it forged.

It is the mass mailer's and its client's fault. (Back to the cheap
part. Doing mass mailings but don't own your own domain? Accepting and
actually using free-mailer address as sender? Even worse, failing to get
the note about Yahoo DMARC policy in that business?)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Forged yahoo and mass mailers

2014-06-09 Thread Alex
Hi,

  This was a set of rules created by Mark back in 2011. Thanks for not
  flaming me.

 Heh. ;)

 Sorry, but I kind of expect some due diligence, in particular by long
 time and experienced community members. Coming across blatantly obvious
 cases of local rules being complained about to misfire might make me
 snappy.

 Think about it this way: In order to help you, my first step is to find
 out details about those rules (grep stock cf files) and their respective
 score (your sample). You provided an exemplary, flawless sample. Why did
 you not have a look at the rules' sources?

It really was a temporary lapse. I'm now managing so much, and thought for
sure it was an SA rule since I didn't immediately recognize it. Also, my
local rules all begin with LOC_, or immediately recognizable KAM_ or AXB_.

 The rule itself was not that bad. Actually, as Kevin and Anthony pointed
 out, Yahoo even expressly states in their DMARC records you should never
 have genuinely received those messages, nor accepted them. Yahoo
 classifies it forged.

 It is the mass mailer's and its client's fault. (Back to the cheap
 part. Doing mass mailings but don't own your own domain? Accepting and
 actually using free-mailer address as sender? Even worse, failing to get
 the note about Yahoo DMARC policy in that business?)

Great points. I've found the rule's hit a very large amount of ham, even
some that's been whitelisted. Investigating a bit further, it appears to
hit quite a few messages that indeed pass through yahoo.com. I've included
one such example set of headers here:

http://pastebin.com/XiHpRbJb

However, it doesn't have the p=reject DKIM auth statement, so I don't yet
fully understand how it all works. It hit DKIM_SIGNED but not DKIM_VALID,
and in fact hit T_DKIM_INVALID.

Thanks,
Alex


Forged yahoo and mass mailers

2014-06-08 Thread Alex
Hi guys,

I have a few messages that have been incorrectly tagged because the sender
used their yahoo address as the sender, but used a mass mailer (
contactbeacon.com) to send their newsletter for them. Apparently this is
enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it
to be marked as spam.

Is there something I'm missing, or is there a better way to do this to
avoid the FPs in the future?

Here's a sample.
http://pastebin.com/hvGD9haK

Thanks,
Alex


Re: Forged yahoo and mass mailers

2014-06-08 Thread Karsten Bräckelmann
On Sun, 2014-06-08 at 22:49 -0400, Alex wrote:
 I have a few messages that have been incorrectly tagged because the
 sender used their yahoo address as the sender, but used a mass mailer
 (contactbeacon.com) to send their newsletter for them. Apparently this

Which is a particularly bad (to avoid the term cheap) way of sending
mass mailings.

 is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO,
 causing it to be marked as spam.

Scores of 1.63 and 2.5 respectively, according to your sample. With a
total score of 6.995, it is the latter one pushing it over the 5.0
threshold, not the first one.

Moreover, the responsible rule is NOT stock SA. The obvious L local
prefix should be a clear hint. You defined it as from yahoo, but not
DKIM valid.

For amusement, search google for UNVERIFIED_YAHOO (and insist you really
mean it literally with the underscore rather than two words).


Yahoo uses DKIM and this wasn't signed. Funnily enough, that's a quote
from a bug report back April 2007. Actually the OP closing its own
report as not a bug.


 Is there something I'm missing, or is there a better way to do this to
 avoid the FPs in the future?

If by doing this you mean writing a safer variant of your local rule,
you should have  (a) clearly stated it's a local rule, and  (b) pasted
the complete current version of that local rule.

By making us chase your local rules in archives, all you'll get is
fingers pointing at your own, local rule.

