Re: Forged yahoo and mass mailers
> I have a few messages that have been incorrectly tagged because the sender used their yahoo address as the sender, but used a mass mailer (contactbeacon.com) to send their newsletter for them. Apparently this is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam. Is there something I'm missing, or is there a better way to do this to avoid the FPs in the future?

The problem probably has something to do with Yahoo! (and AOL) publishing strict DMARC records. So anything From: a @yahoo.com (or @aol.com) address that isn't coming from a Yahoo! (or AOL) mail server is required to be blocked according to DMARC.

The mass mailer needs to change the From: address to be something @contactbeacon.com and use the Reply-to: for the email address they want replies to go to.

Certainly anything sent From: a @yahoo.com address but from a contactbeacon.com server will be rejected by mail systems that implement DMARC checking, such as Yahoo!, AOL, and more.

Anthony

--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11 1QR
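The alignment check Anthony is describing, worked through as an added example (not code from the thread or from SpamAssassin): the DMARC policy table, the organizational-domain shortcut and the two newsletter scenarios are constructed assumptions for illustration.

```python
"""Added example (not from the thread): DMARC identifier alignment for the case
Anthony describes. A Yahoo! From: address sent through a third-party bulk mailer
fails Yahoo!'s p=reject policy; a From: on the mailer's own domain passes.
The policy table is constructed for the example; no DNS lookups are made."""

# Constructed stand-in for the _dmarc.<domain> TXT records (p=, adkim=, aspf=).
DMARC_POLICIES = {
    "yahoo.com": {"p": "reject", "adkim": "r", "aspf": "r"},
    "contactbeacon.com": {"p": "none", "adkim": "r", "aspf": "r"},
}

def org_domain(domain):
    # Simplified organizational domain (last two labels). The real rule uses
    # the Public Suffix List; this shortcut is an assumption for the example.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts a match on the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, spf_result, envelope_from_domain, dkim_pass_domains):
    """from_domain: RFC5322.From domain; spf_result/envelope_from_domain: SPF
    outcome for the RFC5321.MailFrom; dkim_pass_domains: d= of VALID signatures.
    Returns (disposition, reason), disposition being 'none', 'quarantine' or
    'reject', i.e. what the From: domain owner asks receivers to do."""
    policy = DMARC_POLICIES.get(org_domain(from_domain))
    if policy is None:
        return "none", "no DMARC record for From: domain"
    spf_ok = spf_result == "pass" and aligned(
        from_domain, envelope_from_domain, policy["aspf"])
    dkim_ok = any(aligned(from_domain, d, policy["adkim"])
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "none", "DMARC pass"
    return policy["p"], "no aligned SPF or DKIM pass"

def newsletter_as_sent():
    """Thread scenario: From: user@yahoo.com, sent by contactbeacon.com's server,
    so SPF passes only for contactbeacon.com and the only valid DKIM signature
    (if there is one) is contactbeacon.com's; nothing aligns with yahoo.com."""
    return evaluate_dmarc("yahoo.com", "pass", "contactbeacon.com", ["contactbeacon.com"])

def newsletter_fixed():
    """Anthony's fix: From: on the mailer's own domain. Reply-To: is outside
    DMARC's scope, so it can still carry the Yahoo! address."""
    return evaluate_dmarc("contactbeacon.com", "pass", "contactbeacon.com", ["contactbeacon.com"])
```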
Re: Forged yahoo and mass mailers
On 6/8/2014 10:49 PM, Alex wrote:
> I have a few messages that have been incorrectly tagged because the sender used their yahoo address as the sender, but used a mass mailer (contactbeacon.com) to send their newsletter for them. Apparently this is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam. Is there something I'm missing, or is there a better way to do this to avoid the FPs in the future?

People with Yahoo! accounts (and AOL) and any other senders that have a DMARC policy of reject/quarantine need to use either A) a mailing list sender that has modified their process for DMARC or B) not use those accounts.

See http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

Regards,
KAM
Re: Forged yahoo and mass mailers
Hi,

>> is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam.
>
> Scores of 1.63 and 2.5 respectively, according to your sample. With a total score of 6.995, it is the latter one pushing it over the 5.0 threshold, not the first one.
>
> Moreover, the responsible rule is NOT stock SA. The obvious L local prefix should be a clear hint. You defined it as from yahoo, but not DKIM valid.
>
> For amusement, search google for UNVERIFIED_YAHOO (and insist you really mean it literally with the underscore rather than two words).
>
>   Yahoo uses DKIM and this wasn't signed.
>
> Funnily enough, that's a quote from a bug report back April 2007. Actually the OP closing its own report as not a bug.

This was a set of rules created by Mark back in 2011. Thanks for not flaming me.

>> Is there something I'm missing, or is there a better way to do this to avoid the FPs in the future?
>
> If by doing this you mean writing a safer variant of your local rule, you should have (a) clearly stated it's a local rule, and (b) pasted the complete current version of that local rule. By making us chase your local rules in archives, all you'll get is fingers pointing at your own, local rule.

I never intended to do that. I completely forgot this was a local rule. I've disabled it for now, pending any words of wisdom on improving it from those more knowledgeable than myself.
# Signs that the message came through a mailing list or bulk sender
header __L_ML1        Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2        exists:List-Id
header __L_ML3        exists:List-Post
header __L_ML4        exists:Mailing-List
header __L_HAS_SNDR   exists:Sender
meta   __L_VIA_ML     __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR

# From: address on one of Yahoo!'s domains
header __L_FROM_Y1    From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2    From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|mx|my|ph|sg)$}i
header __L_FROM_Y3    From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|th|uk)$}i
header __L_FROM_Y4    From:addr =~ m{\@yahoo\.(ca|cn|de|dk|es|fr|gr|ie|it|pl|ru|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4

header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i

# Free-mailer From: without a valid DKIM signature, and not via a list
meta     L_UNVERIFIED_YAHOO  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5

meta     L_UNVERIFIED_GMAIL  !DKIM_VALID && !DKIM_VALID_AU && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5

Thanks,
Alex
Re: Forged yahoo and mass mailers
Hi,

On Mon, Jun 9, 2014 at 11:27 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
> On 6/8/2014 10:49 PM, Alex wrote:
>> I have a few messages that have been incorrectly tagged because the sender used their yahoo address as the sender, but used a mass mailer (contactbeacon.com) to send their newsletter for them. Apparently this is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam. Is there something I'm missing, or is there a better way to do this to avoid the FPs in the future?
>
> People with Yahoo! accounts (and AOL) and any other senders that have a DMARC policy of reject/quarantine need to use either A) a mailing list sender that has modified their process for DMARC or B) not use those accounts.
>
> See http://www.pcworld.com/article/2141120/yahoo-email-antispoofing-policy-breaks-mailing-lists.html

Great information, thanks so much guys. It looks like it would be better to reject the p=reject DKIM at SMTP time, no?

Thanks,
Alex
Re: Forged yahoo and mass mailers
On Mon, 2014-06-09 at 21:40 -0400, Alex wrote:
>> For amusement, search google for UNVERIFIED_YAHOO (and insist you really mean it literally with the underscore rather than two words).
>
> This was a set of rules created by Mark back in 2011. Thanks for not flaming me.

Heh. ;)  Sorry, but I kind of expect some due diligence, in particular by long time and experienced community members. Coming across blatantly obvious cases of local rules being complained about to misfire might make me snappy.

Think about it this way: In order to help you, my first step is to find out details about those rules (grep stock cf files) and their respective score (your sample). You provided an exemplary, flawless sample. Why did you not have a look at the rules' sources?

>> By making us chase your local rules in archives, all you'll get is fingers pointing at your own, local rule.
>
> I never intended to do that. I completely forgot this was a local rule. I've disabled it for now, pending any words of wisdom on improving it from those more knowledgeable than myself.

The rule itself was not that bad. Actually, as Kevin and Anthony pointed out, Yahoo even expressly states in their DMARC records you should never have genuinely received those messages, nor accepted them. Yahoo classifies it forged. It is the mass mailer's and its client's fault.

(Back to the cheap part. Doing mass mailings but don't own your own domain? Accepting and actually using free-mailer address as sender? Even worse, failing to get the note about Yahoo DMARC policy in that business?)
Re: Forged yahoo and mass mailers
Hi,

>> This was a set of rules created by Mark back in 2011. Thanks for not flaming me.
>
> Heh. ;)  Sorry, but I kind of expect some due diligence, in particular by long time and experienced community members. Coming across blatantly obvious cases of local rules being complained about to misfire might make me snappy.
>
> Think about it this way: In order to help you, my first step is to find out details about those rules (grep stock cf files) and their respective score (your sample). You provided an exemplary, flawless sample. Why did you not have a look at the rules' sources?

It really was a temporary lapse. I'm now managing so much, and thought for sure it was an SA rule since I didn't immediately recognize it. Also, my local rules all begin with LOC_, or immediately recognizable KAM_ or AXB_.

> The rule itself was not that bad. Actually, as Kevin and Anthony pointed out, Yahoo even expressly states in their DMARC records you should never have genuinely received those messages, nor accepted them. Yahoo classifies it forged. It is the mass mailer's and its client's fault.
>
> (Back to the cheap part. Doing mass mailings but don't own your own domain? Accepting and actually using free-mailer address as sender? Even worse, failing to get the note about Yahoo DMARC policy in that business?)

Great points. I've found the rule's hit a very large amount of ham, even some that's been whitelisted. Investigating a bit further, it appears to hit quite a few messages that indeed pass through yahoo.com. I've included one such example set of headers here:

http://pastebin.com/XiHpRbJb

However, it doesn't have the p=reject DKIM auth statement, so I don't yet fully understand how it all works. It hit DKIM_SIGNED but not DKIM_VALID, and in fact hit T_DKIM_INVALID.

Thanks,
Alex
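Why a message can be DKIM_SIGNED yet not DKIM_VALID, as an added illustration (not code from the thread, and not a diagnosis of the pastebin sample, which is not on this page): the bh= tag of a DKIM-Signature covers the canonicalized body, so a body altered after signing fails verification. The bodies and the footer below are constructed for the example.

```python
"""Added example (not from the thread, and not a diagnosis of Alex's pastebin
sample): one common way a message hits DKIM_SIGNED but not DKIM_VALID. The
bh= tag is a hash of the canonicalized body, so any change to the body after
signing (a list footer, for instance) fails verification independently of
the RSA signature itself. Bodies below are constructed; no key is needed."""
import base64
import hashlib

def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: trailing empty lines removed,
    exactly one CRLF at the end (an empty body becomes a single CRLF). Line
    endings are normalized to CRLF here for convenience."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def body_hash(body):
    """The value a signer records in the bh= tag (base64 of SHA-256)."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def body_hash_matches(signed_bh, body):
    """First step of DKIM verification: does the body as received still hash
    to the bh= value carried in the signature? False means DKIM_INVALID."""
    return body_hash(body) == signed_bh

# Constructed newsletter body as it left the signing host, and the bh= the
# signer would have recorded for it.
ORIGINAL_BODY = "Hello,\r\n\r\nThis month's newsletter.\r\n\r\n"
SIGNED_BH = body_hash(ORIGINAL_BODY)
# The same body after an intermediary appended a footer.
MODIFIED_BODY = ORIGINAL_BODY + "-- \r\nSent via an example list\r\n"

def demo():
    """Which received bodies still verify against the original bh=."""
    return {
        "untouched": body_hash_matches(SIGNED_BH, ORIGINAL_BODY),
        "footer_added": body_hash_matches(SIGNED_BH, MODIFIED_BODY),
        # Only trailing blank lines changed: canonicalization absorbs that.
        "trailing_blank_lines": body_hash_matches(SIGNED_BH, ORIGINAL_BODY + "\r\n\r\n"),
    }
```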
Forged yahoo and mass mailers
Hi guys,

I have a few messages that have been incorrectly tagged because the sender used their yahoo address as the sender, but used a mass mailer (contactbeacon.com) to send their newsletter for them. Apparently this is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam. Is there something I'm missing, or is there a better way to do this to avoid the FPs in the future?

Here's a sample.

http://pastebin.com/hvGD9haK

Thanks,
Alex
Re: Forged yahoo and mass mailers
On Sun, 2014-06-08 at 22:49 -0400, Alex wrote:
> I have a few messages that have been incorrectly tagged because the sender used their yahoo address as the sender, but used a mass mailer (contactbeacon.com) to send their newsletter for them. Apparently this

Which is a particularly bad (to avoid the term cheap) way of sending mass mailings.

> is enough for it to hit FORGED_YAHOO_RCVD and L_UNVERIFIED_YAHOO, causing it to be marked as spam.

Scores of 1.63 and 2.5 respectively, according to your sample. With a total score of 6.995, it is the latter one pushing it over the 5.0 threshold, not the first one.

Moreover, the responsible rule is NOT stock SA. The obvious L local prefix should be a clear hint. You defined it as from yahoo, but not DKIM valid.

For amusement, search google for UNVERIFIED_YAHOO (and insist you really mean it literally with the underscore rather than two words).

  Yahoo uses DKIM and this wasn't signed.

Funnily enough, that's a quote from a bug report back April 2007. Actually the OP closing its own report as not a bug.

> Is there something I'm missing, or is there a better way to do this to avoid the FPs in the future?

If by doing this you mean writing a safer variant of your local rule, you should have (a) clearly stated it's a local rule, and (b) pasted the complete current version of that local rule. By making us chase your local rules in archives, all you'll get is fingers pointing at your own, local rule.