Re: R: R: R: A plugin to legitimate email when SPF and DKIM missing
On 09.08.16 15:43, Nicola Piazzi wrote:
> WHITELIST_FROM_RCVD requires to know mailserver name
> Take this example :
> whitelist_from_rcvd *@axkit.org sergeant.org
> We want to accept all domain axkit.org and we are sure that is not spoofing when it comes from names that end with domain sergeant.org
> But if I have only email address I can't write a line like this, I don't know mailserver domain

yes, that's what whitelist_from_dkim, whitelist_from_spf and whitelist_auth and their lightened def_ variants do.

you don't need to know mail servers' name, just the domain.

however: people do spam from gmail and through gmail servers. Also many others. one needs to be very careful about whitelist (even def_whitelist)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)

R: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing
I usually don't use whitelisting so much
I wrote a couple of scripts that can be put in cron
They read my sql log, extract message id and create whitelist rules based on reply on your sender id
They match 55% of incoming clean mail at now for me

Download and read more here
https://forum.efa-project.org/viewtopic.php?f=14&t=1769

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel. +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it

-----Original Message-----
From: li...@rhsoft.net [mailto:li...@rhsoft.net]
Sent: Wednesday, 10 August 2016 12:14
To: users@spamassassin.apache.org
Subject: Re: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing

On 10.08.2016 at 12:00, Nicola Piazzi wrote:
>
> I wrote this simple plugin, mxpf
> This plugin searches B class of sender IP address and tries to match B class of any IP of MX records of declared domain
> So when it matches it is very difficult that sender is a spoofed domain, you can use MXPF_PASS to combine with other rules in addition to SPF_PASS
>
> 1) Unpack mxpf.cf and mxpf.pm under /etc/mail/spamassassin dir
> 2) put your score in mxpf.cf
>
> Download here :
>
> https://forum.efa-project.org/viewtopic.php?f=14&t=1777

that looks really good

one piece missing - something like "whitelist_mx" working the same way as "whitelist_auth" to combine it with shortcircuit to complement whitelist by spf with that for senders you trust but don't have SPF/DKIM for whitelist_auth

whitelist_mx sen...@domain.tld
whitelist_mx *@domain.tld

Re: [SOLVED] R: A plugin to legitimate email when SPF and DKIM missing
On 10.08.2016 at 12:00, Nicola Piazzi wrote:
> I wrote this simple plugin, mxpf
> This plugin searches B class of sender IP address and tries to match B class of any IP of MX records of declared domain
> So when it matches it is very difficult that sender is a spoofed domain, you can use MXPF_PASS to combine with other rules in addition to SPF_PASS
>
> 1) Unpack mxpf.cf and mxpf.pm under /etc/mail/spamassassin dir
> 2) put your score in mxpf.cf
>
> Download here :
> https://forum.efa-project.org/viewtopic.php?f=14&t=1777

that looks really good

one piece missing - something like "whitelist_mx" working the same way as "whitelist_auth" to combine it with shortcircuit to complement whitelist by spf with that for senders you trust but don't have SPF/DKIM for whitelist_auth

whitelist_mx sen...@domain.tld
whitelist_mx *@domain.tld

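The prefix comparison described for mxpf, as an added Python sketch that is not the plugin's code and not part of the original posts: it reports the narrowest prefix (/32, /24 or /16) at which the sending IP and an MX address coincide, so a rule can weight a wide "class B" hit less than an exact one. `match_level` and its arguments are hypothetical names, and the MX addresses are assumed to have been resolved already.

```python
import ipaddress

# Prefix lengths tried from narrowest to widest:
# exact host, "class C" (256 addresses), "class B" (65,536 addresses).
PREFIXES = (32, 24, 16)


def match_level(sender_ip, mx_ips, prefixes=PREFIXES):
    """Return the longest prefix length at which sender_ip shares a network
    with any MX address, or None when nothing matches (IPv4 only)."""
    try:
        sender = ipaddress.ip_address(sender_ip)
    except ValueError:
        return None  # unparsable relay address: never treat it as a pass
    if sender.version != 4:
        return None  # the classful /24 and /16 idea only applies to IPv4

    mx_addrs = []
    for raw in mx_ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # skip garbage in the resolved list
        if addr.version == 4:
            mx_addrs.append(addr)

    for plen in sorted(prefixes, reverse=True):
        # strict=False lets us build the network from a host address.
        net = ipaddress.ip_network(f"{sender}/{plen}", strict=False)
        if any(addr in net for addr in mx_addrs):
            return plen
    return None


if __name__ == "__main__":
    # Constructed inputs; the first pair is the example given in the thread.
    cases = [
        ("199.56.23.5", ["199.56.23.9"]),    # same /24
        ("199.56.23.5", ["199.56.200.1"]),   # only the /16 agrees
        ("199.56.23.5", ["198.51.100.7"]),   # unrelated network
    ]
    for sender, mx in cases:
        print(sender, mx, "->", match_level(sender, mx))
```

A /16 hit only says the relay sits somewhere in the same 65,536-address block as an MX host, so it is better used as one input to a meta rule than as a whitelist on its own.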
[SOLVED] R: A plugin to legitimate email when SPF and DKIM missing
I wrote this simple plugin, mxpf
This plugin searches B class of sender IP address and tries to match B class of any IP of MX records of declared domain
So when it matches it is very difficult that sender is a spoofed domain, you can use MXPF_PASS to combine with other rules in addition to SPF_PASS

1) Unpack mxpf.cf and mxpf.pm under /etc/mail/spamassassin dir
2) put your score in mxpf.cf

Download here :
https://forum.efa-project.org/viewtopic.php?f=14&t=1777

Nicola Piazzi

-----Original Message-----
From: John Hardin [mailto:jhar...@impsec.org]
Sent: Tuesday, 9 August 2016 23:04
To: users@spamassassin.apache.org
Subject: Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 9 Aug 2016, li...@rhsoft.net wrote:

> On 09.08.2016 at 18:08, Kevin Golding wrote:
>> Based on what you're trying to do:
>>
>> man dig
>
> don't help, see below
>
>> or depending on your resolver possibly:
>>
>> man drill
>
> don't help, see below
>
>> Whilst I agree it is slightly more effort to set-up whitelisting by looking up the details first it would still be far more resource efficient on your servers
>
> that don't catch the problem if the MX changes that you need to permanently watch your "whitelist_from_rcvd" and maintain them

So script it. Write a script that reads a list of domain names, does digs to get those domains' MX hosts, and writes whitelist_from_rcvd rules for them to a local config file. Run that every night as part of your scheduled sa-update script.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*. -- Charles Murray
---
6 days until the 71st anniversary of the end of World War II

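One way to write the nightly script suggested above, as an added Python example that is not code from the thread: it turns `dig +short MX` answers into `whitelist_from_rcvd` lines and validates every hostname first, because DNS answers are untrusted input being written into a config file. The function names and sample data are constructed, and it assumes each sending relay's rDNS ends with one of the domain's MX hostnames.

```python
import re
import subprocess

# Constructed sample answers in `dig +short MX <domain>` format.
SAMPLE_MX = {
    "axkit.org": ["10 mail.sergeant.org.", "20 backup.sergeant.org."],
    "example.net": ["0 ."],  # null MX: domain accepts no mail
}

# Conservative hostname check so nothing from DNS can smuggle extra
# tokens or directives into the generated SpamAssassin config.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_mx_answer(lines):
    """Parse '<preference> <host>.' lines; return sorted, unique, valid hosts."""
    hosts = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # not a well-formed MX answer line
        host = parts[1].rstrip(".").lower()
        if _HOST_RE.match(host):
            hosts.add(host)
    return sorted(hosts)


def build_rules(domains, lookup):
    """Return whitelist_from_rcvd lines for each valid domain in `domains`.
    `lookup(domain)` must return the raw MX answer lines for that domain."""
    rules = []
    for domain in domains:
        domain = domain.strip().lower()
        if not domain or domain.startswith("#") or not _HOST_RE.match(domain):
            continue  # blank line, comment, or malformed entry
        for host in parse_mx_answer(lookup(domain)):
            rules.append(f"whitelist_from_rcvd *@{domain} {host}")
    return rules


def dig_mx(domain):
    """Live lookup for production use; requires the `dig` binary."""
    out = subprocess.run(
        ["dig", "+short", "MX", domain],
        capture_output=True, text=True, timeout=10, check=False,
    )
    return out.stdout.splitlines()


if __name__ == "__main__":
    # Offline demo on the constructed data; pass dig_mx instead for real DNS.
    for rule in build_rules(["axkit.org", "example.net"],
                            lambda d: SAMPLE_MX.get(d, [])):
        print(rule)
```

Keep the input list to specific domains you already trust; the rules follow whatever the MX records say on the night the script runs.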
Re: R: R: R: A plugin to legitimate email when SPF and DKIM missing
On Tue, 09 Aug 2016 16:43:50 +0100, Nicola Piazzi wrote:

> WHITELIST_FROM_RCVD requires to know mailserver name
> Take this example :
> whitelist_from_rcvd *@axkit.org sergeant.org
> We want to accept all domain axkit.org and we are sure that is not spoofing when it comes from names that end with domain sergeant.org
> But if I have only email address I can't write a line like this, I don't know mailserver domain

Based on what you're trying to do:

man dig

or depending on your resolver possibly:

man drill

Whilst I agree it is slightly more effort to set-up whitelisting by looking up the details first it would still be far more resource efficient on your servers.

Personally I tend to just read the headers of a received mail since that tends to give a very big clue as to what the pattern will be. If they can't send a single message through without whitelisting there are probably bigger worries than the easiest way to maintain such records. Again, it is admittedly slightly more effort to set-up but it still reduces the overhead of a DNS query to check the MX every time and allows senders to utilise different inbound and outbound servers (also mails through websites and third party companies).

However to the best of my knowledge the short answer to your original question is: "No, there's nothing (publicly) available to do what you want to do. You'll need to code it yourself or use some of the alternatives that have been suggested". I think most of us wouldn't use such a plugin since it is so easy to optimise that process by doing a single DNS query at set-up rather than checking the MX of every incoming email.

R: R: R: A plugin to legitimate email when SPF and DKIM missing
WHITELIST_FROM_RCVD requires to know mailserver name
Take this example :
whitelist_from_rcvd *@axkit.org sergeant.org
We want to accept all domain axkit.org and we are sure that is not spoofing when it comes from names that end with domain sergeant.org
But if I have only email address I can't write a line like this, I don't know mailserver domain

Nicola Piazzi

-----Original Message-----
From: RW [mailto:rwmailli...@googlemail.com]
Sent: Tuesday, 9 August 2016 17:39
To: users@spamassassin.apache.org
Subject: Re: R: R: A plugin to legitimate email when SPF and DKIM missing

On Tue, 9 Aug 2016 15:19:08 +
Nicola Piazzi top-posted:

> I don't know if you want to find a solution or if you want to say why I am searching one. Reason is this :
> I have SPF_PASS, a variable that tell me that who send is proprietary of that domain
> I KNOW PERFECTLY THAT SOMEONE CAN TELL SPAM WITH A PURCHASED REGULAR NON SPOOFED DOMAIN
> But I can combine SPF_PASS with a list of email address, for example, but not all put SPF in dns, so with MX I have another chance

I'm confused now because "combine SPF_PASS with a list of email address" sounds like whitelisting, which is something you implied you didn't want to do when whitelist_from_rcvd was mentioned.

Re: R: R: A plugin to legitimate email when SPF and DKIM missing
On Tue, 9 Aug 2016 15:19:08 +
Nicola Piazzi top-posted:

> I don't know if you want to find a solution or if you want to say why I am searching one. Reason is this :
> I have SPF_PASS, a variable that tell me that who send is proprietary of that domain
> I KNOW PERFECTLY THAT SOMEONE CAN TELL SPAM WITH A PURCHASED REGULAR NON SPOOFED DOMAIN
> But I can combine SPF_PASS with a list of email address, for example, but not all put SPF in dns, so with MX I have another chance

I'm confused now because "combine SPF_PASS with a list of email address" sounds like whitelisting, which is something you implied you didn't want to do when whitelist_from_rcvd was mentioned.

R: R: A plugin to legitimate email when SPF and DKIM missing
I don't know if you want to find a solution or if you want to say why I am searching one. Reason is this :
I have SPF_PASS, a variable that tell me that who send is proprietary of that domain
I KNOW PERFECTLY THAT SOMEONE CAN TELL SPAM WITH A PURCHASED REGULAR NON SPOOFED DOMAIN
But I can combine SPF_PASS with a list of email address, for example, but not all put SPF in dns, so with MX I have another chance

Nicola Piazzi

-----Original Message-----
From: Merijn van den Kroonenberg [mailto:mer...@web2all.nl]
Sent: Tuesday, 9 August 2016 16:41
To: users@spamassassin.apache.org
Subject: Re: R: A plugin to legitimate email when SPF and DKIM missing

> On Tue, 9 Aug 2016 08:45:54 +
> Nicola Piazzi wrote:
>
>> whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain
>>
>> I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record
>>
>> This can be intended like an SPF_PASS when people doesn't set spf at all.
>
> I think the reason that he mentioned whitelist_from_rcvd is that the absence of SPF or DKIM doesn't score anything in any of the default scoresets.
>

In fact SPF or DKIM does not tell us anything about spammy (or hammy) ness. Spammers use spf and dkim too. The usefulness of DKIM and SPF is in combination with *specific* domains.

So your mx check would also be only useful in combination with *specific* domains. And when you are doing specific domains then you could just do whitelist_from_rcvd.

So I am not sure what your intention is with this MX check. Would you score senders who fail it? Or would you blindly reward (whitelist) servers who match the MX subnet?

Re: R: A plugin to legitimate email when SPF and DKIM missing
> On Tue, 9 Aug 2016 08:45:54 +
> Nicola Piazzi wrote:
>
>> whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain
>>
>> I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record
>>
>> This can be intended like an SPF_PASS when people doesn't set spf at all.
>
> I think the reason that he mentioned whitelist_from_rcvd is that the absence of SPF or DKIM doesn't score anything in any of the default scoresets.
>

In fact SPF or DKIM does not tell us anything about spammy (or hammy) ness. Spammers use spf and dkim too. The usefulness of DKIM and SPF is in combination with *specific* domains.

So your mx check would also be only useful in combination with *specific* domains. And when you are doing specific domains then you could just do whitelist_from_rcvd.

So I am not sure what your intention is with this MX check. Would you score senders who fail it? Or would you blindly reward (whitelist) servers who match the MX subnet?

Re: R: A plugin to legitimate email when SPF and DKIM missing
On Tue, 9 Aug 2016 08:45:54 +
Nicola Piazzi wrote:

> whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain
>
> I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record
>
> This can be intended like an SPF_PASS when people doesn't set spf at all.

I think the reason that he mentioned whitelist_from_rcvd is that the absence of SPF or DKIM doesn't score anything in any of the default scoresets.

Re: R: R: A plugin to legitimate email when SPF and DKIM missing
Please keep list mail on the list.
Direct replies unless stated as OFFLIST are not welcome.

On 08/09/2016 10:51 AM, Nicola Piazzi wrote:
> Hi, I don't want to specify some names
> I need a rule that tell me if an email was sent using the same ip of the domain mx record
> So I am sure that the email come from a server owned by the proprietary of the domain like spf check do
>
> Nicola Piazzi
>
> -----Original Message-----
> From: Axb [mailto:axb.li...@gmail.com]
> Sent: Tuesday, 9 August 2016 10:48
> To: users@spamassassin.apache.org
> Subject: Re: R: A plugin to legitimate email when SPF and DKIM missing
>
> FTR: you can also do
>
> whitelist_from_rcvd *@* gruppocomet.it
> or
> whitelist_from_rcvd *@*.it gruppocomet.it
>
> or variations of...
>
> On 08/09/2016 10:45 AM, Nicola Piazzi wrote:
>> whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain
>>
>> I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record
>>
>> This can be intended like an SPF_PASS when people doesn't set spf at all.
>>
>> Nicola Piazzi
>>
>> -----Original Message-----
>> From: Kevin Golding [mailto:k...@caomhin.org]
>> Sent: Tuesday, 9 August 2016 10:28
>> To: users@spamassassin.apache.org
>> Subject: Re: A plugin to legitimate email when SPF and DKIM missing
>>
>> On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote:
>>
>>> Hi
>>> A lot of time we receive mail that are SPF NONE and have no DKIM
>>> It will be useful a little plugin that be able to give another chance to legitimate these emails
>>> A lot of servers use the same machine to send and receive emails,
>>> Plugin must read sender domain and search if the IP used to send to us is one of the MX record list for domain
>>> This is not intended to exclude other cases, but intended to have a chance to recognize that is not a spoofed email only
>>> We can think to use not the ip but the C class to get much more hits
>>> For example someone sent from 199.56.23.5 and have mx record 199.56.23.9 can be legitimate because both come from 199.56.23
>>>
>>> Have someone something like this ?
>>
>> Not quite, but assuming you're looking at using it for whitelisting purposes you can use:
>>
>> whitelist_from_rcvd *@gruppocommet.it gruppocommet.it
>>
>> That says that any mail sent with a @gruppocommet.it address that is received from a host with an rDNS matching gruppocommet.it will be whitelisted. It's rather effective and efficient.
>>
>> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options may tell you more.

Re: R: A plugin to legitimate email when SPF and DKIM missing
FTR: you can also do

whitelist_from_rcvd *@* gruppocomet.it
or
whitelist_from_rcvd *@*.it gruppocomet.it

or variations of...

On 08/09/2016 10:45 AM, Nicola Piazzi wrote:
> whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain
>
> I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record
>
> This can be intended like an SPF_PASS when people doesn't set spf at all.
>
> Nicola Piazzi
>
> -----Original Message-----
> From: Kevin Golding [mailto:k...@caomhin.org]
> Sent: Tuesday, 9 August 2016 10:28
> To: users@spamassassin.apache.org
> Subject: Re: A plugin to legitimate email when SPF and DKIM missing
>
> On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote:
>
>> Hi
>> A lot of time we receive mail that are SPF NONE and have no DKIM
>> It will be useful a little plugin that be able to give another chance to legitimate these emails
>> A lot of servers use the same machine to send and receive emails,
>> Plugin must read sender domain and search if the IP used to send to us is one of the MX record list for domain
>> This is not intended to exclude other cases, but intended to have a chance to recognize that is not a spoofed email only
>> We can think to use not the ip but the C class to get much more hits
>> For example someone sent from 199.56.23.5 and have mx record 199.56.23.9 can be legitimate because both come from 199.56.23
>>
>> Have someone something like this ?
>
> Not quite, but assuming you're looking at using it for whitelisting purposes you can use:
>
> whitelist_from_rcvd *@gruppocommet.it gruppocommet.it
>
> That says that any mail sent with a @gruppocommet.it address that is received from a host with an rDNS matching gruppocommet.it will be whitelisted. It's rather effective and efficient.
>
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options may tell you more.

R: A plugin to legitimate email when SPF and DKIM missing
whitelist_from_rcvd is intended to legitimate a single domain, specifying domain by domain

I need something that tell me that check all incoming email and say if the originating ip (or class c) is the same of mx record

This can be intended like an SPF_PASS when people doesn't set spf at all.

Nicola Piazzi

-----Original Message-----
From: Kevin Golding [mailto:k...@caomhin.org]
Sent: Tuesday, 9 August 2016 10:28
To: users@spamassassin.apache.org
Subject: Re: A plugin to legitimate email when SPF and DKIM missing

On Tue, 09 Aug 2016 09:10:06 +0100, Nicola Piazzi wrote:

> Hi
> A lot of time we receive mail that are SPF NONE and have no DKIM
> It will be useful a little plugin that be able to give another chance to legitimate these emails
> A lot of servers use the same machine to send and receive emails,
> Plugin must read sender domain and search if the IP used to send to us is one of the MX record list for domain
> This is not intended to exclude other cases, but intended to have a chance to recognize that is not a spoofed email only
> We can think to use not the ip but the C class to get much more hits
> For example someone sent from 199.56.23.5 and have mx record 199.56.23.9 can be legitimate because both come from 199.56.23
>
> Have someone something like this ?

Not quite, but assuming you're looking at using it for whitelisting purposes you can use:

whitelist_from_rcvd *@gruppocommet.it gruppocommet.it

That says that any mail sent with a @gruppocommet.it address that is received from a host with an rDNS matching gruppocommet.it will be whitelisted. It's rather effective and efficient.

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options may tell you more.