Re: Looking for a good Ebay whitelist

2006-08-09 Thread Logan Shaw

On Tue, 8 Aug 2006, jdow wrote:

From: "Logan Shaw" <[EMAIL PROTECTED]>

On Tue, 8 Aug 2006, jdow wrote:

From: "Logan Shaw" <[EMAIL PROTECTED]>

On Tue, 8 Aug 2006,  wrote:


I have been having FPs from Ebay in AU and DE, as well as 
[EMAIL PROTECTED]


Does anybody have a good whitelist for these?



So it seems like SPF is probably something good to rely on
in this case.



SMOMR - Simple Matter Of Meta Rules. If SPF is bad and says it is
from ebay add spam points.



I thought in this case the problem was false positives.
Presumably forged ebay mails are such a nuisance that all
kinds of rules (bayes?) hit, causing real ebay rules to get
flagged every now and then.



If SPF is good and says from ebay subtract some points in a
meta rule. That gets you going while any whitelist that uses
spf gets built.


But isn't that exactly what "spf_whitelist_from [EMAIL PROTECTED]"
does?


From what I can tell by looking at the source (specifically
the _check_spf_whitelist() sub), the spf_whitelist_from rule
matches if both (a) the from address matches the given pattern
("[EMAIL PROTECTED]" in this case), and (b) the message passes SPF
checks.  If the spf_whitelist_from rule does match, you will
get a

score USER_IN_SPF_WHITELIST -100.000

So, why create a meta-rule when there is a rule that already
does just what you're describing?

  - Logan


Re: Looking for a good Ebay whitelist

2006-08-08 Thread Daryl C. W. O'Shea

jdow wrote:


If SPF is good and says from ebay subtract some points in a
meta rule. That gets you going while any whitelist that uses
spf gets built.

(Either that or "do it yourself." {^_-})


You might as well "do it yourself", since a single "whitelist_from_spf" 
seems a lot simpler (and faster in every way) than creating header rules 
against the EnvelopeFrom pseudo header (not From since it could say eBay 
while the envelope says something else that passes an SPF check) and 
then writing metas against those and SPF_PASS (not neutral or anything 
else!).



Daryl


Re: Looking for a good Ebay whitelist

2006-08-08 Thread jdow

From: "Logan Shaw" <[EMAIL PROTECTED]>


On Tue, 8 Aug 2006, jdow wrote:

From: "Logan Shaw" <[EMAIL PROTECTED]>

On Tue, 8 Aug 2006,  wrote:


I have been having FPs from Ebay in AU and DE, as well as 
[EMAIL PROTECTED]


Does anybody have a good whitelist for these?



So it seems like SPF is probably something good to rely on
in this case.  I don't fully understand the SPF plug-in,
but perhaps all you need to do is add the appropriate ebay
domains to new def_whitelist_from_spf rules like the ones
in 60_whitelist_spf.cf.



SMOMR - Simple Matter Of Meta Rules. If SPF is bad and says it is
from ebay add spam points.


I thought in this case the problem was false positives.
Presumably forged ebay mails are such a nuisance that all
kinds of rules (bayes?) hit, causing real ebay rules to get
flagged every now and then.


If SPF is good and says from ebay subtract some points in a
meta rule. That gets you going while any whitelist that uses
spf gets built.

(Either that or "do it yourself." {^_-})

{^_^}


Re: Looking for a good Ebay whitelist

2006-08-08 Thread Logan Shaw

On Tue, 8 Aug 2006, jdow wrote:

From: "Logan Shaw" <[EMAIL PROTECTED]>

On Tue, 8 Aug 2006,  wrote:


I have been having FPs from Ebay in AU and DE, as well as 
[EMAIL PROTECTED]


Does anybody have a good whitelist for these?



So it seems like SPF is probably something good to rely on
in this case.  I don't fully understand the SPF plug-in,
but perhaps all you need to do is add the appropriate ebay
domains to new def_whitelist_from_spf rules like the ones
in 60_whitelist_spf.cf.



SMOMR - Simple Matter Of Meta Rules. If SPF is bad and says it is
from ebay add spam points.


I thought in this case the problem was false positives.
Presumably forged ebay mails are such a nuisance that all
kinds of rules (bayes?) hit, causing real ebay rules to get
flagged every now and then.

But since all the info about which servers to whitelist is
right there in the SPF records that eBay supplies, and since
we know that eBay itself doesn't send spam, it seems like
some whitelist_from_spf rules (which, as I understand it,
whitelist an address or address pattern, but conditionally on
it passing SPF checks) should be all that's necessary.

Something like this:

whitelist_from_spf [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED] [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]

Note that [EMAIL PROTECTED] is a judgement call since on the one hand
it's already in 60_whitelist_spf.cf and on the other hand,
it has a def_whitelist_from_spf rule, which gets a lower score
than whitelist_from_spf.

  - Logan


Re: Looking for a good Ebay whitelist

2006-08-08 Thread jdow

From: "Logan Shaw" <[EMAIL PROTECTED]>


On Tue, 8 Aug 2006,  wrote:

I have been having FPs from Ebay in AU and DE, as well as [EMAIL PROTECTED]

Does anybody have a good whitelist for these?


Because so many people try to forge messages from eBay but what
comes from their own servers is almost definitely not spam,
eBay seems like an ideal example of an organization that could
benefit from SPF.  And sure enough:

$ host -t TXT ebay.com
ebay.com descriptive text "spf2.0/pra mx include:s._sid.ebay.com 
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"
ebay.com descriptive text "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com 
include:p._spf.ebay.com include:c._spf.ebay.com ~all"


$ host -t TXT ebay.com.au
ebay.com.au descriptive text "spf2.0/pra mx include:s._sid.ebay.com 
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"
ebay.com.au descriptive text "v=spf1 mx include:s._spf.ebay.com 
include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all"


$ host -t TXT ebay.de
ebay.de descriptive text "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com 
include:p._spf.ebay.com include:c._spf.ebay.com ~all"
ebay.de descriptive text "spf2.0/pra mx include:s._sid.ebay.com 
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"


So it seems like SPF is probably something good to rely on
in this case.  I don't fully understand the SPF plug-in,
but perhaps all you need to do is add the appropriate ebay
domains to new def_whitelist_from_spf rules like the ones
in 60_whitelist_spf.cf.

This page:

http://pages.ebay.com/help/confidence/isgw-account-theft-spoof.html

has a list of eBay's US and international web sites, so presumably
the list of valid e-mail domains ([EMAIL PROTECTED], [EMAIL PROTECTED], etc.)
can be easily and correctly derived from that list.


SMOMR - Simple Matter Of Meta Rules. If SPF is bad and says it is
from ebay add spam points.

{^_^} 



Re: Looking for a good Ebay whitelist

2006-08-08 Thread Loren Wilton
SARE maintains a whitelist.  I don't know if those particular sites are on 
it or not.  If you can provide the appropriate info for a 
whitelist_from_recvd line they could probably be added.


   Loren



Re: Looking for a good Ebay whitelist

2006-08-08 Thread SM

At 09:52 08-08-2006, Mark Martinec wrote:

Seems like ebay is signing messages with DomainKeys, I'm getting
DK_VERIFIED in my log for mail from [EMAIL PROTECTED] and
[EMAIL PROTECTED] and similar.


Ebay.com and a few other high profile domains have been signing their 
mail with DK.  Note that they still have the testing flag set.


Regards,
-sm 



Re: Looking for a good Ebay whitelist

2006-08-08 Thread Jim Knuth
Today (08.08.2006/18:52), Mark Martinec wrote:

>> On Tue, 8 Aug 2006, Rob McEwen wrote:
>> > The following are what I have deemed as frequently used official e-bay
>> > smtp servers. This list might be used for whitelisting or/and negative
>> > scoring:

> Seems like ebay is signing messages with DomainKeys

>   Mark


yes, really.

--snip
DomainKey-Signature: a=rsa-sha1; s=dk; d=ebay.de; c=nofws; q=dns;
h=message-id:from:to:subject:mime-version:content-type:
content-transfer-encoding:x-ebay-mailtracker;
b=XVo26T4Vu0KfRwpbRa928JXSTP1INRdhJfnZm+zZjO/+eF0EsA1ep22j79xsDvxno
r4rw2VzlTxgQppQrOC19TFr3M3MY/3iRmO7UnyQtj0oImISsFBxNrfv9WgzNlENPBHs
HeQ+u8oAp31/6PbDsaH6Ne4ABnAbr+7TFaOnW5A=
--snap


-- 
Best regards, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
Help! My editor is lixing up the metters.
--
The text has nothing to do with the recipient of the mail



Re: Looking for a good Ebay whitelist

2006-08-08 Thread Mark Martinec
> On Tue, 8 Aug 2006, Rob McEwen wrote:
> > The following are what I have deemed as frequently used official e-bay
> > smtp servers. This list might be used for whitelisting or/and negative
> > scoring:

Seems like ebay is signing messages with DomainKeys, I'm getting
DK_VERIFIED in my log for mail from [EMAIL PROTECTED] and 
[EMAIL PROTECTED] and similar.

The Mail::SpamAssassin::Plugin::DKIM offers whitelist_from_dkim,
it should not be difficult to port it to 
Mail::SpamAssassin::Plugin::DomainKeys, making a whitelist_from_dk.
Anyone?

Btw, the following patch is needed for Mail::DomainKeys 0.82
(the author has been notified):

---
--- DomainKeys/Signature.pm~Wed Jun 21 06:25:26 2006
+++ DomainKeys/Signature.pm Thu Aug  3 20:01:52 2006
@@ -46,5 +46,5 @@
/^d=([A-Za-z0-9\-\.]+)$/ and
$self->{'DOMN'} = lc $1;
-   /^h=(\S+)$/ and
+   /^h=(.*)$/s and
$self->{'HDRS'} = lc $1;
/^q=(dns)$/i and
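Review bot: the new capture `/^h=(.*)$/s` keeps whatever whitespace surrounds the header list, so a folded h= value leaves leading or trailing whitespace (including a final newline, since `.` now matches it) in `$self->{'HDRS'}`. Trim the value before the `lc $1` assignment, for example by capturing with `/^h=\s*(.*?)\s*$/s`, so that later users of HDRS see only the header names and their separators.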
@@ -269,5 +269,5 @@
 
if (wantarray and $self->{'HDRS'}) {
-   my @list = split /:/, $self->{'HDRS'};
+   my @list = split /[ \t]*:[ \t]*/, $self->{'HDRS'};
return @list;
}
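Review bot: the separator in `split /[ \t]*:[ \t]*/` absorbs only spaces and tabs, while the `/s` capture in the first hunk now lets CR and LF into HDRS, so a list folded after a colon yields names that begin with a line break. Splitting on `\s*:\s*` would cover folding as well; the first and last elements also keep any outer whitespace, because split only cleans around the colons.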
---

  Mark


RE: Looking for a good Ebay whitelist

2006-08-08 Thread Logan Shaw

On Tue, 8 Aug 2006, Rob McEwen wrote:

The following are what I have deemed as frequently used official e-bay smtp
servers. This list might be used for whitelisting or/and negative scoring:


But I make no guarantees about this list. Please correct me if there are any
errors or omissions. Use at your own risk.


By looking up their SPF records, you get a much larger list:

s._spf.ebay.com descriptive text "v=spf1 ip4:66.135.209.192/27 
ip4:66.135.197.0/27 ip4:64.4.240.64/27 ip4:64.4.244.64/27 ~all"
m._spf.ebay.com descriptive text "v=spf1 ip4:66.135.215.224/27 
ip4:216.33.244.96/27 ip4:216.33.244.84 ~all"
p._spf.ebay.com descriptive text "v=spf1 ip4:67.72.99.26 ip4:206.165.246.83 
ip4:206.165.246.84 ip4:206.165.246.85 ip4:206.165.246.86 ip4:64.127.115.252 
ip4:194.64.234.129/27 include:p2._spf.ebay.com ~all"
p2._spf.ebay.com descriptive text "v=spf1 ip4:65.110.161.77 ip4:204.13.11.49 
ip4:204.13.11.51 ~all"
c._spf.ebay.com descriptive text "v=spf1 ip4:12.155.144.75 ip4:62.22.61.131 
ip4:63.104.149.126 ip4:64.68.79.253 ip4:64.94.204.222 ip4:66.135.215.134 ip4:67.72.12.29 
include:c2._spf.ebay.com ~all"
c2._spf.ebay.com descriptive text "v=spf1 ip4:80.93.9.10 ip4:195.234.136.12 
ip4:203.49.69.114 ip4:209.63.28.11 ip4:210.80.80.136 ip4:212.110.10.2 ip4:212.147.136.123 
include:c3._spf.ebay.com ~all"
c3._spf.ebay.com descriptive text "v=spf1 ip4:213.219.8.227 
ip4:216.113.168.128 ip4:216.113.175.128 ip4:216.177.178.3 ip4:217.149.33.234 
ip4:220.248.6.124 ip4:67.72.12.30 include:c4._spf.ebay.com ~all"
c4._spf.ebay.com descriptive text "v=spf1 ip4:216.113.188.112 
ip4:80.66.137.58 ip4:212.208.64.34 ip4:216.113.188.96 ip4:216.33.244.6 ip4:216.33.244.7 
~all"


Grabbing the IP addresses out of that looks like this:


Of course, it is probably better to use whatever they publish
through DNS rather than your own fixed copy of the list,
which is bound to go out of date.  Especially since a list
that long is likely to be out of date pretty quickly.

Also, in my previous message, I suggested maybe the original
poster should add some def_whitelist_from_spf configuration
lines.  "perldoc Mail::SpamAssassin::Plugin::SPF" seems to
indicate that "whitelist_from_spf" (no "def") would be better.

Sort of on the same subject, is there any kind of network
whitelist of domains that both (a) can be trusted to themselves
not send out spam and (b) have valid SPF records?  SPF strikes
me as a useful way of authenticating that messages were
not forged.  But a spammer could get a server, register a
domain, and register valid SPF records.  So you need both (a)
and (b) to be sure a message isn't spam.  With a whitelist
of domains that use SPF and don't themselves send spam, you
could give a huge negative score to messages from that domain.
A distributed database would make it possible to make this
list pretty extensive (but never, of course, exhaustive).
Of course, the data in the distributed database would have
to be trustworthy...

  - Logan
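
The approach described in the message above (evaluate what eBay publishes in DNS instead of keeping a fixed IP list), combined with the point made elsewhere in the thread that only an SPF pass on the envelope sender should earn the whitelist, as an added Python example that is not code from the thread or from SpamAssassin. The zone data is a subset of the records quoted above; `check_host`, `whitelist_applies` and the `*@ebay.com` pattern are assumptions of this example.

```python
import fnmatch
import ipaddress

# Subset of the TXT records quoted in the message above (the c._spf chain and
# the "mx" mechanism are left out), kept in a dict so the example runs offline.
ZONE = {
    "ebay.com": "v=spf1 include:s._spf.ebay.com include:m._spf.ebay.com "
                "include:p._spf.ebay.com ~all",
    "s._spf.ebay.com": "v=spf1 ip4:66.135.209.192/27 ip4:66.135.197.0/27 "
                       "ip4:64.4.240.64/27 ip4:64.4.244.64/27 ~all",
    "m._spf.ebay.com": "v=spf1 ip4:66.135.215.224/27 ip4:216.33.244.96/27 "
                       "ip4:216.33.244.84 ~all",
    "p._spf.ebay.com": "v=spf1 ip4:67.72.99.26 ip4:194.64.234.129/27 "
                       "include:p2._spf.ebay.com ~all",
    "p2._spf.ebay.com": "v=spf1 ip4:65.110.161.77 ip4:204.13.11.49 ~all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """SPF evaluation limited to the ip4, include and all mechanisms."""
    record = ZONE.get(domain)
    if depth > 10 or record is None:     # include loop guard / no record
        return "permerror" if depth else "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the leading "v=spf1"
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            # strict=False: the record's 194.64.234.129/27 has host bits set
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIER[qual]
        elif mech.startswith("include:"):
            # Only "pass" from the included record is a match; its own ~all
            # must not end the parent evaluation.
            inner = check_host(ip, mech[8:], depth + 1)
            if inner == "pass":
                return QUALIFIER[qual]
            if inner == "permerror":
                return "permerror"
        elif mech == "all":
            return QUALIFIER[qual]
    return "neutral"

def whitelist_applies(ip, envelope_from, pattern="*@ebay.com"):
    """True only if the envelope sender matches and SPF returns 'pass'."""
    # pattern is an assumed value; the addresses in the thread are redacted
    sender = envelope_from.lower()
    return (fnmatch.fnmatch(sender, pattern)
            and check_host(ip, sender.rsplit("@", 1)[-1]) == "pass")
```

Because every record ends in `~all`, an address outside the published ranges evaluates to softfail rather than fail, which is why the whitelist decision keys on pass alone.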


RE: Looking for a good Ebay whitelist

2006-08-08 Thread Rob McEwen

The following are what I have deemed as frequently used official e-bay smtp
servers. This list might be used for whitelisting or/and negative scoring:


But I make no guarantees about this list. Please correct me if there are any
errors or omissions. Use at your own risk.

Rob McEwen
PowerView Systems




Re: Looking for a good Ebay whitelist

2006-08-08 Thread Logan Shaw

On Tue, 8 Aug 2006,  wrote:

I have been having FPs from Ebay in AU and DE, as well as [EMAIL PROTECTED]

Does anybody have a good whitelist for these?


Because so many people try to forge messages from eBay but what
comes from their own servers is almost definitely not spam,
eBay seems like an ideal example of an organization that could
benefit from SPF.  And sure enough:

$ host -t TXT ebay.com
ebay.com descriptive text "spf2.0/pra mx include:s._sid.ebay.com 
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"
ebay.com descriptive text "v=spf1 mx include:s._spf.ebay.com 
include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all"

$ host -t TXT ebay.com.au
ebay.com.au descriptive text "spf2.0/pra mx include:s._sid.ebay.com 
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"
ebay.com.au descriptive text "v=spf1 mx include:s._spf.ebay.com 
include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all"

$ host -t TXT ebay.de
ebay.de descriptive text "v=spf1 mx include:s._spf.ebay.com 
include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all"
ebay.de descriptive text "spf2.0/pra mx include:s._sid.ebay.com 
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"

So it seems like SPF is probably something good to rely on
in this case.  I don't fully understand the SPF plug-in,
but perhaps all you need to do is add the appropriate ebay
domains to new def_whitelist_from_spf rules like the ones
in 60_whitelist_spf.cf.

This page:

http://pages.ebay.com/help/confidence/isgw-account-theft-spoof.html

has a list of eBay's US and international web sites, so presumably
the list of valid e-mail domains ([EMAIL PROTECTED], [EMAIL PROTECTED], etc.)
can be easily and correctly derived from that list.

  - Logan