Re: Whitelist rules should never pass on SPF fail

2024-05-11 Thread Noel Butler

On 11/05/2024 03:40, Bill Cole wrote:

>> So what? domain owners state hard fail it SHOULD be hard failed,
>> irrespective of if YOU think you know better than THEM or not, if we
>> hardfail we accept the risks that come with it.
>
> In practice, there is a prioritizing of whose wishes I prioritize on
> the receiving systems I work with. If my customer wants to receive the
> mail and the individual generating the mail is not generating that
> desire fraudulently, I don't care much about what the domain owner
> says.

I hope you have an indemnity clause in your contracts (or written
statement from them) to legally protect you, and your professional
indemnity insurance (or your country's version of it) is current...

> I do not work for the domain owners of the world and I am not obligated
> to enforce their usage rules on their users.

Obligated no, it's your network, your rules, but honouring them is the
correct "good netizen" thing to do.

I'm sure the crime gangs and spammers reading this list greatly
appreciate you telling them they got better chances with you than most
:P

> Obviously I take their input seriously when trying to detect fraud but
> I've seen too many cases of "-all" being used with incomplete or
> obsolete lists of "permitted" hosts to accept that they know all of the
> places their mail gets generated.

The idea of using -all is not just configuring it and forgetting it,
it's part of the accepted risk that if you change something, you change
your SPF statements too, if they forget, the complaints of blocked mail
should prompt them to fix it, or if they are just flat out too damn
lazy, then they get what they deserve.

Adherence has improved out of sight in past 5 to 10 years, and I've seen
no problems caused by SPF, I can't remember the last time we had one.

> I've also given up all hope of getting the few places that are still
> doing transparent forwarding to adopt SRS or any other mechanisms to
> avoid SPF breakage to ever change.

I guess the traffic with them is low, if it was high, blocking would
likely get them off their butts.


--
Regards,
Noel Butler

Re: Whitelist rules should never pass on SPF fail

2024-05-10 Thread Bill Cole
On 2024-05-09 at 17:21:07 UTC-0400 (Fri, 10 May 2024 07:21:07 +1000)
Noel Butler 
is rumored to have said:

> So what? domain owners state hard fail it SHOULD be hard failed, irrespective 
> of if YOU think you know better than THEM or not, if we hardfail we accept 
> the risks that come with it.

In principle, that is fine (as a demonstration of why some principles are 
pointless and do more harm than good...)

In practice, there is a prioritizing of whose wishes I prioritize on the 
receiving systems I work with. If my customer wants to receive the mail and the 
individual generating the mail is not generating that desire fraudulently, I 
don't care much about what the domain owner says. I do not work for the domain 
owners of the world and I am not obligated to enforce their usage rules on 
their users. Obviously I take their input seriously when trying to detect fraud 
but I've seen too many cases of "-all" being used with incomplete or obsolete 
lists of "permitted" hosts to accept that they know all of the places their 
mail gets generated.

I've also given up all hope of getting the few places that are still doing 
transparent forwarding to adopt SRS or any other mechanisms to avoid SPF 
breakage to ever change. There is no ROI in trying to fix such cases 
individually but users still want their college email addresses to work decades 
after graduating and some colleges have pandered to them. So have some 
professional orgs.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Whitelist rules should never pass on SPF fail

2024-05-09 Thread Noel Butler

On 09/05/2024 22:47, Bill Cole wrote:


> On 2024-05-09 at 08:37:06 UTC-0400 (Thu, 09 May 2024 14:37:06 +0200)
> Benny Pedersen
> is rumored to have said:
>
>> Bill Cole wrote on 2024-05-09 14:22:
>>
>>>> In fact, I can't think of any whitelist test that should pass if SPF
>>>> fails.
>>>
>>> If you operate on the theory that a SPF failure is always a sign of
>>> spam, you can make your SpamAssassin always trust SPF failures
>>> absolutely. I would not recommend that. Some people screw up their SPF
>>> records. Other people forward mail transparently, which reliably breaks
>>> SPF. SPF is broken *by design* as a spam control tool AND as a mail
>>> authentication tool. We knew this 20 years ago, but it remains a useful
>>> tool if you work with its limits rather than assuming that they do not
>>> exist.
>>
>> spf domain owner asked for hardfails, so why not score spf_fail as 100 ?
>> :)
>
> I believe that has been covered in extreme detail and redundancy here
> and in other email-related fora MANY times over the past 20 years.
>
> Domain owners do not KNOW all the paths their mail follows, even when
> they think that they do. Users frequently find ways to break SPF without
> doing anything wrong.


It's not often I agree with what Benny says, but this is one of them.

So what? domain owners state hard fail it SHOULD be hard failed, 
irrespective of if YOU think you know better than THEM or not, if we 
hardfail we accept the risks that come with it.


This is why SPF should always be handled separately by a milter, so a
hard fail won't make it to spamassassin or others who think they can
ignore a domain owner's wishes.


--
Regards,
Noel Butler

Re: Whitelist rules should never pass on SPF fail

2024-05-09 Thread Bill Cole

On 2024-05-09 at 08:37:06 UTC-0400 (Thu, 09 May 2024 14:37:06 +0200)
Benny Pedersen 
is rumored to have said:


> Bill Cole wrote on 2024-05-09 14:22:
>
>>> In fact, I can't think of any whitelist test that should pass if SPF
>>> fails.
>>
>> If you operate on the theory that a SPF failure is always a sign of
>> spam, you can make your SpamAssassin always trust SPF failures
>> absolutely. I would not recommend that. Some people screw up their
>> SPF records. Other people forward mail transparently, which reliably
>> breaks SPF. SPF is broken *by design* as a spam control tool AND as a
>> mail authentication tool. We knew this 20 years ago, but it remains a
>> useful tool if you work with its limits rather than assuming that
>> they do not exist.
>
> spf domain owner asked for hardfails, so why not score spf_fail as 100
> ? :)


I believe that has been covered in extreme detail and redundancy here 
and in other email-related fora MANY times over the past 20 years.


Domain owners do not KNOW all the paths their mail follows, even when 
they think that they do. Users frequently find ways to break SPF without 
doing anything wrong.



> on the other hand if spf domain owner asked for softfails it would not
> still be 100
>
> but i still suggest to report to dnswl, if not dnswl none listed


Reasonable advice.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: Whitelist rules should never pass on SPF fail

2024-05-09 Thread Benny Pedersen

Bill Cole wrote on 2024-05-09 14:22:

>> In fact, I can't think of any whitelist test that should pass if SPF
>> fails.
>
> If you operate on the theory that a SPF failure is always a sign of
> spam, you can make your SpamAssassin always trust SPF failures
> absolutely. I would not recommend that. Some people screw up their SPF
> records. Other people forward mail transparently, which reliably breaks
> SPF. SPF is broken *by design* as a spam control tool AND as a mail
> authentication tool. We knew this 20 years ago, but it remains a useful
> tool if you work with its limits rather than assuming that they do not
> exist.

spf domain owner asked for hardfails, so why not score spf_fail as 100 ?
:)

on the other hand if spf domain owner asked for softfails it would not
still be 100


but i still suggest to report to dnswl, if not dnswl none listed





Re: Whitelist rules should never pass on SPF fail

2024-05-09 Thread Bill Cole

On 2024-05-08 at 15:53:47 UTC-0400 (Wed, 08 May 2024 16:53:47 -0300)
kurt.va1der.ca via users 
is rumored to have said:

> I received a (relatively) well crafted Phishing email today.  It was
> clearly a well planned campaign.  The Spamassassin score was as
> follows:
>
> X-Spam-Status: No, score=-0.4 required=5.0
> tests=GOOG_REDIR_NORDNS=0.001,
> HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,
> NORDNS_LOW_CONTRAST=0.001,RCVD_IN_DNSWL_HI=-5,RDNS_NONE=1.274,
> SPF_FAIL=0.919,SPF_HELO_NONE=0.001,URIBL_BLOCKED=0.001,WIKI_IMG=2.397
> autolearn=disabled version=3.4.6
>
> DNS white-hole list checks should never ever pass if the SPF checks
> fail.


The only "white-hole" item there is RCVD_IN_DNSWL_HI, which is a 
DNS-based list where IPs which are supposedly "good" can be listed, i.e. 
it is external to SA, not something we manage. You are suggesting that 
the knowledge that an IP does not send spam should be entirely ignored 
if that IP offers a message which fails SPF, which is solely a domain 
verification and has well-known common failure modes.


I could not disagree more. One purpose in principle for IP-wise 
welcomelisting like DNSWL is to identify known-good transparent 
forwarders who for whatever reason do not implement SRS but also do not 
forward spam.


DNS-based list IP tests are scored in the default distribution without a 
strong  basis, because they do not normally get handled by the RuleQA 
process. It has often been reported here that RCVD_IN_DNSWL_HI is too 
forgiving and that seems true to me. You may wish to reduce its positive 
power. I set it to -2 based on my local observations. YMMV.


You are free to create a local meta-rule which makes SPF_FAIL cancel out 
RCVD_IN_DNSWL_HI. You are free to make the SPF_FAIL score higher. You 
are free to use the priority and shortcircuiting features to assure that 
SPF_FAIL causes DNSWL checks to not be run. I would not expect any of 
these to have an overall positive effect on your email.


> In fact, I can't think of any whitelist test that should pass if SPF
> fails.


If you operate on the theory that a SPF failure is always a sign of 
spam, you can make your SpamAssassin always trust SPF failures 
absolutely. I would not recommend that. Some people screw up their SPF 
records. Other people forward mail transparently, which reliably breaks 
SPF. SPF is broken *by design* as a spam control tool AND as a mail 
authentication tool. We knew this 20 years ago, but it remains a useful 
tool if you work with its limits rather than assuming that they do not 
exist.


> I could attach a higher score to SPF_FAIL, but that would unduly
> affect cases where the sender wasn't white listed.


I fail to see how that's a problem, in a world where SPF failure 
overrides an IP-based welcome list. However, I do not understand that 
world in general, so I'm sure there's something I'm missing...


> I need a way to force SpamAssassin to negate the effect of one test
> on the passing of another.


A simple logical problem:

 score RULE_A 3
 score RULE_B -2

 meta  CANCEL_B_IF_A  RULE_A && RULE_B
 score CANCEL_B_IF_A  2

You can also use 'priority' directives to make rules execute in a 
defined order  and a 'shortcircuit' directive to make SA stop processing 
later rules if a specific rule hits. This will also skip any other 
'late' checks, so you have to set priorities with care to avoid 
shortcircuiting rules that you want checked. Consult the docs for 
details.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


Re: Whitelist rules should never pass on SPF fail

2024-05-09 Thread Benny Pedersen

kurt.va1der.ca via users wrote on 2024-05-08 21:53:

> I received a (relatively) well crafted Phishing email today.  It was
> clearly a well planned campaign.  The Spamassassin score was as
> follows:
>
> X-Spam-Status: No, score=-0.4 required=5.0
> tests=GOOG_REDIR_NORDNS=0.001,
> HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,
> NORDNS_LOW_CONTRAST=0.001,RCVD_IN_DNSWL_HI=-5,RDNS_NONE=1.274,
> SPF_FAIL=0.919,SPF_HELO_NONE=0.001,URIBL_BLOCKED=0.001,WIKI_IMG=2.397
> autolearn=disabled version=3.4.6
>
> DNS white-hole list checks should never ever pass if the SPF checks
> fail.  In fact, I can't think of any whitelist test that should pass
> if SPF fails.  I could attach a higher score to SPF_FAIL, but that
> would unduly affect cases where the sender wasn't white listed.
>
> I need a way to force SpamAssassin to negate the effect of one test
> on the passing of another.

https://www.dnswl.org/?page_id=17

you should solve URIBL_BLOCKED as well

and lastly 3.4.6 is old now

more help ?



Re: Whitelist rules should never pass on SPF fail

2024-05-08 Thread Noel Butler

On 09/05/2024 05:57, Jarland Donnell wrote:

> That's easy though at least. Set the DNSWL rule to 0. I appreciate
> their effort but it's simply not an accurate way to determine the value
> of an email in 2024. It's never been the deciding factor between
> whether or not an email was spam, in any email I've audited in the last
> decade.


This!

Trust must be earned, not assumed (or bought)

--
Regards,
Noel Butler

Re: Whitelist rules should never pass on SPF fail

2024-05-08 Thread Loren Wilton
Obviously the right way is for the master rules to be adjusted. But if you want 
a local fix, try something like this:

score     RCVD_IN_DNSWL_HI     -0.001

meta      MY_RCVD_IN_DNSWL_HI  RCVD_IN_DNSWL_HI && !SPF_FAIL
score     MY_RCVD_IN_DNSWL_HI  -5
describe  MY_RCVD_IN_DNSWL_HI  In DNS whitelist, good SPF

  - Original Message - 
  I received a (relatively) well crafted Phishing email today.  It was clearly 
a well planned campaign.  The Spamassassin score was as follows:

  X-Spam-Status: No, score=-0.4 required=5.0 tests=GOOG_REDIR_NORDNS=0.001,
  HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,
  NORDNS_LOW_CONTRAST=0.001,RCVD_IN_DNSWL_HI=-5,RDNS_NONE=1.274,
  SPF_FAIL=0.919,SPF_HELO_NONE=0.001,URIBL_BLOCKED=0.001,WIKI_IMG=2.397
  autolearn=disabled version=3.4.6

  DNS white-hole list checks should never ever pass if the SPF checks fail.  In 
fact, I can't think of any whitelist test that should pass if SPF fails.  I 
could attach a higher score to SPF_FAIL, but that would unduly affect cases 
where the sender wasn't white listed.

  I need a way to force SpamAssassin to negate the effect of one test on the 
passing of another.
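
The local overrides proposed in this thread (Loren Wilton's meta rule above, Bill Cole's cancel-out pattern and reduced DNSWL score, and Jarland Donnell's zero score) can be checked against the reported header before deploying any of them. This is an added example, not code from any poster or from the SpamAssassin project; the rule name CANCEL_DNSWL_IF_SPF_FAIL and its score of 5 are assumptions, and the evaluator handles only the boolean subset of meta expressions.

```python
import re

# Header as reported in the thread, folded the way it was posted.
HEADER = """X-Spam-Status: No, score=-0.4 required=5.0
 tests=GOOG_REDIR_NORDNS=0.001,
 HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,
 NORDNS_LOW_CONTRAST=0.001,RCVD_IN_DNSWL_HI=-5,RDNS_NONE=1.274,
 SPF_FAIL=0.919,SPF_HELO_NONE=0.001,URIBL_BLOCKED=0.001,WIKI_IMG=2.397
 autolearn=disabled version=3.4.6"""


def parse_status(header):
    """Return (required, {rule: score}) from an X-Spam-Status header."""
    flat = re.sub(r"\s+", " ", header)          # unfold continuation lines
    flat = re.sub(r"(tests=|,) ", r"\1", flat)  # rejoin a folded test list
    required = float(re.search(r"required=(-?[\d.]+)", flat).group(1))
    hits = {}
    for item in re.search(r"tests=(\S+)", flat).group(1).split(","):
        name, _, score = item.partition("=")
        hits[name] = float(score)
    return required, hits


def eval_meta(expr, hit):
    """Evaluate a boolean meta expression (&&, ||, !, parentheses) over the
    set of rule names that hit. Arithmetic meta expressions are not handled."""
    tokens = re.findall(r"&&|\|\||!|\(|\)|\w+", expr) + [None]
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            value = either()
            take()  # consume ")"
            return value
        return tok in hit

    def both():  # a && b && ...
        value = atom()
        while tokens[pos] == "&&":
            take()
            value = atom() and value
        return value

    def either():  # a || b || ...
        value = both()
        while tokens[pos] == "||":
            take()
            value = both() or value
        return value

    return either()


def rescore(hits, overrides, metas):
    """Total the message after local score overrides and added meta rules."""
    scores = {rule: overrides.get(rule, value) for rule, value in hits.items()}
    for name, (expr, value) in metas.items():
        if eval_meta(expr, set(hits)):
            scores[name] = value
    return round(sum(scores.values()), 3)


# Each scenario: (score overrides, {meta name: (expression, score)}).
SCENARIOS = {
    "as delivered": ({}, {}),
    "Loren Wilton's local fix": (
        {"RCVD_IN_DNSWL_HI": -0.001},
        {"MY_RCVD_IN_DNSWL_HI": ("RCVD_IN_DNSWL_HI && !SPF_FAIL", -5)},
    ),
    # Bill Cole's CANCEL_B_IF_A pattern applied to this pair of rules; the
    # rule name and the score of 5 are assumptions made for this example.
    "cancel-out meta": (
        {}, {"CANCEL_DNSWL_IF_SPF_FAIL": ("SPF_FAIL && RCVD_IN_DNSWL_HI", 5)},
    ),
    "DNSWL_HI at -2 (Bill Cole)": ({"RCVD_IN_DNSWL_HI": -2}, {}),
    "DNSWL_HI at 0 (Jarland Donnell)": ({"RCVD_IN_DNSWL_HI": 0}, {}),
}


def what_if(header=HEADER):
    """Return (required, {scenario: total}) for the header under each scenario."""
    required, hits = parse_status(header)
    return required, {label: rescore(hits, ov, metas)
                      for label, (ov, metas) in SCENARIOS.items()}


if __name__ == "__main__":
    required, totals = what_if()
    for label, total in totals.items():
        print(f"{label:34} {total:7.3f}  (required {required})")
```

For this message every variant totals below the required 5.0, so removing the DNSWL credit on its own would not have marked it as spam.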





Re: Whitelist rules should never pass on SPF fail

2024-05-08 Thread Jarland Donnell
That’s easy though at least. Set the DNSWL rule to 0. I appreciate their effort 
but it’s simply not an accurate way to determine the value of an email in 2024. 
It’s never been the deciding factor between whether or not an email was spam, 
in any email I’ve audited in the last decade.

> On Wednesday, May 08, 2024 at 2:53 PM, kurt.va1der.ca via users
> <users@spamassassin.apache.org> wrote:
>
> I received a (relatively) well crafted Phishing email today. It was clearly a 
> well planned campaign. The Spamassassin score was as follows:
>
>
> X-Spam-Status: No, score=-0.4 required=5.0 tests=GOOG_REDIR_NORDNS=0.001,
> HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,
> NORDNS_LOW_CONTRAST=0.001,RCVD_IN_DNSWL_HI=-5,RDNS_NONE=1.274,
> SPF_FAIL=0.919,SPF_HELO_NONE=0.001,URIBL_BLOCKED=0.001,WIKI_IMG=2.397
> autolearn=disabled version=3.4.6
>
>
> DNS white-hole list checks should never ever pass if the SPF checks fail. In 
> fact, I can't think of any whitelist test that should pass if SPF fails. I 
> could attach a higher score to SPF_FAIL, but that would unduly affect cases 
> where the sender wasn't white listed.
>
>
> I need a way to force SpamAssassin to negate the effect of one test on the 
> passing of another.



Re: Whitelist or add negative values for score

2022-12-24 Thread Matus UHLAR - fantomas

On 23.12.22 21:24, Joey J wrote:

This is the best I can grab header wise, Names/IP's have changed here to
protect privacy.
Know the following:
The senders real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit going to paypal.



Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: 
client=Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: 
message-id=
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01: from=, 
size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from 
Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 
commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail 
message-id=#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus 
detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA score=3/5 
time=4.186 bayes=0.00 autolearn=no autolearn_force=no 
hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)


sender address is sen...@customer.com and SPF passed (SPF_PASS), so:

welcomelist_auth sen...@customer.com 
or

welcomelist_from_spf sen...@customer.com

should both allow this sender.
I assume the sen...@customer.com is also in the From: address.

welcomelist_from_dkim sen...@customer.com
will NOT work, because there's no valid DKIM signature.



On 21.12.22 15:48, Joey J wrote:
>Thank you for pointing me in the better direction.
>Since not many people are typing these types of email , I could do the one
>off rule and it would be manageable.
>But in better seeing the welcomelist_from_spf option, I think this will be
>my first try.


On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas  
wrote:
welcomelist_auth does the same as welcomelist_from_spf and 
welcomelist_from_dkim both.


Note that SPF is related to envelope from address and if it's different 
from header From:, it won't help you much.


You haven't provided example of mail (headers) we are talking about.
Without it, we can only guess what your problem really is and what the
solution should be.


>On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:
>> The other thing that should be done for j...@company.com is that
>> company.com should sign their mail with DKIM, and then you can
>>
>>   welcomelist_from_dkim *@company.com
>>
>> I find that many companies I deal with that produce semi-spammy mail
>> (most big companies :-) have DKIM signatures and I can welcomelist on
>> that, without welcomelisting forgeries.
>>
>> You can of course use _rcvd for the IP address.  DKIM is just nicer if
>> you can get them to do it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
   One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them


Re: Whitelist or add negative values for score

2022-12-23 Thread Joey J
Hello All,

This is the best I can grab header wise, Names/IP's have changed here to
protect privacy.
Know the following:
The senders real server (1.2.3.4), (1.2.3.4 is the SPF match) sends the
mail to the gateway, and the gateway blocked it as shown.
Yes, legit going to paypal.

Based on your response, will assist in making the best choice.

Thanks everyone!


Dec 19 19:39:42 mgw postfix/smtpd[1070732]: connect from
Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: Anonymous TLS connection
established from Sender.MailServer.com[1.2.3.4]: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: 1270980A01: client=
Sender.MailServer.com[1.2.3.4]
Dec 19 19:39:42 mgw postfix/cleanup[1070437]: 1270980A01: message-id=<
mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com
>
Dec 19 19:39:42 mgw postfix/qmgr[5368]: 1270980A01:
from=, size=673334, nrcpt=1 (queue active)
Dec 19 19:39:42 mgw postfix/smtpd[1070732]: disconnect from
Sender.MailServer.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1
quit=1 commands=7
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: new mail
message-id=<
mn0pr22mb3689503197a395d549ee6d0daa...@mn0pr22mb3689.namprd22.prod.outlook.com
>#012
Dec 19 19:39:42 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: virus
detected: Heuristics.Phishing.Email.SpoofedDomain (clamav)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: SA
score=3/5 time=4.186 bayes=0.00 autolearn=no autolearn_force=no
hits=ClamAVHeuristics(3),AWL(-0.969),BAYES_00(-1.9),BIGNUM_EMAILS_MANY(2.999),DKIM_INVALID(0.1),DKIM_SIGNED(0.1),HTML_FONT_LOW_CONTRAST(0.001),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_FILL_THIS_FORM_SHORT(0.01),URIBL_BLOCKED(0.001)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: notify
 (rule: Block outgoing Spam, 342C580C8D)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D: block
mail to  (rule: Block outgoing Spam)
Dec 19 19:39:47 mgw pmg-smtp-filter[1070564]: A760963A1044E2E16D:
processing time: 5.04 seconds (4.186, 0.664, 0)
Dec 19 19:39:47 mgw postfix/lmtp[1070520]: 1270980A01: to=<
recipi...@paypal.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=5.2,
delays=0.06/0/0.05/5.1, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED
(A760963A1044E2E16D))
Dec 19 19:39:47 mgw postfix/qmgr[5368]: 1270980A01: removed




On Thu, Dec 22, 2022 at 2:24 AM Matus UHLAR - fantomas 
wrote:

> On 21.12.22 15:48, Joey J wrote:
> >Thank you for pointing me in the better direction.
> >Since not many people are typing these types of email , I could do the one
> >off rule and it would be manageable.
> >But in better seeing the welcomelist_from_spf option, I think this will be
> >my first try.
>
> welcomelist_auth does the same as welcomelist_from_spf and
> welcomelist_from_dkim
> both.
>
> Note that SPF is related to envelope from address and if it's different
> from
> header From:, it won't help you much.
>
> You haven't provided example of mail (headers) we are talking about.
> Without it, we can only guess what your problem really is and what the
> solution should be.
>
>
> >On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:
> >> The other thing that should be done for j...@company.com is that
> >> company.com should sign their mail with DKIM, and then you can
> >>
> >>   welcomelist_from_dkim *@company.com
> >>
> >> I find that many companies I deal with that produce semi-spammy mail
> >> (most big companies :-) have DKIM signatures and I can welcomelist on
> >> that, without welcomelisting forgeries.
> >>
> >> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> >> you can get them to do it.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 2B|!2B, that's a question!
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-22 Thread John Hardin

On Wed, 21 Dec 2022, Joey J wrote:


> But in better seeing the welcomelist_from_spf option, I think this will be
> my first try.


If you are *really* worried about getting faked mail from that 
correspondent, you can do something like:


whitelist_from_spf  j...@company.com
blacklist_from  j...@company.com

I have a bunch of these sort of entries in my local config:

whitelist_auth  *@wellsfargo.com
blacklist_from  *@wellsfargo.com
whitelist_auth  *@*.wellsfargo.com
blacklist_from  *@*.wellsfargo.com
whitelist_auth  *@netflix.com
blacklist_from  *@netflix.com
whitelist_auth  *@*.netflix.com
blacklist_from  *@*.netflix.com

You may need to dial back the blacklist score a bit for it to work 
reliably:


score  USER_IN_BLACKLIST   85.000  # let whitelist override blacklist


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 3 days until Christmas


Re: Whitelist or add negative values for score

2022-12-21 Thread Matus UHLAR - fantomas

On 21.12.22 15:48, Joey J wrote:

> Thank you for pointing me in the better direction.
> Since not many people are typing these types of email, I could do the one
> off rule and it would be manageable.
> But in better seeing the welcomelist_from_spf option, I think this will be
> my first try.


welcomelist_auth does the same as welcomelist_from_spf and welcomelist_from_dkim
both.

Note that SPF is related to envelope from address and if it's different from 
header From:, it won't help you much.


You haven't provided example of mail (headers) we are talking about.
Without it, we can only guess what your problem really is and what the 
solution should be.




> On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel wrote:
>
>> The other thing that should be done for j...@company.com is that
>> company.com should sign their mail with DKIM, and then you can
>>
>>   welcomelist_from_dkim *@company.com
>>
>> I find that many companies I deal with that produce semi-spammy mail
>> (most big companies :-) have DKIM signatures and I can welcomelist on
>> that, without welcomelisting forgeries.
>>
>> You can of course use _rcvd for the IP address.  DKIM is just nicer if
>> you can get them to do it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Kris & Greg,

Thank you for pointing me in the better direction.
Since not many people are typing these types of email , I could do the one
off rule and it would be manageable.
But in better seeing the welcomelist_from_spf option, I think this will be
my first try.

I appreciate all of your points and it makes us all better evaluate what we
are doing and consider efficiency and effectiveness.

Thanks!!

On Wed, Dec 21, 2022 at 2:39 PM Greg Troxel  wrote:

> The other thing that should be done for j...@company.com is that
> company.com should sign their mail with DKIM, and then you can
>
>   welcomelist_from_dkim *@company.com
>
> I find that many companies I deal with that produce semi-spammy mail
> (most big companies :-) have DKIM signatures and I can welcomelist on
> that, without welcomelisting forgeries.
>
> You can of course use _rcvd for the IP address.  DKIM is just nicer if
> you can get them to do it.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Kris Deugau

Joey J wrote:

> Thanks Everyone.
> Within all of the responses, I will try to reply here.
> 1. The legit sender will talk about big numbers because of the real
> things he is involved with so big numbers is still a valid method to
> score, just not in this case.
> 2. The SPF record is set to fail on no match, however this does not
> automatically say, ok it's the approved source everything is ok, let
> them spam out, SA will still score content, and simply not score for bad
> SPF.
> 3. The goal is to say for user j...@company.com,
> if we can confirm the source is their mail server IP, then let's add some
> negative value, let's say -2, to allow message that might be scored such
> as the above #1 because they are legit.
>
> Unless there is something I'm missing, I'm not sure how to better
> explain it.
> Yes, I can provide the full headers, but I thought the spam info was
> enough to provide the SA aspect of the scoring.
>
> This is why I thought of the extra rule based on email address and IP
> combo, almost confirming it's legit, to add to the negative score.


If you really want to go down this road, and assign small or 
individualized scores for senders like this instead of just using 
welcomelist_from_(rcvd|dkim|spf) or welcomelist_auth, use something like 
this:


header   __FROM_GOODGUY   From:addr =~ /^joe\@company\.com$/
header   __RCVD_GOODGUY   X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /
meta     NOTSPAM_GOODGUY  __FROM_GOODGUY && __RCVD_GOODGUY
describe NOTSPAM_GOODGUY  Score nudge for j...@company.com
score    NOTSPAM_GOODGUY  -2

Have a long read through "man Mail::SpamAssassin::Conf" to deconstruct 
those.


But that doesn't scale well to very many senders, where welcomelist_* 
seem to scale pretty well to at least low thousands of entries.  _spf 
and _dkim in particular also rely on other information published by the 
sender, so *you* don't have to keep manually updating your rules if 
their mail sending infrastructure changes.


I'd be more inclined to do some per-user score setting on the 
*recipient* account - ie, whoever is receiving these can have a line 
added to ~/.spamassassin/user_prefs (or wherever you're storing SA 
userprefs) saying "score BIGNUM_EMAILS_MANY (-1)".


I'd also see if you can narrow down exactly what 
Phishing.Email.SpoofedDomain is hitting on, IME it's all too likely to 
fire on a certain class of legitimate mail and what you've described 
sounds like a prime place for FPs.  Calling ClamAV like this either 
requires a plugin or relies on ClamAV being called earlier, and leaving 
a header for SA to check.  You'll have to do a bit more digging to find 
out how it's configured.


Locally I started with the plugin on the wiki 
(https://cwiki.apache.org/confluence/display/SPAMASSASSIN/ClamAVPlugin) 
and extended it quite a bit.  I've just posted the current production 
version at http://deepnet.cx/~kdeugau/spamtools/clamav.pm.  I have that 
particular Clam hit scored at 1.5 due to the FP potential.


-kgd


Re: Whitelist or add negative values for score

2022-12-21 Thread Greg Troxel
The other thing that should be done for j...@company.com is that
company.com should sign their mail with DKIM, and then you can

  welcomelist_from_dkim *@company.com

I find that many companies I deal with that produce semi-spammy mail
(most big companies :-) have DKIM signatures and I can welcomelist on
that, without welcomelisting forgeries.

You can of course use _rcvd for the IP address.  DKIM is just nicer if
you can get them to do it.


Re: Whitelist or add negative values for score

2022-12-21 Thread Joey J
Thanks Everyone.
Within all of the responses, I will try to reply here.
1. The legit sender will talk about big numbers because of the real things
he is involved with so big numbers is still a valid method to score, just
not in this case.
2. The SPF record is set to fail on no match, however this does not
automatically say, ok it's the approved source everything is ok, let them
spam out, SA will still score content, and simply not score for bad SPF.
3. The goal is to say for user j...@company.com, if we can confirm the
source is their mail server IP, then let's add some negative value, let's say
-2, to allow message that might be scored such as the above #1 because they
are legit.

Unless there is something I'm missing, I'm not sure how to better explain
it.
Yes, I can provide the full headers, but I thought the spam info was enough
to provide the SA aspect of the scoring.

This is why I thought of the extra rule based on email address and IP
combo, almost confirming it's legit, to add to the negative score.



On Wed, Dec 21, 2022 at 1:12 PM Bill Cole <
sausers-20150...@billmail.scconsult.com> wrote:

> On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
> Matus UHLAR - fantomas 
> is rumored to have said:
> [...]>
> > On 21.12.22 11:19, Henrik K wrote:
> >> It will pass welcomelist_auth, since there is SPF_PASS, which you
> missed:
> >>
> >> SPF_PASS   -0.001 SPF: sender matches SPF record
> >
> > I understood KAM_DMARC_STATUS as failing SPF alignment.
>
>KAM_DMARC_STATUS  0.01  Test Rule for DKIM or SPF Failure with Strict
> Alignment
>
> Note that 'or' is not 'and' in that description. The message in question
> had a bad DKIM signature.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-21 Thread Bill Cole
On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100)
Matus UHLAR - fantomas 
is rumored to have said:
[...]>
> On 21.12.22 11:19, Henrik K wrote:
>> It will pass welcomelist_auth, since there is SPF_PASS, which you missed:
>>
>> SPF_PASS   -0.001 SPF: sender matches SPF record
>
> I understood KAM_DMARC_STATUS as failing SPF alignment.

   KAM_DMARC_STATUS  0.01  Test Rule for DKIM or SPF Failure with Strict Alignment

Note that 'or' is not 'and' in that description. The message in question had a
bad DKIM signature.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Whitelist or add negative values for score

2022-12-21 Thread Dominic Raferd


On 20/12/2022 23:59, Joey J wrote:

Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, 
airplanes, paypal etc, but he is a legit sender with these often 
flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 
times, there are more of the buzz words that SA looks at based on rules.


We can't whitelist j...@company.com because of course everyone 
pretending to be him will more than likely get whitelisted and you 
know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 
condition would allow me to add some negative score to get over the 
total flagging it as spam.


You guys would know better than I as to which would be the best 
method, I like scoring it some and going to -100.


Within the reject to the user it had the following:

Spam detection results: 3

ClamAVHeuristics 3 ClamAV heuristic test: Phishing.Email.SpoofedDomain 
(clamav)


AWL -0.969 Adjusted score from AWL reputation of From: address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over

DKIM_INVALID 0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid

HTML_FONT_LOW_CONTRAST 0.001 HTML font color similar or identical to 
background


HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict 
Alignment


SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record

SPF_PASS -0.001 SPF: sender matches SPF record

T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information

URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was 
blocked.  See 
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block


My approach is like this:

describe LOCAL_WELCOMING_4 Pseudo-welcomelist (case-insensitive)
score LOCAL_WELCOMING_4 -4
header LOCAL_WELCOMING_4 From =~ /(fred\@bloggs\.com|\@jones\.com)>?\s*$/i

I have a few of these with different score reductions (4,6,8,10 etc) all 
held in /etc/spamassassin/local_welcoming.cf. If you end up with a lot 
of addresses to be 'welcomed' (as I do) you need some code to manage 
them, but the principle is simple enough: they act to reduce the score 
of any email where the 'From:' address matches the regex. They do not 
guarantee acceptance (the spam score is still calculated, only some 
amount (4 in the case above) is deducted), and they do not (in my case 
anyway) apply to virus-laden emails.




Re: Whitelist or add negative values for score

2022-12-21 Thread Matus UHLAR - fantomas

> DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid
>
> DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
> necessarily valid
>
> HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
> background
>
> HTML_MESSAGE 0.001 HTML included in message
>
> KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> Alignment



On Wed, Dec 21, 2022 at 08:43:18AM +0100, Matus UHLAR - fantomas wrote:

this rule indicates that mail would NOT pass welcomelist_auth

If this is the mail you want then yes, you need welcomelist_from_rcvd, but
that's sender's fault.


On 21.12.22 11:19, Henrik K wrote:

It will pass welcomelist_auth, since there is SPF_PASS, which you missed:

SPF_PASS   -0.001 SPF: sender matches SPF record


I understood KAM_DMARC_STATUS as failing SPF alignment.

in such case From: is not the same as envelope From, so while SPF matches 
the envelope from, From: domain is different from the one that has to be 
listed in welcomelist_auth for it to work.


was I wrong?


We still miss example of original e-mail headers to decide better.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: Whitelist or add negative values for score

2022-12-21 Thread Henrik K
On Wed, Dec 21, 2022 at 08:43:18AM +0100, Matus UHLAR - fantomas wrote:
> > DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid
> > 
> > DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
> > necessarily valid
> > 
> > HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
> > background
> > 
> > HTML_MESSAGE 0.001 HTML included in message
> > 
> > KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
> > Alignment
> 
> this rule indicates that mail would NOT pass welcomelist_auth
> 
> If this is the mail you want then yes, you need welcomelist_from_rcvd, but
> that's sender's fault.

It will pass welcomelist_auth, since there is SPF_PASS, which you missed:

SPF_PASS   -0.001 SPF: sender matches SPF record



Re: Whitelist or add negative values for score

2022-12-20 Thread Matus UHLAR - fantomas

On 20.12.22 18:59, Joey J wrote:

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone pretending to
be him will more than likely get whitelisted and you know the rest.


You have misunderstood what welcomelist_auth means.

It means that the sender has to pass SPF or DKIM, which means that random 
people can NOT just send j...@company.com.



Within the reject to the user it had the following:
Spam detection results:  3


was this the legitimate mail? If so, your sender has multiple problems.


ClamAVHeuristics 3 ClamAV heuristic test:
Phishing.Email.SpoofedDomain (clamav)


this is at least not nice, problematic I'd say.


AWL -0.969 Adjusted score from AWL reputation of From:
address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over


this is very common with spam.


DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
necessarily valid

HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
background

HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
Alignment


this rule indicates that mail would NOT pass welcomelist_auth 

If this is the mail you want then yes, you need welcomelist_from_rcvd, but 
that's sender's fault.



T_FILL_THIS_FORM_SHORT   0.01 Fill in a short form with personal information
URIBL_BLOCKED   0.001 ADMINISTRATOR NOTICE: The query to URIBL was
blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block


this usually means you need to configure your own DNS server and not use 
public google/cloudflare/quad9 or your ISP's DNS servers.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


Re: Whitelist or add negative values for score

2022-12-20 Thread Loren Wilton
Personally I'd look at why BIGNUM_EMAILS_MANY is hitting and see if there is 
something the sender could do to avoid it. I'm pretty sure I've never seen that 
rule hit in any of my spam, so it must be something a bit unique.

Loren


Re: Whitelist or add negative values for score

2022-12-20 Thread Joey J
Thanks to Bill and Matus for your responses.

Basically, the client is talking about real money transactions, airplanes,
paypal etc, but he is a legit sender with these often flagged topics.
Sometimes the message goes through, but by the time you reply 2 or 3 times,
there are more of the buzz words that SA looks at based on rules.

We can't whitelist j...@company.com because of course everyone pretending to
be him will more than likely get whitelisted and you know the rest.
This is why I thought if user j...@company.com from ip 1.2.3.4 condition
would allow me to add some negative score to get over the total flagging it
as spam.

You guys would know better than I as to which would be the best method, I
like scoring it some and going to -100.

Within the reject to the user it had the following:

Spam detection results:  3

ClamAVHeuristics 3 ClamAV heuristic test:
Phishing.Email.SpoofedDomain (clamav)

AWL -0.969 Adjusted score from AWL reputation of From:
address

BAYES_00 -1.9 Bayes spam probability is 0 to 1%

BIGNUM_EMAILS_MANY  2.999 Lots of email addresses/leads, over and over

DKIM_INVALID  0.1 DKIM or DK signature exists, but is not valid

DKIM_SIGNED   0.1 Message has a DKIM or DK signature, not
necessarily valid

HTML_FONT_LOW_CONTRAST  0.001 HTML font color similar or identical to
background

HTML_MESSAGE 0.001 HTML included in message

KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict
Alignment

SPF_HELO_NONE   0.001 SPF: HELO does not publish an SPF Record

SPF_PASS   -0.001 SPF: sender matches SPF record

T_FILL_THIS_FORM_SHORT   0.01 Fill in a short form with personal information
URIBL_BLOCKED   0.001 ADMINISTRATOR NOTICE: The query to URIBL was
blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block



On Tue, Dec 20, 2022 at 6:14 AM Matus UHLAR - fantomas 
wrote:

> On 19.12.22 20:05, Joey J wrote:
> >I'm trying to see if there is a "best way" to provide negative scoring for
> >a certain persons email.
> >As an example if j...@company.com is communicating with paypal or other
> real
> >banking institutions, then at times within the email chain, SA will tag it
> >as spam.
>
> do you have an example?
>
> >I want to see if there is if email is from j...@company.com AND is from IP
> >address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> >those legitimate types of messages through.
>
> there are techniques like SPF and DKIM to authenticate e-mail.
> In such case you should be able to "welcomelist_auth j...@company.com"
> without
> providing outgoing mailserver IP
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-20 Thread Matus UHLAR - fantomas

On 19.12.22 20:05, Joey J wrote:

I'm trying to see if there is a "best way" to provide negative scoring for
a certain persons email.
As an example if j...@company.com is communicating with paypal or other real
banking institutions, then at times within the email chain, SA will tag it
as spam.


do you have an example?


I want to see if there is if email is from j...@company.com AND is from IP
address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
those legitimate types of messages through.


there are techniques like SPF and DKIM to authenticate e-mail.
In such case you should be able to "welcomelist_auth j...@company.com" without 
providing outgoing mailserver IP


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: Whitelist or add negative values for score

2022-12-19 Thread Bill Cole

On 2022-12-19 at 21:43:08 UTC-0500 (Mon, 19 Dec 2022 21:43:08 -0500)
Joey J 
is rumored to have said:


Thanks,
So welcomelist_from_rcvd j...@company.com [1.2.3.4]
Is saying if it's received from j...@company.com and the IP 
combination?

And then simply score it
 welcomelist_from_rcvd score -2
I will try that thank you!


No, there is no score line for a 'welcomelist_from_rcvd' directive.

The syntax for all of the welcomelist/blocklist directives is documented 
in Mail::SpamAssassin::Conf. You can see that with:


 perldoc Mail::SpamAssassin::Conf

In previous versions, these directives all used 'whitelist' and 
'blacklist' so if you are not running 3.4.6 or 4.0.0 those names will be 
in the docs.


The scores for the various wl/bl settings are controlled by a set of 
rules distributed and described in rules/60_welcomelist.cf. As Greg 
indicated, welcomelist_from_rcvd causes a hit on USER_IN_WELCOMELIST, 
which has a default score of -100. You can change that locally in your 
local.cf file, but it will change for ALL addresses you've used with 
welcomelist_from_rcvd or (not recommended) welcomelist_from. You can 
also use def_welcomelist_from_rcvd, which is used for the addresses in 
the "default" welcomelist which is part of the rules distribution. That 
is scored via USER_IN_DEF_WELCOMELIST, set at -15 in the distribution.


A better tool for this would be welcomelist_from_auth, which you can use 
if the sender's SPF authorizes the IP you see the mail from or if their 
mail is signed with DKIM.


The BEST solution would be to figure out specifically why the mail is 
sometimes being tagged as spam, and fix that.





On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:



Joey J  writes:

I'm trying to see if there is a "best way" to provide negative scoring for
a certain persons email.

That's easy.  There are many ways, but not best way.

As an example if j...@company.com is communicating with paypal or other real
banking institutions, then at times within the email chain, SA will tag it
as spam.

It's really not clear what your issue is.

I want to see if there is if email is from j...@company.com AND is from IP
address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
those legitimate types of messages through.
I couldn't find an example on how to accomplish this dual criteria check.
Any assistance is appreciated.

welcomelist_from_rcvd   j...@company.com [1.2.3.4]

should work, but -100.  It would be nice if welcomelist_* could take a
score, but if you are sure you want *your* SA to not mark it as spam,
-100 is the way to spell that.




--
Thanks!
Joey



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
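
Added example (not part of the thread, and not the SpamAssassin project's own rules): a local rule set for the request discussed above, a small fixed bonus only when the From: address and the handing-over relay IP both match, shown beside the From:-only regex approach and an authentication-based variant. The address user@company.example, the LOCAL_* rule names and the -2 scores are placeholders; 1.2.3.4 is the example IP used in the thread, and the relay check assumes trusted_networks/internal_networks are configured so that the first entry of X-Spam-Relays-External is the host that connected to your own servers.

```conf
# local.cf fragment -- added example, not from the thread.
# Placeholders: user@company.example, the LOCAL_* names, the -2 scores.
# 1.2.3.4 is the thread's example IP.

# Sub-rule: the From: header address. On its own this is forgeable,
# because the sender chooses whatever From: they like.
header   __LOCAL_FROM_USER    From:addr =~ /^user\@company\.example$/i

# Weak form (left commented out): scoring on From: alone hands the bonus
# to anyone who forges the address.
# meta     LOCAL_FROM_ONLY      __LOCAL_FROM_USER
# score    LOCAL_FROM_ONLY      -2.0

# Sub-rule: the relay that handed the message to your own servers.
# X-Spam-Relays-External is a pseudo-header SpamAssassin builds from the
# Received: headers; its first entry was recorded by your own server.
# Anchoring at ^ avoids matching an older, forgeable Received: line
# further down the chain.
header   __LOCAL_RELAY_USER   X-Spam-Relays-External =~ /^\[ ip=1\.2\.3\.4 /

# From: address AND known relay IP: small fixed bonus instead of -100.
meta     LOCAL_USER_KNOWN_RELAY   __LOCAL_FROM_USER && __LOCAL_RELAY_USER
describe LOCAL_USER_KNOWN_RELAY   From: user@company.example via its known relay
score    LOCAL_USER_KNOWN_RELAY   -2.0

# Alternative without hard-coding an IP: require a valid DKIM signature
# from the From: (author) domain. DKIM_VALID_AU is a stock rule of the
# DKIM plugin. SPF_PASS is not used here because it is evaluated against
# the envelope sender, which can differ from the From: header.
# Enable only one of the two scored rules, or a message hitting both
# gets -4 in total.
meta     LOCAL_USER_DKIM_AUTHOR   __LOCAL_FROM_USER && DKIM_VALID_AU
describe LOCAL_USER_DKIM_AUTHOR   From: user@company.example with valid author-domain DKIM
score    LOCAL_USER_DKIM_AUTHOR   -2.0
```

Running spamassassin --lint after editing the file catches syntax errors before the rules go live.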


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Actually, what would be the format, in respect to header for that rule?
so
header welcomelist_from_rcvd   j...@company.com [1.2.3.4]

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but if you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Joey J
Thanks,
So welcomelist_from_rcvd j...@company.com [1.2.3.4]
Is saying if it's received from j...@company.com and the IP combination?
And then simply score it
 welcomelist_from_rcvd score -2
I will try that thank you!

On Mon, Dec 19, 2022 at 8:39 PM Greg Troxel  wrote:

>
> Joey J  writes:
>
> > I'm trying to see if there is a "best way" to provide negative scoring
> for
> > a certain persons email.
>
> That's easy.  There are many ways, but not best way.
>
> > As an example if j...@company.com is communicating with paypal or other
> real
> > banking institutions, then at times within the email chain, SA will tag
> it
> > as spam.
>
> It's really not clear what your issue is.
>
> > I want to see if there is if email is from j...@company.com AND is from
> IP
> > address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> > those legitimate types of messages through.
> > I couldn't find an example on how to accomplish this dual criteria check.
> > Any assistance is appreciated.
>
> welcomelist_from_rcvd   j...@company.com [1.2.3.4]
>
> should work, but -100.  It would be nice if welcomelist_* could take a
> score, but if you are sure you want *your* SA to not mark it as spam,
> -100 is the way to spell that.
>


-- 
Thanks!
Joey


Re: Whitelist or add negative values for score

2022-12-19 Thread Greg Troxel

Joey J  writes:

> I'm trying to see if there is a "best way" to provide negative scoring for
> a certain persons email.

That's easy.  There are many ways, but not best way.

> As an example if j...@company.com is communicating with paypal or other real
> banking institutions, then at times within the email chain, SA will tag it
> as spam.

It's really not clear what your issue is.

> I want to see if there is if email is from j...@company.com AND is from IP
> address 1.2.3.4, then lets take away 2 from the score, hopefully allowing
> those legitimate types of messages through.
> I couldn't find an example on how to accomplish this dual criteria check.
> Any assistance is appreciated.

welcomelist_from_rcvd   j...@company.com [1.2.3.4]

should work, but -100.  It would be nice if welcomelist_* could take a
score, but if you are sure you want *your* SA to not mark it as spam,
-100 is the way to spell that.




Re: Whitelist a domain for the URI_HEX check?

2019-12-17 Thread Henrik K
On Tue, Dec 17, 2019 at 05:41:53PM +, RW wrote:
> On Tue, 17 Dec 2019 12:07:34 -0500
> Sean Hennessey wrote:
> 
> > Is it possible to whitelist a domain for the URI_HEX check like you
> > can with the uridnsbl_skip_domain directive?
> 
> No. 
> 
> It currently only scores 0.1, which isn't worth the trouble of
> individual exceptions. If you are seeing anything else you should
> check for a custom score and that your rules aren't badly out of date.

At least many FPs come from http://#aabbcc uris which HTML parser for some
reason produces.  Committed some fixes.



Re: Whitelist a domain for the URI_HEX check?

2019-12-17 Thread RW
On Tue, 17 Dec 2019 12:07:34 -0500
Sean Hennessey wrote:

> Is it possible to whitelist a domain for the URI_HEX check like you
> can with the uridnsbl_skip_domain directive?

No. 

It currently only scores 0.1, which isn't worth the trouble of
individual exceptions. If you are seeing anything else you should
check for a custom score and that your rules aren't badly out of date.


Re: Whitelist rcvd IP

2019-06-12 Thread shanew

I believe the "whitelist_from_rcvd" option, which is now in
SpamAssassin core, functions the same as the old
Mail::SpamAssassin::Plugin::WhitelistRcvdIP module, though with a
slightly different syntax.  If you really want to use it as a blanket
whitelist for a certain IP address or range, the first parameter can
be specified as *@*.  Whether that's advisable, I'll leave to others
to comment.

Also, the old WhitelistRcvdIP plugin is about 12 years old, and I see
no development since then, so I'd be reluctant to use it.



On Wed, 12 Jun 2019, Emanuel Gonzalez wrote:


Hello,

I have the need to mark certain IP addresses as secure, only for receiving
mail, but I can not find information about it.

In a publication they advise using the module called
Mail::SpamAssassin::Plugin::WhitelistRcvdIP but I can not find it.

Any ideas.?

Regards,




--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: Whitelist rcvd IP

2019-06-12 Thread John Hardin

On Wed, 12 Jun 2019, Benny Pedersen wrote:


Emanuel Gonzalez skrev den 2019-06-12 17:48:


 I have the need to mark certain IP addresses as secure, only for
receiving mail, but I can not find information about it.


its trusted_networks


That is not whitelisting. That's whether or not a network is trusted to 
not forge header information.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim VI: If violence wasn’t your last resort, you failed to resort
to enough of it.
---
 804 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Whitelist rcvd IP

2019-06-12 Thread John Hardin

On Wed, 12 Jun 2019, Emanuel Gonzalez wrote:


Hello,

I have the need to mark certain IP addresses as secure, only for receiving 
mail, but I can not find information about it.

In a publication they advise using the module called
Mail::SpamAssassin::Plugin::WhitelistRcvdIP but I can not find it.

Any ideas.?


How is SA glued into your MTA? Are there options there to *completely 
skip* SA scanning for given submitting IP addresses?



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim VI: If violence wasn’t your last resort, you failed to resort
to enough of it.
---
 804 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Whitelist rcvd IP

2019-06-12 Thread Benny Pedersen

Emanuel Gonzalez skrev den 2019-06-12 17:48:


 I have the need to mark certain IP addresses as secure, only for
receiving mail, but I can not find information about it.


its trusted_networks


 In a publication they advise using the module called
Mail::SpamAssassin::Plugin::WhitelistRcvdIP but I can not find it.


link to this documentation is where ?


 Any ideas.?


no


Re: Whitelist IP for SBL check

2018-02-23 Thread shridhar shetty
Yes, I missed it.

On Sat, Feb 24, 2018 at 12:49 AM, RW  wrote:

> On Sat, 24 Feb 2018 00:36:56 +0530
> shridhar shetty wrote:
>
>
> > 'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's
> > end.' In such case we relay our mails through an external server
> > which has clean reputation. That way our mails are delivered to the
> > recipient.
>
> That will help with RCVD_IN_SBL, but URIBL_SBL is based on URI domains.
>


Re: Whitelist IP for SBL check

2018-02-23 Thread RW
On Sat, 24 Feb 2018 00:36:56 +0530
shridhar shetty wrote:


> 'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's
> end.' In such case we relay our mails through an external server
> which has clean reputation. That way our mails are delivered to the
> recipient.

That will help with RCVD_IN_SBL, but URIBL_SBL is based on URI domains.


Re: Whitelist IP for SBL check

2018-02-23 Thread shridhar shetty
Hello Axb,

Below are the responses to your queries.

Why not fix the SBL issue instead of trying to work around it?
Fixing the SBL issue is the first thing we do. But it takes some time so we
do not want our outbound mail service to be affected due to this.

'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.'
In such case we relay our mails through an external server which has clean
reputation. That way our mails are delivered to the recipient.

Give us the SBL number and we may be able to help you out.
Do you mean the response code from zen.spamhaus? the response code is
127.0.0.2



On Fri, Feb 23, 2018 at 10:35 PM, Axb  wrote:

>
> On 02/23/2018 03:26 PM, shridhar shetty wrote:
>
>> Hello,
>>
>> In our infra we use spamassassin to scan our **outgoing** mails too. This
>> is to prevent spammers using our infra to send mails and get our IP's
>> blacklisted. We perform various DNSBL tests on the mail body.
>>
>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>> outgoing mails are getting detected as spam if the email body contains our
>> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>> We have hundreds of domainnames mapped to an single IP.
>>
>
>
> Why not fix the SBL issue instead of trying to work around it?
> Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.
> Give us the SBL number and we may be able to help you out.
>
>
>


Re: Whitelist IP for SBL check

2018-02-23 Thread Markus Clardy
Considering the issue, couldn't you in theory just add "uridnsbl_skip_domain
ip.on.blk.lst"?

I mean, according to URIBL_SBL, it would be if the IP itself is on the
blacklist, so wouldn't skipping the "domain" of a specific IP skip
detection?

On Fri, Feb 23, 2018 at 4:55 PM, David Jones  wrote:

> On 02/23/2018 10:46 AM, Axb wrote:
>
>> On 02/23/2018 04:33 PM, David Jones wrote:
>>
>>> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>>>
>>>> Hello,
>>>>
>>>> In our infra we use spamassassin to scan our **outgoing** mails too.
>>>> This is to prevent spammers using our infra to send mails and get our IP's
>>>> blacklisted. We perform various DNSBL tests on the mail body.


>>> We also scan outbound aggressively to keep our own IPs clean.  I monitor
>>> for our own IPs getting listed in major RBLs every 15 minutes and hourly I
>>> have a script that checks my own IPs in all RBLs listed at
>>> http://multirbl.valli.org/.  You need to make sure you have a good
>>> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
>>> IPs.  You must setup feedback loops with all of the major platforms out
>>> there like Yahoo, AOL, Comcast, etc.
>>>
>>> We send out millions of spammy looking emails every week from
>>> student management systems that don't have an opt-out method to lots of
>>> parents on freemail platforms.  We very rarely get listed on RBLs and have
>>> excellent delivery rates mainly because of compromised account detection
>>> and blocking of outbound mail from the single sender quickly when this is
>>> triggered.  Most sane RBLs will allow for a little junk outbound as long as
>>> you stop it quickly because compromised accounts happen.
>>>
>>>
>>>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>>>> outgoing mails are getting detected as spam if the email body contains our
>>>> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>>>> We have hundreds of domainnames mapped to an single IP.
>>>>
>>>> Is there a way to exclude local IP from DNSBL checks. For eg: if there
>>>> is a local domainname xyz.org present in the mail
>>>> body, then spamassassin should not mark it as spam even if A or NS record
>>>> for xyz.org is listed in SBL.


>>> Setup a quick meta rule that subtracts the same points that the local IP
>>> on Spamhaus adds until you can find a better way to handle this.
>>>
>>> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
>>> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
>>> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>>>
>>> You will need to adjust the header rule to match your Received header
>>> format of your particular MTA and also match the actual Spamhaus rule that
>>> is getting hit.  I just guessed it was RCVD_IN_XBL.
>>>
>>>
>> you are aware that your recommendation doesn't apply to a
>> uridnssub  URIBL_SBL    zen.spamhaus.org.   A   127.0.0.2
>> hit ?
>>
>>
>>
>>
> I was in a hurry, sorry.  My last paragraph had a disclaimer that 2 things
> would need to be adjusted.  Here is 1 of them corrected so the OP will only
> have to make sure the header rule matches his MTA's format:
>
> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
> meta URIBL_SBL_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && URIBL_SBL
> score URIBL_SBL_LOCAL_IP_OFFSET -1.0
>
> --
> David Jones
>



-- 
 - Markus


Re: Whitelist IP for SBL check

2018-02-23 Thread Axb


On 02/23/2018 03:26 PM, shridhar shetty wrote:

Hello,

In our infra we use spamassassin to scan our **outgoing** mails too. This
is to prevent spammers using our infra to send mails and get our IP's
blacklisted. We perform various DNSBL tests on the mail body.

One of our IPs got listed in Spamhaus SBL for some reason, so now our
outgoing mails are getting detected as spam if the email body contains our
local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
We have hundreds of domainnames mapped to an single IP.



Why not fix the SBL issue instead of trying to work around it?
Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.
Give us the SBL number and we may be able to help you out.




Re: Whitelist IP for SBL check

2018-02-23 Thread David Jones

On 02/23/2018 10:46 AM, Axb wrote:

On 02/23/2018 04:33 PM, David Jones wrote:

On 02/23/2018 08:26 AM, shridhar shetty wrote:

Hello,

In our infra we use spamassassin to scan our **outgoing** mails too. 
This is to prevent spammers using our infra to send mails and get our 
IP's blacklisted. We perform various DNSBL tests on the mail body.




We also scan outbound aggressively to keep our own IPs clean.  I 
monitor for our own IPs getting listed in major RBLs every 15 minutes 
and hourly I have a script that checks my own IPs in all RBLs listed 
at http://multirbl.valli.org/.  You need to make sure you have a good 
abuse@ contact setup for your IP ranges based on a WHOIS lookup of the 
IPs.  You must setup feedback loops with all of the major platforms 
out there like Yahoo, AOL, Comcast, etc.


We send out millions of spammy looking emails every week from 
student management systems that don't have an opt-out method to lots 
of parents on freemail platforms.  We very rarely get listed on RBLs 
and have excellent delivery rates mainly because of compromised 
account detection and blocking of outbound mail from the single sender 
quickly when this is triggered.  Most sane RBLs will allow for a 
little junk outbound as long as you stop it quickly because 
compromised accounts happen.



One of our IPs got listed in Spamhaus SBL for some reason, so now our 
outgoing mails are getting detected as spam if the email body 
contains our local domainname whose IP is listed in SBL(hitting 
URIBL_SBL rule).

We have hundreds of domainnames mapped to an single IP.

Is there a way to exclude local IP from DNSBL checks. For eg: if 
there is a local domainname xyz.org present in the 
mail body, then spamassassin should not mark it as spam even if A or 
NS record for xyz.org is listed in SBL.




Setup a quick meta rule that subtracts the same points that the local 
IP on Spamhaus adds until you can find a better way to handle this.


header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
score SPAMHAUS_LOCAL_IP_OFFSET -1.0

You will need to adjust the header rule to match your Received header 
format of your particular MTA and also match the actual Spamhaus rule 
that is getting hit.  I just guessed it was RCVD_IN_XBL.




you are aware that your recommendation doesn't apply to a
uridnssub  URIBL_SBL    zen.spamhaus.org.   A   127.0.0.2
hit ?





I was in a hurry, sorry.  My last paragraph had a disclaimer that 2 
things would need to be adjusted.  Here is 1 of them corrected so the OP 
will only have to make sure the header rule matches his MTA's format:


header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta URIBL_SBL_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && URIBL_SBL
score URIBL_SBL_LOCAL_IP_OFFSET -1.0

--
David Jones
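The two checks discussed in this thread (polling your own sending IPs against the blocklist, and the URIBL_SBL-style lookup of the IPs behind domains linked in the body) both come down to the same DNS query. The sketch below is an added example, not code from any poster or from SpamAssassin: it models only the A-record half of the body check, the resolver is injectable so it runs offline, and every domain, IP and zone answer in the sample data is constructed. Return codes other than the 127.0.0.2 shown in the thread are taken from Spamhaus's published ZEN return codes.

```python
import ipaddress
import re
import socket

ZEN = "zen.spamhaus.org"  # zone named in the uridnssub line quoted in the thread
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def zen_query_name(ip, zone=ZEN):
    """192.0.2.10 -> 10.2.0.192.zen.spamhaus.org (octets reversed, zone appended)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answer):
    """Translate one A record returned by the zone into a list name."""
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET:
        # Refused or malformed query (for example one sent through a public
        # resolver). This is not a listing and must not be scored as one.
        return "ERROR"
    if addr not in LISTING_NET:
        return "OTHER"
    last = int(addr) & 0xFF
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "OTHER"


def system_resolver(qname):
    """Real lookup: A records for qname, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def check_ip(ip, resolver=system_resolver):
    """Sorted list names an IP appears on; ['ERROR'] means the answer is unusable."""
    return sorted({classify(a) for a in resolver(zen_query_name(ip))})


URI_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def uribl_sbl_hits(body, a_records, resolver=system_resolver):
    """Hosts linked in the body whose A record is SBL-listed (A records only)."""
    hits = set()
    for host in URI_HOST.findall(body):
        host = host.lower().rstrip(".")
        for ip in a_records.get(host, []):
            if "SBL" in check_ip(ip, resolver):
                hits.add(host)
    return sorted(hits)


# --- constructed sample data (documentation address ranges, not real listings) ---
SHARED_IP = "192.0.2.10"
A_RECORDS = {
    "www.example.org": [SHARED_IP],
    "shop.example.net": [SHARED_IP],
    "docs.example.com": ["198.51.100.7"],
}
FAKE_ZEN = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}
BODY = ("Invoice: http://www.example.org/pay and https://shop.example.net/cart, "
        "help at http://docs.example.com/")


def fake_resolver(qname):
    return FAKE_ZEN.get(qname, [])


def blocked_resolver(qname):
    return ["127.255.255.254"]


if __name__ == "__main__":
    print("own IP status:", check_ip(SHARED_IP, fake_resolver))
    print("body hosts hitting SBL:", uribl_sbl_hits(BODY, A_RECORDS, fake_resolver))
    print("through a refused resolver:", check_ip(SHARED_IP, blocked_resolver))
```

Every hosted domain that resolves to the one listed address trips the check, which is why the offset rule only hides the symptom on the sending side while recipients running the same lookup still see the hit.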


Re: Whitelist IP for SBL check

2018-02-23 Thread Axb

On 02/23/2018 04:33 PM, David Jones wrote:

On 02/23/2018 08:26 AM, shridhar shetty wrote:

Hello,

In our infra we use spamassassin to scan our **outgoing** mails too. 
This is to prevent spammers using our infra to send mails and get our 
IP's blacklisted. We perform various DNSBL tests on the mail body.




We also scan outbound aggressively to keep our own IPs clean.  I monitor 
for our own IPs getting listed in major RBLs every 15 minutes and hourly 
I have a script that checks my own IPs in all RBLs listed at 
http://multirbl.valli.org/.  You need to make sure you have a good 
abuse@ contact setup for your IP ranges based on a WHOIS lookup of the 
IPs.  You must setup feedback loops with all of the major platforms out 
there like Yahoo, AOL, Comcast, etc.


We send out millions of spammy looking emails every week from 
student management systems that don't have an opt-out method to lots of 
parents on freemail platforms.  We very rarely get listed on RBLs and 
have excellent delivery rates mainly because of compromised account 
detection and blocking of outbound mail from the single sender quickly 
when this is triggered.  Most sane RBLs will allow for a little junk 
outbound as long as you stop it quickly because compromised accounts 
happen.



One of our IPs got listed in Spamhaus SBL for some reason, so now our 
outgoing mails are getting detected as spam if the email body contains 
our local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).

We have hundreds of domainnames mapped to a single IP.

Is there a way to exclude local IP from DNSBL checks. For eg: if there 
is a local domainname xyz.org  present in the mail 
body, then spamassassin should not mark it as spam even if A or NS 
record for xyz.org  is listed in SBL.




Setup a quick meta rule that subtracts the same points that the local IP 
on Spamhaus adds until you can find a better way to handle this.


header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
score SPAMHAUS_LOCAL_IP_OFFSET -1.0

You will need to adjust the header rule to match your Received header 
format of your particular MTA and also match the actual Spamhaus rule 
that is getting hit.  I just guessed it was RCVD_IN_XBL.




you are aware that your recommendation doesn't apply to a
uridnssub  URIBL_SBL    zen.spamhaus.org.   A   127.0.0.2
hit ?





Re: Whitelist IP for SBL check

2018-02-23 Thread David Jones

On 02/23/2018 08:26 AM, shridhar shetty wrote:

Hello,

In our infra we use spamassassin to scan our **outgoing** mails too. 
This is to prevent spammers using our infra to send mails and get our 
IP's blacklisted. We perform various DNSBL tests on the mail body.




We also scan outbound aggressively to keep our own IPs clean.  I monitor 
for our own IPs getting listed in major RBLs every 15 minutes and hourly 
I have a script that checks my own IPs in all RBLs listed at 
http://multirbl.valli.org/.  You need to make sure you have a good 
abuse@ contact setup for your IP ranges based on a WHOIS lookup of the 
IPs.  You must setup feedback loops with all of the major platforms out 
there like Yahoo, AOL, Comcast, etc.


We send out millions of spammy looking emails every week from 
student management systems that don't have an opt-out method to lots of 
parents on freemail platforms.  We very rarely get listed on RBLs and 
have excellent delivery rates mainly because of compromised account 
detection and blocking of outbound mail from the single sender quickly 
when this is triggered.  Most sane RBLs will allow for a little junk 
outbound as long as you stop it quickly because compromised accounts happen.



One of our IPs got listed in Spamhaus SBL for some reason, so now our 
outgoing mails are getting detected as spam if the email body contains 
our local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).

We have hundreds of domainnames mapped to a single IP.

Is there a way to exclude local IP from DNSBL checks. For eg: if there 
is a local domainname xyz.org  present in the mail body, 
then spamassassin should not mark it as spam even if A or NS record for 
xyz.org  is listed in SBL.




Setup a quick meta rule that subtracts the same points that the local IP 
on Spamhaus adds until you can find a better way to handle this.


header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
score SPAMHAUS_LOCAL_IP_OFFSET -1.0

You will need to adjust the header rule to match your Received header 
format of your particular MTA and also match the actual Spamhaus rule 
that is getting hit.  I just guessed it was RCVD_IN_XBL.


--
David Jones


Re: whitelist issues with sprintpcs.com

2016-07-05 Thread Shawn Bakhtiar
One possibility I don't see mentioned is to simply accept this at the MTA level.

I've often had to do this when a sending domain is misconfigured but is part of 
our legitimate senders. It obviously opens up doors you'll have to monitor 
other ways.

but in Sendmail it is as simple as adding the domains to the access db.

Then use something a la the following to set a really low score on those emails:

https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_AccessDB.html



On Jul 3, 2016, at 10:43 AM, Alex wrote:

Hi,

I'm trying to whitelist mail from sprintpcs.com in the 
best way
possible, but it's ignoring attempts at even using whitelist_from and
I don't know why. Perhaps it's something with the way the mail is
formatted? No SPF or DKIM available to be used.

These messages are being quarantined because people are sending
photos in a quick text message without any subject or body content.

I've put up an example here and hoped someone could take a look.

http://pastebin.com/1vapSDdF

This appears to be the only available headers:

Received: from lxnsmsomta04.localdomain (smtp4a.mo.sprintpcs.com [66.1.208.13])
   by mail01.example.com (Postfix) with ESMTP id 7FF846800CC30
   for ; Sat, 25 Jun 2016 21:21:21 -0400 (EDT)
Received: from musreb31.nmcc.sprintspectrum.com (unknown [10.25.157.71])
   by lxnsmsomta04.localdomain (Postfix) with ESMTP id 64B18608C
   for ; Sat, 25 Jun 2016 20:19:20 -0500 (CDT)

The envelope-from looks okay, but the "From" is not formatted properly.

X-Envelope-From: <15556142...@pm.sprint.com>
From: 5556142...@pm.sprint.com

Thanks for any ideas.
Alex



Re: whitelist issues with sprintpcs.com

2016-07-04 Thread Bill Cole

On 4 Jul 2016, at 21:57, Alex wrote:


Hi,

On Mon, Jul 4, 2016 at 9:00 PM, Bill Cole
 wrote:

On 3 Jul 2016, at 14:48, Alex wrote:


On 2016-07-03 20:18, Alex wrote:


whitelist_from *@pm.sprintpcs.com


[...]


From: Sprint User <5556142...@pm.sprint.com>



One of these things is not like the other...  Not that it actually 
matters.


This is also substantially confused by the fact that your pastebin 
version is both mangled by whatever is "quarantining" the message and 
apparently manually munged for privacy. That is probably confusing some 
of the people offering "help" because it isn't obvious what is 
substituted for what and how various oddities arose in that odd 
message...


Outside of using "example" in place of our domain, and changing the
phone number without affecting its format, no other changes were made.


I figured that out after doing my own testing and seeing that most of 
what looked strange about your example was Sprint's. I had not looked at 
the details of their breakage for a while and some of it is new.


There are SO MANY wrong things about this. At the top of the list: 
Sprint is adding fraudulent Resent-* headers. This breaks ANY rational 
attempt to whitelist in SpamAssassin, which unfortunately trusts the 
Resent-From header above all others to the point of ignoring all others 
entirely. If I manually remove the Resent-From header, SA sees both the 
RFC5321.MailFrom and RFC5322.From values as part of "all '*From' addrs" 
but with Resent-From it only sees the local alias to which the SMS was 
sent.


In my initial message, I mentioned these were being quarantined, which
I thought was enough to make it clear I was pulling them from my
quarantine.


That was quite clear to me. Quarantine mechanisms vary greatly so it is 
never exactly clear what a quarantine process has done and what is 
original. Your quarantine seems to have changed the envelope sender to 
the null sender, but it also preserved the original and other information 
in X-* headers so that doesn't matter.



It was discovered in a later post that these Resent-From
headers were added during this quarantine process. I'm very sorry for
the confusion.


Here's the issue: I don't believe that to be the case, although it is 
what I thought at first as well when looking at your sample.


However, since the message I sent myself as a test from my Sprint phone 
to my personal mail server had analogous Resent-* headers with 
Resent-Date matching the first Sprint timestamp, and I don't use any 
sort of quarantine or other gadgetry that would ever add Resent-* 
headers, it is clearly a quirk of Sprint.


Sprint is adding headers that cannot be accidental which describe a 
resending event that never happened at the point where the message 
entered the Internet email system through their machines. Without the 
Resent-From header SpamAssassin could whitelist based on the envelope 
sender (RFC5321.MailFrom) or even the From header (RFC5322.From) but 
Sprint's inexplicable addition of the header makes them impossible to 
whitelist in any sane manner.



After removing the Resent-From headers, I'm able to successfully test
the whitelisting of the quarantined messages against my local
whitelist_from_rcvd entries.

Sprint is definitely broken, and I hate having to whitelist them. It
is really just the KAM_LAZY_DOMAIN_SECURITY from the KAM.cf rules
that's causing it to be quarantined. I suppose I could also write a
meta that subtracts the same points if it's been relayed through
sprintpcs, etc. I'm discussing this rule separately with Joe/Kevin for
this reason.

Thanks for your thorough help, as always.


I fear my first message was too verbose to be clear, so I'll put it more 
directly:


Whitelisting of Sprint's messages based on any type of sender address 
cannot work. That's entirely the fault of Sprint's weird addition of a 
fake Resent-From header and a non-intuitive quirk of SpamAssassin that 
makes Resent-From much too powerful.


Re: whitelist issues with sprintpcs.com

2016-07-04 Thread Alex
Hi,

On Mon, Jul 4, 2016 at 9:00 PM, Bill Cole
 wrote:
> On 3 Jul 2016, at 14:48, Alex wrote:
>
>>> On 2016-07-03 20:18, Alex wrote:
>>>
>>>> whitelist_from *@pm.sprintpcs.com
>
> [...]
>>
>> From: Sprint User <5556142...@pm.sprint.com>
>
>
> One of these things is not like the other...  Not that it actually matters.
>
> This is also substantially confused by the fact that your pastebin version
> is both mangled by whatever is "quarantining" the message and apparently
> manually munged for privacy. That is probably confusing some of the people
> offering "help" because it isn't obvious what is substituted for what and
> how various oddities arose in that odd message...

Outside of using "example" in place of our domain, and changing the
phone number without affecting its format, no other changes were made.

> There are SO MANY wrong things about this. At the top of the list: Sprint is
> adding fraudulent Resent-* headers. This breaks ANY rational attempt to
> whitelist in SpamAssassin, which unfortunately trusts the Resent-From header
> above all others to the point of ignoring all others entirely. If I manually
> remove the Resent-From header, SA sees both the RFC5321.MailFrom and
> RFC5322.From values as part of "all '*From' addrs" but with Resent-From it
> only sees the local alias to which the SMS was sent.

In my initial message, I mentioned these were being quarantined, which
I thought was enough to make it clear I was pulling them from my
quarantine. It was discovered in a later post that these Resent-From
headers were added during this quarantine process. I'm very sorry for
the confusion.

After removing the Resent-From headers, I'm able to successfully test
the whitelisting of the quarantined messages against my local
whitelist_from_rcvd entries.

Sprint is definitely broken, and I hate having to whitelist them. It
is really just the KAM_LAZY_DOMAIN_SECURITY from the KAM.cf rules
that's causing it to be quarantined. I suppose I could also write a
meta that subtracts the same points if it's been relayed through
sprintpcs, etc. I'm discussing this rule separately with Joe/Kevin for
this reason.

Thanks for your thorough help, as always.
Alex


Re: whitelist issues with sprintpcs.com

2016-07-04 Thread Bill Cole

On 3 Jul 2016, at 14:48, Alex wrote:


On 2016-07-03 20:18, Alex wrote:


whitelist_from *@pm.sprintpcs.com

[...]

From: Sprint User <5556142...@pm.sprint.com>


One of these things is not like the other...  Not that it actually 
matters.


This is also substantially confused by the fact that your pastebin 
version is both mangled by whatever is "quarantining" the message and 
apparently manually munged for privacy. That is probably confusing some 
of the people offering "help" because it isn't obvious what is 
substituted for what and how various oddities arose in that odd 
message...


In my experience messages recently emerging from Sprint PCS (these days 
just called "Sprint" because they've almost entirely exited all other 
businesses and "PCS" has no particular branding value) come from 
'1[10-digits]@pm.sprint.com' as RFC5321.MailFrom and 
'[10-digits]@pm.sprint.com' as RFC5322.From and look like the one below 
which I just sent myself. All redactions are enclosed in [] and 
represent these values:


10DIGIT: My 10-digit (NANP) phone number used to send the SMS
LOCALALIAS: The virtual alias in scconsult.com it was sent to
LOCALUSER: The real user on the real host that handled final delivery

There is NO OTHER modification of the message as delivered. X-Spam-Score 
and X-Spam-Score headers are added locally by MIMEDefang and represent 
the analysis by the local instance of SpamAssassin


= BEGIN SAMPLE MESSAGE =
Return-Path: <1[10DIGIT]@pm.sprint.com>
X-Original-To: [LOCALALIAS]@scconsult.com
Delivered-To: [LOCALUSER]@toaster.scconsult.com
Received: from lxnsmsomta01.localdomain (smtp1a.mo.sprintpcs.com [66.1.208.6])
   by toaster.scconsult.com (Postfix) with ESMTP id 3rk30K3Rt5z1Zfg5v
   for ; Mon,  4 Jul 2016 19:20:33 -0400 (EDT)
Received: from musres11.nmcc.sprintspectrum.com (unknown [10.25.157.71])
   by lxnsmsomta01.localdomain (Postfix) with ESMTP id 7520F6807
   for <[LOCALALIAS]@scconsult.com>; Mon,  4 Jul 2016 18:20:27 -0500 (CDT)
Resent-Date: Mon, 04 Jul 2016 23:20:27 GMT
Resent-From: [LOCALALIAS]@scconsult.com
Resent-To: [LOCALALIAS]@scconsult.com
Received: by pixmbl.com ; Mon, 04 Jul 2016 23:20:27 GMT
Content-Type: multipart/related;boundary=1_577AEF37_3309AC80;type="text/html"
Date: Mon, 04 Jul 2016 23:20:23 GMT
To: [LOCALALIAS]@scconsult.com
From: [10DIGIT]@pm.sprint.com
Message-ID: 
Mime-Version: 1.0
X-Spam-Score: 4.122 () BAYES_60,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_SUBJECT,SCC_DEBUG,SCC_RCVD_FORMAT3
Subject:
X-Spam-Status: Maybe, score=4.122 required=4.3 tests=[BAYES_60,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_SUBJECT,SCC_DEBUG,SCC_RCVD_FORMAT3]

--1_577AEF37_3309AC80
Content-Type: text/html;charset="UTF-8"
Content-Transfer-Encoding: base64

PEhUTUw+CiAgICAgICAgPEhFQUQ+CiAgICAgICAgICAgICAgICA8VElUTEU+PC9USVRMRT4KICAg
ICAgICA8L0hFQUQ+CiAgICAgICAgPEJPRFk+CiAgICAgICAgICAgICAgICA8UCBhbGlnbj0ibGVm
dCI+PEZPTlQgZmFjZT0iVmVyZGFuYSIgY29sb3I9IiNjYzAwMDAiIHNpemU9IjIiPlNlbnQgZnJv
bSBteSBtb2JpbGUuCiAgICAgICAgICAgICAgICA8QlI+X19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzwvRk9OVD48L1A+CgogICAgICAg
ICAgICAgICAgPFBSRT4KSGV5IGplcmsuIEknbSB0YWxraW5nIHRvIFlPVQoKPC9QUkU+CiAgICAg
ICAgPC9CT0RZPgo8L0hUTUw+Cg==
--1_577AEF37_3309AC80--
= END SAMPLE MESSAGE =

There are SO MANY wrong things about this. At the top of the list: 
Sprint is adding fraudulent Resent-* headers. This breaks ANY rational 
attempt to whitelist in SpamAssassin, which unfortunately trusts the 
Resent-From header above all others to the point of ignoring all others 
entirely. If I manually remove the Resent-From header, SA sees both the 
RFC5321.MailFrom and RFC5322.From values as part of "all '*From' addrs" 
but with Resent-From it only sees the local alias to which the SMS was 
sent.


Beyond that, this message which started as a 29-character SMS got turned 
into 362 characters of HTML with a pointless intro line and nominally 
wrapped in a "multipart/related" which in fact was just one part. And 
since as an SMS, the original had no Subject, it added on a Subject that 
was empty. And to top it off, they EHLO with a bogus name despite having 
a perfectly good one available to them.


Given the stupidity with which Sprint handles messages from their 
mobiles to the Internet, I have a hard time justifying the work required 
to whitelist them. You actually cannot do it now in SpamAssassin without 
special rules created just for Sprint and carefully crafted to avoid 
applying to anyone else. I see no reason in my circumstances to do that 
work. I have complained to Sprint myself as their customer and been lied 
to in response. I have complained to them as a postmaster of the US 
branch of a well-known Global 50 conglomerate and been ignored. They 
have gotten worse over the past 8 years since I held that role, and I 
now have far less need to work around their increased 

Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Sidney Markowitz
Benny Pedersen wrote on 4/07/16 9:47 AM:
> On 2016-07-03 23:34, Groach wrote:
>> On 03/07/2016 23:29, Reindl Harald wrote:

It turns out that this mailing list software gives me only a bigger hammer
than I wanted to use. I cannot place individuals under moderation so I can
review their posts before allowing them through. The best I can do is to add a
name to a list of senders whose posts are rejected. They will continue to
receive the mailing list.

I will do that if necessary without further comment. Send the off-topic/toxic
emails to each other if you can't help yourself from posting them, but not to
this list.

Here is an excerpt of my post from last month about off-topic posts. I
recognize that this post is off-topic by my own definition. My prerogative as
moderator.

This is the SpamAssassin users mailing list. Discussions related to
SpamAssassin are fine. Rudely insulting someone, even if they are as
frustratingly stupid as you claim is off topic. Telling someone how rude they
are is off topic. Explaining how someone's apparent rudeness was just an
innocent mistake caused by a culture difference in how they write their name
is off topic. Complaining that someone should do something about the off topic
messages or we should all stay on topic is off topic.


 Sidney



Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



On 03.07.2016 at 23:47, Benny Pedersen wrote:

On 2016-07-03 23:34, Groach wrote:

On 03/07/2016 23:29, Reindl Harald wrote:


sorry, but when i see Benny after 5 years experience on several
lists i just have enough, mouth wide often but technical still a
noob

 http://geekologie.com/2011/08/08/mad-on-the-internet-cut.jpg


http://ipv6bingo.com/ :=)

whitelist_from is not a bug in spamassassin, like guns dont kill people,
people do :=)


nobody talked at whitelist_from which is the last resort when 
whitelist_from_rcvd is not possible for whatever reasons and *nothing* 
is a bug by existence as long it is not default


come back when you have something valuable to say (2 out of 500 posts 
AFAIR)






Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 23:34, Groach wrote:

On 03/07/2016 23:29, Reindl Harald wrote:


sorry, but when i see Benny after 5 years experience on several
lists i just have enough, mouth wide often but technical still a
noob

 http://geekologie.com/2011/08/08/mad-on-the-internet-cut.jpg


http://ipv6bingo.com/ :=)

whitelist_from is not a bug in spamassassin, like guns dont kill people, 
people do :=)


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Groach


On 03/07/2016 23:29, Reindl Harald wrote:
sorry, but when i see Benny after 5 years experience on several lists 
i just have enough, mouth wide often but technical still a noob

http://geekologie.com/2011/08/08/mad-on-the-internet-cut.jpg


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



On 03.07.2016 at 23:24, Alex wrote:

whitelist_from *@pm.sprintpcs.com

does not work.. Why?


It's because the mail has a Resent-From which overrides any other from type
header.

From the documentation Mail::SpamAssassin::Conf

"The headers checked for whitelist addresses are as follows: if Resent-From is
set, use that; otherwise check all addresses taken from the following set of
headers:

Envelope-Sender
Resent-Sender
X-Envelope-From
From

In addition, the ``envelope sender'' data, taken from the SMTP envelope data
where this is available, is looked up."


Thanks so much. I never would have expected it to not apply the
whitelist settings based on the presence of a particular header.

Thanks also to RW and Reindl, despite the bickering


sorry, but when i see Benny after 5 years experience on several lists i 
just have enough, mouth wide often but technical still a noob






Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Alex
Hi,

>>>> whitelist_from *@pm.sprintpcs.com
>>>>
>>>> does not work.. Why?
>
> It's because the mail has a Resent-From which overrides any other from type
> header.
>
> From the documentation Mail::SpamAssassin::Conf
>
> "The headers checked for whitelist addresses are as follows: if Resent-From is
> set, use that; otherwise check all addresses taken from the following set of
> headers:
>
> Envelope-Sender
> Resent-Sender
> X-Envelope-From
> From
>
> In addition, the ``envelope sender'' data, taken from the SMTP envelope data
> where this is available, is looked up."

Thanks so much. I never would have expected it to not apply the
whitelist settings based on the presence of a particular header.

Thanks also to RW and Reindl, despite the bickering.

Thanks,
Alex


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread RW
On Sun, 3 Jul 2016 14:18:38 -0400
Alex wrote:

> Hi,
> 
> >>> since they are fucking too stupid for SPF on their subdomains
> >>> whitelist_from_rcvd *@pm.sprint.com sprintpcs.com  
> >>
> >> all headers begin with x- is per definition forged header
> >>  
> 
> > when there is no SPF/DKIM you need to rely on headers  
> 
> omg, both of you guys. I didn't say anything about SPF. I realize
> there's no SPF/DKIM, and in fact already stated that. I'm trying to
> get even the most basic form of whitelisting working.
> 
> whitelist_from *@pm.sprintpcs.com
> 
> does not work.. Why?

The email you linked has a Resent-From header. If you edit that out and
retest it will probably work.



Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Groach



On 03/07/2016 22:43, Sidney Markowitz wrote:

whitelist_from *@pm.sprintpcs.com

does not work.. Why?

It's because the mail has a Resent-From which overrides any other from type
header.

 From the documentation Mail::SpamAssassin::Conf

"The headers checked for whitelist addresses are as follows: if Resent-From is
set, use that; otherwise check all addresses taken from the following set of
headers:

 Envelope-Sender
 Resent-Sender
 X-Envelope-From
 From

In addition, the ``envelope sender'' data, taken from the SMTP envelope data
where this is available, is looked up."

  Sidney


And look:  not a single impolite, bad mannered, offensive expletive 
or swear word in sight.


What a pleasant surprise  - to see an answer that ISN'T accusing, 
squabbling or swearing at someone.  (Sometimes I often forget this is a 
PUBLIC mailing list I am watching.  It just gets embarrassing.)


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Sidney Markowitz
Alex wrote on 4/07/16 6:48 AM:
> Hi,
> 
> On Sun, Jul 3, 2016 at 2:29 PM, Benny Pedersen  wrote:
>> On 2016-07-03 20:18, Alex wrote:
>>
>>> whitelist_from *@pm.sprintpcs.com
>>>
>>> does not work.. Why?

It's because the mail has a Resent-From which overrides any other from type
header.

From the documentation Mail::SpamAssassin::Conf

"The headers checked for whitelist addresses are as follows: if Resent-From is
set, use that; otherwise check all addresses taken from the following set of
headers:

Envelope-Sender
Resent-Sender
X-Envelope-From
From

In addition, the ``envelope sender'' data, taken from the SMTP envelope data
where this is available, is looked up."

 Sidney
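The address-selection order quoted from Mail::SpamAssassin::Conf above, modelled as an added example that is not part of any post and is not SpamAssassin's own code. The message is constructed after the sample posted elsewhere in this thread, with a fictitious phone number and example.com standing in for the recipient domain; the glob match is a simplification of whitelist_from pattern handling, and placing the envelope sender in the fallback branch follows the behaviour reported in the thread.

```python
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Fallback headers, in the order the quoted documentation lists them.
FALLBACK_HEADERS = ("Envelope-Sender", "Resent-Sender", "X-Envelope-From", "From")

# Constructed message: header layout follows the thread's sample, values are made up.
SAMPLE = """\
Return-Path: <15555550100@pm.sprint.com>
X-Envelope-From: <15555550100@pm.sprint.com>
Resent-Date: Mon, 04 Jul 2016 23:20:27 GMT
Resent-From: alias@example.com
Resent-To: alias@example.com
Date: Mon, 04 Jul 2016 23:20:23 GMT
To: alias@example.com
From: 5555550100@pm.sprint.com
Subject:

Sent from my mobile.
"""


def parse(text):
    """Parse raw message text into an email.message.Message."""
    return message_from_string(text)


def addresses(msg, header):
    """All addresses found in every occurrence of one header, lower-cased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def whitelist_candidates(msg, envelope_sender=None):
    """Addresses a whitelist_from pattern is compared against, per the quoted docs."""
    resent_from = addresses(msg, "Resent-From")
    if resent_from:
        # Resent-From wins outright: nothing else is consulted.
        return resent_from
    found = []
    for header in FALLBACK_HEADERS:
        found += addresses(msg, header)
    if envelope_sender:
        found.append(envelope_sender.lower())
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def is_whitelisted(msg, pattern, envelope_sender=None):
    """True when any candidate address matches the glob pattern (* and ?)."""
    pattern = pattern.lower()
    return any(fnmatchcase(addr, pattern)
               for addr in whitelist_candidates(msg, envelope_sender))


def without_header(text, name):
    """Re-parse the message and drop every occurrence of one header."""
    msg = parse(text)
    del msg[name]
    return msg


if __name__ == "__main__":
    received = parse(SAMPLE)
    stripped = without_header(SAMPLE, "Resent-From")
    for label, msg in (("as received", received), ("Resent-From removed", stripped)):
        print(label, "->", whitelist_candidates(msg))
        for pattern in ("*@pm.sprint.com", "*@pm.sprintpcs.com"):
            print("   ", pattern, is_whitelisted(msg, pattern))
```

With Resent-From present the only candidate is the local alias, so no sender-based pattern can match; once it is removed, `*@pm.sprint.com` matches while the `*@pm.sprintpcs.com` pattern from the original question still does not, because the addresses are in pm.sprint.com.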



Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald


On 03.07.2016 at 20:36, Benny Pedersen wrote:

On 2016-07-03 20:26, Reindl Harald wrote:


Envelope-Sender
Resent-Sender
X-Envelope-From
From


please tell me what mta add this headers as envelope_sender header ?


obviously enough otherwise it would not exist


maybe you after that could tell who is idiot ?


well, i can explain that in a better way

EVERY header in doubt is forged, starting with From at the begin and 
hence for x-headers SpamAssassin relies on internal_networks and/or 
trusted_networks to know *which* headers are on your own side and which 
are from untrusted networks


hence all your first 3 or 4 replies are bullshit by definition

nobody asked for unforgeable whitelisting since it's not possible in the 
case of the OP


the following rule is the way to go
whitelist_from_rcvd *@pm.sprint.com sprintpcs.com

and *yes i know* that the PTR can be forged, since i control the 
PTR-zones of our interfaces it would take 10 seconds to get a 
something.sprintpcs.com


the real problem of the OP is most likely "(amavisd-new, port 10024)" 
and so the SA-list is the wrong place for "why is whitelist_from_rcvd 
from not working properly"







Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Alex
Hi,

On Sun, Jul 3, 2016 at 2:29 PM, Benny Pedersen  wrote:
> On 2016-07-03 20:18, Alex wrote:
>
>> whitelist_from *@pm.sprintpcs.com
>>
>> does not work.. Why?
>
> DSN is not possible to whitelist, its a rfc to accept always DSN

Strictly speaking, it was a quarantined message, not a DSN.

I also tried manually inserting the email address between the <> and
it still didn't work.

I also tried formatting the From: header properly:

From: Sprint User <5556142...@pm.sprint.com>

and it still doesn't work. I'm thinking now it's something else
related to it being a quarantined message. However, I've done this
kind of thing for years and years with no problems.

> Return-Path: <>
>
> whats envelope_sender_header have you in local.cf ?

I don't have any such option in local.cf

Thanks,
Alex


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 20:26, Reindl Harald wrote:


Envelope-Sender
Resent-Sender
X-Envelope-From
From


please tell me what mta add this headers as envelope_sender header ?

maybe you after that could tell who is idiot ?


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 20:18, Alex wrote:


whitelist_from *@pm.sprintpcs.com

does not work.. Why?


DSN is not possible to whitelist, its a rfc to accept always DSN

Return-Path: <>

whats envelope_sender_header have you in local.cf ?


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



On 03.07.2016 at 20:23, Benny Pedersen wrote:

On 2016-07-03 20:16, Reindl Harald wrote:


when there is no SPF/DKIM you need to rely on headers


keep away from using x- headers for whitelist still

its forged


again you are an idiot and should RTFM before play smart-ass

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

whitelist_from u...@example.com

The headers checked for whitelist addresses are as follows: if 
Resent-From is set, use that; otherwise check all addresses taken from 
the following set of headers:


Envelope-Sender
Resent-Sender
X-Envelope-From
From





Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



On 03.07.2016 at 20:21, Benny Pedersen wrote:

On 2016-07-03 20:17, Reindl Harald wrote:

what about shut up?


...


the subdomain has no SPF and so there is not much than headers
since the subdomain has no SPF there is no SPF test at all


it's irrelevant


you are an idiot

"pm.sprint.com" has no SPF
"sprint.com" has SPF

and so you can't use SPF for @pm.sprint.com





Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



On 03.07.2016 at 20:18, Alex wrote:

Hi,


since they are fucking too stupid for SPF on their subdomains
whitelist_from_rcvd *@pm.sprint.com sprintpcs.com


all headers begin with x- is per definition forged header




when there is no SPF/DKIM you need to rely on headers


omg, both of you guys. I didn't say anything about SPF


i know that - see my first reply


I realize
there's no SPF/DKIM, and in fact already stated that. I'm trying to
get even the most basic form of whitelisting working.

whitelist_from *@pm.sprintpcs.com

does not work.. Why?


maybe because they are just idiots and the from-header is invalid?
From: 5556142...@pm.sprint.com

there are no <>

anyways, you are talking a lot that you have tried several things 
without mention *what* you tried


whitelist_from_rcvd *@pm.sprint.com sprintpcs.com

RTFM:
"whitelist_from_rcvd" hangs on the sender and reverse-dns

X-Envelope-From: <15556142...@pm.sprint.com>
X-Spam-RelaysUntrusted: [ ip=66.1.208.13 rdns=smtp4a.mo.sprintpcs.com

when that don't work blame the sender for a) invalid headers and b) 
using SPF for "sprint.com" but not for "pm.sprint.com"






Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 20:16, Reindl Harald wrote:


when there is no SPF/DKIM you need to rely on headers


keep away from using x- headers for whitelist still

its forged


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 20:17, Reindl Harald wrote:

what about shut up?


...


the subdomain has no SPF and so there is not much than headers
since the subdomain has no SPF there is no SPF test at all


it's irrelevant


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Alex
Hi,

>>> since they are fucking too stupid for SPF on their subdomains
>>> whitelist_from_rcvd *@pm.sprint.com sprintpcs.com
>>
>> all headers begin with x- is per definition forged header
>>

> when there is no SPF/DKIM you need to rely on headers

omg, both of you guys. I didn't say anything about SPF. I realize
there's no SPF/DKIM, and in fact already stated that. I'm trying to
get even the most basic form of whitelisting working.

whitelist_from *@pm.sprintpcs.com

does not work.. Why?




Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



Am 03.07.2016 um 20:15 schrieb Benny Pedersen:

On 2016-07-03 19:54, Alex wrote:


As I mentioned, all attempts to whitelist are ignored. I just don't
know why.


do not use x- headers for spf testing in spamassassin since it's per
definition forged


what about shut up?

the subdomain has no SPF and so there is not much than headers
since the subdomain has no SPF there is no SPF test at all





Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 19:54, Alex wrote:

As I mentioned, all attempts to whitelist are ignored. I just don't 
know why.


do not use x- headers for spf testing in spamassassin since it's per 
definition forged


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



Am 03.07.2016 um 20:14 schrieb Benny Pedersen:

On 2016-07-03 19:46, Reindl Harald wrote:


X-Envelope-From: <15556142...@pm.sprint.com>
From: 5556142...@pm.sprint.com


since they are fucking too stupid for SPF on their subdomains
whitelist_from_rcvd *@pm.sprint.com sprintpcs.com


all headers begin with x- is per definition forged header

pay more attention


blablub

when there is no SPF/DKIM you need to rely on headers





Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Benny Pedersen

On 2016-07-03 19:46, Reindl Harald wrote:


X-Envelope-From: <15556142...@pm.sprint.com>
From: 5556142...@pm.sprint.com


since they are fucking too stupid for SPF on their subdomains
whitelist_from_rcvd *@pm.sprint.com sprintpcs.com


all headers begin with x- is per definition forged header

pay more attention


Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Alex
Hi,

>>> whitelist_from_rcvd *@pm.sprint.com sprintpcs.com
>>
>>
>> As I mentioned, all attempts to whitelist are ignored. I just don't know
>> why
>
> you did not properly mention your attempts
> the above works, i have a long list of "whitelist_from_rcvd" for idiots too
> stupid for SPF or DKIM where whitelist_auth is not possible

I mentioned that I tried even whitelist_from and it also didn't work.
There's something wrong with this specific message. I've also done
this before without a problem, but this one doesn't work.

> P.S.:
> PLEASE DO NOT PRESS REPLY ALL - JUST REPLY TO THE LIST BECAUSE OTHERWISE
> YOU BREAK "REPLY-LIST" OF SANE MAIL CLIENTS

Yes, must be some gmail thing, sorry. Try to not shout :-)




Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald



Am 03.07.2016 um 19:54 schrieb Alex:

Received: from lxnsmsomta04.localdomain (smtp4a.mo.sprintpcs.com
[66.1.208.13])
by mail01.example.com (Postfix) with ESMTP id 7FF846800CC30
for ; Sat, 25 Jun 2016 21:21:21 -0400 (EDT)
Received: from musreb31.nmcc.sprintspectrum.com (unknown [10.25.157.71])
by lxnsmsomta04.localdomain (Postfix) with ESMTP id 64B18608C
for ; Sat, 25 Jun 2016 20:19:20 -0500 (CDT)

The envelope-from looks okay, but the "From" is not formatted properly.

X-Envelope-From: <15556142...@pm.sprint.com>
From: 5556142...@pm.sprint.com


since they are fucking too stupid for SPF on their subdomains


Yeah, crazy, right?


whitelist_from_rcvd *@pm.sprint.com sprintpcs.com


As I mentioned, all attempts to whitelist are ignored. I just don't know why


you did not properly mention your attempts

the above works, i have a long list of "whitelist_from_rcvd" for idiots 
too stupid for SPF or DKIM where whitelist_auth is not possible


P.S.:
PLEASE DO NOT PRESS REPLY ALL - JUST REPLY TO THE LIST BECAUSE 
OTHERWISE YOU BREAK "REPLY-LIST" OF SANE MAIL CLIENTS







Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Alex
Hi,

>> Received: from lxnsmsomta04.localdomain (smtp4a.mo.sprintpcs.com
>> [66.1.208.13])
>> by mail01.example.com (Postfix) with ESMTP id 7FF846800CC30
>> for ; Sat, 25 Jun 2016 21:21:21 -0400 (EDT)
>> Received: from musreb31.nmcc.sprintspectrum.com (unknown [10.25.157.71])
>> by lxnsmsomta04.localdomain (Postfix) with ESMTP id 64B18608C
>> for ; Sat, 25 Jun 2016 20:19:20 -0500 (CDT)
>>
>> The envelope-from looks okay, but the "From" is not formatted properly.
>>
>> X-Envelope-From: <15556142...@pm.sprint.com>
>> From: 5556142...@pm.sprint.com
>
> since they are fucking too stupid for SPF on their subdomains

Yeah, crazy, right?

> whitelist_from_rcvd *@pm.sprint.com sprintpcs.com

As I mentioned, all attempts to whitelist are ignored. I just don't know why.



Re: whitelist issues with sprintpcs.com

2016-07-03 Thread Reindl Harald


Am 03.07.2016 um 19:43 schrieb Alex:

I'm trying to whitelist mail from sprintpcs.com in the best way
possible, but it's ignoring attempts at even using whitelist_from and
I don't know why. Perhaps it's something with the way the mail is
formatted? No SPF or DKIM available to be used.

These messages are being quarantined because people are using sending
photos in a quick text message without any subject or body content.

I've put up an example here and hoped someone could take a look.

http://pastebin.com/1vapSDdF

This appears to be the only available headers:

Received: from lxnsmsomta04.localdomain (smtp4a.mo.sprintpcs.com [66.1.208.13])
by mail01.example.com (Postfix) with ESMTP id 7FF846800CC30
for ; Sat, 25 Jun 2016 21:21:21 -0400 (EDT)
Received: from musreb31.nmcc.sprintspectrum.com (unknown [10.25.157.71])
by lxnsmsomta04.localdomain (Postfix) with ESMTP id 64B18608C
for ; Sat, 25 Jun 2016 20:19:20 -0500 (CDT)

The envelope-from looks okay, but the "From" is not formatted properly.

X-Envelope-From: <15556142...@pm.sprint.com>
From: 5556142...@pm.sprint.com


since they are fucking too stupid for SPF on their subdomains
whitelist_from_rcvd *@pm.sprint.com sprintpcs.com






Re: whitelist filter not matching

2015-03-14 Thread Benny Pedersen

Rick Hantz (TirNanOg) skrev den 2015-03-14 00:14:

For some reason,
whitelist_from *@*.usps.gov
whitelist_from *@*.usps.com
doesn't work on the header below. Anyone spot something that I missed?



id D8.68.23218.0CC53055; Fri, 13 Mar 2015 16:55:12 -0500 (CDT)
Return-Path: prvs=4514d207e3=us_postal_serv...@usps.com
From: us_postal_serv...@usps.com


whitelist_from *@usps.com

is missing, note whitelist_from can be forged from the sender, and you 
don't want that


but anyway life is risky, learn to live with it

https://dmarcian.com/spf-survey/usps.com

whitelist_from_spf *@usps.com

is safe

https://dmarcian.com/dmarc-inspector/usps.com

seems they use fo=1 so if dkim is missing it would be forged


Re: whitelist filter not matching

2015-03-14 Thread Benny Pedersen

David B Funk skrev den 2015-03-14 01:23:


As usps.com publishes SPF records you can use whitelist_from_auth and
be safer from abuse.


they miss to add dkim, and dmarc says fo=1

oh crap :=)


Re: whitelist filter not matching

2015-03-13 Thread John Hardin

On Fri, 13 Mar 2015, Rick Hantz (TirNanOg) wrote:


For some reason,
whitelist_from *@*.usps.gov
whitelist_from *@*.usps.com
doesn't work on the header below. Anyone spot something that I missed?

From: us_postal_serv...@usps.com


There's no subdomain there. You may need two entries:

whitelist_from *@usps.com
whitelist_from *@*.usps.com

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim VI: If violence wasn’t your last resort, you failed to resort
to enough of it.
---
 Tomorrow: Albert Einstein's 136th Birthday

Re: whitelist filter not matching

2015-03-13 Thread David B Funk

On Fri, 13 Mar 2015, Rick Hantz (TirNanOg) wrote:


For some reason,
whitelist_from *@*.usps.gov
whitelist_from *@*.usps.com
doesn't work on the header below. Anyone spot something that I missed?

Received: from mailcentral12.srvs.usps.gov ([56.0.143.18]:47963
helo=gk-c18-email.usps.gov)
by coeus.lunarmania.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.82)
(envelope-from prvs=4514d207e3=us_postal_serv...@usps.com)
id 1YWXY0-0006Qi-SZ
for rickhan!tirnanog.com; Fri, 13 Mar 2015 14:55:14 -0700
Received: from mailrelay-ch10i.usps.gov (eagnmn-dlp07.usps.gov
[56.207.40.123])
by gk-c18-email.usps.gov (Sendmail 8.14.3) with SMTP id
D3.37.05253.0CC53055; Fri, 13 Mar 2015 16:55:12 -0500 (CDT)
Received: from eagnmnmep1c96.usps.gov (eagnmnmep1c96.usps.gov
[56.201.220.135])
by mailrelay-ch10i.usps.gov (Symantec Messaging Gateway) with SMTP
id D8.68.23218.0CC53055; Fri, 13 Mar 2015 16:55:12 -0500 (CDT)
Return-Path: prvs=4514d207e3=us_postal_serv...@usps.com
From: us_postal_serv...@usps.com
To: rickhan!tirnanog.com
Subject: USPS Shipment Info for 9405903699300375496337
Date: Fri, 13 Mar 2015 14:55:12 -0700

[snip..]

As usps.com publishes SPF records you can use whitelist_from_auth and
be safer from abuse.

EG:
 whitelist_from_auth *@usps.gov
 whitelist_from_auth *@*.usps.gov


--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: whitelist filter not matching

2015-03-13 Thread Axb

On 03/14/2015 12:14 AM, Rick Hantz (TirNanOg) wrote:

From: us_postal_serv...@usps.com


whitelist_from *@usps.com

or safer (prevent forged senders)

whitelist_from_rcvd *@usps.com usps.gov

watch your syntax...


Re: whitelist limitations

2014-11-13 Thread Reindl Harald



Am 13.11.2014 um 21:08 schrieb Justin Edmands:

We have a few thousand vendors in our websites database that I would
like to add to a whitelist. I am thinking of creating a
/etc/mail/spamassassin/corewhitelist.cf from
this database.

What are the limitations/ repercussions of using a sitewide whitelist?
If I have 2000 addresses in the whitelist, will it take an extra
3,30,60,etc. seconds to process an email? base the performance off of a
2GB RAM 1vCPU 5560 Xeon virtual machine.

What if this list grows to 2 entries?


don't do that!

that sort of whitelisting also means that you bypass any forged mail 
because the From-header and you can't implement a spoofing protection 
also covering From: besides envelope without break mailing-lists


put their servers on a DNSWL with rbdnsd so you trust a specific remote 
host and not a untrustable header!








Re: whitelist limitations

2014-11-13 Thread David B Funk

On Thu, 13 Nov 2014, Justin Edmands wrote:


We have a few thousand vendors in our websites database that I would like to 
add to a whitelist. I am thinking of
creating a /etc/mail/spamassassin/corewhitelist.cf from this database.

What are the limitations/ repercussions of using a sitewide whitelist? If I 
have 2000 addresses in the whitelist,
will it take an extra 3,30,60,etc. seconds to process an email? base the 
performance off of a 2GB RAM 1vCPU 5560
Xeon virtual machine.

What if this list grows to 2 entries?


What exactly do you want to whitelist?
1) specific full e-mail addresses of those vendors who will be sending you 
e-mail from their remote system? (EG joe-sm...@vendor.site.com)
2) URL/domain names of their site (IE anything referring to 
http://vendor.site.com)


If specific e-mail addresses, do they have SPF/DKIM/etc support on their
outgoing mail systems? (IE can you use whitelist_auth ).


--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: whitelist limitations

2014-11-13 Thread Axb

On 11/13/2014 09:08 PM, Justin Edmands wrote:

We have a few thousand vendors in our websites database that I would like
to add to a whitelist. I am thinking of creating a /etc/mail/spamassassin/
corewhitelist.cf from this database.

What are the limitations/ repercussions of using a sitewide whitelist? If I
have 2000 addresses in the whitelist, will it take an extra 3,30,60,etc.
seconds to process an email? base the performance off of a 2GB RAM 1vCPU
5560 Xeon virtual machine.

What if this list grows to 2 entries?



While it's not advisable to keep huge whitelists, depending on your 
traffic, 2000 shortcircuited entries won't hurt *average* performance so 
much so you'd feel it.
It all really depends on your expectations, needs and system load 
without the WL.


What's the average load on that VM?
How many msgs/day
What's your average processing time/msg?
How much of that traffic would be whitelisted?

Does a whitelisted sender get processed in under 0.5 sec?







Re: whitelist limitations

2014-11-13 Thread David F. Skoll
On Thu, 13 Nov 2014 15:08:40 -0500
Justin Edmands shockwav...@gmail.com wrote:

 What if this list grows to 2 entries?

How are you calling SpamAssassin?  Maybe you should build (for example)
a Berkeley DB of whitelisted addresses and simply skip SpamAssassin for
those ones, assuming the method you use to integrate with SpamAssassin
is flexible enough to support this.  This should give you roughly constant
lookup time regardless of how many whitelist entries you have.

Regards,

David.


Re: whitelist limitations

2014-11-13 Thread John Hardin

On Thu, 13 Nov 2014, Justin Edmands wrote:


We have a few thousand vendors in our websites database that I would like
to add to a whitelist. I am thinking of creating a /etc/mail/spamassassin/
corewhitelist.cf from this database.

What are the limitations/ repercussions of using a sitewide whitelist? If I
have 2000 addresses in the whitelist, will it take an extra 3,30,60,etc.
seconds to process an email? base the performance off of a 2GB RAM 1vCPU
5560 Xeon virtual machine.

What if this list grows to 2 entries?


It might be more efficient to whitelist them in your MTA at the glue level
- i.e., if an email comes from their MTA, don't even pass it to SA at all.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim VI: If violence wasn’t your last resort, you failed to resort
  to enough of it.
---
 896 days since the first successful private support mission to ISS (SpaceX)

Re: whitelist limitations

2014-11-13 Thread Benny Pedersen

On November 14, 2014 12:54:15 AM John Hardin jhar...@impsec.org wrote:


It might be more efficient to whitelist them in your MTA at the glue level
- i.e., if an email comes from their MTA, don't even pass it to SA at all.


One draw back is that ham learning is not using content from auth senders 
so in bayes


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread Antony Stone
On Wednesday 10 September 2014 at 14:56:06 (EU time), M. Rodrigo Monteiro 
wrote:

 Hi. Here is my scenario:
 
 Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) -
 Zimbra

 My problem is that when an e-mail comes to multiple destinations and
 one of them is whitelisted, all these destinations becomes whitelisted
 too.

Looks like you want to set smtp_destination_recipient_limit = 1 in your front 
end (MX) postfix setup:

http://postfix.1071664.n5.nabble.com/Split-multiple-recipient-mail-td48458.html


Antony.

-- 
APL [is a language], in which you can write a program to simulate shuffling a 
deck of cards and then dealing them out to several players, in four 
characters, none of which appear on a standard keyboard.

 - David Given

   Please reply to the list;
 please *don't* CC me.


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread Kevin A. McGrail

On 9/10/2014 8:56 AM, M. Rodrigo Monteiro wrote:

Hi. Here is my scenario:

Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) - Zimbra

In SpamAssassin, I have a whitelist/blacklist. All the e-mail passes
through, but Spams are tagged (header and subject).

My problem is that when an e-mail comes to multiple destinations and
one of them is whitelisted, all these destinations becomes whitelisted
too.

In the real example below, the e-mail cs...@mydomain.com is
whitelisted (-200 score). An unique e-mail (spam) comes to 20, 30
destinations and one of them is cs...@mydomain.com. All the
destinations were whitelisted (-200 score).

Here is the header of one e-mail and the log of Postfix.
This behavior is SpamAssassin or Amavisd-new?

The behavior is Amavis.  You need to look at settings (if Amavis can do 
it) or a glue like MIMEDefang that can do stream by domain or stream by 
recipient type solutions to separate the one email into multiple emails 
for individualized test and scoring.


My understanding is that this will negate your ability to decline spam 
during the SMTP connection, though.


Regards,
KAM


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread Antony Stone
On Wednesday 10 September 2014 at 15:17:29 (EU time), Kevin A. McGrail wrote:

 On 9/10/2014 8:56 AM, M. Rodrigo Monteiro wrote:
  Hi. Here is my scenario:
  
  Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) -
  Zimbra
  
  In SpamAssassin, I have a whitelist/blacklist. All the e-mail passes
  through, but Spams are tagged (header and subject).
  
  My problem is that when an e-mail comes to multiple destinations and
  one of them is whitelisted, all these destinations becomes whitelisted
  too.
  
  In the real example below, the e-mail cs...@mydomain.com is
  whitelisted (-200 score). An unique e-mail (spam) comes to 20, 30
  destinations and one of them is cs...@mydomain.com. All the
  destinations were whitelisted (-200 score).
  
  Here is the header of one e-mail and the log of Postfix.
  This behavior is SpamAssassin or Amavisd-new?
 
 The behavior is Amavis.  You need to look at settings (if Amavis can do
 it) or a glue like MIMEDefang that can do stream by domain or stream by
 recipient type solutions to separate the one email into multiple emails
 for individualized test and scoring.
 
 My understanding is that this will negate your ability to decline spam
 during the SMTP connection, though.

Surely that's been negated already, because the MX isn't running SA, therefore 
by the time SA sees the mail and can decide spam/ham, it's already been 
accepted?


Antony.

-- 
It wouldn't be a good idea to talk about him behind his back in front of 
him.

 - murble

   Please reply to the list;
 please *don't* CC me.


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread David F. Skoll
On Wed, 10 Sep 2014 09:56:06 -0300
M. Rodrigo Monteiro fale...@rodrigomonteiro.net wrote:

 My problem is that when an e-mail comes to multiple destinations and
 one of them is whitelisted, all these destinations becomes whitelisted
 too.

There are really only two ways to get around this, and neither one
is particularly pleasant.

Option 1 is to tempfail all RCPT: commands after the first successful one.
This lets you process per-user rules, but has the very bad side-effect
of significantly delaying messages to a large number of recipients.
Depending on the other end, the sender may get a delivery-delayed warning
or the message might not even reach all recipients.  Also, some marginal
SMTP implementations are not tested very well and do not react correctly
if some RCPT commands succeed and others are tempfailed.

Option 2 is to accept the message unfiltered, split it into multiple copies,
and remail each copy so it can be scanned per-recipient.  This avoids
the delay, but it also means you cannot reject spam with a 5xx SMTP failure
code or you'll be blacklisted for backscatter.

Here at Roaring Penguin, we picked Option 2 as the lesser of the two
evils.

Regards,

David.
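
The difference between scanning a multi-recipient message once and the "Option 2" split described above can be modelled as follows. This is an added example, not code from Amavis, MIMEDefang or Roaring Penguin: the scoring function is a hypothetical stand-in for the content rules, the addresses and threshold are constructed, and only the -200 whitelist score comes from the thread.

```python
import copy
from email.message import EmailMessage

WHITELIST_TO = {"whitelisted@mydomain.example"}  # constructed recipient
WHITELIST_SCORE = -200.0                         # score quoted in the thread
SPAM_THRESHOLD = 5.0                             # assumed tagging threshold


def content_score(msg):
    """Hypothetical stand-in for the content rules (fixed score for the sample)."""
    return 12.5 if "cheap pills" in msg.get_content().lower() else 0.0


def scan(msg, envelope_rcpts):
    """One scan pass yields ONE score for every recipient in that pass.

    A whitelist hit on any recipient therefore lowers the score for all.
    """
    score = content_score(msg)
    if any(r.lower() in WHITELIST_TO for r in envelope_rcpts):
        score += WHITELIST_SCORE
    return score


def tag(msg, score):
    """Return a tagged copy; mail is only tagged, never rejected,
    because after splitting the SMTP transaction is already over."""
    tagged = copy.deepcopy(msg)
    tagged["X-Spam-Flag"] = "YES" if score >= SPAM_THRESHOLD else "NO"
    tagged["X-Spam-Score"] = f"{score:.1f}"
    return tagged


def scan_once(msg, envelope_rcpts):
    """Behaviour reported in the thread: all recipients share one result."""
    score = scan(msg, envelope_rcpts)
    return {r: tag(msg, score) for r in envelope_rcpts}


def split_and_scan(msg, envelope_rcpts):
    """Option 2: one copy per recipient, each scanned on its own."""
    return {r: tag(msg, scan(msg, [r])) for r in envelope_rcpts}


def sample_message():
    """Constructed spam sample."""
    msg = EmailMessage()
    msg["From"] = "bulk@sender.example"
    msg["Subject"] = "offer"
    msg.set_content("Cheap pills, click now")
    return msg


RCPTS = ["whitelisted@mydomain.example",
         "alice@mydomain.example",
         "bob@mydomain.example"]

if __name__ == "__main__":
    for name, fn in (("single scan", scan_once), ("split per recipient", split_and_scan)):
        print(name)
        for rcpt, tagged in fn(sample_message(), RCPTS).items():
            print(f"  {rcpt}: flag={tagged['X-Spam-Flag']} score={tagged['X-Spam-Score']}")
```
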


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
2014-09-10 10:23 GMT-03:00 David F. Skoll d...@roaringpenguin.com:
 Option 2 is to accept the message unfiltered, split it into multiple copies,
 and remail each copy so it can be scanned per-recipient.  This avoids
 the delay, but it also means you cannot reject spam with a 5xx SMTP failure
 code or you'll be blacklisted for backscatter.

How can I do it?
All my Spams passes, none are blocked. It's no problem not reject them.


 Here at Roaring Penguin, we picked Option 2 as the lesser of the two
 evils.

 Regards,

 David.

Thanks,
Rodrigo.


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread M. Rodrigo Monteiro
2014-09-10 10:17 GMT-03:00 Antony Stone
antony.st...@spamassassin.open.source.it:
 On Wednesday 10 September 2014 at 14:56:06 (EU time), M. Rodrigo Monteiro
 wrote:

 Hi. Here is my scenario:

 Internet - MX (Postfix) - Relay (Postfix + Amavis with SpamAssassin) -
 Zimbra

 My problem is that when an e-mail comes to multiple destinations and
 one of them is whitelisted, all these destinations becomes whitelisted
 too.

 Looks like you want to set smtp_destination_recipient_limit = 1 in your front
 end (MX) postfix setup:

 http://postfix.1071664.n5.nabble.com/Split-multiple-recipient-mail-td48458.html

That not worked. I tested both on MX and Relay. Still the same problem.

# postconf smtp_destination_recipient_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
# postconf default_destination_recipient_limit
default_destination_recipient_limit = 1


Re: Whitelist one mail with multiple destinations

2014-09-10 Thread David F. Skoll
On Wed, 10 Sep 2014 10:59:16 -0300
M. Rodrigo Monteiro fale...@rodrigomonteiro.net wrote:

  Option 2 is to accept the message unfiltered, split it into
  multiple copies, and remail each copy so it can be scanned
  per-recipient.

 How can I do it?

It depends on the MTA you're using.  If you use one that supports
milter, you can use MIMEDefang to do it.

If you are processing the mail with procmail or some non-milter-supporting
MTA, then I have no idea... you probably will have to write something
custom to do it.

Regards,

David.


Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-07 Thread Benny Pedersen

Per Jessen skrev den 2013-02-06 08:37:


For me that creates too much traffic, unfortunately.


use spf test before reject_unverified_sender reduce this problem here


was the plan not to get it up again ?

See the other postings about http://www.rfc-ignorant.de/ - someone is
working on it.


yep, if i can help i like to do it


I also had plans to continue it, but I simply don't
have the time to commit.


yes this is the part i wish more take time to do, but lifes continues 
anyway





Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-06 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas skrev den 2013-02-04 09:25:
port 25 open. There are multiple ways to detect dynamic IPs (rDNS 
patterns,
PBL, SORBS-DUL, MAPS-DYNA) which I found more safe than TCP port 25 
open.


On 04.02.13 17:27, Benny Pedersen wrote:
i never write only but my point is that if port 25 is open, is it 
then still dynamic ?


if an IP is dynamic, it does not matter whether it has port 25 open.
I gave good examples why it should not be whitelisted. Not all ISPs block
incoming port 25...


i did not say its not more test to do


well I don't see a reason to test for port 25 open, maybe to block open
relays and/or SMTP redirect on misconfigured routers...

This is what e.g. rfci-ignorant or many other rhsbl blacklists are 
for.


they are dead


they are alive on rfc-ignorant.de :-)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Where do you want to go to die? [Microsoft]


Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-06 Thread Per Jessen
Matus UHLAR - fantomas wrote:

Matus UHLAR - fantomas skrev den 2013-02-04 09:25:
port 25 open. There are multiple ways to detect dynamic IPs (rDNS
patterns,
PBL, SORBS-DUL, MAPS-DYNA) which I found more safe than TCP port 25
open.
 
 On 04.02.13 17:27, Benny Pedersen wrote:
i never write only but my point is that if port 25 is open, is it
then still dynamic ?
 
 if an IP is dynamic, it does not matter whether it has port 25 open.
 I gave good examples why it should not be whitelisted. Not all ISPs
 block incoming port 25...
 
i did not say its not more test to do
 
 well I don't see a reason to test for port 25 open, maybe to block
 open relays and/or SMTP redirect on misconfigured routers...
 
This is what e.g. rfci-ignorant or many other rhsbl blacklists are
for.

they are dead
 
 they are alive on rfc-ignorant.de :-)
 

Resurrected perhaps, but not quite alive. 



-- 
Per Jessen, Zürich (-0.1°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.



Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-05 Thread Matthias Leisi
On Tue, Feb 5, 2013 at 8:27 AM, Per Jessen p...@computer.org wrote:


  This is what e.g. rfci-ignorant or many other rhsbl blacklists are
  for.

 rfc-ignorant has gone off-line.


http://www.rfc-ignorant.de/

-- Matthias


Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-05 Thread Per Jessen
Matthias Leisi wrote:

 On Tue, Feb 5, 2013 at 8:27 AM, Per Jessen p...@computer.org wrote:
 
 
  This is what e.g. rfci-ignorant or many other rhsbl blacklists are
  for.

 rfc-ignorant has gone off-line.

 
 http://www.rfc-ignorant.de/
 
 -- Matthias


Thanks, I didn't know someone had decided to continue the project. I
suggested it on the rfc-ignorant mailing list but there wasn't much
interest.  



-- 
Per Jessen, Zürich (7.5°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.



Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-05 Thread Rob McEwen
On 2/5/2013 6:22 AM, Per Jessen wrote:
 http://www.rfc-ignorant.de/
  
  -- Matthias
 Thanks, I didn't know someone had decided to continue the project. I
 suggested it on the rfc-ignorant mailing list but there wasn't much
 interest.  

Interesting and good news!... but their home page states that their
zones are not yet populated. So I guess they are not yet operational
yet? (or maybe the site messages is out of date?)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032



Re: Whitelist and DNS blacklists in SpamAssassin

2013-02-05 Thread Benny Pedersen

Per Jessen skrev den 2013-02-05 08:27:


rfc-ignorant has gone off-line.


that's why i chose to use reject_unverified_sender in postfix, and yes 
i know it can be abused, but it solves more problems than it creates for 
me


was the plan not to get it up again ?






