Re: SPF failure very low score

2013-08-15 Thread Quanah Gibson-Mount
--On Monday, August 12, 2013 2:02 PM -0700 John Hardin jhar...@impsec.org 
wrote:



On Mon, 12 Aug 2013, Bowie Bailey wrote:


On 8/12/2013 2:48 PM, John Hardin wrote:

 On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:

  --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:

 
 body __BODY_FACEBOOK /Facebook/
 meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
 meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
 
 maybe it could be more specific, I just haven't tested it, but why
 accept forged?
  Thanks, that is helpful.  So I assume then I would do something like:

  score FORGED_FACEBOOK_BODY 3.0

  to give it a high SPAM score.
 ...so you want to punish any email that discusses Facebook and does not
 pass SPF *AND* DKIM? Regardless of where the message is (or claims to
 be) from?


Actually, __FORGED_SENDER only fires if the message fails *both* SPF and
DKIM.

(not A) and (not B) == not (A or B)


D'oh!


But this is still a check for message *discussing* Facebook and not
messages  specifically *from* Facebook.




Yeah, I'm not complaining about people discussing facebook, but pretending 
to be facebook.


Example:

Return-Path: no-re...@facebook.com
Received: from edge02-zcs.vmware.com (LHLO edge02-zcs.vmware.com)
(10.113.208.52) by mbs01-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
11:11:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by edge02-zcs.vmware.com (Postfix) with ESMTP id 904D1992;
Thu, 15 Aug 2013 11:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge02-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.814
X-Spam-Level: **
X-Spam-Status: No, score=2.814 tagged_above=-10 required=3
tests=[BAYES_80=2,
DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
KHOP_BIG_TO_CC=0.001, SPF_FAIL=0.001,
T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
Received: from edge02-zcs.vmware.com ([127.0.0.1])
by localhost (edge02-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 
10024)
with ESMTP id Ezz1yu95KGdl; Thu, 15 Aug 2013 11:11:36 -0700 (PDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not 
authorized by default to use 'no-re...@facebook.com' in 'mfrom' identity 
(mechanism '-all' matched)) receiver=edge02-zcs.vmware.com; 
identity=mailfrom; envelope-from=no-re...@facebook.com; 
helo=mail.oandpa.com; client-ip=68.169.160.233

Re: SPF failure very low score

2013-08-15 Thread Bowie Bailey

On 8/15/2013 2:53 PM, Quanah Gibson-Mount wrote:

Yeah, I'm not complaining about people discussing facebook, but pretending
to be facebook.

Example:

Return-Path: no-re...@facebook.com
Received: from edge02-zcs.vmware.com (LHLO edge02-zcs.vmware.com)
  (10.113.208.52) by mbs01-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
  11:11:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by edge02-zcs.vmware.com (Postfix) with ESMTP id 904D1992;
Thu, 15 Aug 2013 11:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge02-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.814
X-Spam-Level: **
X-Spam-Status: No, score=2.814 tagged_above=-10 required=3
tests=[BAYES_80=2,
DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
KHOP_BIG_TO_CC=0.001, SPF_FAIL=0.001,
T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
Received: from edge02-zcs.vmware.com ([127.0.0.1])
by localhost (edge02-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 
10024)
with ESMTP id Ezz1yu95KGdl; Thu, 15 Aug 2013 11:11:36 -0700 (PDT)

snip

Message-ID: 520d16e7.407...@facebook.com
Date: Thu, 15 Aug 2013 13:11:34 -0500
From: Facebook notification+zrdohvri=v...@facebookmail.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12)
Gecko/20101103 Thunderbird/3.1.6
MIME-Version: 1.0


So what I need is something like:

header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook.com/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK_FROM 1.5

Does that look correct?


Looks good to me.  The only thing I see is that you need to escape the 
period in the regex.


header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook\.com/

Otherwise, the period means any character, which would probably not be 
an issue here, but is not what you were intending.


--
Bowie


Re: SPF failure very low score

2013-08-15 Thread Benny Pedersen

Quanah Gibson-Mount skrev den 2013-08-15 20:53:


header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook.com/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK_FROM 1.5

Does that look correct?


yes, add and test


Re: SPF failure very low score

2013-08-15 Thread Quanah Gibson-Mount
--On Thursday, August 15, 2013 3:06 PM -0400 Bowie Bailey 
bowie_bai...@buc.com wrote:



On 8/15/2013 2:53 PM, Quanah Gibson-Mount wrote:

Yeah, I'm not complaining about people discussing facebook, but
pretending to be facebook.

Example:

Return-Path: no-re...@facebook.com
Received: from edge02-zcs.vmware.com (LHLO edge02-zcs.vmware.com)
  (10.113.208.52) by mbs01-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
  11:11:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by edge02-zcs.vmware.com (Postfix) with ESMTP id 904D1992;
Thu, 15 Aug 2013 11:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge02-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.814
X-Spam-Level: **
X-Spam-Status: No, score=2.814 tagged_above=-10 required=3
tests=[BAYES_80=2,
DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
KHOP_BIG_TO_CC=0.001, SPF_FAIL=0.001,
T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
Received: from edge02-zcs.vmware.com ([127.0.0.1])
by localhost (edge02-zcs.vmware.com [127.0.0.1]) (amavisd-new, port
10024) with ESMTP id Ezz1yu95KGdl; Thu, 15 Aug 2013 11:11:36 -0700 (PDT)

snip

Message-ID: 520d16e7.407...@facebook.com
Date: Thu, 15 Aug 2013 13:11:34 -0500
From: Facebook notification+zrdohvri=v...@facebookmail.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12)
Gecko/20101103 Thunderbird/3.1.6
MIME-Version: 1.0


So what I need is something like:

header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook.com/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK_FROM 1.5

Does that look correct?


Looks good to me.  The only thing I see is that you need to escape the
period in the regex.

header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook\.com/

Otherwise, the period means any character, which would probably not be
an issue here, but is not what you were intending.


Yeah, I noticed that after I sent it, thanks. :)

--Quanah


--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: SPF failure very low score

2013-08-15 Thread John Hardin

On Thu, 15 Aug 2013, Quanah Gibson-Mount wrote:


 header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook\.com/


Any reason you're limiting it to just the no-reply address? You might also 
want to broaden the domain a bit.


How about:

  header __FROM_FACEBOOK Return-Path:addr =~ /\@facebook(?:mail)?\.com$/


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim IX: Never turn your back on an enemy.
---
 Today: the 68th anniversary of the end of World War II


Re: SPF failure very low score

2013-08-15 Thread Quanah Gibson-Mount

--On Thursday, August 15, 2013 12:36 PM -0700 John Hardin wrote:


On Thu, 15 Aug 2013, Quanah Gibson-Mount wrote:


 header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook\.com/


Any reason you're limiting it to just the no-reply address? You might
also want to broaden the domain a bit.

How about:

   header __FROM_FACEBOOK Return-Path:addr =~ /\@facebook(?:mail)?\.com$/


well, so far, all 200 or so of these I've seen all use the same 
Return-Path.  The From: varies, but Return-Path doesn't.


--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: SPF failure very low score

2013-08-15 Thread Benny Pedersen

John Hardin skrev den 2013-08-15 21:36:

header __FROM_FACEBOOK Return-Path:addr =~ 
/\@facebook(?:mail)?\.com$/


https://dmarcian.com/dmarc-inspector/facebookmail.com
https://dmarcian.com/spf-survey/facebookapp.com


Re: SPF failure very low score

2013-08-15 Thread Benny Pedersen

Quanah Gibson-Mount skrev den 2013-08-15 21:43:


well, so far, all 200 or so of these I've seen all use the same
Return-Path.  The From: varies, but Return-Path doesn't.


then don't test other facebook domains; there are a lot of other real 
facebook domains that are owned by the same payers. Make rules simple so 
they are easy to learn from, also on errors :)


theories and practice are not always the same solution or problems


Re: SPF failure very low score

2013-08-12 Thread Quanah Gibson-Mount

--On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:


Quanah Gibson-Mount skrev den 2013-08-08 23:22:


I would love to see your rules here so I can see how you did it.  I
don't see if/and in the SA docs on rules.


body __BODY_FACEBOOK /Facebook/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)

maybe it could be more specific, I just haven't tested it, but why accept
forged?


Thanks, that is helpful.  So I assume then I would do something like:

score FORGED_FACEBOOK_BODY 3.0

to give it a high SPAM score.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Re: SPF failure very low score

2013-08-12 Thread John Hardin

On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:


--On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:


 Quanah Gibson-Mount skrev den 2013-08-08 23:22:

  I would love to see your rules here so I can see how you did it.  I
  don't see if/and in the SA docs on rules.

 body __BODY_FACEBOOK /Facebook/
 meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
 meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)

 maybe it could be more specific, I just haven't tested it, but why accept
 forged?


Thanks, that is helpful.  So I assume then I would do something like:

score FORGED_FACEBOOK_BODY 3.0

to give it a high SPAM score.


...so you want to punish any email that discusses Facebook and does not 
pass SPF *AND* DKIM? Regardless of where the message is (or claims to be) 
from?


This is not a *Facebook forgery* rule, this is a *Facebook* + *forgery* 
rule.


For it to be a *facebook forgery* rule you'd need to look in the message 
headers to see whether the message claims to be from the facebook domain, 
or do more selective body text matching to see if the body is trying to 
make the reader think the message is from Facebook.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Health Care _is_ a right - the government has no business keeping
  you from getting it. But forcing somebody else to pay for your
  health care at gunpoint (i.e. through taxation) is _not_ a right.
---
 3 days until the 68th anniversary of the end of World War II


Re: SPF failure very low score

2013-08-12 Thread Bowie Bailey

On 8/12/2013 2:48 PM, John Hardin wrote:

On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:


--On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:

  
  body __BODY_FACEBOOK /Facebook/
  meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
  meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)

  maybe it could be more specific, I just haven't tested it, but why accept
  forged?

Thanks, that is helpful.  So I assume then I would do something like:

score FORGED_FACEBOOK_BODY 3.0

to give it a high SPAM score.

...so you want to punish any email that discusses Facebook and does not
pass SPF *AND* DKIM? Regardless of where the message is (or claims to be)
from?


Actually, __FORGED_SENDER only fires if the message fails *both* SPF and 
DKIM.


(not A) and (not B) == not (A or B)

But this is still a check for message *discussing* Facebook and not 
messages specifically *from* Facebook.


--
Bowie



Re: SPF failure very low score

2013-08-12 Thread John Hardin

On Mon, 12 Aug 2013, Bowie Bailey wrote:


On 8/12/2013 2:48 PM, John Hardin wrote:

 On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:

  --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
 
  
 body __BODY_FACEBOOK /Facebook/
 meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
 meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)

 maybe it could be more specific, I just haven't tested it, but why accept
 forged?
  Thanks, that is helpful.  So I assume then I would do something like:
 
  score FORGED_FACEBOOK_BODY 3.0
 
  to give it a high SPAM score.

 ...so you want to punish any email that discusses Facebook and does not
 pass SPF *AND* DKIM? Regardless of where the message is (or claims to be)
 from?


Actually, __FORGED_SENDER only fires if the message fails *both* SPF and 
DKIM.


(not A) and (not B) == not (A or B)


D'oh!

But this is still a check for message *discussing* Facebook and not messages 
specifically *from* Facebook.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It's easy to be noble with other people's money.
   -- John McKay, _The Welfare State:
  No Mercy for the Middle Class_
---
 3 days until the 68th anniversary of the end of World War II
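A small rule evaluator added here (not SpamAssassin code and not anyone's posted rules) that mimics how SA layers "__" sub-rules into scored meta rules, run over three constructed messages: it shows the body-based rule quoted in this message scoring a mail that merely discusses Facebook, while the Return-Path rule agreed on upthread (with the escaped period) hits only the forged one. The message fields and the SPF/DKIM verdicts are made up for the example.

```python
import re

# Constructed messages (made up for this example). "spf" and "dkim_valid_au"
# stand in for the verdicts SpamAssassin's SPF and DKIM plugins would attach.
MESSAGES = {
    # Forgery as in the thread: envelope sender claims facebook.com, the
    # domain's "-all" policy rejects the sending host, no DKIM signature.
    "forged": {"Return-Path": "no-reply@facebook.com", "spf": "fail",
               "dkim_valid_au": False,
               "body": "You have 3 new Facebook notifications"},
    # Legitimate mail from a small domain with neither SPF nor DKIM that
    # merely mentions Facebook.
    "discusses": {"Return-Path": "alice@example.org", "spf": "none",
                  "dkim_valid_au": False,
                  "body": "Did you see the Facebook post about the meetup?"},
    # Genuine notification: SPF passes and the DKIM signature verifies.
    "genuine": {"Return-Path": "no-reply@facebook.com", "spf": "pass",
                "dkim_valid_au": True,
                "body": "You have 1 new Facebook notification"},
}


def header_rule(field, pattern, flags=0):
    """SA 'header' rule: regex over one header (Return-Path:addr here)."""
    return lambda m, hits: re.search(pattern, m.get(field, ""), flags) is not None


def body_rule(pattern):
    """SA 'body' rule: regex over the rendered body text."""
    return lambda m, hits: re.search(pattern, m["body"]) is not None


def meta_rule(expr):
    """SA 'meta' rule: boolean over rules already evaluated for the message."""
    return lambda m, hits: expr(hits)


# Plugin verdicts every ruleset starts from. They score 0 here because the
# question in the thread is what to layer on top of SPF_FAIL=0.001.
BASE_RULES = {
    "SPF_PASS": (lambda m, hits: m["spf"] == "pass", 0.0),
    "SPF_FAIL": (lambda m, hits: m["spf"] == "fail", 0.0),
    "DKIM_VALID_AU": (lambda m, hits: m["dkim_valid_au"], 0.0),
    # (!SPF_PASS && !DKIM_VALID_AU) fires only when BOTH checks fail, i.e.
    # !(SPF_PASS || DKIM_VALID_AU), as Bowie pointed out.
    "__FORGED_SENDER": (meta_rule(
        lambda h: not h["SPF_PASS"] and not h["DKIM_VALID_AU"]), 0.0),
}

# Body-based ruleset: "Facebook" anywhere in the body plus a forged sender.
BODY_RULESET = dict(BASE_RULES)
BODY_RULESET["__BODY_FACEBOOK"] = (body_rule(r"Facebook"), 0.0)
BODY_RULESET["FORGED_FACEBOOK_BODY"] = (meta_rule(
    lambda h: h["__BODY_FACEBOOK"] and h["__FORGED_SENDER"]), 3.0)

# Return-Path ruleset settled on later in the thread, with the period
# escaped (Perl's \@ is a plain @ in Python's re).
FROM_RULESET = dict(BASE_RULES)
FROM_RULESET["__FROM_FACEBOOK"] = (
    header_rule("Return-Path", r"no-reply@facebook\.com"), 0.0)
FROM_RULESET["FORGED_FACEBOOK_FROM"] = (meta_rule(
    lambda h: h["__FROM_FACEBOOK"] and h["__FORGED_SENDER"]), 1.5)


def evaluate(message, ruleset):
    """Run rules in declaration order (metas after the rules they use).

    Returns (names that hit, total score). As in SA, "__" sub-rules add no
    score of their own; only the meta rules built on them do.
    """
    hits, score = {}, 0.0
    for name, (test, rule_score) in ruleset.items():
        hits[name] = bool(test(message, hits))
        if hits[name] and not name.startswith("__"):
            score += rule_score
    return {n for n, hit in hits.items() if hit}, round(score, 3)


def compare_rulesets():
    """Score each sample under both rulesets: {name: (body, return_path)}."""
    return {name: (evaluate(msg, BODY_RULESET)[1],
                   evaluate(msg, FROM_RULESET)[1])
            for name, msg in MESSAGES.items()}


def period_escape_check(address):
    """Why the '.' must be escaped: returns (unescaped hit, escaped hit)."""
    unescaped = re.search(r"no-reply@facebook.com", address) is not None
    escaped = re.search(r"no-reply@facebook\.com", address) is not None
    return unescaped, escaped


if __name__ == "__main__":
    for name, (body_score, from_score) in compare_rulesets().items():
        print(f"{name:10s} body rule={body_score:.1f}  return-path rule={from_score:.1f}")
    print(period_escape_check("no-reply@facebook-com.example"))  # (True, False)
```

Neither Return-Path regex is anchored, so a look-alike such as no-reply@facebook.com.example.org would also match; John's later /\@facebook(?:mail)?\.com$/ form anchors the domain at the end of the address.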


Re: SPF failure very low score (DKIM whitelisting and ADSP rules)

2013-08-09 Thread Mark Martinec
On Friday 09 August 2013 00:26:09 Quanah Gibson-Mount wrote:
 Ok, so I imagine I want to do something like:
 
  header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D')
 
 but only for facebook.com... I don't see exactly how I tie those two
 together?


==
To add POSITIVE spam score points to mail with a From from specific
domains but with no valid DKIM signature, see 60_adsp_override_dkim.cf .
Protected domains there include ebay, paypal, bankofamerica,
amazon, linkedin, facebookmail, ...

To add domains protected from forgery (the following are already
in the default 60_adsp_override_dkim.cf set of rules):
  adsp_override birthdayalarm.com   all
  adsp_override astrology.com       all
  adsp_override linkedin.com        all
  adsp_override *.linkedin.com      all
  adsp_override facebookmail.com    all
  adsp_override *.greenpeace.org    all
  ...
These are default scores for forgery (i.e. for ADSP failures):
  score DKIM_ADSP_ALL        0 1.1 0 0.8
  score DKIM_ADSP_DISCARD    0 1.8 0 1.8
  score DKIM_ADSP_NXDOMAIN   0 0.8 0 0.9

and equivalent scores but permissive on failed mail that went through
some mailing list:
  score NML_ADSP_CUSTOM_LOW  0 0.7 0 0.7
  score NML_ADSP_CUSTOM_MED  0 1.2 0 0.9
  score NML_ADSP_CUSTOM_HIGH 0 2.6 0 2.5

If there is a need to assign a non-default score for mail from specific
domains with no valid DKIM signature, instead of adsp_override one can
add a specific rule for such domains:

  header DKIM_ADSP_ALL_YG1 eval:check_dkim_adsp('*', gmail.com, yahoo.com)
  score  DKIM_ADSP_ALL_YG1 0.1

  header DKIM_ADSP_ALL_YG2 eval:check_dkim_adsp('*', .gmail.com, .yahoo.com)
  score  DKIM_ADSP_ALL_YG2 0.1


==
To add NEGATIVE score points assigned to mail from specific domains
with valid DKIM signatures, see 60_whitelist_dkim.cf .
Benefiting domains there include ebay, paypal, cisco, hotels.com,
lufthansa, skype, several scientific newsletters, ...

Add further domains like:
  whitelist_from_dkim  *@uu.se
  whitelist_from_dkim  *@uni-bremen.de
  whitelist_from_dkim  *@tugraz.at
  whitelist_from_dkim  *@tu-graz.ac.at
  whitelist_from_dkim  *@univie.ac.at
  whitelist_from_dkim  *@univ-tours.fr
  whitelist_from_dkim  *@cern.ch
  whitelist_from_dkim  *@amazon.com
  whitelist_from_dkim  *@springer.delivery.net
  whitelist_from_dkim  *@cisco.com
  whitelist_from_dkim  *@info.hp.com
  whitelist_from_dkim  *@alert.bankofamerica.com
  whitelist_from_dkim  *@cnn.com
  whitelist_from_dkim  *@*.cnn.com
  whitelist_from_dkim  serv...@youtube.com
  whitelist_from_dkim  *@*paypal.com
  def_whitelist_from_dkim   *@yousendit.com
  def_whitelist_from_dkim   *@meetup.com
  def_whitelist_from_dkim   dailyhorosc...@astrology.com
  def_whitelist_from_dkim   *@twitter.com
  def_whitelist_from_dkim   *@*.twitter.com
  def_whitelist_from_dkim   *@*.twitter.com  twitter.com
  def_whitelist_from_dkim   *@email.creativepro.com
  def_whitelist_from_dkim   *@publicservice-mailer.co.uk

and adjust scores if necessary:
  score USER_IN_DEF_DKIM_WL -1.5
  score USER_IN_DKIM_WHITELIST -12

If there is a need to assign a non-default score for valid DKIM-signed
mail from specific domains, instead of whitelist_from_dkim one can add
a specific rule for such domains:

  full   DKIM_VALID_WEGAME eval:check_dkim_valid(email.wegame.com)
  score  DKIM_VALID_WEGAME -8


Mark





Re: SPF failure very low score

2013-08-09 Thread Thomas Harold

On 8/8/2013 4:49 PM, John Hardin wrote:

On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:

SPF is _by itself_ not useful as a spam sign.

If you're seeing a lot of facebook spam that fails SPF because it's
being forged, then a rule that checks SPF_FAIL *IF* the mail claims to
be from Facebook, and adds a point or two, would be more reasonable.



In our setup, we get good results from outright blocking any SPF fails 
using policyd-spf (python version) during the SMTP transaction and we've 
only had to whitelist a handful of badly configured servers.  We block 
about 4% of all inbound messages by blocking on SPF FAIL.


So I'd argue that SPF FAIL is a pretty good indicator that the message 
is very likely to be spam.  But in our setup, those messages never get 
that far.


SPF PASS, however, is not a good indicator either way.




Re: SPF failure very low score

2013-08-08 Thread John Hardin

On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:


For SA 3.4.0, it says in 50_scores.cf:

#  SPF
#  Note that the benefit for a valid SPF record is deliberately minimal; it's
#  likely that more spammers would quickly move to setting valid SPF records
#  otherwise.  The penalties for an *incorrect* record, however, are large. 
;)


However, .001 does not seem LARGE to me at all.  I would expect at least a 
1.  Right now there is tons of facebook spam out there that clearly fails 
SPF, such as the following:



X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
 tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8,
 HTML_FONT_LOW_CONTRAST=0.001,
 HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
 SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no

How is .001 in any way considered a large penalty?


SPF is _by itself_ not useful as a spam sign.

If you're seeing a lot of facebook spam that fails SPF because it's being 
forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from 
Facebook, and adds a point or two, would be more reasonable.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Christian martyrs don't explode. -- Marisol
---
 7 days until the 68th anniversary of the end of World War II


Re: SPF failure very low score

2013-08-08 Thread Quanah Gibson-Mount



--On August 8, 2013 1:49:18 PM -0700 John Hardin jhar...@impsec.org wrote:



How is .001 in any way considered a large penalty?


SPF is _by itself_ not useful as a spam sign.

If you're seeing a lot of facebook spam that fails SPF because it's being
forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from
Facebook, and adds a point or two, would be more reasonable.


Ok, that sounds reasonable, but that still doesn't align with the comment 
in the 50_scores.cf file. ;)


Can you provide an example?  I've done some basic custom rules, but the 
above is a little more complex.


Thanks,
Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: SPF failure very low score

2013-08-08 Thread David F. Skoll
On Thu, 8 Aug 2013 13:49:18 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:

 SPF is _by itself_ not useful as a spam sign.

Indeed.  In my experience, most SPF softfail results and a fairly large
fraction of SPF fail results are from misconfigured domains whose
administrators don't bother making correct SPF records.

Additionally, SPF pass is (in my experience) a slight indicator of spam
because spammers are a bit more diligent about trying to get their messages
to pass SPF than many legitimate senders. :(

+1 to John's comments about domain-specific SPF scores.  For certain domains,
an SPF fail is a strong indicator of spam or phishing.  These are the
domains I score strongly for SPF fail:

adp.com, aexp.com, apple.com, bankofamerica.com, bbb.org, bmo.com,
chase.com, discover.com, dnb.com, ebay.com, emailinfo.chase.com,
id.apple.com, inbound.efax.com, irs.gov, newegg.com, paypal.com,
verizonwireless.com, welcome.aexp.com, wellsfargo.com

as well as my own domain, roaringpenguin.com.

Any others the list would like to suggest?  Should SpamAssassin
come with a built-in list?

Regards,

David.


Re: SPF failure very low score

2013-08-08 Thread Quanah Gibson-Mount



--On August 8, 2013 5:14:12 PM -0400 David F. Skoll 
d...@roaringpenguin.com wrote:



On Thu, 8 Aug 2013 13:49:18 -0700 (PDT)
John Hardin jhar...@impsec.org wrote:


SPF is _by itself_ not useful as a spam sign.


Indeed.  In my experience, most SPF softfail results and a fairly large
fraction of SPF fail results are from misconfigured domains whose
administrators don't bother making correct SPF records.

Additionally, SPF pass is (in my experience) a slight indicator of spam
because spammers are a bit more diligent about trying to get their
messages to pass SPF than many legitimate senders. :(

+1 to John's comments about domain-specific SPF scores.  For certain
domains, an SPF fail is a strong indicator of spam or phishing.  These
are the domains I score strongly for SPF fail:

adp.com, aexp.com, apple.com, bankofamerica.com, bbb.org, bmo.com,
chase.com, discover.com, dnb.com, ebay.com, emailinfo.chase.com,
id.apple.com, inbound.efax.com, irs.gov, newegg.com, paypal.com,
verizonwireless.com, welcome.aexp.com, wellsfargo.com

as well as my own domain, roaringpenguin.com.


I would love to see your rules here so I can see how you did it.  I don't 
see if/and in the SA docs on rules.


--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: SPF failure very low score

2013-08-08 Thread Franck Martin

On Aug 8, 2013, at 10:49 PM, John Hardin jhar...@impsec.org wrote:

 On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
 
 For SA 3.4.0, it says in 50_scores.cf:
 
 #  SPF
 #  Note that the benefit for a valid SPF record is deliberately minimal; it's
 #  likely that more spammers would quickly move to setting valid SPF records
 #  otherwise.  The penalties for an *incorrect* record, however, are large. 
 ;)
 
 However, .001 does not seem LARGE to me at all.  I would expect at least a 
 1.  Right now there is tons of facebook spam out there that clearly fails 
 SPF, such as the following:
 
 
 X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
   tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8,
   HTML_FONT_LOW_CONTRAST=0.001,
   HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
   SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
 
 How is .001 in any way considered a large penalty?
 
 SPF is _by itself_ not useful as a spam sign.
 
 If you're seeing a lot of facebook spam that fails SPF because it's being 
 forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from 
 Facebook, and adds a point or two, would be more reasonable.
 
Facebook dkim signs all their emails with the domain facebookmail.com, so you 
may have better luck using the ADSP rules...




Re: SPF failure very low score

2013-08-08 Thread David F. Skoll
On Thu, 08 Aug 2013 14:22:53 -0700
Quanah Gibson-Mount qua...@zimbra.com wrote:

 I would love to see your rules here so I can see how you did it.  I
 don't see if/and in the SA docs on rules.

Emm... actually, I did it outside of the SA infrastructure.

I imagine you could do something like:

header   __MY_SENSITIVE_DOMAIN Return-Path =~ /\@(?:ebay\.com|paypal\.com|irs\.gov)/i

meta     MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
score    MY_SPF_FAIL 5.0
describe MY_SPF_FAIL SPF failure on a sensitive domain

This is all completely untested, you understand. ;)

Regards,

David.


Re: SPF failure very low score

2013-08-08 Thread darxus
On 08/08, Quanah Gibson-Mount wrote:
 For SA 3.4.0, it says in 50_scores.cf:
 
 # SPF
 # Note that the benefit for a valid SPF record is deliberately minimal; it's
 # likely that more spammers would quickly move to setting valid SPF records
 # otherwise.  The penalties for an *incorrect* record, however, are
 large. ;)
 
 However, .001 does not seem LARGE to me at all.  I would expect at
 least a 1.  Right now there is tons of facebook spam out there
 that clearly fails SPF, such as the following:
 
 
 X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
   tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001,
   HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
   SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
 
 How is .001 in any way considered a large penalty?

As has been said, SPF is kind of a terrible spam indicator:
http://ruleqa.spamassassin.org/?daterev=20130808-r1511618-n&rule=SPF_FAIL

  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME       WHO/AGE
      0   0.1057   1.4410   0.068   0.40    0.00  SPF_FAIL

That says it hits over 10x as large a portion of non-spam as spam.  


The explanation for the quote is, quite simply, that it is out of date, and
you should fix it.

-- 
As humans, we are taught to forget that we are animals.
- forward to Johnny The Homicidal Maniac
http://www.ChaosReigns.com


Re: SPF failure very low score

2013-08-08 Thread Quanah Gibson-Mount



--On August 8, 2013 5:38:52 PM -0400 dar...@chaosreigns.com wrote:

The explanation for the quote is, quite simply, that it is out of date,
and you should fix it.


I don't have commit access to SA's SVN. ;)  I suppose I can file a bug. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: SPF failure very low score

2013-08-08 Thread RW
On Thu, 8 Aug 2013 21:31:59 +
Franck Martin wrote:

 
 On Aug 8, 2013, at 10:49 PM, John Hardin jhar...@impsec.org wrote:
 
  On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:

  How is .001 in any way considered a large penalty?

Comments can be useful when they agree with reality, but all too often
they are just preliminary opinions that never get corrected.


  SPF is _by itself_ not useful as a spam sign.
  
  If you're seeing a lot of facebook spam that fails SPF because it's
  being forged, then a rule that checks SPF_FAIL *IF* the mail claims
  to be from Facebook, and adds a point or two, would be more
  reasonable.
  
 Facebook dkim signs all their emails with the domain
 facebookmail.com, so you may have better luck using the ADSP rules...

dkim is generally the better way to go since legitimate emails can fail
SPF due to forwarding.


Re: SPF failure very low score

2013-08-08 Thread Quanah Gibson-Mount



--On August 8, 2013 5:33:26 PM -0400 David F. Skoll 
d...@roaringpenguin.com wrote:



On Thu, 08 Aug 2013 14:22:53 -0700
Quanah Gibson-Mount qua...@zimbra.com wrote:


I would love to see your rules here so I can see how you did it.  I
don't see if/and in the SA docs on rules.


Emm... actually, I did it outside of the SA infrastructure.

I imagine you could do something like:

header   __MY_SENSITIVE_DOMAIN Return-Path =~ /\@(?:ebay\.com|paypal\.com|irs\.gov)/i

meta     MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
score    MY_SPF_FAIL 5.0
describe MY_SPF_FAIL SPF failure on a sensitive domain


Thanks, that's a useful start. :)

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: SPF failure very low score

2013-08-08 Thread Benny Pedersen

Quanah Gibson-Mount skrev den 2013-08-08 22:34:


How is .001 in any way considered a large penalty?


score SPF_FAIL (3) (3) (3) (3)
# parenthesised values are relative: this adds 3 to SPF_FAIL in each score set

in local.cf fixes it

or use pypolicyd-spf at the mta stage


Re: SPF failure very low score

2013-08-08 Thread Benny Pedersen

John Hardin skrev den 2013-08-08 22:49:


SPF is _by itself_ not useful as a spam sign.


-1


If you're seeing a lot of facebook spam that fails SPF because it's
being forged, then a rule that checks SPF_FAIL *IF* the mail claims 
to

be from Facebook, and adds a point or two, would be more reasonable.


why not check if dkim passed then? Combine body facebook with 
spf_fail and no dkim headers; it's 3 lines :)


the bug is not a bug, but a missing rule

for the OP, the problem is why did he allow spf_fails in the mta?


Re: SPF failure very low score

2013-08-08 Thread Quanah Gibson-Mount



--On August 8, 2013 11:01:43 PM +0100 RW rwmailli...@googlemail.com wrote:

Facebook dkim signs all their emails with the domain
facebookmail.com, so you may have better luck using the ADSP rules...


dkim is generally the better way to go since legitimate emails can fail
SPF due to forwarding.


Ok, so I imagine I want to do something like:

header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D')

but only for facebook.com... I don't see exactly how I tie those two 
together?


Thanks!

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: SPF failure very low score

2013-08-08 Thread Benny Pedersen

RW skrev den 2013-08-09 00:01:

dkim is generally the better way to go since legitimate emails can 
fail

SPF due to forwarding.


and dkim never fails on forwards? Well, it does if forwards mangle the 
body and remove or change headers in a way that breaks dkim. I have 
seen it since I began using it; it's not yet resolved, but for 
spamassassin I can at least get a dmarc=pass return


try sending email from facebook to one's own mail address not on facebook 
:)


make a rule on this

on spf, just remember to have trusted_networks set up with all IPs that 
do forwarding; then spf does work, but who cares?


Re: SPF failure very low score

2013-08-08 Thread Benny Pedersen

David F. Skoll skrev den 2013-08-08 23:14:

+1 to John's comments about domain-specific SPF scores.  For certain 
domains,

an SPF fail is a strong indicator of spam or phishing.  These are the
domains I score strongly for SPF fail:


yes, spf pass does not get -100 by default :

maybe change the default to be 100?, until senders get more respect 
for their own problems?


trusted non-spamming domains should be whitelist_from_auth, and if spam 
is coming from such a domain then remove it; I have done this for all 
the years here


Re: SPF failure very low score

2013-08-08 Thread Benny Pedersen

Quanah Gibson-Mount skrev den 2013-08-08 23:22:


I would love to see your rules here so I can see how you did it.  I
don't see if/and in the SA docs on rules.


body __BODY_FACEBOOK /Facebook/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)

maybe it could be more specific, I just haven't tested it, but why accept 
forged?


Re: SPF failure very low score

2013-08-08 Thread Benny Pedersen

David F. Skoll skrev den 2013-08-08 23:33:


meta     MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
score    MY_SPF_FAIL 5.0
describe MY_SPF_FAIL SPF failure on a sensitive domain

This is all completely untested, you understand. ;)


making a meta on !SPF_PASS is the same as all versions of SPF_FAIL