Re: about fake mails
Yavuz Maslak wrote:
> Let me explain my problem and goal;
>
> For instance, a spammer installs a smtp server and he has a tool to send
> his mails. He writes [EMAIL PROTECTED] in from address and He sends his
> mails using his smtp server. Namely, he doesn't use gmail's servers. I
> want to give high score for these sort of mails.
>
> Now I have written a rule according to Jeff and Matus,
> Thanks to both.
>
> header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
> header __L_ML2 exists:List-Id
> header __L_ML3 exists:List-Post
> header __L_ML4 exists:Mailing-List
> header __L_HAS_SNDR exists:Sender
> meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
> header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
> meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
> priority L_UNVERIFIED_GMAIL 500
> score L_UNVERIFIED_GMAIL 2.5
> meta UNVERIFIED_GMAILMISS (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
> priority UNVERIFIED_GMAILMISS 600
> score UNVERIFIED_GMAILMISS 0.0
>
> any advances ?
>

copy the file
http://www.netoyen.net/sa/dkim.cf
to your spamassassin rules directory (the directory where you have local.cf). This file contains the rules suggested on
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
so that you don't need to copy-paste ;-p

run:
spamassassin --lint
if you get an error, then either you or I did something wrong ;-p

you may increase the score of L_NOTVALID_GMAIL (and the like) if you want, but 2.8 should be enough.
Re: about fake mails
Let me explain my problem and goal;

For instance, a spammer installs a smtp server and he has a tool to send his mails. He writes [EMAIL PROTECTED] in from address and He sends his mails using his smtp server. Namely, he doesn't use gmail's servers. I want to give high score for these sort of mails.

Now I have written a rule according to Jeff and Matus,
Thanks to both.

header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
meta UNVERIFIED_GMAILMISS (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
priority UNVERIFIED_GMAILMISS 600
score UNVERIFIED_GMAILMISS 0.0

any advances ?

> Yavuz Maslak wrote:
>> Ok
>> I have started to use dkim verification. I defined whitelists in local.cf. it works.
>> But I could not find how I give high score for a spammer who doesn't use gmail's mail servers.
>
> The link that I suggested in my previous post contains spamassassin rules.
>
>> Although a domain has domain keys, how can I give positive score for a mail which comes from a fake smtp server ?
>
> what is a "fake smtp server"? please explain your problem and goal clearly. It would also help to post a sample spam on pastebin.com.
Re: about fake mails
Yavuz Maslak wrote:
> Ok
> I have started to use dkim verification. I defined whitelists in
> local.cf. it works.
> But I could not find how I give high score for a spammer who doesn't
> use gmail's mail servers.
>

The link that I suggested in my previous post contains spamassassin rules.

> Although a domain has domain keys, how can I give positive score for a
> mail which comes from a fake smtp server ?
>

what is a "fake smtp server"? please explain your problem and goal clearly. It would also help to post a sample spam on pastebin.com.
Re: about fake mails
Just that most of the spam with a gmail.com sender *is* coming from Gmail ..

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
RE: about fake mails
On Sun, December 7, 2008 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.

perldoc Mail::SpamAssassin::Conf
see whitelist_auth

perldoc Mail::SpamAssassin::Plugin::DKIM

but okay make a default spam score for DKIM signed mails works :)
and subtract it when it's VERIFIED

> You have to apply a positive score to all mail claiming to be
> "From:" a gmail address, then apply a negative score voiding
> the first one to the DKim-verified ones.

i just add negative score when verified here

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
RE: about fake mails
From: "Giampaolo Tomassoni" <[EMAIL PROTECTED]>
Date: Sun, 7 Dec 2008 15:52:10 +0100

> -Original Message-
> From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 07, 2008 3:02 PM
>
> Ok
> I have started to use dkim verification. I defined whitelists in local.cf.
> it works.
> But I could not find how I give high score for a spammer who doesn't use
> gmail's mail servers.
>
> Although a domain has domain keys, how can I give positive score for a mail
> which comes from a fake smtp server ?

There is no direct way (to my knowledge) to do this.

You have to apply a positive score to all mail claiming to be "From:" a gmail address, then apply a negative score voiding the first one to the DKim-verified ones.

You can write a meta rule for email that claims to be from gmail that does not have DKIM.

# add some penalty points to mail from yahoo and gmail.com which
# does not carry a valid signature; exempt mail from mailing lists
header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
header __L_FROM_Y1 From:addr =~ [EMAIL PROTECTED]
header __L_FROM_Y2 From:addr =~ [EMAIL PROTECTED](ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ [EMAIL PROTECTED](id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ [EMAIL PROTECTED](ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO (__L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4)
header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
meta L_UNVERIFIED_YAHOO (!DKIM_VERIFIED && !DK_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML)
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5
meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5

I got these rules from this list. I added !DK_VERIFIED to L_UNVERIFIED_YAHOO.

-jeff
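The decision logic of the gmail.com rules in the message above, modelled in Python as an added example (not code from the thread or from SpamAssassin), with the single meta rule beside the "positive score, then void it when verified" variant. Assumptions: the gmail.com pattern is written out here because the archive redacts the original regex, the DKIM outcome is passed in as a boolean standing in for DKIM_VERIFIED, the list exemption is applied to both variants, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed pattern: the thread's own From:addr regex is redacted in the archive.
GMAIL_RE = re.compile(r"@gmail\.com$", re.I)
LIST_HEADERS = ("List-Id", "List-Post", "Mailing-List", "Sender")
PENALTY = 2.5  # score given to L_UNVERIFIED_GMAIL in the thread

# Constructed sample: gmail.com author, no list headers.
FORGED = 'From: "Support" <someone@gmail.com>\nSubject: hello\n\nbody\n'


def via_mailing_list(msg):
    """__L_VIA_ML: Precedence list/bulk, or any list-style header exists."""
    if re.search(r"\b(list|bulk)\b", msg.get("Precedence", ""), re.I):
        return True
    return any(name in msg for name in LIST_HEADERS)


def from_gmail(msg):
    """__L_FROM_GMAIL: test the address part of From, not the display name."""
    return bool(GMAIL_RE.search(parseaddr(msg.get("From", ""))[1]))


def meta_score(raw, dkim_verified):
    """One meta rule: unverified gmail.com author and not via a list."""
    msg = message_from_string(raw)
    hit = not dkim_verified and from_gmail(msg) and not via_mailing_list(msg)
    return PENALTY if hit else 0.0


def two_rule_score(raw, dkim_verified):
    """Penalise every non-list gmail.com author, then void it when verified."""
    msg = message_from_string(raw)
    score = 0.0
    if from_gmail(msg) and not via_mailing_list(msg):
        score += PENALTY          # positive rule on the From: claim
        if dkim_verified:
            score -= PENALTY      # negative rule cancels it
    return score


if __name__ == "__main__":
    for verified in (False, True):
        print(verified, meta_score(FORGED, verified), two_rule_score(FORGED, verified))
```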
Re: about fake mails
> > From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, December 07, 2008 3:02 PM
> > But I could not find how I give high score for a spammer who doesn't
> > use gmail's mail servers.
> >
> > Although a domain has domain keys, how can I give positive score for a
> > mail which comes from a fake smtp server ?

On 07.12.08 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.
>
> You have to apply a positive score to all mail claiming to be "From:" a
> gmail address, then apply a negative score voiding the first one to the
> DKim-verified ones.

I think that giving score that has gmail.com in From address, but is not DKIM Verified, should be just enough.

Generally, there should be a meta rule for domains that have sign-all policy and the mail is not signed, e.g.:

meta DKIM_MISS (DKIM_POLICY_SIGNALL && !DKIM_VERIFIED)
score DKIM_MISS 3.0

and maybe for mail that is signed, but the signature was

meta DKIM_FAIL (DKIM_SIGNED && !DKIM_VERIFIED)
score DKIM_FAIL 1.0

... I just guessed those scores, but maybe someone could run mass-check ?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
RE: about fake mails
> -Original Message-
> From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 07, 2008 3:02 PM
>
> Ok
> I have started to use dkim verification. I defined whitelists in local.cf.
> it works.
> But I could not find how I give high score for a spammer who doesn't use
> gmail's mail servers.
>
> Although a domain has domain keys, how can I give positive score for a mail
> which comes from a fake smtp server ?

There is no direct way (to my knowledge) to do this.

You have to apply a positive score to all mail claiming to be "From:" a gmail address, then apply a negative score voiding the first one to the DKim-verified ones.

Giampaolo

> > Yavuz Maslak wrote:
> >> Sometimes, although anyone don't use domain.com's server, he sends many
> >> mails using himself smtp service as if these mails come from @domain.com.
> >>
> >> the domain.com may be hotmail.com , gmail.com.
> >>
> >> is there a rule for that so that we can give some score for these mails?
> >
> > for gmail, you can use dkim verification. look at the rules in
> > http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> > you may want to accept non signed gmail mail if it comes from nabble or
> > others.
> >
> >
> > for hotmail, there are already rules to catch such forgeries. take a look
> > at
> > http://spamassassin.apache.org/tests_3_2_x.html
> >
> > if you have sample false negatives, post them on pastebin.com.
> >
Re: about fake mails
Ok
I have started to use dkim verification. I defined whitelists in local.cf. it works.
But I could not find how I give high score for a spammer who doesn't use gmail's mail servers.

Although a domain has domain keys, how can I give positive score for a mail which comes from a fake smtp server ?

> Yavuz Maslak wrote:
>> Sometimes, although anyone don't use domain.com's server, he sends many
>> mails using himself smtp service as if these mails come from @domain.com.
>>
>> the domain.com may be hotmail.com , gmail.com.
>>
>> is there a rule for that so that we can give some score for these mails?
>
> for gmail, you can use dkim verification. look at the rules in
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> you may want to accept non signed gmail mail if it comes from nabble or others.
>
> for hotmail, there are already rules to catch such forgeries. take a look at
> http://spamassassin.apache.org/tests_3_2_x.html
>
> if you have sample false negatives, post them on pastebin.com.
Re: about fake mails
On 06.12.08 00:54, Yavuz Maslak wrote:
> Sometimes, although anyone don't use domain.com's server, he sends many
> mails using himself smtp service as if these mails come from @domain.com.
>
> the domain.com may be hotmail.com , gmail.com.
>
> is there a rule for that so that we can give some score for these mails?

implement SPF and/or DKIM checks at SMTP level.
use SPF and DKIM plugins.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.
Re: about fake mails
Yavuz Maslak wrote:
> Sometimes, although anyone don't use domain.com's server, he sends many
> mails using himself smtp service as if these mails come from @domain.com.
>
> the domain.com may be hotmail.com , gmail.com.
>
> is there a rule for that so that we can give some score for these mails?

for gmail, you can use dkim verification. look at the rules in
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
you may want to accept non signed gmail mail if it comes from nabble or others.

for hotmail, there are already rules to catch such forgeries. take a look at
http://spamassassin.apache.org/tests_3_2_x.html

if you have sample false negatives, post them on pastebin.com.