Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu

An inbound spam was caught by SpamAssassin, flagged with

BAYES_50=0.8
DCC_CHECK=1.1
DIGEST_MULTIPLE=0.293
HTML_MESSAGE=0.001
MIME_HTML_MOSTLY=0.428
MISSING_HEADERS=1.021
PYZOR_CHECK=2.5
REPLYTO_WITHOUT_TO_CC=1.552

To get to SA, it snuck by my DNSBLS, and passed SPF/DKIM/DMARC tests,

Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f; 
dmarc=none header.from=gmail.com

Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
dkim=pass (2048-bit key; unprotected) header.d=yahoo.com 
header.i=@yahoo.com header.b=UFAXzzUL

Authentication-Results: spf.mail.example.com; spf=softfail (domain 
owner discourages use of this host) smtp.mailfrom=gmail.com 
(client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com; 
envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)

(TBH, I'm not exactly clear on how/why a msg this fake gets by all 3; need to 
take a closer look at that!)

But, not being caught is NOT my current question.

Instead, I'd like to know which specific test I can use to hit/score the 
'freemail' whack-a-mole.

For example, this particular email is

Sent via 'freemail' @ YAHOO
From 'freemail' @GMAIL
ReplyTo 'freemail' @HOTMAIL

Here are some of the headers

Received: from nm12-vm1.bullet.mail.ir2.yahoo.com 
(nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
by mail.example.com (Postfix) with ESMTPS
for ; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
...
From: Dion Joelle 
Reply-To: Dion Joelle 
Message-ID: <#.javamail.ya...@mail.yahoo.com>

What I don't see there are any of the FREEMAIL hits.

Obviously, the fake freemail 'trifecta' (gmail/hotmail/yahoo) is an easy 
signature to hit on.

I just need some guidance as to what test I need to use/configure/enable to 
hit/score on this pattern/behavior.

Jason


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen

On 2016-06-26 00:29, jaso...@mail-central.com wrote:

> Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f;
> dmarc=none header.from=gmail.com

https://dane.sys4.de/smtp/gmail.com

> Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
> header.i=@yahoo.com header.b=UFAXzzUL

https://dane.sys4.de/smtp/yahoo.com

> Authentication-Results: spf.mail.example.com; spf=softfail (domain
> owner discourages use of this host) smtp.mailfrom=gmail.com
> (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
> envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)

so why not reject softfail based on it?

oh, yahoo client uses gmail, hmm :=)

that user should use smtp auth on gmail, not use yahoo smtp servers for 
relaying

and note DNSSEC is not needed to make it worse


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu

> https://dane.sys4.de/smtp/gmail.com

> https://dane.sys4.de/smtp/yahoo.com

> so why not reject softfail based on it ?

> oh yahoo client use gmail, hmm :=)

> that user should use smtp auth on gmail, not use yahoo smtp servers for 
> relaying

> and note DNSSEC is not needed to make it worse

Sorry, I really don't understand any of that.

What relevance are the links to dane.sys4.de, and the rest of the comments?

Like I said, I'm asking about 'freemail' detection in SA, why they're not used 
here, and how to config correctly so I do.

Jason


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen



> Sorry, I really don't understand any of that.

and this is my problem

> What relevance are the links to dane.sys4.de, and the rest of the 
> comments?

same as mangled example.org?

> Like I said, I'm asking about 'freemail' detection in SA, why they're
> not used here, and how to config correctly so I do.

spamassassin 2>&1 -D -t msgfile

output from this is?

sorry, can't help more


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Reindl Harald


On 26.06.2016 at 01:06, Benny Pedersen wrote:

> On 2016-06-26 00:29, jaso...@mail-central.com wrote:
>
>> Authentication-Results: dmarc.mail.example.com/876fg6sdf6876498f;
>> dmarc=none header.from=gmail.com
>
> https://dane.sys4.de/smtp/gmail.com
>
>> Authentication-Results: dkim.mail.example.com/876fg6sdf6876498f;
>> dkim=pass (2048-bit key; unprotected) header.d=yahoo.com
>> header.i=@yahoo.com header.b=UFAXzzUL
>
> https://dane.sys4.de/smtp/yahoo.com
>
>> Authentication-Results: spf.mail.example.com; spf=softfail (domain
>> owner discourages use of this host) smtp.mailfrom=gmail.com
>> (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
>> envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)
>
> so why not reject softfail based on it?

because he is no fool and likely responsible for others' mail?

SPF_SOFTFAIL != SPF_FAIL and when you don't understand the difference 
better don't comment at all

> oh yahoo client use gmail, hmm :=)

yes that's the topic

> that user should use smtp auth on gmail, not use yahoo smtp servers for
> relaying

yes that's the topic

there seems to be no rule for

From 'freemail' @GMAIL
ReplyTo 'freemail' @HOTMAIL

FREEMAIL_FORGED_REPLYTO "Freemail in Reply-To, but not From" comes near, 
but doesn't hit because they are freemail *but different* ones




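Jason's question and Reindl's observation (From and Reply-To are both freemail, but at different providers, and the relay is a third one) can be checked outside SpamAssassin with a few lines. This is an added example, not code from the thread or from the FreeMail plugin: it reimplements, in simplified form, the From/Reply-To comparison behind the stock rules FREEMAIL_FROM, FREEMAIL_REPLYTO and FREEMAIL_FORGED_REPLYTO and adds a hypothetical relay-vs-From check for the 'sent via yahoo' leg; the message, its addresses and the freemail list are constructed.

```python
import email
import re
from email.utils import parseaddr

# Demo list only; the real plugin takes its list from the 'freemail_domains' setting.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Constructed message shaped like the headers quoted in the thread; addresses are placeholders.
SAMPLE = """Received: from nm12-vm1.bullet.mail.ir2.yahoo.com (nm12-vm1.bullet.mail.ir2.yahoo.com [212.82.96.171])
\tby mail.example.com (Postfix) with ESMTPS; Fri, 24 Jun 2016 08:26:08 -0400 (EDT)
From: Dion Joelle <placeholder@gmail.com>
Reply-To: Dion Joelle <placeholder@hotmail.com>
Message-ID: <placeholder@mail.yahoo.com>
Subject: constructed sample

body text
"""


def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def relay_domain(received):
    """Domain of the 'from' host in a Received header, approximated as its last two labels."""
    m = re.search(r"from\s+([A-Za-z0-9.-]+)", received or "")
    return ".".join(m.group(1).lower().split(".")[-2:]) if m else None


def freemail_flags(raw):
    """Freemail signals for one message; comments name the stock SA rule each mirrors."""
    msg = email.message_from_string(raw)
    frm = addr_domain(msg.get("From"))
    rto = addr_domain(msg.get("Reply-To"))
    relay = relay_domain(msg.get("Received"))  # first Received header: the relay that handed us the mail
    from_free = frm in FREEMAIL_DOMAINS
    rto_free = rto in FREEMAIL_DOMAINS
    return {
        "from_freemail": from_free,                                    # FREEMAIL_FROM
        "different_freemails": from_free and rto_free and frm != rto,  # FREEMAIL_REPLYTO
        "forged_replyto": rto_free and not from_free,                  # FREEMAIL_FORGED_REPLYTO
        # No stock rule for this one; a hypothetical signal for the 'sent via yahoo' leg.
        "relay_freemail_mismatch": relay in FREEMAIL_DOMAINS and relay != frm,
    }
```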


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen

On 2016-06-26 01:47, Reindl Harald wrote:

>>> Authentication-Results: spf.mail.example.com; spf=softfail (domain
>>> owner discourages use of this host) smtp.mailfrom=gmail.com
>>> (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
>>> envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)
>>
>> so why not reject softfail based on it?
>
> because he is no fool and likely responsible for others' mail?

and it's asked why do I get spam with spf softfails

recipient has wanted that spam, possible spam that is not spam but 
relaying fails

that's all I know for now


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu
Huh?

> and its asked why do i get spam with spf softfails

No, I'm not asking about the 'softfail'.  At all.

> recipient has wanted that spam

Um, no.

> possible spam that is not spam but relaying fails

Again, huh?

I'm asking a simple question -- what SA test detects the multiple freemail biz?



Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Reindl Harald



On 26.06.2016 at 02:02, Benny Pedersen wrote:

> On 2016-06-26 01:47, Reindl Harald wrote:
>
>>>> Authentication-Results: spf.mail.example.com; spf=softfail (domain
>>>> owner discourages use of this host) smtp.mailfrom=gmail.com
>>>> (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
>>>> envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)
>>>
>>> so why not reject softfail based on it?
>>
>> because he is no fool and likely responsible for others' mail?
>
> and it's asked why do I get spam with spf softfails

nobody asked that, the only one talking about SPF_SOFTFAIL is you





Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread Benny Pedersen

On 2016-06-26 02:14, Reindl Harald wrote:

> On 26.06.2016 at 02:02, Benny Pedersen wrote:
>
>> On 2016-06-26 01:47, Reindl Harald wrote:
>>
>>>>> Authentication-Results: spf.mail.example.com; spf=softfail (domain
>>>>> owner discourages use of this host) smtp.mailfrom=gmail.com
>>>>> (client-ip=212.82.96.171; helo=nm12-vm1.bullet.mail.ir2.yahoo.com;
>>>>> envelope-from=mrs.djoe...@gmail.com; receiver=u...@example.com)
>>>>
>>>> so why not reject softfail based on it?
>>>
>>> because he is no fool and likely responsible for others' mail?
>>
>> and it's asked why do I get spam with spf softfails
>
> nobody asked that, the only one talking about SPF_SOFTFAIL is you

there are multiple problems in the above, so just try to help with them 
as well

https://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

is envelope_sender_header set up correctly on the spamassassin installation? It 
helps freemail as well if it is

who says gmail was the envelope sender really?

all that debate here was closed if that softfail was rejected, but now 
it's endless


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-25 Thread jasonsu

Noel

On Sat, Jun 25, 2016, at 06:31 PM, Noel Butler wrote:
> ignoring the usual trolls  Benny and Harry (Reindl)

got it

> "loadplugin Mail::SpamAssassin::Plugin::FreeMail" is actually loaded?

yep

> /var/lib/spamassassin/3.004001/updates_spamassassin_org/20_freemail.cf

I think that's it.  The 20_freemail.cf in release had non-zero score.  The 
updates/ file had =ZERO scores.  So not firing at all.

Deleted the updates folder, re ran updates, and now there are non-zero scores.  
Bit of a different mystery, but that solves the not-firing problem for now.  
Didn't think to check the SA distro's files ...

> also, you may care to investigate clear_uridnsbl_skip_domain  not saying 
> this is related, but its also a good thing to use ;)

yep.  in use.

> Lastly, I've used the freemail rules since long before they were in SA 
> release, some of the default scores were low, so you might want to play 
> around upping them in a local cf once you get it working.

Care to share what your local.cf's FREEMAIL* tweaks are?  I understand it 
varies by server & context -- I'm just curious as to the magnitude of 
change/difference an experienced admin has seen/chosen.

Thanks.

Jason


Re: Which SA test can detect/score this (fairly common) 'freemail' whack-a-mole?

2016-06-26 Thread jasonsu


On Sun, Jun 26, 2016, at 02:15 AM, Groach wrote:
> Am I right to think this implies that there is a setting or some other 
> mechanism that stops rules that have a Zero score from being run in the 
> first place? A flag or something? (I ask because I still have Zero score 
> rule results run and included in the headers and in this case the 
> FREEMAIL rule would still have been apparent).  Could you explain please?

Yep.


https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#scoring_options

score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
...
Setting a rule's score to 0 will disable that rule from running.
...

> (And why did your updates file have them as Zero scores?  Have you 
> worked out why?)

No clue. And looking at a couple of other installs, no such problem.

The only thing that caught my attention was that the update date of a couple 
of files was different -- including the one with the freemail scores.

What I did not check before deleting & re-updating with a clean set of updates was 
file corruption, and perms.  But too late now, unfortunately.  I checked my 
update cron jobs, and they seem to be working fine now, too.

Jason
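Jason's zero-score finding, together with the doc line "Setting a rule's score to 0 will disable that rule from running", can be checked mechanically rather than by eye. This is an added example, not part of the thread or of SpamAssassin: it parses `score` lines the way SA reads them (one value, or four values chosen by whether Bayes and network tests are enabled) and lists the rules a given score set disables; the cf text is constructed and its values are made up.

```python
import re

# SpamAssassin picks one of four scores by feature set:
# index 0 = no Bayes, no network tests; 1 = network only; 2 = Bayes only; 3 = both.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+([-\d.\s]+?)\s*(?:#.*)?$")

# Constructed cf text; the values are made up, not those shipped by SpamAssassin.
SAMPLE_CF = """\
# freemail rules (constructed sample)
score FREEMAIL_FROM 0.001
score FREEMAIL_REPLYTO 0 0 0 0   # zero in every score set: never runs
score FREEMAIL_FORGED_REPLYTO 0 2.5 0 2.0
score FREEMAIL_ENVFROM_END_DIGIT 0.25 0.25 0.25 0.25
score BAYES_50 0 0 0.8 0.8
"""


def parse_scores(cf_text):
    """Map rule name -> list of four scores (a single value applies to all four sets)."""
    scores = {}
    for line in cf_text.splitlines():
        m = SCORE_RE.match(line)
        if not m:
            continue
        vals = [float(v) for v in m.group(2).split()]
        scores[m.group(1)] = vals * 4 if len(vals) == 1 else vals  # a later line overrides an earlier one
    return scores


def effective_score(scores, rule, bayes=True, net=True):
    """Score SA would apply for the given Bayes/network configuration."""
    idx = (2 if bayes else 0) + (1 if net else 0)
    return scores[rule][idx]


def disabled_rules(cf_text, prefix="", bayes=True, net=True):
    """Rules whose effective score is exactly 0, i.e. rules SA will not run at all."""
    scores = parse_scores(cf_text)
    return sorted(r for r in scores
                  if r.startswith(prefix) and effective_score(scores, r, bayes, net) == 0)
```

Feed it the concatenation of the release cf and the updates copy (in that order) and any FREEMAIL_ rule the update zeroed out shows up in the list.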