On 10/25/2017 09:39 AM, Rupert Gallagher wrote:

-------- Original Message --------
Subject: Re: Bank fraud phish
Local Time: 25 October 2017 4:18 PM
UTC Time: 25 October 2017 14:18
From: rwmailli...@googlemail.com
To: users@spamassassin.apache.org

On Wed, 25 Oct 2017 09:16:50 -0400
Rupert Gallagher wrote:

    The e-mail is still flagged as SPAM here.

     *
        DMARC fails, because it passes DKIM, but fails SPF.

        This is wrong in every detail.

        It can't fail or pass DMARC because the domain welchtitles.com
        doesn't have a DMARC record.

        If it did have a record it would pass DMARC because it doesn't
        have an aligned DKIM pass, but does have an aligned SPF pass.

We run DMARC compliance tests even if the sending domain does not adopt the standard.

That is not practical across the board and not wise. Spammers can set up SPF and DKIM alignment plus a DMARC record to make it perfect. You may decide to whitelist_auth trusted good senders or subtract points but you can't add points when the opposite is true unless you have manually verified the sender is a spammer and created a blacklist_from entry for that domain.

The DMARC standard says that EITHER (only takes one) SPF must pass and align with the envelope-from domain OR DKIM must pass and align with the From: header domain. DMARC doesn't require both to pass and align but it's best when it does.

https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/

The only valid way to do DMARC checks with SpamAssassin today is to run something like OpenDMARC on your milter and check headers with custom local SA rules. That is what I do.

As a sender, it takes a lot of work to get DMARC passing so you can't assume that every sender is ready for DMARC checks and they just forgot to set up their _dmarc TXT record. This may work locally in a small environment but it won't scale out with larger environments without a lot of false positives.


Concerning SPF, the domain is *now* listing outlook.com as permitted sender. The original header includes evidence of the change:

> Received-SPF: None (protection.outlook.com: welchtitles.com does not designate permitted sender hosts)




--
David Jones
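
The pass/fail logic argued over in this thread, as an added example (not code from any poster, SpamAssassin or OpenDMARC): the result is "none" when the From: domain publishes no DMARC record, and otherwise "pass" when either an aligned SPF pass or an aligned DKIM pass is present. The function names, the last-two-labels organizational-domain shortcut, the DKIM d= domain and the record strings are assumptions constructed for illustration.

```python
# Added example: DMARC outcome from SPF/DKIM results and the published record.

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator must use the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_record(txt):
    """Return the tag dict of a _dmarc TXT record, or None if absent/invalid."""
    if not txt:
        return None
    pairs = (part.partition("=") for part in txt.split(";") if part.strip())
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs}
    return tags if tags.get("v") == "dmarc1" else None

def dmarc_result(from_domain, spf, dkim, record_txt):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain)."""
    tags = parse_record(record_txt)
    if tags is None:
        return "none"  # no policy published: neither a pass nor a fail
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain,
                                          tags.get("aspf") == "s")
    dkim_ok = any(res == "pass" and aligned(d, from_domain,
                                            tags.get("adkim") == "s")
                  for res, d in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"

if __name__ == "__main__":
    # Constructed inputs; the DKIM d= domain and the record are placeholders.
    dkim = [("pass", "tenant.example.net")]
    print(dmarc_result("welchtitles.com", ("none", "welchtitles.com"), dkim, None))
    print(dmarc_result("welchtitles.com", ("pass", "welchtitles.com"), dkim,
                       "v=DMARC1; p=none"))
```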
