Not 100% sure about the 168.100.1.4 IP, but the 168.100.1.3 IP is used by the official Postfix mailing list. Pretty sure they should not be removed from dnswl :-)
----- Original Message -----
From: David Jones <djo...@ena.com>
Sent: 24.01.18 - 03:26
To: users@spamassassin.apache.org
Subject: Re: Pretty good spoof of AmEx

> On 01/23/2018 07:11 PM, Alex wrote:
>> Hi,
>>
>> On Tue, Jan 23, 2018 at 4:52 PM, David Jones <djo...@ena.com> wrote:
>>> Here is a good example of a spoof that might get user clicks. It didn't have good SPF or DKIM, but it could have pretty easily, making it look pretty clean in a default SA installation.
>>>
>>> https://pastebin.com/GTG8K56a
>>>
>>> Need to get this IP off of the HostKarma and dnswl.org whitelists if anyone from there is on this list.
>>
>
> Sounds like this is a shared IP with some good senders, so this may need to be reported to cloud9.net so they can find the source of this abuse of their server.
>
>> This appears to have hit on your side. Is this just an FYI?
>>
>
> Do you mean my SA (MailScanner) blocked it? Yes it did. Mostly due to a properly trained Bayes DB, DCC, Pyzor, and local rules. Just trying to show my strategy for detecting and blocking spoofing as SPF, DKIM, and DMARC are being properly implemented by companies that are common targets of spoofing.
>
> Safely whitelist_auth the Envelope-From domain and then set up header/body rules to block the spoofing text.
>
>> X-ENA-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (cached,
>> score=17.85, required 4, BAYES_99 5.20, BAYES_999 0.20,
>>
>> Yeah, not good.
>> -2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
>> [168.100.1.4 listed in
>> hostkarma.junkemailfilter.com]
>> -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
>> medium
>> trust [168.100.1.4 listed in list.dnswl.org]
>>
>> Was there no EnvelopeFrom or Return-Path header?
>>
>
> EnvelopeFrom domain was welcome.aexp.com as you can see in the Authentication-Results added by my MTA with OpenDMARC. The legit email has perfect DMARC alignment on both SPF and DKIM and they run with p=reject.
>
> No Return-Path header in the original.
>
>> This hits a local rule involving undisclosed-recips and/or not to my domain and "urgent" messages. It also now hits pyzor and dcc.
>>
>
> Is this Bcc'd recipients? That can be helpful information but probably not a high scoring rule unless you are combining it in a meta with other hits.
>
>> I also have a rule that adds 1.2 points to emails that hit hostkarma with no domain security.
>>
>
> How is this a sign of spam? Have you noticed a pattern? I will search my logs (actually run a SQL query) for this to see if you are onto something here.
>
>>> Kevin already had something similar to this in KAM.cf checking for SPF_FAIL from aexp.com, but it wouldn't help with that spoofed one at the top with the "m" in the domain.
>>
>> Should we try to do something about "american express" with a faked domain (amexp.com)?
>>
>
> We could set up a 60_blacklist_from.cf file in the SA ruleset for definite bad domains, but that's probably not the best place to maintain that. It really should be in major DBLs that SA already knows to check.
>
> --
> David Jones
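As an added example (not from the thread, not from the SpamAssassin or KAM rulesets), here is a local.cf fragment implementing the strategy quoted above: whitelist_auth for the legitimate Envelope-From domain, plus header/meta rules that flag mail claiming to be American Express from any other domain, including the amexp.com lookalike. The rule names and scores are my own choices; welcome.aexp.com and aexp.com come from the thread.

```spamassassin
# Added example local.cf fragment (not from the thread). Rule names and
# scores are my own; the domains are the ones discussed in the thread.

# 1. Safely trust the legitimate Envelope-From domain: whitelist_auth only
#    applies when the sender passes SPF or carries a valid DKIM signature
#    for that domain, so a spoof relayed through a shared IP gains nothing.
whitelist_auth *@welcome.aexp.com

# 2. The From: display name claims to be American Express...
header   __LOCAL_AMEX_NAME  From:name =~ /american\s*express/i

#    ...but the From: address is not in aexp.com or one of its subdomains
#    (this also catches the one-letter lookalike amexp.com).
header   __LOCAL_AMEX_ADDR  From:addr =~ /\@(?:[\w-]+\.)*aexp\.com$/i

# 3. Flag brand claims that do not come from the real domain. Only the
#    meta rule scores; the __ prefixed sub-rules are silent building blocks.
meta     LOCAL_AMEX_SPOOF   __LOCAL_AMEX_NAME && !__LOCAL_AMEX_ADDR
describe LOCAL_AMEX_SPOOF   Claims to be American Express but From address is not aexp.com
score    LOCAL_AMEX_SPOOF   4.0

# 4. Mail whose From: really is aexp.com but has neither an author-aligned
#    DKIM signature nor an SPF pass is also suspicious: the legitimate sender
#    publishes p=reject, so aligned authentication should always be present.
meta     LOCAL_AMEX_NOAUTH  __LOCAL_AMEX_ADDR && !(DKIM_VALID_AU || SPF_PASS)
describe LOCAL_AMEX_NOAUTH  From aexp.com without aligned DKIM or SPF pass
score    LOCAL_AMEX_NOAUTH  3.0
```

Run `spamassassin --lint` after adding the fragment; the scores are starting points to be tuned against your own ham, since a whitelisted shared IP still contributes its negative RBL scores.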