I know the definition of spam is very subjective and dependent on your
particular the mail flow along with the expectations of the recipients.
On 02/06/2018 02:06 PM, David B Funk wrote:
On Tue, 6 Feb 2018, Kris Deugau wrote:
Alex wrote:
These phishes we've received were all from otherwise trusted sources
like salesforce, amazonses and sendgrid. These are examples that I
believe were previously whitelisted because of having received a phish
through these systems but have no been disabled.
whitelist_auth *@bounce.mail.salesforce.com
whitelist_auth *@sendgrid.net
whitelist_auth *@*.mcdlv.net
I've seen enough spam sent through all three - both by way of whole
apparently spammer-owned accounts and cracked-but-otherwise-legitimate
accounts - that I would never blanket-whitelist whole bulk email
providers.
Legitimate mail sent through them generally gets through anyway IME.
An alternative is to use "def_whitelist_auth" instead of "whitelist_auth"
That gives a -7.5 point bump to usually good sources which may
occasionally get abused.
That way if one of their accounts gets p0wned your anti-phish rules have
a chance of pulling the junk into the spam-tagged range.
Good point. One could also set the score for whitelist_auth-based
scores to something similar like -7.5 or -5.0 if the default score of
-100 is to far left for their comfort.
score USER_IN_DKIM_WHITELIST -7.5
score USER_IN_SPF_WHITELIST -7.5
Email filtering is really more than just 2 classifications: ham and
spam. If you break it down into a few more sub categories, then it's
easier/less risky to detect/block the bad stuff from compromised
accounts and zero-hour spam.
- Ham
- Trusted Mailing lists
- Trusted Bulk Senders (system generated)
- Good senders (human generated)
- Unwanted - valid/non-harvesting opt-out
- UCE from address being bought/sold on lists
- Something opted into accidentally (didn't uncheck a box)
- Spam
- BAD: Junk never opted into
- BAD: Questionable marketing of goods/pills
- VERY BAD: Spoofing/Phishing/Click-for-Malware-Infection
- VERY BAD: Malicious attachments/macros/scripting/etc
Most people on this list will probably combine the unwanted into the
spam category but 1) how can you objectively and consistently determine
that for your end users and 2) we can't trust end users to know the
difference between the two. From my experience, end users will flag
everything as spam and complain about it either way so the most
important thing to block is the malicious/spoofing/phishing/malware that
can do real damage.
My goal is to block all of the spam and none of the ham and unwanted. I
have an automated way to determine the ham and unwanted to create
whitelist_auth entries primarily of subdomains that do not have human
mailboxes that can be compromised.
The way we determine the categories above is by:
- Reputation: RBLs, DBLs, URIBLs, whitelist_*, blacklist_*, etc.
- Content: BAYES, words, phrases, regex rules, etc.
If I whitelist_auth in a safe way based on reputation since they mostly
score very low anyway, then I have a smaller subset to focus on with
content rules and meta rules to bump up the sensitivity on the content side.
As SPF, DKIM, and DMARC are deployed on subdomains delegated to trusted
third-party senders, then this tactic rewards those who use good SPF,
DKIM, and DMARC on a subdomain thus promoting itself. This makes sense
to me and has worked well for years now. Rspamd seems to be following a
similar approach in it's dmarc_whitelist.inc file.
--
David Jones
