--On Monday, August 12, 2013 2:02 PM -0700 John Hardin <jhar...@impsec.org>
wrote:
> On Mon, 12 Aug 2013, Bowie Bailey wrote:
>> On 8/12/2013 2:48 PM, John Hardin wrote:
>>> On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:
>>>> --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>>>>
>>>>> body __BODY_FACEBOOK /Facebook/
>>>>> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>>>>> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>>>>>
>>>>> maybe it could be more specific, just not tested it, but why
>>>>> accept forged?
>>>>
>>>> Thanks, that is helpful. So I assume then I would do something like:
>>>>
>>>> score FORGED_FACEBOOK_BODY 3.0
>>>>
>>>> to give it a high SPAM score.
>>>
>>> ...so you want to punish any email that discusses Facebook and does not
>>> pass SPF *AND* DKIM? Regardless of where the message is (or claims to
>>> be) from?
>>
>> Actually, __FORGED_SENDER only fires if the message fails *both* SPF and
>> DKIM.
>>
>> (not A) and (not B) == not (A or B)
>
> D'oh!
>
> But this is still a check for messages *discussing* Facebook and not
> messages specifically *from* Facebook.

Yeah, I'm not complaining about people discussing Facebook, but pretending
to be Facebook.
Example:
Return-Path: no-re...@facebook.com
Received: from edge02-zcs.vmware.com (LHLO edge02-zcs.vmware.com)
(10.113.208.52) by mbs01-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
11:11:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by edge02-zcs.vmware.com (Postfix) with ESMTP id 904D1992;
Thu, 15 Aug 2013 11:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge02-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.814
X-Spam-Level: **
X-Spam-Status: No, score=2.814 tagged_above=-10 required=3
tests=[BAYES_80=2,
DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
KHOP_BIG_TO_CC=0.001, SPF_FAIL=0.001,
T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
Received: from edge02-zcs.vmware.com ([127.0.0.1])
by localhost (edge02-zcs.vmware.com [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id Ezz1yu95KGdl; Thu, 15 Aug 2013 11:11:36 -0700 (PDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not
authorized by default to use 'no-re...@facebook.com' in 'mfrom' identity
(mechanism '-all' matched)) receiver=edge02-zcs.vmware.com;
identity=mailfrom; envelope-from="no-re...@facebook.com";
helo=mail.oandpa.com; client-ip=68.169.160.233
Received: from mail.oandpa.com (mail.oandpa.com [68.169.160.233])
by edge02-zcs.vmware.com (Postfix) with ESMTP id 999EFCF5;
Thu, 15 Aug 2013 11:11:24 -0700 (PDT)
Received: from rdtuujtuubjgcaecasw (192.168.1.13) by rdtuujtuubjgcaecasw.
(68.169.160.233) with Microsoft SMTP Server id 8.0.685.24; Thu, 15 Aug 2013
13:11:34 -0500
Message-ID: <520d16e7.407...@facebook.com>
Date: Thu, 15 Aug 2013 13:11:34 -0500
From: "Facebook" <notification+zrdohvri=v...@facebookmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12)
Gecko/20101103 Thunderbird/3.1.6
MIME-Version: 1.0
So what I need is something like:
header __FROM_FACEBOOK Return-Path:addr =~ /^no-reply\@facebook\.com$/i
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK_FROM 1.5
Does that look correct?
Thanks,
Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
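The following is an added example, not code from the thread or from SpamAssassin: a small Python evaluator that runs the thread's three rule definitions (Benny's body rule, Quanah's Return-Path rule, and the shared __FORGED_SENDER meta) against three constructed messages, to show concretely why the body-keyed rule also hits ordinary unauthenticated mail that merely mentions Facebook while the Return-Path-keyed rule does not. SPF_PASS and DKIM_VALID_AU are approximated here by reading the Received-SPF and Authentication-Results headers an upstream MTA already added; SpamAssassin's own plugins do the real lookups. The sample messages are modelled on the headers quoted above but with invented bodies, and the example.org / example.net / example.com senders are placeholders. One caveat visible in the quoted headers: the From: there is at facebookmail.com while the Return-Path is at facebook.com (which is why T_HEADER_FROM_DIFFERENT_DOMAINS fired), so a rule keyed only on Return-Path will not see a forgery that uses some other envelope sender and spoofs only the From: header.

```python
"""Evaluate the thread's SpamAssassin meta-rule logic in plain Python (added example).

Rule names follow the thread. spf_pass() and dkim_valid_au() are simplified
stand-ins for SpamAssassin's SPF_PASS and DKIM_VALID_AU: they only trust
Received-SPF / Authentication-Results headers added by the receiving MTA.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread (full
# addresses and the body are invented); it is not the original message.
FORGED_MSG = """\
Return-Path: <no-reply@facebook.com>
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not
 authorized by default to use 'no-reply@facebook.com' in 'mfrom' identity
 (mechanism '-all' matched)) receiver=edge02-zcs.vmware.com;
 identity=mailfrom; envelope-from="no-reply@facebook.com";
 helo=mail.oandpa.com; client-ip=68.169.160.233
From: "Facebook" <notification+zrdohvri=v@facebookmail.com>
Subject: You have 1 new notification
Content-Type: text/plain

Hi, you have a new message on Facebook. Click here.
"""

# Constructed: an authenticated, legitimate sender merely talking about Facebook.
DISCUSSES_FACEBOOK_MSG = """\
Return-Path: <alice@example.org>
Received-SPF: pass (example.org: 192.0.2.10 is authorized) receiver=mx.example.net;
 identity=mailfrom; envelope-from="alice@example.org"
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
From: Alice <alice@example.org>
Subject: Facebook privacy settings
Content-Type: text/plain

Have you seen the new Facebook privacy controls?
"""

# Constructed: no SPF record, no DKIM, talks about Facebook, does not claim to
# be Facebook. Benny's body-keyed rule hits this; the Return-Path rule does not.
UNAUTH_NEWSLETTER_MSG = """\
Return-Path: <newsletter@example.com>
Received-SPF: none (example.com: no SPF record) receiver=mx.example.net;
 identity=mailfrom; envelope-from="newsletter@example.com"
From: Weekly Digest <newsletter@example.com>
Subject: This week in social media
Content-Type: text/plain

Facebook changed its news feed algorithm again.
"""


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts (what a 'body' rule scans)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(parts)


def body_facebook(msg: Message) -> bool:
    """body __BODY_FACEBOOK /Facebook/"""
    return re.search(r"Facebook", _body_text(msg)) is not None


def from_facebook(msg: Message) -> bool:
    """header __FROM_FACEBOOK Return-Path:addr =~ /^no-reply\\@facebook\\.com$/i"""
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    return re.fullmatch(r"no-reply@facebook\.com", addr, re.IGNORECASE) is not None


def spf_pass(msg: Message) -> bool:
    """Stand-in for SPF_PASS: top-most Received-SPF (added by our MTA) says pass."""
    spf = msg.get_all("Received-SPF") or []
    return bool(spf) and spf[0].strip().lower().startswith("pass")


def dkim_valid_au(msg: Message) -> bool:
    """Stand-in for DKIM_VALID_AU: a dkim=pass whose d= equals the From: domain."""
    author_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for ar in msg.get_all("Authentication-Results") or []:
        m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.IGNORECASE)
        if m and m.group(1).lower() == author_domain:
            return True
    return False


def forged_sender(msg: Message) -> bool:
    """meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU): fails both, per De Morgan."""
    return not spf_pass(msg) and not dkim_valid_au(msg)


def evaluate(raw: str) -> dict:
    """Return every rule's hit/miss for one RFC 822 message, like a test summary."""
    msg = message_from_string(raw)
    hits = {
        "__BODY_FACEBOOK": body_facebook(msg),
        "__FROM_FACEBOOK": from_facebook(msg),
        "__FORGED_SENDER": forged_sender(msg),
    }
    hits["FORGED_FACEBOOK_BODY"] = hits["__BODY_FACEBOOK"] and hits["__FORGED_SENDER"]
    hits["FORGED_FACEBOOK_FROM"] = hits["__FROM_FACEBOOK"] and hits["__FORGED_SENDER"]
    return hits


if __name__ == "__main__":
    samples = [("forged", FORGED_MSG), ("discusses", DISCUSSES_FACEBOOK_MSG),
               ("unauth-newsletter", UNAUTH_NEWSLETTER_MSG)]
    for name, raw in samples:
        scored = {k: v for k, v in evaluate(raw).items() if not k.startswith("__")}
        print(f"{name:18s} {scored}")
```

Running it shows the forged sample hitting both scored rules, the authenticated discussion hitting neither, and the unauthenticated newsletter hitting only FORGED_FACEBOOK_BODY, which is the false positive John Hardin raised and the reason the Return-Path-keyed rule is the better fit for "pretending to be Facebook".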