--On Monday, August 12, 2013 2:02 PM -0700 John Hardin <jhar...@impsec.org> wrote:

On Mon, 12 Aug 2013, Bowie Bailey wrote:

On 8/12/2013 2:48 PM, John Hardin wrote:
 On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:

>  --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>
> >
> >    body __BODY_FACEBOOK /Facebook/
> >    meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
> >    meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
> >
> >    maybe it could be more specific, just not tested it, but why
> >    accept forged ?
>  Thanks, that is helpful.  So I assume then I would do something like:
>
>  score FORGED_FACEBOOK_BODY 3.0
>
>  to give it a high SPAM score.
 ...so you want to punish any email that discusses Facebook and does not
 pass SPF *AND* DKIM? Regardless of where the message is (or claims to
 be) from?

Actually, __FORGED_SENDER only fires if the message fails *both* SPF and
DKIM.

(not A) and (not B) == not (A or B)

D'oh!

But this is still a check for message *discussing* Facebook and not
messages specifically *from* Facebook.


Yeah, I'm not complaining about people discussing facebook, but pretending to be facebook.

Example:

Return-Path: no-re...@facebook.com
Received: from edge02-zcs.vmware.com (LHLO edge02-zcs.vmware.com)
(10.113.208.52) by mbs01-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
11:11:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by edge02-zcs.vmware.com (Postfix) with ESMTP id 904D1992;
        Thu, 15 Aug 2013 11:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge02-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.814
X-Spam-Level: **
X-Spam-Status: No, score=2.814 tagged_above=-10 required=3 tests=[BAYES_80=2,
        DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
        KHOP_BIG_TO_CC=0.001, SPF_FAIL=0.001,
        T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
Received: from edge02-zcs.vmware.com ([127.0.0.1])
        by localhost (edge02-zcs.vmware.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id Ezz1yu95KGdl; Thu, 15 Aug 2013 11:11:36 -0700 (PDT)
Received-SPF: fail (facebook.com ... _spf.facebook.com: Sender is not authorized by default to use 'no-re...@facebook.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=edge02-zcs.vmware.com; identity=mailfrom; envelope-from="no-re...@facebook.com"; helo=mail.oandpa.com; client-ip=68.169.160.233
Received: from mail.oandpa.com (mail.oandpa.com [68.169.160.233])
        by edge02-zcs.vmware.com (Postfix) with ESMTP id 999EFCF5;
        Thu, 15 Aug 2013 11:11:24 -0700 (PDT)
Received: from rdtuujtuubjgcaecasw (192.168.1.13) by rdtuujtuubjgcaecasw. (68.169.160.233) with Microsoft SMTP Server id 8.0.685.24; Thu, 15 Aug 2013 13:11:34 -0500
Message-ID: <520d16e7.407...@facebook.com>
Date: Thu, 15 Aug 2013 13:11:34 -0500
From: "Facebook" <notification+zrdohvri=v...@facebookmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101103 Thunderbird/3.1.6
MIME-Version: 1.0


So what I need is something like:

header __FROM_FACEBOOK Return-Path:addr =~ /^no-reply\@facebook\.com$/i
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK_FROM 1.5

Does that look correct?

Thanks,
Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
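The rule logic discussed in this thread, as an added Python example (not from the original post and not SpamAssassin's own code): it evaluates the thread's __FORGED_SENDER / FORGED_FACEBOOK_BODY / FORGED_FACEBOOK_FROM combinations over four constructed messages, so you can see that a body mention of Facebook plus missing authentication is a different thing from a forged facebook.com return path, and that (!SPF_PASS && !DKIM_VALID_AU) only fires when both checks fail. It assumes, as a simplification, that the SPF verdict is read from the Received-SPF header and the aligned-DKIM verdict from an Authentication-Results header; the sample messages, their addresses and scores are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first is modelled on the
# forged-Facebook headers quoted in the thread, trimmed to the relevant fields.
FORGED_FACEBOOK = """Return-Path: <no-reply@facebook.com>
Received-SPF: fail (facebook.com: Sender is not authorized by default to use 'no-reply@facebook.com' in 'mfrom' identity (mechanism '-all' matched)) identity=mailfrom
From: "Facebook" <notification@facebookmail.com>
Subject: You have 3 new notifications

Someone commented on your Facebook photo.
"""

# A legitimate third party discussing Facebook, fully authenticated.
NEWSLETTER = """Return-Path: <news@example.org>
Received-SPF: pass (example.org: 192.0.2.10 is authorized to use 'news@example.org' in 'mfrom' identity)
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
From: News <news@example.org>
Subject: Weekly digest

This week we look at Facebook's privacy settings.
"""

# A friend on a host with no SPF record and no DKIM, mentioning Facebook.
FRIEND = """Return-Path: <alice@example.com>
Received-SPF: none (example.com: no SPF record)
From: Alice <alice@example.com>
Subject: lunch?

Saw your Facebook post, are you free on Friday?
"""

# Facebook mail forwarded through another host: SPF breaks, DKIM still aligns.
FORWARDED_FACEBOOK = """Return-Path: <no-reply@facebook.com>
Received-SPF: fail (facebook.com: Sender is not authorized by default to use 'no-reply@facebook.com' in 'mfrom' identity)
Authentication-Results: mx.example.net; dkim=pass header.d=facebookmail.com
From: "Facebook" <notification@facebookmail.com>
Subject: You have a new message

Bob sent you a message on Facebook.
"""


def spf_pass(msg):
    """SPF_PASS: the Received-SPF header reports 'pass' (toy assumption)."""
    return msg.get("Received-SPF", "").strip().lower().startswith("pass")


def dkim_valid_au(msg):
    """DKIM_VALID_AU: a passing DKIM signature whose d= domain equals the From: domain.
    Toy assumption: the verdict is read from an Authentication-Results header."""
    ar = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar, re.IGNORECASE)
    if not m:
        return False
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return m.group(1).lower() == from_domain.lower()


def evaluate(raw):
    """Evaluate the thread's rules on one raw message; returns rule name -> hit."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    hits = {}
    hits["__BODY_FACEBOOK"] = re.search(r"Facebook", body) is not None
    # Anchored on the whole address so no-reply@facebook.com.example would not match.
    hits["__FROM_FACEBOOK"] = re.fullmatch(r"no-reply@facebook\.com", return_path, re.I) is not None
    hits["SPF_PASS"] = spf_pass(msg)
    hits["DKIM_VALID_AU"] = dkim_valid_au(msg)
    # (not A) and (not B): fires only when SPF and aligned DKIM both fail.
    hits["__FORGED_SENDER"] = not hits["SPF_PASS"] and not hits["DKIM_VALID_AU"]
    hits["FORGED_FACEBOOK_BODY"] = hits["__BODY_FACEBOOK"] and hits["__FORGED_SENDER"]
    hits["FORGED_FACEBOOK_FROM"] = hits["__FROM_FACEBOOK"] and hits["__FORGED_SENDER"]
    return hits


# Constructed scores for the two scored rules, mirroring the thread's numbers.
SCORES = {"FORGED_FACEBOOK_BODY": 3.0, "FORGED_FACEBOOK_FROM": 1.5}


def score(raw):
    """Total score contributed by the scored rules for one message."""
    hits = evaluate(raw)
    return sum(s for rule, s in SCORES.items() if hits[rule])


if __name__ == "__main__":
    samples = [("forged", FORGED_FACEBOOK), ("newsletter", NEWSLETTER),
               ("friend", FRIEND), ("forwarded", FORWARDED_FACEBOOK)]
    for name, raw in samples:
        hits = evaluate(raw)
        fired = sorted(rule for rule, hit in hits.items() if hit)
        print(f"{name:10s} score={score(raw):.1f} fired={fired}")
```

The "friend" sample is the case raised in the thread: it mentions Facebook and has neither SPF nor DKIM, so the body-based rule scores it 3.0 although nothing about it claims to be from Facebook, while the return-path rule stays silent. The "forwarded" sample shows the De Morgan point: SPF fails but aligned DKIM passes, so __FORGED_SENDER does not fire at all.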
