Re: SPF failure very low score

Thu, 15 Aug 2013 12:14:31 -0700

--On Thursday, August 15, 2013 3:06 PM -0400 Bowie Bailey <bowie_bai...@buc.com> wrote: 


On 8/15/2013 2:53 PM, Quanah Gibson-Mount wrote:

Yeah, I'm not complaining about people discussing facebook, but
pretending to be facebook.

Example:

Return-Path: no-re...@facebook.com
Received: from edge02-zcs.vmware.com (LHLO edge02-zcs.vmware.com)
  (10.113.208.52) by mbs01-zcs.vmware.com with LMTP; Thu, 15 Aug 2013
  11:11:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
        by edge02-zcs.vmware.com (Postfix) with ESMTP id 904D1992;
        Thu, 15 Aug 2013 11:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at edge02-zcs.vmware.com
X-Spam-Flag: NO
X-Spam-Score: 2.814
X-Spam-Level: **
X-Spam-Status: No, score=2.814 tagged_above=-10 required=3
tests=[BAYES_80=2,
        DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
        KHOP_BIG_TO_CC=0.001, SPF_FAIL=0.001,
        T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
Received: from edge02-zcs.vmware.com ([127.0.0.1])
        by localhost (edge02-zcs.vmware.com [127.0.0.1]) (amavisd-new, port
        10024) with ESMTP id Ezz1yu95KGdl; Thu, 15 Aug 2013 11:11:36 -0700 (PDT)

<snip>

Message-ID: <520d16e7.407...@facebook.com>
Date: Thu, 15 Aug 2013 13:11:34 -0500
From: "Facebook" <notification+zrdohvri=v...@facebookmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12)
Gecko/20101103 Thunderbird/3.1.6
MIME-Version: 1.0


So what I need is something like:

header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook.com/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_FROM (__FROM_FACEBOOK && __FORGED_SENDER)
score FORGED_FACEBOOK 1.5

Does that look correct?


Looks good to me.  The only thing I see is that you need to escape the
period in the regex.

header __FROM_FACEBOOK Return-Path:addr =~ /no-reply\@facebook\.com/

Otherwise, the period means "any character", which would probably not be
an issue here, but is not what you were intending.


Yeah, I noticed that after I sent it, thanks. :)

--Quanah


--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Reply via email to