On 04/24/2014 03:22 PM, Michael Storz wrote:
Am 2014-04-24 14:31, schrieb Axb:
On 04/24/2014 02:20 PM, Michael Storz wrote:
Am 2014-04-24 13:27, schrieb Axb:
On 04/24/2014 01:22 PM, Michael Storz wrote:
Am 2014-04-24 12:58, schrieb Axb:
On 04/24/2014 12:52 PM, Michael Storz wrote:
Since Yahoo and AOL have moved to a DMARC policy of reject, mail senders
are changing the way they are sending their emails. Instead of using the
email address of a user in RFC5322.From they use their own address and
put the address of the user in the Reply-To field.
FREEMAIL_FORGED_REPLYTO fires on these emails and produces false
positives.

 From examples taken from log lines of amavisd:

From: GIVENNAME_SURNAME_via_LinkedIn_<mem...@linkedin.com> (dkim:AUTHOR)
From: NAME_via_Dropbox_<no-re...@dropbox.com> (dkim:AUTHOR)

Since more and more such emails will occur, for example all web forms
will send their emails in this way, the rule does not make sense anymore.


good thing you can lower the score if that rule can cause FPs on its own.


Sure, that's what I have done already.

The rule does what it was designed to.

Well, if we want to do hairsplitting, then the answer is no: it is not
forged anymore, therefore the name is wrong ;-)

pls pastebin a sample msg including full headers.

http://pastebin.com/fSj4azex (will expire in one week)

since I had to change personal information of my customer, evaluation of
DKIM will fail. But FREEMAIL_FORGED_REPLYTO will still fire.

the rule does the right thing..

# header FREEMAIL_FROM eval:check_freemail_from(['regex'])
#
#    Checks all possible "from" headers to see if sender is freemail.
#    Uses SA all_from_addrs() function (includes 'Resent-From', 'From',
#    'EnvelopeFrom' etc).

LinkedIn have chosen to modify the From: ... let's avoid the DMARC
/Y!/AOL discussion here - there's enough noise about it all over the
place.

for once I have to agree with Benny that some ppl may want to

whitelist_from_dkim *@linkedin.com
and maybe others.

I have answered that already, why this is not a good idea.


To lower the score or modify the rule would make it lose its teeth
and it is very valuable outside the edge cases which tamper with the
From:

It depends on how many false positives you are willing to accept, I am
already seeing more false positives than spam mails where the detection
relies on this rule. And this will change in the near future to be even
worse.

BTW. in addition I found FPs today with regular emails from Badoo.

Thanks for looking into this issue.

feel free to re-open
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

and pls include a few samples where this issue may apply

