Mailing List Archive: SpamAssassin: users

SPF failure very low score

Index | Next | Previous | View Threaded

quanah at zimbra

Aug 8, 2013, 1:34 PM

Post #1 of 24 (65 views)
Permalink

SPF failure very low score

For SA 3.4.0, it says in 50_scores.cf:

# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise. The penalties for an *incorrect* record, however, are large.
;)

However, ".001" does not seem LARGE to me at all. I would expect at least
a "1". Right now there is tons of facebook spam out there that clearly
fails SPF, such as the following:

X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001,
HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no

How is .001 in any way considered a "large" penalty?

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

jhardin at impsec

Aug 8, 2013, 1:49 PM

Post #2 of 24 (63 views)
Permalink

Re: SPF failure very low score [In reply to]

On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:

> For SA 3.4.0, it says in 50_scores.cf:
>
> # SPF
> # Note that the benefit for a valid SPF record is deliberately minimal; it's
> # likely that more spammers would quickly move to setting valid SPF records
> # otherwise. The penalties for an *incorrect* record, however, are large.
> ;)
>
> However, ".001" does not seem LARGE to me at all. I would expect at least a
> "1". Right now there is tons of facebook spam out there that clearly fails
> SPF, such as the following:
>
>
> X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
> tests=[.BAYES_50=0.8, DKIM_ADSP_ALL=0.8,
> HTML_FONT_LOW_CONTRAST=0.001,
> HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
> SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
>
> How is .001 in any way considered a "large" penalty?

SPF is _by itself_ not useful as a spam sign.

If you're seeing a lot of facebook spam that fails SPF because it's being
forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from
Facebook, and adds a point or two, would be more reasonable.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Christian martyrs don't explode. -- Marisol
-----------------------------------------------------------------------
7 days until the 68th anniversary of the end of World War II

quanah at zimbra

Aug 8, 2013, 2:02 PM

Post #3 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

--On August 8, 2013 1:49:18 PM -0700 John Hardin <jhardin [at] impsec> wrote:

>> How is .001 in any way considered a "large" penalty?
>
> SPF is _by itself_ not useful as a spam sign.
>
> If you're seeing a lot of facebook spam that fails SPF because it's being
> forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from
> Facebook, and adds a point or two, would be more reasonable.

Ok, that sounds reasonable, but that still doesn't align with the comment
in the 50_scores.cf file. ;)

Can you provide an example? I've done some basic custom rules, but the
above is a little more complex.

Thanks,
Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

dfs at roaringpenguin

Aug 8, 2013, 2:14 PM

Post #4 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

On Thu, 8 Aug 2013 13:49:18 -0700 (PDT)
John Hardin <jhardin [at] impsec> wrote:

> SPF is _by itself_ not useful as a spam sign.

Indeed. In my experience, most SPF "softfail" results and a fairly large
fraction of SPF "fail" results are from misconfigured domains whose
administrators don't bother making correct SPF records.

Additionally, SPF "pass" is (in my experience) a slight indicator of spam
because spammers are a bit more diligent about trying to get their messages
to pass SPF than many legitimate senders. :(

+1 to John's comments about domain-specific SPF scores. For certain domains,
an SPF fail is a strong indicator of spam or phishing. These are the
domains I score strongly for SPF fail:

adp.com, aexp.com, apple.com, bankofamerica.com, bbb.org, bmo.com,
chase.com, discover.com, dnb.com, ebay.com, emailinfo.chase.com,
id.apple.com, inbound.efax.com, irs.gov, newegg.com, paypal.com,
verizonwireless.com, welcome.aexp.com, wellsfargo.com

as well as my own domain, roaringpenguin.com.

Any others the list would like to suggest? Should SpamAssassin
come with a built-in list?

Regards,

David.

quanah at zimbra

Aug 8, 2013, 2:22 PM

Post #5 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

--On August 8, 2013 5:14:12 PM -0400 "David F. Skoll"
<dfs [at] roaringpenguin> wrote:

> On Thu, 8 Aug 2013 13:49:18 -0700 (PDT)
> John Hardin <jhardin [at] impsec> wrote:
>
>> SPF is _by itself_ not useful as a spam sign.
>
> Indeed. In my experience, most SPF "softfail" results and a fairly large
> fraction of SPF "fail" results are from misconfigured domains whose
> administrators don't bother making correct SPF records.
>
> Additionally, SPF "pass" is (in my experience) a slight indicator of spam
> because spammers are a bit more diligent about trying to get their
> messages to pass SPF than many legitimate senders. :(
>
> +1 to John's comments about domain-specific SPF scores. For certain
> domains, an SPF fail is a strong indicator of spam or phishing. These
> are the domains I score strongly for SPF fail:
>
> adp.com, aexp.com, apple.com, bankofamerica.com, bbb.org, bmo.com,
> chase.com, discover.com, dnb.com, ebay.com, emailinfo.chase.com,
> id.apple.com, inbound.efax.com, irs.gov, newegg.com, paypal.com,
> verizonwireless.com, welcome.aexp.com, wellsfargo.com
>
> as well as my own domain, roaringpenguin.com.

I would love to see your rules here so I can see how you did it. I don't
see if/and in the SA docs on rules.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

fmartin at linkedin

Aug 8, 2013, 2:31 PM

Post #6 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

On Aug 8, 2013, at 10:49 PM, John Hardin <jhardin [at] impsec> wrote:

> On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
>
>> For SA 3.4.0, it says in 50_scores.cf:
>>
>> # SPF
>> # Note that the benefit for a valid SPF record is deliberately minimal; it's
>> # likely that more spammers would quickly move to setting valid SPF records
>> # otherwise. The penalties for an *incorrect* record, however, are large. ;)
>>
>> However, ".001" does not seem LARGE to me at all. I would expect at least a "1". Right now there is tons of facebook spam out there that clearly fails SPF, such as the following:
>>
>>
>> X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
>> tests=[.BAYES_50=0.8, DKIM_ADSP_ALL=0.8,
>> HTML_FONT_LOW_CONTRAST=0.001,
>> HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
>> SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
>>
>> How is .001 in any way considered a "large" penalty?
>
> SPF is _by itself_ not useful as a spam sign.
>
> If you're seeing a lot of facebook spam that fails SPF because it's being forged, then a rule that checks SPF_FAIL *IF* the mail claims to be from Facebook, and adds a point or two, would be more reasonable.
>
Facebook dkim signs all their emails with the domain facebookmail.com, so you may have better luck using the ADSP rules...

dfs at roaringpenguin

Aug 8, 2013, 2:33 PM

Post #7 of 24 (63 views)
Permalink

Re: SPF failure very low score [In reply to]

On Thu, 08 Aug 2013 14:22:53 -0700
Quanah Gibson-Mount <quanah [at] zimbra> wrote:

> I would love to see your rules here so I can see how you did it. I
> don't see if/and in the SA docs on rules.

Emm... actually, I did it outside of the SA infrastructure.

I imagine you could do something like:

header __MY_SENSITIVE_DOMAIN Return-Path =~ /\@(:?ebay\.com|paypal\.com|irs\.gov)/i

meta MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
score MY_SPF_FAIL 5.0
describe MY_SPF_FAIL SPF failure on a sensitive domain

This is all completely untested, you understand. ;)

Regards,

David.

darxus at chaosreigns

Aug 8, 2013, 2:38 PM

Post #8 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

On 08/08, Quanah Gibson-Mount wrote:
> For SA 3.4.0, it says in 50_scores.cf:
>
> # SPF
> # Note that the benefit for a valid SPF record is deliberately minimal; it's
> # likely that more spammers would quickly move to setting valid SPF records
> # otherwise. The penalties for an *incorrect* record, however, are
> large. ;)
>
> However, ".001" does not seem LARGE to me at all. I would expect at
> least a "1". Right now there is tons of facebook spam out there
> that clearly fails SPF, such as the following:
>
>
> X-Spam-Status: No, score=2.407 tagged_above=-10 required=3
> tests=[BAYES_50=0.8, DKIM_ADSP_ALL=0.8, HTML_FONT_LOW_CONTRAST=0.001,
> HTML_MESSAGE=0.001, KHOP_BIG_TO_CC=0.001, RDNS_NONE=0.793,
> SPF_FAIL=0.001, T_HEADER_FROM_DIFFERENT_DOMAINS=0.01] autolearn=no
>
> How is .001 in any way considered a "large" penalty?

As has been said, SPF is kind of a terrible spam indicator:
http://ruleqa.spamassassin.org/?daterev=20130808-r1511618-n&rule=SPF_FAIL

MSECS SPAM% HAM% S/O RANK SCORE NAME WHO/AGE
0 0.1057 1.4410 0.068 0.40 0.00 SPF_FAIL

That says it hits over 10x as large a portion of non-spam as spam.

The explanation for the quote is, quite simply, that it is out of date, and
you should fix it.

--
"As humans, we are taught to forget that we are animals."
- forward to Johnny The Homicidal Maniac
http://www.ChaosReigns.com

quanah at zimbra

Aug 8, 2013, 2:40 PM

Post #9 of 24 (63 views)
Permalink

Re: SPF failure very low score [In reply to]

--On August 8, 2013 5:38:52 PM -0400 darxus [at] chaosreigns wrote:
> The explanation for the quote is, quite simply, that it is out of date,
> and you should fix it.

I don't have commit access to SA's SVN. ;) I suppose I can file a bug. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

rwmaillists at googlemail

Aug 8, 2013, 3:01 PM

Post #10 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

On Thu, 8 Aug 2013 21:31:59 +0000
Franck Martin wrote:

>
> On Aug 8, 2013, at 10:49 PM, John Hardin <jhardin [at] impsec> wrote:
>
> > On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:

> >> How is .001 in any way considered a "large" penalty?

Comments can be useful when they agree with reality, but all too often
they are just preliminary opinions that never get corrected.

> > SPF is _by itself_ not useful as a spam sign.
> >
> > If you're seeing a lot of facebook spam that fails SPF because it's
> > being forged, then a rule that checks SPF_FAIL *IF* the mail claims
> > to be from Facebook, and adds a point or two, would be more
> > reasonable.
> >
> Facebook dkim signs all their emails with the domain
> facebookmail.com, so you may have better luck using the ADSP rules...

dkim is generally the better way to go since legitimate emails can fail
SPF due to forwarding.

quanah at zimbra

Aug 8, 2013, 3:16 PM

Post #11 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

--On August 8, 2013 5:33:26 PM -0400 "David F. Skoll"
<dfs [at] roaringpenguin> wrote:

> On Thu, 08 Aug 2013 14:22:53 -0700
> Quanah Gibson-Mount <quanah [at] zimbra> wrote:
>
>> I would love to see your rules here so I can see how you did it. I
>> don't see if/and in the SA docs on rules.
>
> Emm... actually, I did it outside of the SA infrastructure.
>
> I imagine you could do something like:
>
> header __MY_SENSITIVE_DOMAIN Return-Path =~
> /\@(:?ebay\.com|paypal\.com|irs\.gov)/i
>
> meta MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
> score MY_SPF_FAIL 5.0
> describe MY_SPF_FAIL SPF failure on a sensitive domain

Thanks, that's a useful start. :)

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

me at junc

Aug 8, 2013, 3:17 PM

Post #12 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

Quanah Gibson-Mount skrev den 2013-08-08 22:34:

> How is .001 in any way considered a "large" penalty?

meta SPF_FAIL (3) (3) (3) (3)

in local.cf fixes it

or use pypolicyd-spf on mta stage

me at junc

Aug 8, 2013, 3:24 PM

Post #13 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

John Hardin skrev den 2013-08-08 22:49:

> SPF is _by itself_ not useful as a spam sign.

-1

> If you're seeing a lot of facebook spam that fails SPF because it's
> being forged, then a rule that checks SPF_FAIL *IF* the mail claims
> to
> be from Facebook, and adds a point or two, would be more reasonable.

why not check if dkim passed then ?, combine body facebook, with
spf_fail and no dkim headers, its 3 lines :)

the bug is not a bug, but a missing rule

for the OP problem is why did he allow spf_fails in mta ?

quanah at zimbra

Aug 8, 2013, 3:26 PM

Post #14 of 24 (63 views)
Permalink

Re: SPF failure very low score [In reply to]

--On August 8, 2013 11:01:43 PM +0100 RW <rwmaillists [at] googlemail> wrote:
>> Facebook dkim signs all their emails with the domain
>> facebookmail.com, so you may have better luck using the ADSP rules...
>
> dkim is generally the better way to go since legitimate emails can fail
> SPF due to forwarding.

Ok, so I imagine I want to do something like:

header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D')

but only for facebook.com... I don't see exactly how I tie those two
together?

Thanks!

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

me at junc

Aug 8, 2013, 3:31 PM

Post #15 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

RW skrev den 2013-08-09 00:01:

> dkim is generally the better way to go since legitimate emails can
> fail
> SPF due to forwarding.

and dkim never fails on forwards ?, well it does if forwards mangle
bódy and removes or changes headers in a way that dkim breaks, i have
seen it since i begin using it, it not yet resolved, but for
spamassassin i can atleast get dmarc=pass return

try sending email from facebook to one self mailadress not on facebook
:)

make rule on this

on spf, just remember to have trusted_networks setup with all ips that
do forwarding, then spf does work, but who cares ?

me at junc

Aug 8, 2013, 3:36 PM

Post #16 of 24 (63 views)
Permalink

Re: SPF failure very low score [In reply to]

David F. Skoll skrev den 2013-08-08 23:14:

> +1 to John's comments about domain-specific SPF scores. For certain
> domains,
> an SPF fail is a strong indicator of spam or phishing. These are the
> domains I score strongly for SPF fail:

yes spf pass does not default get -100 :))))

maybe change it for default to be 100 ?, until senders get more respect
for there own problems ?

trusted non spamming domains should be whitelist_from_auth and if there
is comming spam from this domain then remove it, i have done this all
years here

me at junc

Aug 8, 2013, 3:42 PM

Post #17 of 24 (64 views)
Permalink

Re: SPF failure very low score [In reply to]

Quanah Gibson-Mount skrev den 2013-08-08 23:22:

> I would love to see your rules here so I can see how you did it. I
> don't see if/and in the SA docs on rules.

body __BODY_FACEBOOK /Facebook/
meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)

maybe it could be more specific, just not tested it, but why accept
forged ?

me at junc

Aug 8, 2013, 3:45 PM

Post #18 of 24 (63 views)
Permalink

Re: SPF failure very low score [In reply to]

David F. Skoll skrev den 2013-08-08 23:33:

> meta MY_SPF_FAIL SPF_FAIL && __MY_SENSITIVE_DOMAIN
> score MY_SPF_FAIL 5.0
> describe MY_SPF_FAIL SPF failure on a sensitive domain
>
> This is all completely untested, you understand. ;)

make meta on !SPF_PASS is same as all versions of SPF_FAIL

Mark.Martinec+sa at ijs

Aug 9, 2013, 4:18 AM

Post #19 of 24 (42 views)
Permalink

Re: SPF failure very low score (DKIM whitelisting and ADSP rules) [In reply to]

On Friday 09 August 2013 00:26:09 Quanah Gibson-Mount wrote:
> Ok, so I imagine I want to do something like:
>
> header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D')
>
> but only for facebook.com... I don't see exactly how I tie those two
> together?

==============
To add POSITIVE spam score points to mail with a "From" from specific
domains but with no valid DKIM signature, see 60_adsp_override_dkim.cf .
Protected domains there include ebay, paypal, bankofamerica,
amazon, linkedin, facebookmail, ...

To add domains protected from forgery (the following are already
in the default 60_adsp_override_dkim.cf set of rules):
adsp_override birthdayalarm.com all
adsp_override astrology.com all
adsp_override linkedin.com all
adsp_override *.linkedin.com all
adsp_override facebookmail.com all
adsp_override *.greenpeace.org all
...
These are default scores for forgery (i.e. for ADSP failures):
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8
score DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9

and equivalent scores but permissive on failed mail that went through
some mailing list:
score NML_ADSP_CUSTOM_LOW 0 0.7 0 0.7
score NML_ADSP_CUSTOM_MED 0 1.2 0 0.9
score NML_ADSP_CUSTOM_HIGH 0 2.6 0 2.5

If there is a need to assign a non-default score for mail from specific
domains with no valid DKIM signature, instead of adsp_override one can
add a specific rule for such domains:

header DKIM_ADSP_ALL_YG1 eval:check_dkim_adsp('*', gmail.com, yahoo.com)
score DKIM_ADSP_ALL_YG1 0.1

header DKIM_ADSP_ALL_YG2 eval:check_dkim_adsp('*', .gmail.com, .yahoo.com)
score DKIM_ADSP_ALL_YG2 0.1

==============
To add NEGATIVE score points assigned to mail from specific domains
with valid DKIM signatures, see 60_whitelist_dkim.cf .
Benefiting domains there include ebay, paypal, cisco, hotels.com,
lufthansa, skype, several scientific newsletters, ...

Add further domains like:
whitelist_from_dkim *@uu.se
whitelist_from_dkim *@uni-bremen.de
whitelist_from_dkim *@tugraz.at
whitelist_from_dkim *@tu-graz.ac.at
whitelist_from_dkim *@univie.ac.at
whitelist_from_dkim *@univ-tours.fr
whitelist_from_dkim *@cern.ch
whitelist_from_dkim *@amazon.com
whitelist_from_dkim *@springer.delivery.net
whitelist_from_dkim *@cisco.com
whitelist_from_dkim *@info.hp.com
whitelist_from_dkim *@alert.bankofamerica.com
whitelist_from_dkim *@cnn.com
whitelist_from_dkim *@*.cnn.com
whitelist_from_dkim service [at] youtube
whitelist_from_dkim *@* paypal.com
def_whitelist_from_dkim *@yousendit.com
def_whitelist_from_dkim *@meetup.com
def_whitelist_from_dkim dailyhoroscope [at] astrology
def_whitelist_from_dkim *@twitter.com
def_whitelist_from_dkim *@*.twitter.com
def_whitelist_from_dkim *@*.twitter.com twitter.com
def_whitelist_from_dkim *@email.creativepro.com
def_whitelist_from_dkim *@publicservice-mailer.co.uk

and adjust scores if necessary:
score USER_IN_DEF_DKIM_WL -1.5
score USER_IN_DKIM_WHITELIST -12

If there is a need to assign a non-default score for valid DKIM-signed
mail from specific domains, instead of whitelist_from_dkim one can add
a specific rule for such domains:

full DKIM_VALID_WEGAME eval:check_dkim_valid(email.wegame.com)
score DKIM_VALID_WEGAME -8

Mark

thomas-lists at nybeta

Aug 9, 2013, 6:02 AM

Post #20 of 24 (41 views)
Permalink

Re: SPF failure very low score [In reply to]

On 8/8/2013 4:49 PM, John Hardin wrote:
> On Thu, 8 Aug 2013, Quanah Gibson-Mount wrote:
>
> SPF is _by itself_ not useful as a spam sign.
>
> If you're seeing a lot of facebook spam that fails SPF because it's
> being forged, then a rule that checks SPF_FAIL *IF* the mail claims to
> be from Facebook, and adds a point or two, would be more reasonable.
>

In our setup, we get good results from outright blocking any SPF fails
using policyd-spf (python version) during the SMTP transaction and we've
only had to whitelist a handful of badly configured servers. We block
about 4% of all inbound messages by blocking on SPF FAIL.

So I'd argue that SPF FAIL is a pretty good indicator that the message
is very likely to be spam. But in our setup, those messages never get
that far.

SPF PASS, however, is not a good indicator either way.

quanah at zimbra

Aug 12, 2013, 11:23 AM

Post #21 of 24 (5 views)
Permalink

Re: SPF failure very low score [In reply to]

--On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:

> Quanah Gibson-Mount skrev den 2013-08-08 23:22:
>
>> I would love to see your rules here so I can see how you did it. I
>> don't see if/and in the SA docs on rules.
>
> body __BODY_FACEBOOK /Facebook/
> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>
> maybe it could be more specific, just not tested it, but why accept
> forged ?

Thanks, that is helpful. So I assume then I would do something like:

score FORGED_FACEBOOK_BODY 3.0

to give it a high SPAM score.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

jhardin at impsec

Aug 12, 2013, 11:48 AM

Post #22 of 24 (5 views)
Permalink

Re: SPF failure very low score [In reply to]

On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:

> --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>
>> Quanah Gibson-Mount skrev den 2013-08-08 23:22:
>>
>> > I would love to see your rules here so I can see how you did it. I
>> > don't see if/and in the SA docs on rules.
>>
>> body __BODY_FACEBOOK /Facebook/
>> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>>
>> maybe it could be more specific, just not tested it, but why accept
>> forged ?
>
> Thanks, that is helpful. So I assume then I would do something like:
>
> score FORGED_FACEBOOK_BODY 3.0
>
> to give it a high SPAM score.

...so you want to punish any email that discusses Facebook and does not
pass SPF *AND* DKIM? Regardless of where the message is (or claims to be)
from?

This is not a *Facebook forgery* rule, this is a *"Facebook"* + *forgery*
rule.

For it to be a *facebook forgery* rule you'd need to look in the message
headers to see whether the message claims to be from the facebook domain,
or do more selective body text matching to see if the body is trying to
make the reader think the message is from Facebook.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Health Care _is_ a right - the government has no business keeping
you from getting it. But forcing somebody else to pay for your
health care at gunpoint (i.e. through taxation) is _not_ a right.
-----------------------------------------------------------------------
3 days until the 68th anniversary of the end of World War II

Bowie_Bailey at BUC

Aug 12, 2013, 1:56 PM

Post #23 of 24 (1 views)
Permalink

Re: SPF failure very low score [In reply to]

On 8/12/2013 2:48 PM, John Hardin wrote:
> On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:
>
>> --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>>
>>>
>>> body __BODY_FACEBOOK /Facebook/
>>> meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>>> meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>>>
>>> maybe it could be more specific, just not tested it, but why accept
>>> forged ?
>> Thanks, that is helpful. So I assume then I would do something like:
>>
>> score FORGED_FACEBOOK_BODY 3.0
>>
>> to give it a high SPAM score.
> ...so you want to punish any email that discusses Facebook and does not
> pass SPF *AND* DKIM? Regardless of where the message is (or claims to be)
> from?

Actually, __FORGED_SENDER only fires if the message fails *both* SPF and
DKIM.

(not A) and (not B) == not (A or B)

But this is still a check for message *discussing* Facebook and not
messages specifically *from* Facebook.

--
Bowie

jhardin at impsec

Aug 12, 2013, 2:02 PM

Post #24 of 24 (1 views)
Permalink

Re: SPF failure very low score [In reply to]

On Mon, 12 Aug 2013, Bowie Bailey wrote:

> On 8/12/2013 2:48 PM, John Hardin wrote:
>> On Mon, 12 Aug 2013, Quanah Gibson-Mount wrote:
>>
>> > --On Friday, August 09, 2013 12:42 AM +0200 Benny Pedersen wrote:
>> >
>> > >
>> > > body __BODY_FACEBOOK /Facebook/
>> > > meta __FORGED_SENDER (!SPF_PASS && !DKIM_VALID_AU)
>> > > meta FORGED_FACEBOOK_BODY (__BODY_FACEBOOK && __FORGED_SENDER)
>> > >
>> > > maybe it could be more specific, just not tested it, but why accept
>> > > forged ?
>> > Thanks, that is helpful. So I assume then I would do something like:
>> >
>> > score FORGED_FACEBOOK_BODY 3.0
>> >
>> > to give it a high SPAM score.
>> ...so you want to punish any email that discusses Facebook and does not
>> pass SPF *AND* DKIM? Regardless of where the message is (or claims to be)
>> from?
>
> Actually, __FORGED_SENDER only fires if the message fails *both* SPF and
> DKIM.
>
> (not A) and (not B) == not (A or B)

D'oh!

> But this is still a check for message *discussing* Facebook and not messages
> specifically *from* Facebook.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
It's easy to be noble with other people's money.
-- John McKay, _The Welfare State:
No Mercy for the Middle Class_
-----------------------------------------------------------------------
3 days until the 68th anniversary of the end of World War II

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads