Posted to users@spamassassin.apache.org by MySQL Student <my...@gmail.com> on 2009/09/11 01:21:16 UTC
JMF whitelist and RAZOR conflict
Hi,
I have several emails that are tagged with RCVD_IN_JMF_W,
SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
http://pastebin.com/m4a4d990e
Are the criteria for being listed on the JMF_W simply that it contains
a domain that is whitelisted, regardless of whether it contains another URL
that is blacklisted?
Would I be advised to make the JMF_W score very low, or create a meta
that doesn't really whitelist it unless it isn't also blacklisted?
meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
It also appears to spoof the kraftfoods.com mail server, correct? Is
there a possible rule to be created here?
Thanks,
Alex
Re: JMF whitelist and RAZOR conflict
Posted by Benny Pedersen <me...@junc.org>.
On Sat 12 Sep 2009 19:30:09 CEST, Henrik K wrote
> PS. SPF is checked on internal, not trusted border. Even though
> they are the same for most people..
Some?
> and I don't think you can disable SPF checks
> in any way except fully.
If the SPF test is done at the MTA stage with a prepended header for SPF pass,
there is no problem whitelisting trusted forwarders.
This header can be used as an SPF test header in the SPF plugin; remember
to disable the Perl SPF test.
perldoc Mail::SpamAssassin::Plugin::SPF
Can the FreeMail plugin use an SPF softfail and/or SPF fail domain as a
freemail domain test? (Maybe even SPF neutral.)
Bad idea?
pypolicyd-spf is used here in my Postfix, after Postfix does its RBL testing.
--
xpoint
Re: JMF whitelist and RAZOR conflict
Posted by Benny Pedersen <me...@junc.org>.
On Sat 12 Sep 2009 23:46:44 CEST, John Hardin wrote
> The latter. Possibly through another list instead of
> trusted_networks; the semantics are slightly different and
> overloading the current trusted list with an SPF meaning might be a
It will be one more network list to manage, and keeping track of what
is what later will get more confusing if there is a separate list for
SPF. It's just magic that it has worked so long without anyone wondering
why all those SPF fails show up in SA :)
> bad idea. spf_forwarders perhaps?
IMHO I would say no, keep it in trusted_networks; that makes fewer lists, and it
still makes sense for trusted_networks to also include SPF testing
outside this barrier, to mimic how pypolicyd-spf does it in the MTA.
What types of IPs I whitelist are:
1: ISPs that are known to forward customers' emails
2: forwarders that don't use SRS or otherwise have some other type of
email-forwarding system
What types I remove from trusted_networks are:
1: IPs that send spam
2: forwarders that do spam scanning and still forward the spam
I have yet to see SPF pass and SPF whitelist in spam here :)
(The first part is easy for the spammer, the second part is the paying one.)
--
xpoint
Re: JMF whitelist and RAZOR conflict
Posted by John Hardin <jh...@impsec.org>.
On Sat, 12 Sep 2009, Benny Pedersen wrote:
> On Sat 12 Sep 2009 20:22:21 CEST, John Hardin wrote
>
>> Hrm. Changing that might be something to consider, then.
>
> change sa to support srs ?
>
> or spf trusted_networks ?
The latter. Possibly through another list instead of trusted_networks; the
semantics are slightly different and overloading the current trusted list
with an SPF meaning might be a bad idea. spf_forwarders perhaps?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
There is no doubt in my mind that millions of lives could have been
saved if the people were not "brainwashed" about gun ownership and
had been well armed. ... Gun haters always want to forget the Warsaw
Ghetto uprising, which is a perfect example of how a ragtag,
half-starved group of Jews took 10 handguns and made asses out of
the Nazis. -- Theodore Haas, Dachau survivor
-----------------------------------------------------------------------
5 days until the 222nd anniversary of the signing of the U.S. Constitution
Re: JMF whitelist and RAZOR conflict
Posted by Benny Pedersen <me...@junc.org>.
On Sat 12 Sep 2009 20:22:21 CEST, John Hardin wrote
> Hrm. Changing that might be something to consider, then.
Change SA to support SRS?
Or SPF trusted_networks?
The latter does work in my setup; if anyone knows it's not so, please tell
me what my error is.
--
xpoint
Re: JMF whitelist and RAZOR conflict
Posted by John Hardin <jh...@impsec.org>.
On Sat, 12 Sep 2009, Henrik K wrote:
> On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
>> On Fri, 11 Sep 2009, MySQL Student wrote:
>>
>>>> Are you receiving forwarded emails from SPF domains?
>>>
>>> If I understand correctly, no. I have no relationship with any external
>>> source and their SPF records.
>>>
>>>> If so, add the forwarder IP to trusted_networks (so SPF will be disabled
>>>> for these hosts).
>>>
>>> Do you mean to avoid the processing overhead? IOW, don't bother
>>> checking SPF records for trusted domains?
>>
>> One of the problems with SPF is that someone who sets up forwarding (e.g.
>> you have a gmail account, and you set it to automatically forward
>> messages to your "real" account) breaks SPF checks for messages received
>> via the forward. If I send a mail to your gmail account, and google
>> forwards it to your real account, your MTA will see a message from an
>> @impsec.org address originating from an MTA that my SPF record says is
>> not a valid source. SPF fail.
>
> Bad example, gmail rewrites forwards properly coming from your@gmail.com.
Oops. But you get the idea.
>> If you tell SA that google is trusted, that pushes the SPF test point
>> back one step - where did *google* receive the message from?
>> mail.impsec.org? Okay, then - SPF pass.
>
> PS. SPF is checked on internal, not trusted border. Even though they are
> the same for most people.. and I don't think you can disable SPF checks
> in any way except fully.
Hrm. Changing that might be something to consider, then.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
So Microsoft's invented the ASCII equivalent to ugly ink spots that
appear on your letter when your pen is malfunctioning.
-- Greg Andrews, about Microsoft's way to encode apostrophes
-----------------------------------------------------------------------
5 days until the 222nd anniversary of the signing of the U.S. Constitution
Re: JMF whitelist and RAZOR conflict
Posted by Henrik K <he...@hege.li>.
On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
> On Fri, 11 Sep 2009, MySQL Student wrote:
>
>>> Are you receiving forwarded emails from SPF domains?
>>
>> If I understand correctly, no. I have no relationship with any external
>> source and their SPF records.
>>
>>> If so, add the forwarder IP to trusted_networks (so SPF will be disabled
>>> for these hosts).
>>
>> Do you mean to avoid the processing overhead? IOW, don't bother
>> checking SPF records for trusted domains?
>
> One of the problems with SPF is that someone who sets up forwarding (e.g.
> you have a gmail account, and you set it to automatically forward
> messages to your "real" account) breaks SPF checks for messages received
> via the forward. If I send a mail to your gmail account, and google
> forwards it to your real account, your MTA will see a message from an
> @impsec.org address originating from an MTA that my SPF record says is
> not a valid source. SPF fail.
Bad example, gmail rewrites forwards properly coming from your@gmail.com.
> If you tell SA that google is trusted, that pushes the SPF test point
> back one step - where did *google* receive the message from?
> mail.impsec.org? Okay, then - SPF pass.
PS. SPF is checked on internal, not trusted border. Even though they are the
same for most people.. and I don't think you can disable SPF checks in any
way except fully.
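The two points made in this part of the thread, that SA runs its SPF check against the first hop outside internal_networks rather than the trusted border, and (from Benny's earlier reply) that an SPF result the MTA itself prepended as a Received-SPF header can be consumed instead, are modelled below as an added example. This is not SpamAssassin's own code: the IPs, networks, hostnames, Received chain, SPF record and Received-SPF headers are constructed for the demonstration, and the rule that a Received-SPF header is only honoured when every Received line above it belongs to an internal hop is an assumption of this model, not a statement about the plugin's exact implementation.

```python
"""Added example (not SpamAssassin's own code): a model of the
Received-header walk that picks the relay IP an SPF check is run
against, and of when an MTA-added Received-SPF header is used instead.
All IPs, hostnames, networks, records and headers are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed hop chain: sender MX -> forwarder -> our MX -> our scanner.
SENDER_MX = "198.51.100.10"
FORWARDER = "203.0.113.5"
OUR_MX = "192.0.2.25"

# One entry per Received: line, topmost (newest) first; from_ip is the
# address the host that wrote the line accepted the message from.
RECEIVED_CHAIN: List[Dict[str, str]] = [
    {"from_ip": OUR_MX, "by": "scanner.example.net"},
    {"from_ip": FORWARDER, "by": "mx.example.net"},
    {"from_ip": SENDER_MX, "by": "fwd.example.com"},
]

# Constructed SPF policy for the envelope-sender domain: only the sender
# MX is authorised, and "~all" turns any other source into a softfail.
SPF_RECORDS = {"example.org": {"ip4": [SENDER_MX], "all": "~"}}

# Constructed headers, top first. Our MX checked SPF and prepended the
# result above its own Received line (an allowed forwarder -> pass).
MTA_CHECKED_HEADERS: List[Tuple[str, str]] = [
    ("Received", f"from mx.example.net ({OUR_MX}) by scanner.example.net"),
    ("Received-SPF", f"pass (mx.example.net: allowed forwarder) client-ip={FORWARDER}"),
    ("Received", f"from fwd.example.com ({FORWARDER}) by mx.example.net"),
    ("Received", f"from mail.example.org ({SENDER_MX}) by fwd.example.com"),
]

# Same chain, but the Received-SPF line sits below an external hop, so an
# outside party, not our MTA, must have written it.
FORGED_HEADERS: List[Tuple[str, str]] = [
    ("Received", f"from mx.example.net ({OUR_MX}) by scanner.example.net"),
    ("Received", f"from fwd.example.com ({FORWARDER}) by mx.example.net"),
    ("Received-SPF", "pass (injected by the sender)"),
    ("Received", f"from mail.example.org ({SENDER_MX}) by fwd.example.com"),
]


def in_networks(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def split_chain(chain: list, nets: List[str]) -> Tuple[list, list]:
    """Walk newest-first. Hops stay inside the zone while their IP matches
    `nets`; the first non-matching hop and everything older is outside,
    even if an older hop would match again."""
    for i, hop in enumerate(chain):
        if not in_networks(hop["from_ip"], nets):
            return chain[:i], chain[i:]
    return list(chain), []


def spf_check_relay(chain: list, trusted_networks: List[str],
                    internal_networks: List[str]) -> Optional[str]:
    """IP the SPF check is evaluated against: the first hop outside
    internal_networks (relays_external[0] in SA terms). trusted_networks
    must contain internal_networks but does not move the check point,
    which is the caveat raised in the thread."""
    for net in internal_networks:  # approximate subset check on the base address
        base = str(ipaddress.ip_network(net, strict=False).network_address)
        if not in_networks(base, trusted_networks):
            raise ValueError(f"internal network {net} is not inside trusted_networks")
    _internal, external = split_chain(chain, internal_networks)
    return external[0]["from_ip"] if external else None


def spf_evaluate(domain: str, ip: str) -> str:
    """Toy SPF evaluation over the constructed records: ip4 mechanisms,
    then the qualifier on 'all'."""
    rec = SPF_RECORDS.get(domain)
    if rec is None:
        return "none"
    if in_networks(ip, rec["ip4"]):
        return "pass"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[rec["all"]]


def spf_result(chain: list, trusted_networks: List[str], internal_networks: List[str],
               sender_domain: str = "example.org") -> str:
    ip = spf_check_relay(chain, trusted_networks, internal_networks)
    return "none" if ip is None else spf_evaluate(sender_domain, ip)


def received_spf_result(headers: List[Tuple[str, str]], chain: list,
                        internal_networks: List[str]) -> Optional[str]:
    """Result from a Received-SPF header our own MTA wrote (the
    MTA-side check, e.g. pypolicyd-spf). Assumption of this model: the
    header counts as ours only if every Received: line above it is an
    internal hop; a header placed below an external hop is ignored."""
    internal_count = len(split_chain(chain, internal_networks)[0])
    received_seen = 0
    for name, value in headers:
        if name.lower() == "received":
            received_seen += 1
        elif name.lower() == "received-spf":
            return value.split(None, 1)[0].lower() if received_seen <= internal_count else None
    return None


if __name__ == "__main__":
    ours = ["192.0.2.0/24"]
    print("forwarder untrusted :", spf_result(RECEIVED_CHAIN, ours, ours))
    print("forwarder trusted   :", spf_result(RECEIVED_CHAIN, ours + [FORWARDER], ours))
    print("forwarder internal  :", spf_result(RECEIVED_CHAIN, ours + [FORWARDER], ours + [FORWARDER]))
    print("MTA Received-SPF    :", received_spf_result(MTA_CHECKED_HEADERS, RECEIVED_CHAIN, ours))
    print("forged Received-SPF :", received_spf_result(FORGED_HEADERS, RECEIVED_CHAIN, ours))
```

Running it shows the forwarder's address being checked (softfail) whether or not the forwarder is in trusted_networks, the check moving back to the sender MX (pass) only once the forwarder is also in internal_networks, and the forged Received-SPF line being ignored because an external hop sits above it.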
Re: JMF whitelist and RAZOR conflict
Posted by John Hardin <jh...@impsec.org>.
On Fri, 11 Sep 2009, MySQL Student wrote:
>> Are you receiving forwarded emails from SPF domains?
>
> If I understand correctly, no. I have no relationship with any external
> source and their SPF records.
>
>> If so, add the forwarder IP to trusted_networks (so SPF will be disabled
>> for these hosts).
>
> Do you mean to avoid the processing overhead? IOW, don't bother checking
> SPF records for trusted domains?
One of the problems with SPF is that someone who sets up forwarding (e.g.
you have a gmail account, and you set it to automatically forward messages
to your "real" account) breaks SPF checks for messages received via the
forward. If I send a mail to your gmail account, and google forwards it to
your real account, your MTA will see a message from an @impsec.org address
originating from an MTA that my SPF record says is not a valid source. SPF
fail.
If you tell SA that google is trusted, that pushes the SPF test point back
one step - where did *google* receive the message from? mail.impsec.org?
Okay, then - SPF pass.
> On a somewhat related note, how does BOTNET differ from RDNS_NONE?
> What is the logic behind the BOTNET rule? Is there some known list
> that it's checking, or is it just likely to be a dynamic IP or
> compromised host if it doesn't have a reverse DNS entry?
RDNS_NONE is, well, _no_ rDNS data.
BOTNET uses a lot of heuristics to determine whether the sender looks
dynamic. I suggest you read the list archives back when it was first
proposed and released for more details.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An entitlement beneficiary is a person or special interest group
who didn't earn your money, but demands the right to take your
money because they *want* it. -- John McKay, _The Welfare State:
No Mercy for the Middle Class_
-----------------------------------------------------------------------
5 days until the 222nd anniversary of the signing of the U.S. Constitution
Re: JMF whitelist and RAZOR conflict
Posted by MySQL Student <my...@gmail.com>.
Hi,
>> I have several emails that are tagged with RCVD_IN_JMF_W,
>> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>> http://pastebin.com/m4a4d990e
>
> Why accept SPF_SOFTFAIL?
>
> Can't this be solved?
I don't understand. I'm still learning how the SPF rules work.
Shouldn't I be adding points for an SPF_FAIL? This indicates a spoof
attempt, no?
> Are you receiving forwarded emails from SPF domains?
If I understand correctly, no. I have no relationship with any
external source and their SPF records.
> If so, add the forwarder IP to trusted_networks (so SPF will be disabled for
> these hosts).
Do you mean to avoid the processing overhead? IOW, don't bother
checking SPF records for trusted domains?
>> Is the criteria for being listed on the JMF_W simply that it
>> contains a domain that is whitelisted, despite whether it
>> contains another URL that is blacklisted?
>
> This is SpamAssassin working; if there is a blacklisted domain, add it to
> your uribl_skip_domain list.
Ah, you mean if the domain is erroneously on the blacklist, right?
>> Would I be advised to make the JMF_W score very low, or create a
>> meta that doesn't really whitelist it unless it isn't also blacklisted?
>
> This is IPs, not domains.
On a somewhat related note, how does BOTNET differ from RDNS_NONE?
What is the logic behind the BOTNET rule? Is there some known list
that it's checking, or is it just likely to be a dynamic IP or
compromised host if it doesn't have a reverse DNS entry?
Thanks so much for the clarification, and confirmation about Gevalia/Kraft.
Thanks,
Alex
Re: JMF whitelist and RAZOR conflict
Posted by Benny Pedersen <me...@junc.org>.
On Fri 11 Sep 2009 01:21:16 AM CEST, MySQL Student wrote
> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
> http://pastebin.com/m4a4d990e
Why accept SPF_SOFTFAIL?
Can't this be solved?
Are you receiving forwarded emails from SPF domains?
If so, add the forwarder IP to trusted_networks (so SPF will be disabled
for these hosts).
> Is the criteria for being listed on the JMF_W simply that it
> contains a domain that is whitelisted, despite whether it
> contains another URL that is blacklisted?
This is SpamAssassin working; if there is a blacklisted domain, add it
to your uribl_skip_domain list.
> Would I be advised to make the JMF_W score very low, or create a
> meta that doesn't really whitelist it unless it isn't also blacklisted?
This is IPs, not domains.
> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
> It also appears to spoof the kraftfoods.com mail server, correct?
> Is there a possible rule to be created here?
The rule is okay as a ham score, well written.
--
xpoint
Re: JMF whitelist and RAZOR conflict
Posted by Kelson <ke...@speed.net>.
RW wrote:
> Razor looks-up fuzzy hashes of an email on a server that records the
> values that have previously been reported for spam. JMF_W is based on
> the IP address of the last hop into your trusted network (or internal
> if you set it up that way). Neither is based on URLs.
Actually, Razor does check URLs as well. It's one of the signature
types. Type 8, I think.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: JMF whitelist and RAZOR conflict
Posted by RW <rw...@googlemail.com>.
On Thu, 10 Sep 2009 21:23:11 -0400
MySQL Student <my...@gmail.com> wrote:
> Hi,
>
> >> http://pastebin.com/m4a4d990e
> >>
> >> Is the criteria for being listed on the JMF_W simply that it
> >> contains a domain that is whitelisted, despite whether it contains
> >> another URL that is blacklisted?
> >
> > I'm not sure what you are saying here, it's not as if the people
> > running the whitelist could lookup the IP address on razor.
>
> I'm saying that it appears odd that it would be listed on both RAZOR
> and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
> rules found the bogus
> http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
> is a legitimate kraftfoods site?
Razor looks-up fuzzy hashes of an email on a server that records the
values that have previously been reported for spam. JMF_W is based on
the IP address of the last hop into your trusted network (or internal
if you set it up that way). Neither is based on URLs.
DNS whitelists are hard to spoof. Both examples involve Exchange
server; perhaps a spammer is exploiting a Windows or Exchange
vulnerability.
Re: JMF whitelist and RAZOR conflict
Posted by MySQL Student <my...@gmail.com>.
Hi,
>> http://pastebin.com/m4a4d990e
>>
>> Is the criteria for being listed on the JMF_W simply that it contains
>> a domain that is whitelisted, despite whether it contains another URL
>> that is blacklisted?
>
> I'm not sure what you are saying here, it's not as if the people
> running the whitelist could lookup the IP address on razor.
I'm saying that it appears odd that it would be listed on both RAZOR
and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
rules found the bogus
http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
is a legitimate kraftfoods site?
>> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
>
> Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
> that the whitelist rule is then pointless. Set its score at a value
> that's commensurate with its effectiveness on your email.
Does my question now make sense? I was looking at it from more of a
validation point of view for JMF_W, because of the apparent conflict
with RAZOR.
>> It also appears to spoof the kraftfoods.com mail server, correct? Is
>> there a possible rule to be created here?
>
> No, it was almost certainly sent through kraftfoods.com. It's based on
> an IP address recorded by your trusted network.
Maybe I should have used a better example. Can I ask you to look at this one?
http://pastebin.com/m7d61b26f
This uses IP 66.132.135.108 as its URL (xybersleuth.com), and unless
that's not a spammer's site, then there's something wrong. This email
includes JMF_W and RAZOR2_CF_RANGE_51_100 and URIBL_BLACK in the same
message, although it has a very low bayes score. Which is correct?
Thanks,
Alex
Re: JMF whitelist and RAZOR conflict
Posted by RW <rw...@googlemail.com>.
On Thu, 10 Sep 2009 19:21:16 -0400
MySQL Student <my...@gmail.com> wrote:
> Hi,
>
> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>
> http://pastebin.com/m4a4d990e
>
> Is the criteria for being listed on the JMF_W simply that it contains
> a domain that is whitelisted, despite whether it contains another URL
> that is blacklisted?
I'm not sure what you are saying here, it's not as if the people
running the whitelist could lookup the IP address on razor.
> Would I be advised to make the JMF_W score very low, or create a meta
> that doesn't really whitelist it unless it isn't also blacklisted?
>
> meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
that the whitelist rule is then pointless. Set its score at a value
that's commensurate with its effectiveness on your email.
It might be sensible to make metarules for RCVD_IN_DNSWL_* and
RCVD_IN_JMF_W, if you are going to use both.
> It also appears to spoof the kraftfoods.com mail server, correct? Is
> there a possible rule to be created here?
No, it was almost certainly sent through kraftfoods.com. It's based on
an IP address recorded by your trusted network.
RE: JMF whitelist and RAZOR conflict
Posted by Bob O'Brien <bo...@barracuda.com>.
No - that really came out of mail2.kraftfoods.com (parent corporation of Gevalia, remember?)
I have seen other samples of the same message spamming other recipients, and there's no question of source IP.
Bob
-----Original Message-----
From: MySQL Student [mailto:mysqlstudent@gmail.com]
Sent: Thursday, September 10, 2009 4:21 PM
It also appears to spoof the kraftfoods.com mail server, correct? Is
there a possible rule to be created here?