Posted to users@spamassassin.apache.org by Dan Malm <da...@one.com> on 2019/09/18 12:07:06 UTC

SPOOFED_FREEMAIL hitting non-spoofed freemail?

Hi,

I've gotten some reports about mails from hotmail being incorrectly
filtered as spam on my systems. I'm seeing a lot of perfectly valid,
non-spoofed mails from them hitting the SPOOFED_FREEMAIL rule. Is anyone
else seeing the same, or is it some issue in my configuration?

RuleQA seems to indicate something being wrong if I'm reading this
correctly though:

overlap spam: 100% of SPOOFED_FREEMAIL hits also hit FREEMAIL_FROM; 99%
of FREEMAIL_FROM hits also hit SPOOFED_FREEMAIL (ham 100%)

100% of ham that hits FREEMAIL_FROM also hits SPOOFED_FREEMAIL?
https://ruleqa.spamassassin.org/20190917-r1867043-n/SPOOFED_FREEMAIL/detail

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com

Re: SPOOFED_FREEMAIL hitting non-spoofed freemail?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 18 Sep 2019, RW wrote:

> On Wed, 18 Sep 2019 15:30:46 +0200
> Dan Malm wrote:
>
>> Ok, I'm pretty sure this is mostly on my end, but I think there are
>> also some issues with the __NOT_SPOOFED meta rule.
>>
>> 1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
>> machine when running spamassassin with the -L parameter.
>>
>> 2: The reason (I assume) that I get the rule hit on my servers is this
>> which I get when I run a manual spamassassin check with debugging
>> enabled: dbg: dkim: cannot load Mail::DKIM module, DKIM checks
>> disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to
>> install the Mail::DKIM::Verifier module) (@INC contains: lib
>> /usr/local/lib/perl5/site_perl
>> /usr/local/lib/perl5/site_perl/mach/5.28
>> /usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
>> /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line
>> 675.
>>
>> So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
>> __NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
>> ignore errors with the DKIM validity check.
>
> The rules will work around the DKIM plugin not being loaded by switching
> to a simple header test for the signature, but they can't cope with
> DKIM being otherwise disabled. __NOT_SPOOFED is still checking for
> SPF_PASS.
>
> The rule QA webpage shows results for score set 0 (no net, no Bayes).
> From other results I've seen, I think this has net plugins loaded, but
> unused. That means that !__NOT_SPOOFED is unconditionally true, so
> SPOOFED_FREEMAIL is effectively then FREEMAIL_FROM && !__FS_SUBJ_RE.

Added tflags net to the SPOOFED_FREEM family and one or two others relying 
on !__NOT_SPOOFED as part of the basic logic.

Sending        svn/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf
Sending        svn/trunk/rulesrc/sandbox/jhardin/20_shared_subrules.cf
Transmitting file data ..done
Committing transaction...
Committed revision 1867148.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Windows Genuine Advantage (WGA) means that now you use your
   computer at the sufferance of Microsoft Corporation. They can
   kill it remotely without your consent at any time for any reason;
   it also shuts down in sympathy when the servers at Microsoft crash.
-----------------------------------------------------------------------
  Tomorrow: Talk Like a Pirate day

Re: SPOOFED_FREEMAIL hitting non-spoofed freemail?

Posted by RW <rw...@googlemail.com>.
On Wed, 18 Sep 2019 15:30:46 +0200
Dan Malm wrote:

> Ok, I'm pretty sure this is mostly on my end, but I think there are
> also some issues with the __NOT_SPOOFED meta rule.
> 
> 1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
> machine when running spamassassin with the -L parameter.
> 
> 2: The reason (I assume) that I get the rule hit on my servers is this
> which I get when I run a manual spamassassin check with debugging
> enabled: dbg: dkim: cannot load Mail::DKIM module, DKIM checks
> disabled: Can't locate Mail/DKIM/Verifier.pm in @INC (you may need to
> install the Mail::DKIM::Verifier module) (@INC contains: lib
> /usr/local/lib/perl5/site_perl
> /usr/local/lib/perl5/site_perl/mach/5.28
> /usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
> /usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line
> 675.
> 
> So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
> __NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
> ignore errors with the DKIM validity check.

The rules will work around the DKIM plugin not being loaded by switching
to a simple header test for the signature, but they can't cope with
DKIM being otherwise disabled. __NOT_SPOOFED is still checking for
SPF_PASS.

The rule QA webpage shows results for score set 0 (no net, no Bayes).
From other results I've seen, I think this has net plugins loaded, but
unused. That means that !__NOT_SPOOFED is unconditionally true, so
SPOOFED_FREEMAIL is effectively then FREEMAIL_FROM && !__FS_SUBJ_RE.
That won't reflect the actual results in score set 0/2 with the plugins
unloaded or the results in sets 1/3. 
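
An added example, not part of any post in this thread and not SpamAssassin's own rule code: a simplified Python model of the meta logic as the thread describes it, showing how a genuine freemail message hits SPOOFED_FREEMAIL when no authentication test can fire, how gating the rule on network tests (the `tflags net` change) removes that hit, and how to triage a hit against debug output. The function names, the reduced rule expression and the sample hit sets are assumptions made for illustration.

```python
import re

# Simplified model of the meta logic as described in the thread. The shipped
# rule definitions contain more terms; this reduction is an assumption.
AUTH_PASS = {"DKIM_VALID", "SPF_PASS"}  # what __NOT_SPOOFED looks for, per the thread

def not_spoofed(hits):
    return bool(AUTH_PASS & hits)

def spoofed_freemail(hits, net_tests_on, tflags_net):
    # 'tflags net' is modelled as: the rule is not evaluated when network
    # tests are off (for example spamassassin -L).
    if tflags_net and not net_tests_on:
        return False
    return ("FREEMAIL_FROM" in hits
            and not not_spoofed(hits)
            and "__FS_SUBJ_RE" not in hits)

DKIM_DISABLED = re.compile(r"dbg: dkim: .*DKIM checks disabled")

def triage(hits, debug_lines):
    """Decide whether a SPOOFED_FREEMAIL hit is backed by real auth results."""
    if "SPOOFED_FREEMAIL" not in hits:
        return "no hit"
    dkim_off = any(DKIM_DISABLED.search(line) for line in debug_lines)
    if dkim_off and "SPF_PASS" not in hits:
        return "unreliable: DKIM never ran and SPF did not pass"
    return "plausible: authentication was evaluated"

# Constructed sample: one genuine freemail message seen in two environments.
GENUINE_ONLINE = {"FREEMAIL_FROM", "DKIM_VALID", "SPF_PASS"}
GENUINE_LOCAL = {"FREEMAIL_FROM"}  # same mail, net tests off: no auth hits
# Constructed from the debug line quoted in the thread (shortened).
DEBUG = ["dbg: dkim: cannot load Mail::DKIM module, DKIM checks disabled"]

def demo():
    return {
        "online": spoofed_freemail(GENUINE_ONLINE, True, False),
        "local_before_fix": spoofed_freemail(GENUINE_LOCAL, False, False),
        "local_after_fix": spoofed_freemail(GENUINE_LOCAL, False, True),
        "triage": triage(GENUINE_LOCAL | {"SPOOFED_FREEMAIL"}, DEBUG),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
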

Re: SPOOFED_FREEMAIL hitting non-spoofed freemail?

Posted by Dan Malm <da...@one.com>.
Ok, I'm pretty sure this is mostly on my end, but I think there are also
some issues with the __NOT_SPOOFED meta rule.

1: I was able to reproduce getting the SPOOFED_FREEMAIL locally on my
machine when running spamassassin with the -L parameter.

2: The reason (I assume) that I get the rule hit on my servers is this
which I get when I run a manual spamassassin check with debugging enabled:
dbg: dkim: cannot load Mail::DKIM module, DKIM checks disabled: Can't
locate Mail/DKIM/Verifier.pm in @INC (you may need to install the
Mail::DKIM::Verifier module) (@INC contains: lib
/usr/local/lib/perl5/site_perl /usr/local/lib/perl5/site_perl/mach/5.28
/usr/local/lib/perl5/5.28/mach /usr/local/lib/perl5/5.28) at
/usr/local/lib/perl5/site_perl/Mail/SpamAssassin/Plugin/DKIM.pm line 675.

So, given that the Mail::SpamAssassin::Plugin::DKIM plugin is loaded,
__NOT_SPOOFED will check DKIM_VALID and ignore the -L parameter and
ignore errors with the DKIM validity check.

On 9/18/19 2:07 PM, Dan Malm wrote:
> Hi,
> 
> I've gotten some reports about mails from hotmail being incorrectly
> filtered as spam on my systems. I'm seeing a lot of perfectly valid,
> non-spoofed mails from them hitting the SPOOFED_FREEMAIL rule. Is anyone
> else seeing the same, or is it some issue in my configuration?
> 
> RuleQA seems to indicate something being wrong if I'm reading this
> correctly though:
> 
> overlap spam: 100% of SPOOFED_FREEMAIL hits also hit FREEMAIL_FROM; 99%
> of FREEMAIL_FROM hits also hit SPOOFED_FREEMAIL (ham 100%)
> 
> 100% of ham that hits FREEMAIL_FROM also hits SPOOFED_FREEMAIL?
> https://ruleqa.spamassassin.org/20190917-r1867043-n/SPOOFED_FREEMAIL/detail
> 

-- 
BR/Mvh. Dan Malm, Systems Engineer, One.com