Posted to users@spamassassin.apache.org by ha...@t-online.de on 2008/12/08 05:25:35 UTC

Re: Spam slipping through

mouss said:
>> 
>> > 
>> > The implementation of it is not my concern. It's a pretty basic rule to
>> > require that addresses a commonly exploited spam attack vector.
>> 
>> having the same address in the From and To is also seen in legitimate mail:
>> - I send mail to myself
>> - some people use their address in the To when they Bcc many people
>> 

Hi,

well, I send mail to myself sometimes. The only way that this mail could go is
either straight from the mailserver to my inbox (if I am logged in), or from my
desktop client, via my mailserver, to the inbox.
So it seems to me that any sender claiming to be _me_ would _auth_ to the mailserver.

When I implemented this a while ago, some ebay mails violated that, and mails from
monster.com. AFAIK, at least ebay has learned that such mails are likely to be caught for various
reasons (DKIM?)

Wolfgang Hamann


Re: Spam slipping through

Posted by mouss <mo...@netoyen.net>.
LuKreme wrote:
> On 8-Dec-2008, at 00:44, mouss wrote:
>>> DKIM is not a blacklister, but a whitelist based on whether the sender really
>>> uses monster.com's MTA mail server or not :)
>>>
>> indeed.
> 
> 
> Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED
> 
> I have tons that look, essentially, like this:
> 
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>  s=main; d=etacbase07.com;
>  b=eVw4gychbdyZ01HyEGfBa7zjoxxjaaqVy+vHu9UeYI7+aKC971+ySnccA4klNvcBOIkAbiSgWl4YWXCn5SrkEg==;
> 
>  h=Received:Message-ID:Date:From:To:Subject:List-Unsubscribe:Mime-Version:Content-Type;
> 
> Received: by 69.30.205.166 with SMTP id 4gki5ruu8m4116d
>           for <*munged*>; Tue, 09 Dec 2008 13:11:33 -0600
> Message-ID: <wd...@etacbase07.com>
> Date: Tue, 09 Dec 2008 13:11:34 -0600
> From: "Goya Foods" <Go...@etacbase07.com>
> To: "Subscriber" <*munged*>
> 
> So it looks like the only usefulness of DKIM for spam checking is really
> for the big mailers like gmail, paypal, ebay, etc?  This message failed
> the SA check with a score over 11, so I'm not complaining.
> 


If someone says: I'm Joe. then I don't care if he lies or not, unless
"being Joe" means something to me. so if I get mail from
foo@joe.example, dkim and dk signed, spf pass, great helo, nice looking
IP, ... etc. I don't care about all this stuff. I check the content.

If someone says: I'm your mother. then I'll ask to see his hand (sorry, I
don't know the name of the story in english. if you can read french,
check
http://satamania-bar.bbflash.net/conte-et-raconte-f5/le-loup-la-chevre-et-les-7-biquets-t908.htm
)

so yes, dkim is a whitelist mechanism that allows you to whitelist known
"names" when they sign their mail with a verifiable signature. it
doesn't mean you can trust any dkim-signed mail (because anybody can
sign his mail) nor that non signed mail is bad (even yahoo sends
unsigned mail) nor that a bad signature is bad (I've seen broken sigs
from yahoo).


> I have a dkim.cf that is pretty basic, I guess, but I've recently
> tweaked the settings a bit:
> 
> score DKIM_VERIFIED  -1.3
> score DKIM_SIGNED    1
> score USER_IN_DKIM_WHITELIST -10.0
> score USER_IN_DEF_DKIM_WL -3.3
> score ENV_AND_HDR_DKIM_MATCH -0.7
> score L_NOTVALID_GMAIL  3.0
> score L_NOTVALID_PAY 10
> 
> I'm still testing these settings.
> 


Re: Spam slipping through

Posted by Benny Pedersen <me...@junc.org>.
On Wed, December 10, 2008 23:16, LuKreme wrote:

> Which would, I think, score them a full 5 points up for failing
> DKIM, but give them a negative score from USER_IN_DKIM_WHITELIST?

try:

def_whitelist_auth *@company.tld
whitelist_auth user@company.tld

why have the extra step with add score for not verified ?

another way is:

whitelist_auth *@company.tld
unwhitelist_auth user@company.tld

not tested here but should work in the config

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Spam slipping through

Posted by LuKreme <kr...@kreme.com>.
On 11-Dec-2008, at 10:48, Kelson wrote:
> LuKreme wrote:
>> On 10-Dec-2008, at 16:01, mouss wrote:
>>> so 5 is a little too high.
>> Ah, gotcha.  I am scoring whitelist at -5 though, so a 5 still puts  
>> them at 0.  Without other spam tags, they should still pass, no?
>
> whitelist_from_dkim and related rules (whitelist_from_spf,  
> whitelist_from_auth, etc.) only fire if the authentication is valid.  
> The idea is to whitelist messages from a domain only when you can  
> confirm that they really did come from that domain.
>
> So the whitelist and blacklist rules will never cancel each other  
> out, because they'll never fire on the same message.

/facepalm

Got it, thanks!

-- 
There are strange things done in the midnight sun/By the men who
	moil for gold; The Arctic trails have their secret tales/That
	would make your blood run cold; The Northern Lights have seen
	queer sights,/But the queerest they ever did see Was the night
	on the marge of Lake Lebarge/ When I cremated Sam McGee


Re: Spam slipping through

Posted by Kelson <ke...@speed.net>.
LuKreme wrote:
> On 10-Dec-2008, at 16:01, mouss wrote:
>> so 5 is a little too high.
> 
> Ah, gotcha.  I am scoring whitelist at -5 though, so a 5 still puts them 
> at 0.  Without other spam tags, they should still pass, no?

whitelist_from_dkim and related rules (whitelist_from_spf, 
whitelist_from_auth, etc.) only fire if the authentication is valid. 
The idea is to whitelist messages from a domain only when you can 
confirm that they really did come from that domain.

So the whitelist and blacklist rules will never cancel each other out, 
because they'll never fire on the same message.

If you want to leave a DKIM failure for that domain as neutral, just 
remove your custom blacklist rule.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: Spam slipping through

Posted by LuKreme <kr...@kreme.com>.
On 10-Dec-2008, at 16:01, mouss wrote:
> while the whitelisting part is ok, the "blacklisting" part is risky:
> - they could mess up with their dns config during an update.... or  
> they
> could add a new MTA, or reconfigure their MTA and "forget" to pass
> through the dkim signing application...
>
> - they may want to allow some of their users to post via their ISP,  
> hotel,
>
> - ...
>
> so 5 is a little too high.

Ah, gotcha.  I am scoring whitelist at -5 though, so a 5 still puts  
them at 0.  Without other spam tags, they should still pass, no?

On 10-Dec-2008, at 16:52, Benny Pedersen wrote:
> On Wed, December 10, 2008 23:16, LuKreme wrote:
>> Which would, I think, score them a full 5 points up for failing
>> DKIM, but give them a negative score from USER_IN_DKIM_WHITELIST?
>
> try:
>
> def_whitelist_auth *@company.tld
> whitelist_auth user@company.tld
>
> why have the extra step with add score for not verified ?

Because, let's say company.tld is mybank.tld and messages that fail to  
pass the check should be tagged up, right?

-- 
Strange things are afoot at the Circle K


Re: Spam slipping through

Posted by mouss <mo...@netoyen.net>.
LuKreme wrote:
> On 10-Dec-2008, at 12:10, Kelson wrote:
>> Successful sender verification ALONE doesn't tell you much, because it
>> doesn't distinguish between a legit sender who uses DKIM and a spammer
>> who uses DKIM (or a spammer abusing a large sender).  This is why the
>> default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to
>> track the rule, and not enough to significantly affect the score.
> 
> Thank you (and you too, mouss) for the explanation, this does make a lot
> of sense now.  I guess I need to go through all my mail and find the
> DKIM info for the good sites.
> 
> Given that I get mail from company.tld and they used DKIM and I trust it
> if it passes, and given that company.tld is a company where I am getting
> mail from their employees and not from their clients (like not an ISP),
> does this look about right:
> 
> whitelist_from_dkim *@company.tld
> whitelist_from_dkim *@*.company.tld
> header __L_FROM_CTLD From:addr =~ /[\@.]company\.tld$/mi
> meta     L_NOTVALID_CTLD !DKIM_VERIFIED && __L_FROM_CTLD
> score    L_NOTVALID_CTLD 5
> 
> Which would, I think, score them a full 5 points up for failing DKIM,
> but give them a negative score from USER_IN_DKIM_WHITELIST?

while the whitelisting part is ok, the "blacklisting" part is risky:
- they could mess up with their dns config during an update.... or they
could add a new MTA, or reconfigure their MTA and "forget" to pass
through the dkim signing application...

- they may want to allow some of their users to post via their ISP, hotel,

- ...

so 5 is a little too high.

I see yahoo mail failing verification (and yes, it is legit mail sent by
a yahoo user via yahoo. no forgery or anything). That should tell you
something ;-p


> 
> And I assume that the dkim.cf that was in /etc/mail/spamassassin/ should
> be in /var/db/spamassassin/3.002.005/ instead?
> 

no. it's your file, so leave it in your "site rules directory"
(/etc/.... apparently). /var/{db|lib}/spamassassin/.... is for automatic
updates.


Re: Spam slipping through

Posted by LuKreme <kr...@kreme.com>.
On 10-Dec-2008, at 12:10, Kelson wrote:
> Successful sender verification ALONE doesn't tell you much, because  
> it doesn't distinguish between a legit sender who uses DKIM and a  
> spammer who uses DKIM (or a spammer abusing a large sender).  This  
> is why the default scores on DKIM_VERIFIED and DKIM_SIGNED are just  
> enough to track the rule, and not enough to significantly affect the  
> score.

Thank you (and you too, mouss) for the explanation, this does make a  
lot of sense now.  I guess I need to go through all my mail and find  
the DKIM info for the good sites.

Given that I get mail from company.tld and they used DKIM and I trust  
it if it passes, and given that company.tld is a company where I am  
getting mail from their employees and not from their clients (like not  
an ISP), does this look about right:

whitelist_from_dkim *@company.tld
whitelist_from_dkim *@*.company.tld
header __L_FROM_CTLD From:addr =~ /[\@.]company\.tld$/mi
meta     L_NOTVALID_CTLD !DKIM_VERIFIED && __L_FROM_CTLD
score    L_NOTVALID_CTLD 5

Which would, I think, score them a full 5 points up for failing DKIM,  
but give them a negative score from USER_IN_DKIM_WHITELIST?

And I assume that the dkim.cf that was in /etc/mail/spamassassin/  
should be in /var/db/spamassassin/3.002.005/ instead?

-- 
The trouble with being a god is that you've got no one to pray to.


Re: Spam slipping through

Posted by Kelson <ke...@speed.net>.
LuKreme wrote:
> So it looks like the only usefulness of DKIM for spam checking is really 
> for the big mailers like gmail, paypal, ebay, etc?

A pass on DKIM (or any other sender verification system) is useful for 
any mailer that you *recognize*, regardless of size.

Trivial example: If you regularly do business with SmallCorp, and you 
know they sign their mail using DKIM, you can whitelist those messages 
that claim to be them and come through with a verified DKIM signature.

Successful sender verification ALONE doesn't tell you much, because it 
doesn't distinguish between a legit sender who uses DKIM and a spammer 
who uses DKIM (or a spammer abusing a large sender).  This is why the 
default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to track 
the rule, and not enough to significantly affect the score.

Combine it with a reputation system for those domains, even one as 
simple as a bunch of whitelist_from_dkim rules in your local.cf, and it 
becomes a powerful whitelisting & blacklisting tool.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
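
The following is an added example, not code from this thread or from SpamAssassin itself. It is a small Python model of how SA evaluates LuKreme's company.tld rules (the whitelist_from_dkim lines plus the __L_FROM_CTLD / L_NOTVALID_CTLD meta) and it shows the two points made above: USER_IN_DKIM_WHITELIST and L_NOTVALID_CTLD can never both hit one message, since the whitelist needs a verified signature and the meta needs the absence of one, and a spammer who signs with his own domain gets DKIM_VERIFIED and so escapes the `!DKIM_VERIFIED` test. The rule scores (LuKreme's dkim.cf with the whitelist at his later -5), the sample messages and the `signature_valid` flag standing in for the cryptographic check done by Mail::SpamAssassin::Plugin::DKIM are all assumptions of this example; the whitelist match is simplified to an exact signing-domain equals author-domain comparison.

```python
"""Added example: a model of LuKreme's company.tld DKIM rules, not code
from the thread or from SpamAssassin. Scores, samples and the
signature_valid flag are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY = "company.tld"

# header __L_FROM_CTLD From:addr =~ /[\@.]company\.tld$/mi
FROM_CTLD = re.compile(r"[@.]" + re.escape(COMPANY) + r"$", re.I)


def glob_to_re(glob):
    """Turn a whitelist_from_dkim glob such as *@*.company.tld into a regex."""
    return re.compile("^" + re.escape(glob).replace(r"\*", ".*") + "$", re.I)


# whitelist_from_dkim *@company.tld
# whitelist_from_dkim *@*.company.tld
WHITELIST_FROM_DKIM = [glob_to_re("*@" + COMPANY), glob_to_re("*@*." + COMPANY)]

SCORES = {                      # LuKreme's dkim.cf, whitelist at the later -5
    "DKIM_SIGNED": 1.0,
    "DKIM_VERIFIED": -1.3,
    "USER_IN_DKIM_WHITELIST": -5.0,
    "L_NOTVALID_CTLD": 5.0,
}


def signing_domain(msg):
    """d= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def evaluate(raw, signature_valid):
    """Return (set of rule names that hit, total score) for one message.
    signature_valid stands in for the DKIM plugin's cryptographic check."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    d = signing_domain(msg)
    hits = set()
    if d is not None:
        hits.add("DKIM_SIGNED")
    # In SA 3.2 DKIM_VERIFIED means "some signature verified", whoever signed it.
    verified = d is not None and signature_valid
    if verified:
        hits.add("DKIM_VERIFIED")
    if FROM_CTLD.search(from_addr) and not verified:
        hits.add("L_NOTVALID_CTLD")        # meta !DKIM_VERIFIED && __L_FROM_CTLD
    # whitelist_from_dkim: address matches AND the signature verified AND the
    # signing domain is the author domain (simplified to an exact match here).
    if verified and d == from_domain and any(p.match(from_addr) for p in WHITELIST_FROM_DKIM):
        hits.add("USER_IN_DKIM_WHITELIST")
    return hits, round(sum(SCORES[r] for r in hits), 1)


# Constructed sample messages; addresses and d= values are made up.
LEGIT = """From: Alice <alice@mail.company.tld>
To: me@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=mail.company.tld; s=sel; h=from:to:subject; bh=x; b=y
Subject: quarterly numbers

see attached
"""
FORGED_UNSIGNED = """From: Alice <alice@company.tld>
To: me@example.org
Subject: urgent wire transfer

please pay
"""
THIRD_PARTY_SIGNED = """From: Alice <alice@company.tld>
To: me@example.org
DKIM-Signature: v=1; a=rsa-sha256; d=spammer.example; s=main; h=from:to:subject; bh=x; b=y
Subject: urgent wire transfer

please pay
"""

if __name__ == "__main__":
    for name, raw, valid in (("legit, good sig", LEGIT, True),
                             ("legit, broken sig", LEGIT, False),
                             ("forged, unsigned", FORGED_UNSIGNED, True),
                             ("forged, third-party sig", THIRD_PARTY_SIGNED, True)):
        print(f"{name:24s} {evaluate(raw, valid)}")
```

Running it shows the legit signed mail at -5.3 with the whitelist hit, the same mail with a broken signature (mouss's yahoo case) at +6.0 from L_NOTVALID_CTLD alone, the unsigned forgery at +5.0, and the forgery signed by the spammer's own domain at -0.3: DKIM_VERIFIED hits, so the custom meta stays silent and only content rules are left to catch it.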

Re: Spam slipping through

Posted by John Hardin <jh...@impsec.org>.
On Tue, 2008-12-09 at 12:40 -0700, LuKreme wrote:

> Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED
> 
> So it looks like the only usefulness of DKIM for spam checking is  
> really for the big mailers like gmail, paypal, ebay, etc?

The usefulness of SPF, DKIM and related technologies is for detecting
*forgeries*. Their relation to spam checking is indirect at best, and is
primarily for reliable whitelisting. 

If you know a domain or user does not send spam, and they prove the
authenticity of their mail using one of these methods, then you can do a
couple of things: whitelist any authenticated mail from that
domain/user, and discard any unauthenticated mail from that domain/user.
Paypal and banks are the canonical examples, to combat phishing.

If the trustworthiness (from a spam perspective) of a domain is unknown
(e.g. gmail, yahoo, and other freemail services), then knowing that a
sender who claims to be from that domain is actually sending mail via
that domain's servers is of limited usefulness.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
 6 days until Bill of Rights day


Re: Spam slipping through

Posted by LuKreme <kr...@kreme.com>.
On 8-Dec-2008, at 00:44, mouss wrote:
>> DKIM is not a blacklister, but a whitelist based on whether the sender really
>> uses monster.com's MTA mail server or not :)
>>
> indeed.


Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED

I have tons that look, essentially, like this:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=main; d=etacbase07.com;
  b=eVw4gychbdyZ01HyEGfBa7zjoxxjaaqVy+vHu9UeYI7+aKC971+ySnccA4klNvcBOIkAbiSgWl4YWXCn5SrkEg==;
  h=Received:Message-ID:Date:From:To:Subject:List-Unsubscribe:Mime-Version:Content-Type;
Received: by 69.30.205.166 with SMTP id 4gki5ruu8m4116d
           for <*munged*>; Tue, 09 Dec 2008 13:11:33 -0600
Message-ID: <wd...@etacbase07.com>
Date: Tue, 09 Dec 2008 13:11:34 -0600
From: "Goya Foods" <Go...@etacbase07.com>
To: "Subscriber" <*munged*>

So it looks like the only usefulness of DKIM for spam checking is  
really for the big mailers like gmail, paypal, ebay, etc?  This  
message failed the SA check with a score over 11, so I'm not  
complaining.

I have a dkim.cf that is pretty basic, I guess, but I've recently  
tweaked the settings a bit:

score DKIM_VERIFIED  -1.3
score DKIM_SIGNED    1
score USER_IN_DKIM_WHITELIST -10.0
score USER_IN_DEF_DKIM_WL -3.3
score ENV_AND_HDR_DKIM_MATCH -0.7
score L_NOTVALID_GMAIL  3.0
score L_NOTVALID_PAY 10

I'm still testing these settings.

-- 
I know that you believe you understand what you think I said but I
	am not sure you realize that what you heard is not what I
	meant.


Re: Spam slipping through

Posted by mouss <mo...@netoyen.net>.
Benny Pedersen wrote:
> On Mon, December 8, 2008 05:25, hamann.w@t-online.de wrote:
>> mouss said:
> 
> bug:
> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and
> '$To");
> 
> fixed line:
> Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and
> '$To'");
> 

Thanks!

>> well, I send mail to myself sometimes. The only way that this mail
>> could go is either straight from the mailserver to my inbox
> 
> ALL_TRUSTED or NO_RELAYS hits ?
> 
>> (if I am logged in), or from my desktop client, via my mailserver,
>> to the inbox.
> 
> this should give ALL_TRUSTED
> 
>> So it seems to me that any sender claiming to be _me_ would _auth_
>> to the mailserver.
> 
> yes
> 

but other people may do it differently. many domains allow their users
to send via ISP/hotel/...

if your domain requires authentication or submission from known systems,
then you can probably block "forgery" without checking the To header.

>> When I implemented this a while ago, some ebay mails violated that,
>> and mails from monster.com. AFAIK, at least ebay has learned that
>> such mails are likely to be caught by various reasons (DKIM?)

I think they got blocked by "reject mail from stranger claiming to be
mine" policy. and SPF may have finished convincing them. now I don't
know if others still use this practice (sending "on behalf" of a user).

> 
> DKIM is not a blacklister, but a whitelist based on whether the sender really
> uses monster.com's MTA mail server or not :)
> 

indeed.
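
As an added example (not code from this thread, from Wolfgang Hamann's FromInTo plugin, or from SpamAssassin), the Python below models the two checks discussed in this sub-thread side by side: Hamann's From-equals-To heuristic, and mouss's alternative of treating any message that claims our own domain but did not arrive through our trusted systems as a forgery, using the ALL_TRUSTED idea Benny brings up. The local domain, the trusted_networks ranges, the Received header format and the three sample messages are constructed for this example. A real SA install also treats authenticated submissions (msa_networks, "with ESMTPA") as trusted; this toy looks only at relay IPs, which is exactly why the hotel case below is flagged.

```python
"""Added example: From-in-To versus an ALL_TRUSTED-based forgery check.
Not code from the thread or SpamAssassin; networks, header layout and
sample messages are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

LOCAL_DOMAIN = "example.org"
# trusted_networks: our MX and LAN (constructed ranges)
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(msg):
    """One sending-host IP per Received header, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = BRACKETED_IP.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def all_trusted(msg):
    """SA's ALL_TRUSTED: at least one relay, and every relay lies inside
    trusted_networks. No Received headers at all would be NO_RELAYS instead."""
    ips = relay_ips(msg)
    return bool(ips) and all(any(ip in net for net in TRUSTED_NETWORKS) for ip in ips)


def from_in_to(msg):
    """Hamann's FromInTo heuristic: the From address also appears in To or Cc."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sender != "" and sender in {a.lower() for _, a in getaddresses(rcpts)}


def local_forgery(msg):
    """mouss's check: From claims our domain but the mail did not come through
    our trusted systems. The To header is not consulted at all."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender.endswith("@" + LOCAL_DOMAIN) and not all_trusted(msg)


def check(raw):
    msg = message_from_string(raw)
    return {"FROM_IN_TO": from_in_to(msg),
            "ALL_TRUSTED": all_trusted(msg),
            "LOCAL_FORGERY": local_forgery(msg)}


# Constructed samples: our desktop is 192.0.2.50, everything else is outside.
SELF_SENT = """Received: from desktop.example.org (desktop.example.org [192.0.2.50])
 by mx.example.org with ESMTP; Mon, 8 Dec 2008 10:00:00 +0100
From: me@example.org
To: me@example.org
Subject: note to self

buy milk
"""
FORGED = """Received: from unknown (unknown [203.0.113.7])
 by mx.example.org with SMTP; Mon, 8 Dec 2008 10:05:00 +0100
From: me@example.org
To: me@example.org
Subject: your account

click here
"""
FROM_HOTEL = """Received: from guest-wifi (guest-wifi [198.51.100.9])
 by mx.example.org with ESMTP; Mon, 8 Dec 2008 10:10:00 +0100
From: me@example.org
To: friend@example.net
Subject: greetings from the road

see you monday
"""

if __name__ == "__main__":
    for name, raw in (("self-sent via own MTA", SELF_SENT),
                      ("forged From=To from outside", FORGED),
                      ("own user via hotel wifi", FROM_HOTEL)):
        print(f"{name:28s} {check(raw)}")
```

The self-sent note hits FROM_IN_TO but is ALL_TRUSTED, so it is not a forgery; the spam with From equal to To from an outside IP is caught by both checks; the hotel message has a different To, so FROM_IN_TO misses it, while the trust-based check flags it, which is the false positive mouss warns about for domains whose users are allowed to send via their ISP.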




Re: Spam slipping through

Posted by Benny Pedersen <me...@junc.org>.
On Mon, December 8, 2008 05:25, hamann.w@t-online.de wrote:
> mouss said:

bug:
Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and
'$To");

fixed line:
Mail::SpamAssassin::Plugin::dbg("FromInTo: Comparing '$from' and
'$To'");

> well, I send mail to myself sometimes. The only way that this mail
> could go is either straight from the mailserver to my inbox

ALL_TRUSTED or NO_RELAYS hits ?

> (if I am logged in), or from my desktop client, via my mailserver,
> to the inbox.

this should give ALL_TRUSTED

> So it seems to me that any sender claiming to be _me_ would _auth_
> to the mailserver.

yes

> When I implemented this a while ago, some ebay mails violated that,
> and mails from monster.com. AFAIK, at least ebay has learned that
> such mails are likely to be caught by various reasons (DKIM?)

DKIM is not a blacklister, but a whitelist based on whether the sender really
uses monster.com's MTA mail server or not :)


-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098