Posted to users@spamassassin.apache.org by Chip <je...@gmail.com> on 2018/01/28 18:36:14 UTC

Shortcircuit reports only 1 test

I have the following in local.cf

shortcircuit DKIM_VALID_AU on
shortcircuit SPF_PASS on
score DKIM_VALID_AU -100
score SPF_PASS -100

The question is are all triggers reported in headers (DKIM and SPF), or
just some?

A look at the logs and SA headers shows:

Logs:

2018-01-28 13:24:05 1efrcb-00016p-3g DKIM: d=gmail.com s=20161025
c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
2018-01-28 13:24:10 1efrcb-00016p-3g H=mail-wm0-f51.google.com
[74.125.82.51]:52869 Warning: "SpamAssassin as XXXXXXXXXX detected
message as NOT spam (-100.0)"

However headers in message only show:

X-Spam-Status: No, score=-100.0
X-Spam-Score: -999
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "XXXXX.com",
     has NOT identified this incoming email as spam. The original
     message has been attached to this so you can view it or label
     similar future email. If you have any questions, see
     root\@localhost for details.
    
     Content preview: so what are you going to do today?
    
    
     Content analysis details: (-100.0 points, 5.0 required)
    
     pts rule name description
     ---- ----------------------
--------------------------------------------------
     -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
     trust
     [74.125.82.51 listed in list.dnswl.org]
     -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
     [74.125.82.51 listed in wl.mailspike.net]
     -0.0 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
     -100 SPF_PASS SPF: sender matches SPF record  <------ okay, great. 
Where is the DKIM message or is only one trigger reported?
   X-Spam-Flag: NO




Re: Shortcircuit reports only 1 test

Posted by Chip <je...@gmail.com>.
Now I see that whitelist_from_rcvd is probably the best all around. As
explained here:

whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net


    Works similarly to whitelist_from, except that in addition to
    matching a sender address, a relay's rDNS name or its IP address
    must match too for the whitelisting rule to fire. The first
    parameter is a sender's e-mail address to whitelist, and the second
    is a string to match the relay's rDNS, or its IP address. Matching
    is case-insensitive.

    This second parameter is matched against the TCP-info information
    field as provided in a FROM clause of a trace information (i.e. the
    Received header field, see RFC 5321
    <http://www.ietf.org/rfc/rfc5321.txt>). Only the Received header
    fields inserted by trusted hosts are considered. This parameter can
    either be a full hostname, or the domain component of that hostname,
    or an IP address in square brackets. The reverse DNS lookup is done
    by a MTA, not by SpamAssassin.

    In case of an IPv4 address in brackets, it may be truncated on
    classful boundaries to cover whole subnets,
    e.g. [10.1.2.3], [10.1.2], [10.1], [10]. CIDR notation is
    currently not supported, nor is IPv6. The matching on IP address is
    mainly provided to cover rare cases where whitelisting of a sending
    MTA is desired which does not have a correct reverse DNS configured.

    In other words, if the host that connected to your MX had an IP
    address 192.0.2.123 that mapped to 'sendinghost.example.org', you
    should specify sendinghost.example.org, or example.org,
    or [192.0.2.123] or [192.0.2] here.

    Note that this requires that internal_networks be correct. For
    simple cases, it will be, but for a complex network you may get
    better results by setting that parameter.

    It also requires that your mail exchangers be configured to perform
    DNS reverse lookups on the connecting host's IP address, and to
    record the result in the generated Received header field according
    to RFC 5321 <http://www.ietf.org/rfc/rfc5321.txt>.

    e.g.

      whitelist_from_rcvd joe@example.com  example.com
      whitelist_from_rcvd *@axkit.org      sergeant.org
      whitelist_from_rcvd *@axkit.org      [192.0.2.123]



On 01/28/2018 04:52 PM, David Jones wrote:
> On 01/28/2018 02:25 PM, Benny Pedersen wrote:
>> Chip wrote on 2018-01-28 21:01:
>>> I see that makes sense.  Thanks for the clarity.
>>>
>>> However how do you get to 150?
>>>
>>> good DKIM = 100
>>> good SPF = 100
>>>
>>> That totals 200
>>
>> one more reason not to use it
>>
>> use domain based whitelist_auth not just global all that is dkim pass
>> or spf pass
>>
>
> He is not using this SA instance in a typical mail filtering way.  He
> is trying to do some sort of analysis of spoofing based on SPF_PASS
> and DKIM_VALID_AU.  I am still not sure how spoofing can be determined
> without some form of spammyness taken into consideration.
>
> If you whitelist_auth the commonly spoofed brands/companies, then
> spoofing should score well above zero but how do you determine
> spoofing from regular spam without manually checking?
>
>
>> if you want spammers control what is spam or not continue helping
>> them :=)
>>
>> meta DMARC_SPAM (!DKIM_VALID_AU && !SPF_PASS)
>>
>> && means AND so both need to be not pass
>
>
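
The relay-matching rules quoted above, worked through as an added example; this is not code from the thread or from SpamAssassin itself. It assumes the caller has already selected only the Received: headers added by trusted hosts (the internal_networks point in the documentation), and the Received: lines and whitelist entries are constructed from the documentation's own examples:

```python
import fnmatch
import re

# Constructed Received: headers (not from the thread), in the RFC 5321 trace form
# "from <HELO> (<rDNS> [<IP>])" that whitelist_from_rcvd matches against.
# Only headers added by trusted hosts (internal_networks) should be passed in.
TRUSTED_RECEIVED = [
    "from sendinghost.example.org (sendinghost.example.org [192.0.2.123])"
    " by mx.cheadoosbrush.com with ESMTP; Sun, 28 Jan 2018 13:24:05 -0500",
]

# Entries as they would appear in local.cf: (sender glob, relay rDNS/IP pattern).
# These are the three examples from the quoted documentation.
WHITELIST_FROM_RCVD = [
    ("joe@example.com", "example.com"),
    ("*@axkit.org", "sergeant.org"),
    ("*@axkit.org", "[192.0.2.123]"),
]

FROM_CLAUSE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[A-Za-z0-9.-]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)


def parse_from_clause(received):
    """Return (rdns, ip) from a Received: header's FROM clause, or None.
    The rDNS name is whatever the MTA recorded; SpamAssassin does no lookup itself."""
    m = FROM_CLAUSE.search(received)
    if not m:
        return None
    return ((m.group("rdns") or "").lower(), m.group("ip"))


def relay_matches(pattern, rdns, ip):
    """Match the second whitelist_from_rcvd parameter against the relay, case-insensitively."""
    pattern = pattern.lower()
    if pattern.startswith("[") and pattern.endswith("]"):
        # Bracketed IPv4, possibly truncated on an octet boundary: [192.0.2] covers 192.0.2.*
        prefix = pattern[1:-1]
        return ip == prefix or ip.startswith(prefix + ".")
    # Full hostname, or a domain component of it: "example.org" matches
    # "sendinghost.example.org" but not "notexample.org".
    return rdns == pattern or rdns.endswith("." + pattern)


def sender_matches(glob, sender):
    """whitelist_from-style glob on the sender address (* and ? wildcards)."""
    return fnmatch.fnmatchcase(sender.lower(), glob.lower())


def whitelist_from_rcvd_hit(entries, sender, trusted_received):
    """Return the (glob, relay pattern) entry that fires, or None.
    Both halves must match against the same trusted Received: header."""
    for header in trusted_received:
        relay = parse_from_clause(header)
        if relay is None:
            continue
        rdns, ip = relay
        for glob, relay_pattern in entries:
            if sender_matches(glob, sender) and relay_matches(relay_pattern, rdns, ip):
                return (glob, relay_pattern)
    return None


if __name__ == "__main__":
    print(whitelist_from_rcvd_hit(WHITELIST_FROM_RCVD, "bob@axkit.org", TRUSTED_RECEIVED))
    # A whitelisted sender address arriving via an unrelated relay does not fire the rule,
    # which is the property that makes this safer than a plain whitelist_from.
    other_relay = ["from relay.example.net (relay.example.net [203.0.113.9]) by mx.cheadoosbrush.com"]
    print(whitelist_from_rcvd_hit(WHITELIST_FROM_RCVD, "joe@example.com", other_relay))
```

The second call returns None: the address alone is not enough, the connecting relay must also match, which is the point of this directive versus whitelist_from.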


Shortcircuit reports only 1 test

Posted by Chip <je...@gmail.com>.
I will try my best to explain a subset of this project in greater detail
without going into too much detail as you never know who is on this list.

Assume all of the following:

An smtp server that always accepts email but never sends email.
Mailboxes with unique user names such that it would be highly unlikely -
although not impossible - for a spammer to guess the local part.
Domains on the server with equally unusual domain names such that it
would be unlikely for them to be uncovered in a standard name search
although probably ip to name, rDNS resolution, etc. could reveal some
details, depending on privacy protect, etc.
Assume unusual user name accounts on the server similar to the
following: Thahgiel-HufferJones-III
Assume unusual domain name accounts on the server similar to the
following: CheadoosBrush.com
Further assume, for example, that Sally@brandnamecompany.com sends email
to this server. So does Frank@anotherbrandnamecompany.com and so does
joe@yetanotherbrandnamecompany.com.
Assume this is a limited universe of senders - that's important because
it shrinks the authorized senders to a very, very small subset.

Need to dump all spam into spam folder.  That's trivial.

What is not trivial is protecting against spoofed from:
sally@brandnamecompany.com sending email to
Thahgiel-HufferJones-III@cheadoosbrush.com - if the
localpart@brandnamecompany.com is spoofed how to protect against that,
given that a spammer may be using properly configured dkim/spf?

I incorrectly assumed that all spammers don't use properly configured
dkim/spf, yet many actually can configure spf/dkim properly - so the
method of testing for passing dkim/spf in combination with a real
(albeit spoofed) local part, would probably pass through the
short-circuit plugin.

Given that the universe of senders is extremely limited although from
many different domains, I'm guessing the best way is to whitelist IPs
of those sending domains and block or direct to spam all others.  Yet,
many brandnamecompany.com have a wide range of IPs - From which IP in
the mail headers does SpamAssassin cross-reference to ascertain if it's
part of the whitelist?

I'm sure my explanation is revealing some ignorance - don't hesitate to
educate me.

Thanks.



On 01/28/2018 04:52 PM, David Jones wrote:
> On 01/28/2018 02:25 PM, Benny Pedersen wrote:
>> Chip wrote on 2018-01-28 21:01:
>>> I see that makes sense.  Thanks for the clarity.
>>>
>>> However how do you get to 150?
>>>
>>> good DKIM = 100
>>> good SPF = 100
>>>
>>> That totals 200
>>
>> one more reason not to use it
>>
>> use domain based whitelist_auth not just global all that is dkim pass
>> or spf pass
>>
>
> He is not using this SA instance in a typical mail filtering way.  He
> is trying to do some sort of analysis of spoofing based on SPF_PASS
> and DKIM_VALID_AU.  I am still not sure how spoofing can be determined
> without some form of spammyness taken into consideration.
>
> If you whitelist_auth the commonly spoofed brands/companies, then
> spoofing should score well above zero but how do you determine
> spoofing from regular spam without manually checking?
>
>
>> if you want spammers control what is spam or not continue helping
>> them :=)
>>
>> meta DMARC_SPAM (!DKIM_VALID_AU && !SPF_PASS)
>>
>> && means AND so both need to be not pass
>
>


Re: Shortcircuit reports only 1 test

Posted by David Jones <dj...@ena.com>.
On 01/28/2018 02:25 PM, Benny Pedersen wrote:
> Chip wrote on 2018-01-28 21:01:
>> I see that makes sense.  Thanks for the clarity.
>>
>> However how do you get to 150?
>>
>> good DKIM = 100
>> good SPF = 100
>>
>> That totals 200
> 
> one more reason not to use it
> 
> use domain based whitelist_auth not just global all that is dkim pass or 
> spf pass
> 

He is not using this SA instance in a typical mail filtering way.  He is 
trying to do some sort of analysis of spoofing based on SPF_PASS and 
DKIM_VALID_AU.  I am still not sure how spoofing can be determined 
without some form of spammyness taken into consideration.

If you whitelist_auth the commonly spoofed brands/companies, then 
spoofing should score well above zero but how do you determine spoofing 
from regular spam without manually checking?


> if you want spammers control what is spam or not continue helping them :=)
> 
> meta DMARC_SPAM (!DKIM_VALID_AU && !SPF_PASS)
> 
> && means AND so both need to be not pass


-- 
David Jones

Re: Shortcircuit reports only 1 test

Posted by Benny Pedersen <me...@junc.eu>.
Chip wrote on 2018-01-28 21:01:
> I see that makes sense.  Thanks for the clarity.
> 
> However how do you get to 150?
> 
> good DKIM = 100
> good SPF = 100
> 
> That totals 200

one more reason not to use it

use domain based whitelist_auth not just global all that is dkim pass or 
spf pass

if you want spammers control what is spam or not continue helping them 
:=)

meta DMARC_SPAM (!DKIM_VALID_AU && !SPF_PASS)

&& means AND so both need to be not pass

Re: Shortcircuit reports only 1 test

Posted by Chip <je...@gmail.com>.
Ah, yes, it's coming together now.  Thanks for the tutorial.  I'm
assuming when you say "less than" and you are working with negative
numbers, that the less than moves the score towards, for example, -200
from a for example, -150.

On 01/28/2018 03:12 PM, David Jones wrote:
> On 01/28/2018 02:09 PM, David Jones wrote:
>> On 01/28/2018 02:01 PM, Chip wrote:
>>> I see that makes sense.  Thanks for the clarity.
>>>
>>> However how do you get to 150?
>>>
>>> good DKIM = 100
>>> good SPF = 100
>>>
>>> That totals 200
>>>
>>
>> Think about it for a minute.  We are talking about negative numbers.
>> There could be some spam hits that add a few points to a negative 200
>> to make it like -196.6 or -175.0.  Anything less than minus 150 will
>> have hit both SPF_PASS and DKIM_VALID_AU if those are the only
>> shortcircuit'd hits.
>>
>
> Or you can definitely do a meta rule like Benny suggested so you know
> when both rules hit by a rule match rather than checking the score. 
> It just depends on what you are using to process the output and how
> flexible it is to find the score and turn it into a number from a string.
>


Re: Shortcircuit reports only 1 test

Posted by David Jones <dj...@ena.com>.
On 01/28/2018 02:09 PM, David Jones wrote:
> On 01/28/2018 02:01 PM, Chip wrote:
>> I see that makes sense.  Thanks for the clarity.
>>
>> However how do you get to 150?
>>
>> good DKIM = 100
>> good SPF = 100
>>
>> That totals 200
>>
> 
> Think about it for a minute.  We are talking about negative numbers. 
> There could be some spam hits that add a few points to a negative 200 to 
> make it like -196.6 or -175.0.  Anything less than minus 150 will have 
> hit both SPF_PASS and DKIM_VALID_AU if those are the only shortcircuit'd 
> hits.
> 

Or you can definitely do a meta rule like Benny suggested so you know 
when both rules hit by a rule match rather than checking the score.  It 
just depends on what you are using to process the output and how 
flexible it is to find the score and turn it into a number from a string.

-- 
David Jones
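
An added example, not from the thread, of the "find the score and turn it into a number from a string" step David mentions: it parses X-Spam-Status and compares his score thresholds with an exact check on the rule names, which is what a meta rule gives you. The headers are constructed (only the first mirrors the thread's real output); the threshold logic assumes shortcircuit has been removed and both rules keep their -100 scores, so the tests= list is complete:

```python
import re

# Constructed X-Spam-Status headers. Only "thread" mirrors the output seen in the
# thread; the others are made up to show the tests= list SpamAssassin emits when
# the Shortcircuit plugin is not cutting evaluation short. Headers may be folded
# over several lines, so they are unfolded before parsing.
SAMPLES = {
    "thread": "X-Spam-Status: No, score=-100.0",
    "both_clean": ("X-Spam-Status: No, score=-196.6 required=5.0\n"
                   "\ttests=DKIM_VALID_AU,HTML_MESSAGE,SPF_PASS autolearn=no version=3.4.1"),
    "both_spammy": ("X-Spam-Status: No, score=-140.0 required=5.0\n"
                    "\ttests=BAYES_99,DKIM_VALID_AU,SPF_PASS,URIBL_BLACK"),
}

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)(?P<rest>.*)$",
    re.IGNORECASE,
)
TESTS_RE = re.compile(r"\btests=([A-Z0-9_,]+)")


def parse_spam_status(header):
    """Return {'is_spam', 'score', 'tests'}; 'tests' is None when the header carries no list."""
    unfolded = " ".join(header.split())   # join continuation lines, squeeze whitespace
    m = STATUS_RE.match(unfolded)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    t = TESTS_RE.search(m.group("rest"))
    return {
        "is_spam": m.group("flag").lower() == "yes",
        "score": float(m.group("score")),
        "tests": set(t.group(1).split(",")) if t else None,
    }


def classify_by_score(score, per_rule=-100.0):
    """David's thresholds: both rules scored per_rule, no shortcircuit.
    Below 1.5x per_rule (-150) both must have hit; below 0.5x (-50) at least one."""
    if score < 1.5 * per_rule:
        return "both"
    if score < 0.5 * per_rule:
        return "one"
    return "neither"


def classify_by_tests(tests, wanted=("DKIM_VALID_AU", "SPF_PASS")):
    """Exact answer from the rule names; 'unknown' when the header has no tests= list."""
    if tests is None:
        return "unknown"
    n = sum(1 for w in wanted if w in tests)
    return {0: "neither", 1: "one"}.get(n, "both")


def classify(header):
    """Return (score-based verdict, rule-name verdict) for one X-Spam-Status header."""
    s = parse_spam_status(header)
    return classify_by_score(s["score"]), classify_by_tests(s["tests"])


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, classify(hdr))
```

The "both_spammy" sample is the case David alludes to: enough spam points on top of -200 push the score above -150, so the threshold alone says "one" while the rule names say "both". The threshold is sound in one direction only (below -150 guarantees both), which is why matching a rule name is the more robust check when the downstream tool can do it.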

Re: Shortcircuit reports only 1 test

Posted by David Jones <dj...@ena.com>.
On 01/28/2018 02:01 PM, Chip wrote:
> I see that makes sense.  Thanks for the clarity.
> 
> However how do you get to 150?
> 
> good DKIM = 100
> good SPF = 100
> 
> That totals 200
> 

Think about it for a minute.  We are talking about negative numbers. 
There could be some spam hits that add a few points to a negative 200 to 
make it like -196.6 or -175.0.  Anything less than minus 150 will have 
hit both SPF_PASS and DKIM_VALID_AU if those are the only shortcircuit'd 
hits.

> 
> On 01/28/2018 02:53 PM, David Jones wrote:
>> On 01/28/2018 12:36 PM, Chip wrote:
>>> I have the following in local.cf
>>>
>>> shortcircuit DKIM_VALID_AU on
>>> shortcircuit SPF_PASS on
>>> score DKIM_VALID_AU -100
>>> score SPF_PASS -100
>>>
>>
>> Just to be clear about these settings above for new SA users, this is
>> not recommended.  This is a very special need that he has to classify
>> good SPF and DKIM emails.  This has nothing to do with ham or spam so
>> don't use these settings in a real mail filtering environment.
>>
>>
>>> The question is are all triggers reported in headers (DKIM and SPF),
>>> or just some?
>>>
>>
>> The Shortcircuit plugin is going to skip many checks (hence the plugin
>> name) and therefore not all rules will show up.  If you want to see
>> all of the rule hits, then remove the shortcircuit and keep the scores
>> at -100 like you have them.  Then anything less than -50 would be good
>> on either SPF or DKIM and anything less than -150 should be good on
>> both SPF and DKIM.
>>
>>
>>> A look at the logs and SA headers shows:
>>>
>>> Logs:
>>>
>>> 2018-01-28 13:24:05 1efrcb-00016p-3g DKIM: d=gmail.com s=20161025
>>> c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
>>> 2018-01-28 13:24:10 1efrcb-00016p-3g H=mail-wm0-f51.google.com
>>> [74.125.82.51]:52869 Warning: "SpamAssassin as XXXXXXXXXX detected
>>> message as NOT spam (-100.0)"
>>>
>>> However headers in message only show:
>>>
>>> X-Spam-Status: No, score=-100.0
>>> X-Spam-Score: -999
>>> X-Spam-Bar: ---------------------------------------------------
>>> X-Ham-Report: Spam detection software, running on the system
>>> "XXXXX.com",
>>>        has NOT identified this incoming email as spam. The original
>>>        message has been attached to this so you can view it or label
>>>        similar future email. If you have any questions, see
>>>        root\@localhost for details.
>>>
>>>        Content preview: so what are you going to do today?
>>>
>>>
>>>        Content analysis details: (-100.0 points, 5.0 required)
>>>
>>>        pts rule name description
>>>        ---- ----------------------
>>> --------------------------------------------------
>>>        -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
>>> http://www.dnswl.org/, no
>>>        trust
>>>        [74.125.82.51 listed in list.dnswl.org]
>>>        -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
>>>        [74.125.82.51 listed in wl.mailspike.net]
>>>        -0.0 SHORTCIRCUIT Not all rules were run, due to a
>>> shortcircuited rule
>>>        -100 SPF_PASS SPF: sender matches SPF record  <------ okay,
>>> great.  Where is the DKIM message or is only one trigger reported?
>>> X-Spam-Flag: NO
>>>
>>>
>>>
>>
>>
> 


-- 
David Jones

Re: Shortcircuit reports only 1 test

Posted by Chip <je...@gmail.com>.
I see that makes sense.  Thanks for the clarity.

However how do you get to 150?

good DKIM = 100
good SPF = 100

That totals 200


On 01/28/2018 02:53 PM, David Jones wrote:
> On 01/28/2018 12:36 PM, Chip wrote:
>> I have the following in local.cf
>>
>> shortcircuit DKIM_VALID_AU on
>> shortcircuit SPF_PASS on
>> score DKIM_VALID_AU -100
>> score SPF_PASS -100
>>
>
> Just to be clear about these settings above for new SA users, this is
> not recommended.  This is a very special need that he has to classify
> good SPF and DKIM emails.  This has nothing to do with ham or spam so
> don't use these settings in a real mail filtering environment.
>
>
>> The question is are all triggers reported in headers (DKIM and SPF),
>> or just some?
>>
>
> The Shortcircuit plugin is going to skip many checks (hence the plugin
> name) and therefore not all rules will show up.  If you want to see
> all of the rule hits, then remove the shortcircuit and keep the scores
> at -100 like you have them.  Then anything less than -50 would be good
> on either SPF or DKIM and anything less than -150 should be good on
> both SPF and DKIM.
>
>
>> A look at the logs and SA headers shows:
>>
>> Logs:
>>
>> 2018-01-28 13:24:05 1efrcb-00016p-3g DKIM: d=gmail.com s=20161025
>> c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
>> 2018-01-28 13:24:10 1efrcb-00016p-3g H=mail-wm0-f51.google.com
>> [74.125.82.51]:52869 Warning: "SpamAssassin as XXXXXXXXXX detected
>> message as NOT spam (-100.0)"
>>
>> However headers in message only show:
>>
>> X-Spam-Status: No, score=-100.0
>> X-Spam-Score: -999
>> X-Spam-Bar: ---------------------------------------------------
>> X-Ham-Report: Spam detection software, running on the system
>> "XXXXX.com",
>>       has NOT identified this incoming email as spam. The original
>>       message has been attached to this so you can view it or label
>>       similar future email. If you have any questions, see
>>       root\@localhost for details.
>>
>>       Content preview: so what are you going to do today?
>>
>>
>>       Content analysis details: (-100.0 points, 5.0 required)
>>
>>       pts rule name description
>>       ---- ----------------------
>> --------------------------------------------------
>>       -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
>> http://www.dnswl.org/, no
>>       trust
>>       [74.125.82.51 listed in list.dnswl.org]
>>       -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
>>       [74.125.82.51 listed in wl.mailspike.net]
>>       -0.0 SHORTCIRCUIT Not all rules were run, due to a
>> shortcircuited rule
>>       -100 SPF_PASS SPF: sender matches SPF record  <------ okay,
>> great.  Where is the DKIM message or is only one trigger reported?
>> X-Spam-Flag: NO
>>
>>
>>
>
>


Re: Shortcircuit reports only 1 test

Posted by David Jones <dj...@ena.com>.
On 01/28/2018 12:36 PM, Chip wrote:
> I have the following in local.cf
> 
> shortcircuit DKIM_VALID_AU on
> shortcircuit SPF_PASS on
> score DKIM_VALID_AU -100
> score SPF_PASS -100
> 

Just to be clear about these settings above for new SA users, this is 
not recommended.  This is a very special need that he has to classify 
good SPF and DKIM emails.  This has nothing to do with ham or spam so 
don't use these settings in a real mail filtering environment.


> The question is are all triggers reported in headers (DKIM and SPF), or 
> just some?
> 

The Shortcircuit plugin is going to skip many checks (hence the plugin 
name) and therefore not all rules will show up.  If you want to see all 
of the rule hits, then remove the shortcircuit and keep the scores at 
-100 like you have them.  Then anything less than -50 would be good on 
either SPF or DKIM and anything less than -150 should be good on both 
SPF and DKIM.


> A look at the logs and SA headers shows:
> 
> Logs:
> 
> 2018-01-28 13:24:05 1efrcb-00016p-3g DKIM: d=gmail.com s=20161025 
> c=relaxed/relaxed a=rsa-sha256 b=2048 [verification succeeded]
> 2018-01-28 13:24:10 1efrcb-00016p-3g H=mail-wm0-f51.google.com 
> [74.125.82.51]:52869 Warning: "SpamAssassin as XXXXXXXXXX detected 
> message as NOT spam (-100.0)"
> 
> However headers in message only show:
> 
> X-Spam-Status: No, score=-100.0
> X-Spam-Score: -999
> X-Spam-Bar: ---------------------------------------------------
> X-Ham-Report: Spam detection software, running on the system "XXXXX.com",
>       has NOT identified this incoming email as spam. The original
>       message has been attached to this so you can view it or label
>       similar future email. If you have any questions, see
>       root\@localhost for details.
> 
>       Content preview: so what are you going to do today?
> 
> 
>       Content analysis details: (-100.0 points, 5.0 required)
> 
>       pts rule name description
>       ---- ---------------------- 
> --------------------------------------------------
>       -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at 
> http://www.dnswl.org/, no
>       trust
>       [74.125.82.51 listed in list.dnswl.org]
>       -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
>       [74.125.82.51 listed in wl.mailspike.net]
>       -0.0 SHORTCIRCUIT Not all rules were run, due to a shortcircuited rule
>       -100 SPF_PASS SPF: sender matches SPF record  <------ okay, 
> great.  Where is the DKIM message or is only one trigger reported?
> X-Spam-Flag: NO
> 
> 
> 


-- 
David Jones

Re: Shortcircuit reports only 1 test

Posted by Benny Pedersen <me...@junc.eu>.
Chip wrote on 2018-01-28 19:36:
> I have the following in local.cf
> 
> shortcircuit DKIM_VALID_AU on
> shortcircuit SPF_PASS on
> score DKIM_VALID_AU -100
> score SPF_PASS -100
> 
> The question is are all triggers reported in headers (DKIM and SPF),
> or just some?

if you want to have both use:

meta DMARC_SC (DKIM_VALID_AU && SPF_PASS)
shortcircuit DMARC_SC on
describe DMARC_SC Meta: DKIM_VALID_AU && SPF_PASS

do not add score, since it will be added by shortcircuit

on is default no score, ham is default to -100, spam is default 100 in 
shortcircuit

but score adjust does not matter

you did change scores above, that's incorrect

Re: Shortcircuit reports only 1 test

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 28.01.18 13:36, Chip wrote:
>shortcircuit DKIM_VALID_AU on
>shortcircuit SPF_PASS on
>score DKIM_VALID_AU -100
>score SPF_PASS -100

1. shortcircuiting is affected by priority, not score.

2. are you sure you want to pass spam just because it was sent through
hacked accounts? (which is nowadays very common)

>The question is are all triggers reported in headers (DKIM and SPF), or
>just some?

>Where is the DKIM message or is only one trigger reported?
>   X-Spam-Flag: NO

SA can use SPF and DKIM results from headers, when they are trusted - 
they appear before trusted Received: lines (trusting header added by spammer
is not a good idea).

If not, SA validates SPF and DKIM itself.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
The only substitute for good manners is fast reflexes.
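
A toy model, added here and not SpamAssassin's own code, of the priority-ordered evaluation Matus refers to and of Benny's DMARC_SC meta rule earlier in the thread. It assumes the Shortcircuit plugin's documented semantics as I know them: "on" stops evaluation and keeps the rule's own score, "ham" and "spam" stop and substitute the plugin's -100/100 defaults, and a meta rule runs after the rules it depends on. Rules sharing a priority keep their config order here; the real engine's tie-break between equal-priority rules is not modelled, and the scores are constructed values:

```python
from dataclasses import dataclass

SHORTCIRCUIT_HAM_SCORE = -100.0   # plugin default (shortcircuit_ham_score)
SHORTCIRCUIT_SPAM_SCORE = 100.0   # plugin default (shortcircuit_spam_score)


@dataclass
class Rule:
    name: str
    score: float = 1.0          # SpamAssassin's default when no score line is given
    priority: int = 0           # lower numbers are evaluated first
    shortcircuit: str = "off"   # off | on | ham | spam
    requires: tuple = ()        # non-empty makes this a meta rule: hits only if all of these hit


def evaluate(rules, message_hits):
    """Model of priority-ordered evaluation with shortcircuiting.
    rules: Rule objects in config order; message_hits: names of the base tests that
    would succeed on the message. Returns (reported_rules, score, shortcircuited_by)."""
    hits, score = [], 0.0
    # sorted() is stable, so rules sharing a priority keep their config order
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.requires:
            hit = all(dep in hits for dep in rule.requires)
        else:
            hit = rule.name in message_hits
        if not hit:
            continue
        hits.append(rule.name)
        score += rule.score
        if rule.shortcircuit == "off":
            continue
        if rule.shortcircuit == "ham":
            score = SHORTCIRCUIT_HAM_SCORE
        elif rule.shortcircuit == "spam":
            score = SHORTCIRCUIT_SPAM_SCORE
        hits.append("SHORTCIRCUIT")   # the informational rule seen in the thread's report
        return hits, score, rule.name  # nothing after this rule is evaluated
    return hits, score, None


# The original poster's local.cf: two independent shortcircuit rules at the same priority.
ORIGINAL_CONFIG = [
    Rule("SPF_PASS", score=-100.0, shortcircuit="on"),
    Rule("DKIM_VALID_AU", score=-100.0, shortcircuit="on"),
    Rule("RCVD_IN_DNSWL_NONE", score=-0.0),
]

# Same scores, but DKIM_VALID_AU moved to an earlier priority: the score is unchanged,
# only the ordering decides which rule gets reported.
DKIM_FIRST_CONFIG = [
    Rule("SPF_PASS", score=-100.0, shortcircuit="on"),
    Rule("DKIM_VALID_AU", score=-100.0, priority=-1, shortcircuit="on"),
]

# Benny's meta rule. The -0.1 and -100 scores are constructed values for the model;
# the meta is given a later priority than its sub-rules so they run before it.
META_CONFIG = [
    Rule("SPF_PASS", score=-0.1, priority=-100),
    Rule("DKIM_VALID_AU", score=-0.1, priority=-100),
    Rule("DMARC_SC", score=-100.0, priority=-99, shortcircuit="on",
         requires=("DKIM_VALID_AU", "SPF_PASS")),
    Rule("RCVD_IN_DNSWL_NONE", score=-0.0),
]

# Hypothetical rule name, used only to show the "ham" score substitution.
HAM_CONFIG = [Rule("EXAMPLE_HAM_RULE", score=1.0, shortcircuit="ham")]

BOTH_PASS = {"SPF_PASS", "DKIM_VALID_AU", "RCVD_IN_DNSWL_NONE"}
SPF_ONLY = {"SPF_PASS", "RCVD_IN_DNSWL_NONE"}

if __name__ == "__main__":
    print(evaluate(ORIGINAL_CONFIG, BOTH_PASS))    # only SPF_PASS is reported
    print(evaluate(DKIM_FIRST_CONFIG, BOTH_PASS))  # now only DKIM_VALID_AU is reported
    print(evaluate(META_CONFIG, BOTH_PASS))        # both sub-rules and DMARC_SC reported
    print(evaluate(META_CONFIG, SPF_ONLY))         # no shortcircuit, every rule still runs
```

With the original config the first shortcircuit rule to hit ends evaluation, so the report can only ever name one of the two, exactly what the thread's X-Ham-Report showed. With the meta rule, evaluation only stops once both sub-rules have hit, and a message passing only one of them runs through the full rule set.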