Posted to users@spamassassin.apache.org by jandev <ja...@gmx.ch> on 2019/04/17 21:16:30 UTC

Spammer in white list aka USER_IN_DEF_SPF_WL

Hi all

Yesterday our mail server received unwanted email from simpliv.com. It was
validly DKIM signed for mail.simpliv.com.
Although the sender IP was listed at Sorbs, the email even passed the Bayesian
filter:
 

Surprisingly the ip/domain is part of a SA shipped white list: Rule
USER_IN_DEF_SPF_WL gave it -7.5!

simpliv.com sent the spam to an email address which was used solely for
registering an account with slack.com. It seems that simpliv.com
bought/stole/harvested email addresses in shady ways and uses the email
database as spam to advertise its courses.

/var/lib/spamassassin/3.004002/updates_spamassassin_org/60_whitelist_auth.cf
where simpliv.com is added says: "These senders should be considered
trusted following proper opt-in and opt-out practices,..."

There was no proper opt-in, and even Sorbs lists them now, probably because they
hit a honey pot, hence I request simpliv.com to be removed from this white
list.
Otherwise having spammers in this SA shipped white list makes the list
useless.

Any idea how to proceed?

Thank you very much
Jan Dev






--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by jandev <ja...@gmx.ch>.
@lbutlr wrote
> Is there a reason you didn't disclose the IP address? That domain is NOT
> listed in the current 60_whitelist_spf.cf

Sorry, the header excerpt got cut off by nabble:

List-Unsubscribe:
<mailto:v-cclaed_cckdmdndni_dkgloijp_dkgloijp_a@bounce.comm06.simpliv.com?subject=Unsubscribe>
X-Warning: bounce.comm06.simpliv.com is listed at dnsbl.sorbs.net
(127.0.0.6: Currently Sending Spam See:
http://www.sorbs.net/lookup.shtml?129.41.222.236)
X-Spam-Score-new: -6.0
X-Spam-Score-Int-new: -59
X-Spam-Bar-new: ------
X-Spam-Report-new:
scores=BAYES_20=-0.001,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.723,MIME_HTML_ONLY_MULTI=0.001,MPART_ALT_DIFF=0.79,RCVD_IN_DNSWL_NONE=-0.0001,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,USER_IN_DEF_SPF_WL=-7.5
| required=5.0 | autolearn=no autolearn_force=no, score=1.832
 X-Spam-Status: NO

Or see pastebin for the whole header: https://pastebin.com/sjix9CDp


Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by "@lbutlr" <kr...@kreme.com>.
On 17 Apr 2019, at 15:16, jandev <ja...@gmx.ch> wrote:
> Surprisingly the ip/domain is part of a SA shipped white list: Rule
> USER_IN_DEF_SPF_WL gave it -7.5!

Is there a reason you didn't disclose the IP address? That domain is NOT listed in the current 60_whitelist_spf.cf

It IS listed in 60_whitelist_auth.cf however.

(For me, including hard-coded whitelists in the SA distro has always seemed like a viper that is going to get someone in the ass eventually. Also, some of the shit sites listed are rather disturbing. buy.com? aol? yahoo? I know I don't want mail from any of those (I drop yahoo connections long before I get their mail).

simpliv.com is a 2yo domain hiding behind Godaddy "privacy", so why are they getting special treatment?


-- 
"I am" is reportedly the shortest sentence in the English language.
Could it be that "I do" is the longest sentence?



Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by RW <rw...@googlemail.com>.
On Thu, 2 May 2019 20:42:54 +0000
David Jones wrote:

> On 5/2/19 3:11 PM, RW wrote:
> > 

> > The Invaluement lists are marketed as low-FP. There's a huge
> > difference between being good enough to stay out of Invaluement and
> > being good enough for whitelisting at the -15 point level.  
> 
> Default score for def_whitelist_auth is -7.5.

There is no default score for def_whitelist_auth; it's a shorthand
for separate spf and dkim entries, and many def_whitelist_auth
matches pick up -7.5 for both.

simpliv.com should have picked up -15 points, but the OP appears to have
disabled or broken DKIM in SA as there isn't even DKIM_SIGNED.

   


Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by David Jones <dj...@ena.com>.
On 5/2/19 3:11 PM, RW wrote:
> 
> That just means it's a known source of email and not a zombie or IP
> address controlled by an outright spammer. The level of trust is
> described as 'none', that's a lower level than some freemail servers.
> 
> The DKIM signing domain isn't listed at all  on dkimwl.
> 
> 
>>   More importantly, it's [not] listed in Invaluement (IVM or IVM24):
> 
> The Invaluement lists are marketed as low-FP. There's a huge difference
> between being good enough to stay out of Invaluement and being good
> enough for whitelisting at the -15 point level.

Default score for def_whitelist_auth is -7.5.

> 
> 
>>   Every platform has the occasional bad customer that needs
>> to be kicked off
> 
>  From its website simpliv.com appears to be a company that markets
> online training provided by third-party trainers. In that situation
> simpliv should be managing the lists and enforcing opt-in.
> 
> 
> 
> 

It's removed in SVN so it should get taken out tomorrow night as long as 
the rules promotion is working.

-- 
David Jones

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by RW <rw...@googlemail.com>.
On Thu, 2 May 2019 03:15:13 +0000
David Jones wrote:

> On 5/1/19 6:04 PM, RW wrote:
> > On Wed, 1 May 2019 10:39:08 -0700 (MST)
> > jandev wrote:
> >   
> >> David,
> >>
> >> I tried to send the original email to the email address you
> >> requested. But your mail hoster blocks (554 5.7.1) my TLDs.  
> > 
> > It doesn't really matter, you posted a link to pastebin on the list.
> > 
> > It passed SPF with the envelope domain bounce.comm06.simpliv.com
> > which matches:
> > 
> > def_whitelist_auth *@*.simpliv.com
> >   
> 
> 129.41.222.236 has a senderscore.org score of 94 currently 

It was 84 in early April.


> and is
> listed in dnswl.org as score but do not block outright. 


That just means it's a known source of email and not a zombie or IP
address controlled by an outright spammer. The level of trust is
described as 'none', that's a lower level than some freemail servers.

The DKIM signing domain isn't listed at all  on dkimwl.


>  More importantly, it's [not] listed in Invaluement (IVM or IVM24):

The Invaluement lists are marketed as low-FP. There's a huge difference
between being good enough to stay out of Invaluement and being good
enough for whitelisting at the -15 point level. 


>  Every platform has the occasional bad customer that needs
> to be kicked off 

From its website simpliv.com appears to be a company that markets
online training provided by third-party trainers. In that situation 
simpliv should be managing the lists and enforcing opt-in.





Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by David Jones <dj...@ena.com>.
On 5/1/19 10:15 PM, David Jones wrote:
> On 5/1/19 6:04 PM, RW wrote:
>> On Wed, 1 May 2019 10:39:08 -0700 (MST)
>> jandev wrote:
>>
>>> David,
>>>
>>> I tried to send the original email to the email address you
>>> requested. But your mail hoster blocks (554 5.7.1) my TLDs.
>>
>> It doesn't really matter, you posted a link to pastebin on the list.
>>
>> It passed SPF with the envelope domain bounce.comm06.simpliv.com
>> which matches:
>>
>> def_whitelist_auth *@*.simpliv.com
>>
> 
> 129.41.222.236 has a senderscore.org score of 94 currently and is listed
> in dnswl.org as score but do not block outright.  More importantly, it's

I meant to say "it's NOT listed" in IVM which is a very accurate RBL.

> listed in Invaluement (IVM or IVM24):
> 
> http://multirbl.valli.org/lookup/129.41.222.236.html
> 
> The email headers that were posted on pastebin.com are from a mass
> marketer that has a valid unsubscribe header/link.
> 
> I wouldn't classify that email as spam unless there were multiple
> reports of them not honoring the unsubscribe or not handling abuse
> reports.  Every platform has the occasional bad customer that needs to
> be kicked off so most RBLs (good ones anyway) will allow for a small
> amount of UCE before hitting the threshold to be listed/blocked.
> 

-- 
David Jones

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by David Jones <dj...@ena.com>.
On 5/1/19 6:04 PM, RW wrote:
> On Wed, 1 May 2019 10:39:08 -0700 (MST)
> jandev wrote:
> 
>> David,
>>
>> I tried to send the original email to the email address you
>> requested. But your mail hoster blocks (554 5.7.1) my TLDs.
> 
> It doesn't really matter, you posted a link to pastebin on the list.
> 
> It passed SPF with the envelope domain bounce.comm06.simpliv.com
> which matches:
> 
> def_whitelist_auth *@*.simpliv.com
> 

129.41.222.236 has a senderscore.org score of 94 currently and is listed 
in dnswl.org as score but do not block outright.  More importantly, it's 
listed in Invaluement (IVM or IVM24):

http://multirbl.valli.org/lookup/129.41.222.236.html

The email headers that were posted on pastebin.com are from a mass 
marketer that has a valid unsubscribe header/link.

I wouldn't classify that email as spam unless there were multiple 
reports of them not honoring the unsubscribe or not handling abuse 
reports.  Every platform has the occasional bad customer that needs to 
be kicked off so most RBLs (good ones anyway) will allow for a small 
amount of UCE before hitting the threshold to be listed/blocked.

-- 
David Jones

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by RW <rw...@googlemail.com>.
On Wed, 1 May 2019 10:39:08 -0700 (MST)
jandev wrote:

> David, 
> 
> I tried to send the original email to the email address you
> requested. But your mail hoster blocks (554 5.7.1) my TLDs. 

It doesn't really matter, you posted a link to pastebin on the list.

It passed SPF with the envelope domain bounce.comm06.simpliv.com
which matches:

def_whitelist_auth *@*.simpliv.com
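
The behaviour RW describes here and in the later reply (one def_whitelist_auth line applied as separate SPF and DKIM halves at -7.5 each, with the glob *@*.simpliv.com matching the envelope domain bounce.comm06.simpliv.com), modelled in Python as an added example. This is not SpamAssassin's own code; the glob-to-regex rules, the independent firing of the two halves, and the sample report line are my assumptions and constructions.

```python
import re

# Constructed from the entry discussed in the thread (not a copy of the cf file).
DEF_WHITELIST_AUTH = ["*@*.simpliv.com"]
DEF_WL_SCORE = -7.5  # default score of USER_IN_DEF_SPF_WL and USER_IN_DEF_DKIM_WL


def addrlist_regex(pattern):
    """Anchored, case-insensitive regex for an SA address glob.
    Assumption: '*' matches any run of characters, '?' exactly one,
    everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def in_addrlist(addr, patterns):
    return any(addrlist_regex(p).match(addr) for p in patterns)


def def_whitelist_auth_hits(envelope_from, spf_pass, author_from, dkim_valid_au):
    """Rule hits one def_whitelist_auth entry contributes to a message.
    SPF half: keyed on the envelope-from, needs SPF_PASS.
    DKIM half: keyed on the From: address, needs DKIM_VALID_AU (a valid
    signature by the author's own domain). Each half fires on its own."""
    hits = {}
    if spf_pass and in_addrlist(envelope_from, DEF_WHITELIST_AUTH):
        hits["USER_IN_DEF_SPF_WL"] = DEF_WL_SCORE
    if dkim_valid_au and in_addrlist(author_from, DEF_WHITELIST_AUTH):
        hits["USER_IN_DEF_DKIM_WL"] = DEF_WL_SCORE
    return hits


def report_total(scores_field, exclude=()):
    """Sum the 'scores=' list of an X-Spam-Report line, optionally leaving
    rules out, to see what the message scored without a given hit."""
    total = 0.0
    for item in scores_field.split(","):
        rule, value = item.split("=")
        if rule not in exclude:
            total += float(value)
    return round(total, 4)


# Constructed sample, shaped like the header excerpt posted in the thread.
REPORT_SCORES = ("BAYES_20=-0.001,HTML_FONT_LOW_CONTRAST=0.001,HTML_MESSAGE=0.001,"
                 "MIME_HTML_ONLY=0.723,MIME_HTML_ONLY_MULTI=0.001,MPART_ALT_DIFF=0.79,"
                 "RCVD_IN_DNSWL_NONE=-0.0001,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,"
                 "USER_IN_DEF_SPF_WL=-7.5")
```

Calling `def_whitelist_auth_hits("x@bounce.comm06.simpliv.com", True, "news@mail.simpliv.com", False)` reproduces the single -7.5 hit seen in the posted headers; setting the last argument to True shows the -15 the entry would give with DKIM evaluated.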


Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by jandev <ja...@gmx.ch>.
David, 

I tried to send the original email to the email address you requested. But
your mail hoster blocks (554 5.7.1) my TLDs. And an email to your postmaster
asking to activate my TLD/domain has never been answered.

Regards
Jan

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by jandev <ja...@gmx.ch>.
Hi David

Thanks a lot for your reply.

Please find the redacted headers of the message mentioned above:
https://pastebin.com/sjix9CDp
(sorry, nabble removed the headers in the initial post)

Cheers

Jan

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by David Jones <dj...@ena.com>.
On 4/17/19 4:16 PM, jandev wrote:
> Hi all
> 
> Yesterday our mail server received unwanted email from simpliv.com. It was
> validly DKIM signed for mail.simpliv.com.
> Although the sender IP was listed at Sorbs, the email even passed the Bayesian
> filter:
>   
> 
> Surprisingly the ip/domain is part of a SA shipped white list: Rule
> USER_IN_DEF_SPF_WL gave it -7.5!
> 
> simpliv.com sent the spam to an email address which was used solely for
> registering an account with slack.com. It seems that simpliv.com
> bought/stole/harvested email addresses in shady ways and uses the email
> database as spam to advertise its courses.
> 
> /var/lib/spamassassin/3.004002/updates_spamassassin_org/60_whitelist_auth.cf
> where simpliv.com is added says: "These senders should be considered
> trusted following proper opt-in and opt-out practices,..."
> 
> There was no proper opt-in, and even Sorbs lists them now, probably because they
> hit a honey pot, hence I request simpliv.com to be removed from this white
> list.
> Otherwise having spammers in this SA shipped white list makes the list
> useless.
> 

Please post a lightly redacted version in pastebin.com so I can see what 
went wrong.  That seems odd to hit USER_IN_DEF_SPF_WL when it was DKIM 
signed for mail.simpliv.com.  The envelope-from domain would have been 
mail.simpliv.com and I can't find that in my database going back 6+ months.

The def_whitelist_auth entries are only supposed to hit when SPF_PASS or 
DKIM_VALID_AU are hit.  I need to see the original headers to learn what 
happened and possibly adjust the logic in the determination of 
trustworthy senders.

I have no problem with removing this entry if this sender is no longer 
trustworthy. They were at the time it was added but things do change 
over time.  This would be the second entry in a couple of years to be 
removed out of the hundreds of entries.

P.S. blacklist_from entries should override any whitelist_* entry, if I 
remember correctly.

-- 
David Jones

Re: Spammer in white list aka USER_IN_DEF_SPF_WL

Posted by RW <rw...@googlemail.com>.
On Wed, 17 Apr 2019 14:16:30 -0700 (MST)
jandev wrote:

> Hi all
> 
> Yesterday our mail server received unwanted email from simpliv.com.
> ...
> Surprisingly the ip/domain is part of a SA shipped white list: Rule
> USER_IN_DEF_SPF_WL gave it -7.5!

I was going to suggest you unwhitelist it yourself, but it doesn't seem
to be possible.

If I'm reading the code correctly only unwhitelist_from_rcvd applies to
both the full and default (_DEF_) versions. The other unwhitelist_*
entries only apply to the full whitelists, not the default.