Posted to users@spamassassin.apache.org by Bill Cole <sa...@billmail.scconsult.com> on 2016/07/07 01:50:13 UTC

Re: USER_IN_WHITELIST

On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:

> I’ve been receiving some spam where spamassassin identifies the 
> sender with USER_IN_WHITELIST. These senders (or domains) are most 
> definitely not in my whitelist. How can I get around this problem?

There are so many relevant variables unspecified that no one here has 
any hope of solving your problem.

To make it easier for us, please provide more information:

1. How are you using SpamAssassin? Specifically, if you have it hooked 
into an MTA like Postfix or Sendmail, tell us which one AND what 
mechanism you are using to integrate SA and the MTA.

2. If your system involved the use of spamd, what are its arguments and 
what user is it running as?

3. If you scan a message with this problem manually by piping it into 
'spamassassin -t -D' what does the resulting flood of debugging 
information say about what address it is finding as being in the 
whitelist?


Re: USER_IN_WHITELIST

Posted by RW <rw...@googlemail.com>.
On Thu, 7 Jul 2016 10:03:37 -0500
Lorenzo Thurman wrote:

> 
> > On Jul 7, 2016, at 8:14 AM, Antony Stone
> > <An...@spamassassin.open.source.it> wrote:

> > There's a big difference between subdomains, and domains with
> > letters in front of "microsoft".
> > 
> > \.microsoft\.com$ will match anything ending in ".microsoft.com"
> > 
> > That means it will match www.microsoft.com and cdn.microsoft.com
> > for example, but it will not match
> > kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
> > 
> > The dot in front of "microsoft" in the regex is important :)

> 
> Great, thanks. 

You can't use a regex in a whitelisting entry.

Re: USER_IN_WHITELIST

Posted by Sidney Markowitz <si...@sidney.com>.
Lorenzo Thurman wrote on 8/07/16 9:26 AM:
> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google. 
> 

Excuse my typo for the correct spelling whitelist_from_rcvd.

To use it, look at the legitimate emails that you want to whitelist and check
the Received header that shows where your receiving mail server received the
email from the sending mail server. Typically for a corporate address like
microsoft.com the mail will have come from a host with a name like
smtp.microsoft.com or maila.microsoft.com. If the Received header does show
that the mail came from some ip address and also shows a host name for it in
the microsoft.com domain (for example), then you can use whitelist_from_rcvd to
whitelist such mails. You can only put one address on a line, so you would
need two entries to get the two that you want:

whitelist_from_rcvd *@microsoft.com microsoft.com
whitelist_from_rcvd *.microsoft.com microsoft.com

But do check your emails to see if you get the proper Received headers to be
able to do this. Some mail servers do not do the reverse domain name lookup to
add the host name to the ip address in Received headers. Some email addresses
you may want to whitelist are not set up to reliably send from the same few
mail servers.

If somebody sends mail from a non-Microsoft mail server but with a
microsoft.com From address, it will not get whitelisted by this. That's
exactly what you want to not whitelist spammers who forge a microsoft.com
address.

 Sidney


Re: USER_IN_WHITELIST

Posted by Reindl Harald <h....@thelounge.net>.

Am 07.07.2016 um 23:26 schrieb Lorenzo Thurman:
> Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google.

besides the typo the same way as the other whitelist options

the only difference is the second param, which is the DNS-PTR of the 
sending host

whitelist_from_rcvd *@example.net example.com

look at the difference between .net / .com

when the PTR of the sending host ends with "example.com" sender 
"example.net" is fine
_________________________

for subdomains

*@example.net
*@*.example.net
_________________________

.example.net is important because it doesn't match "somefucker-example.net"


Re: USER_IN_WHITELIST

Posted by Lorenzo Thurman <lo...@thethurmans.com>.

"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty

> On Jul 7, 2016, at 3:57 PM, Sidney Markowitz <si...@sidney.com> wrote:
> 
> Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>>> On Jul 7, 2016, at 8:14 AM, Antony Stone <An...@spamassassin.open.source.it> wrote:
>>> \.microsoft\.com$ will match anything ending in ".microsoft.com"
> 
> RW already pointed this out, but to make sure nobody reading this thread
> misses it, the above is wrong because whitelist does not use regexps.
> 
> See
> https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
> 
> where it says
> 
> "Whitelist and blacklist addresses are now file-glob-style patterns, so
> friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
> * and ? are allowed, but all other metacharacters are not. Regular expressions
> are not used for security reasons. Matching is case-insensitive.
> 
> Multiple addresses per line, separated by spaces, is OK. Multiple
> whitelist_from lines are also OK."
> 
> Notice the last example there. Spamassassin is parsing out the email addresses
> and matching them with the patterns so you don't have to do tricky stuff like
> *@*.microsoft.com. Specifically, you can use
> 
> whitelist_from *@microsoft.com *.microsoft.com
> 
> which will match what you want but will not match anything@onmicrosoft.com and
> will not match foo.microsoft.com@example.com
> 
> As the page also points out if you can figure out how to use
> whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
> spoofing the From address. Whether you can do that depends on whether the
> domain you are whitelisting has restrictions on what servers can send mail for it.
> 
> Sidney
> 
> 

Thanks for the info. Does anyone know how I can use whitelistfrom_rcvd? I can't find any clear answers via Google. 

Re: USER_IN_WHITELIST

Posted by Sidney Markowitz <si...@sidney.com>.
Lorenzo Thurman wrote on 8/07/16 3:03 AM:
>> On Jul 7, 2016, at 8:14 AM, Antony Stone <An...@spamassassin.open.source.it> wrote:
>> \.microsoft\.com$ will match anything ending in ".microsoft.com"

RW already pointed this out, but to make sure nobody reading this thread
misses it, the above is wrong because whitelist does not use regexps.

See
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

where it says

"Whitelist and blacklist addresses are now file-glob-style patterns, so
friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically,
* and ? are allowed, but all other metacharacters are not. Regular expressions
are not used for security reasons. Matching is case-insensitive.

Multiple addresses per line, separated by spaces, is OK. Multiple
whitelist_from lines are also OK."

Notice the last example there. Spamassassin is parsing out the email addresses
and matching them with the patterns so you don't have to do tricky stuff like
*@*.microsoft.com. Specifically, you can use

whitelist_from *@microsoft.com *.microsoft.com

which will match what you want but will not match anything@onmicrosoft.com and
will not match foo.microsoft.com@example.com

As the page also points out if you can figure out how to use
whitelistfrom_rcvd instead of whitelist_from it will protect against spammers
spoofing the From address. Whether you can do that depends on whether the
domain you are whitelisting has restrictions on what servers can send mail for it.

 Sidney
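The following Python is an added example, not code from this thread or from SpamAssassin itself. It models the two behaviours the replies above describe: the glob-to-regex conversion behind whitelist_from (only * and ? are wildcards, everything else is escaped, the result is anchored and case-insensitive), which is why the glob *microsoft.com turned into the debug line ^.*microsoft\.com$ and matched an onmicrosoft.com address, and the whitelist_from_rcvd check from Sidney's and Reindl's earlier replies, where the address glob and the reverse-DNS name of the sending host must both match. Assumptions: the conversion is written from the documented semantics rather than copied from SpamAssassin's source, the Received-header parsing handles only the common Postfix form "from HELO (rDNS [ip])", and every address, hostname, IP and Received line in the sample data is constructed.

```python
import re
from typing import Optional

# --- whitelist_from: glob -> anchored, case-insensitive regex -------------

def sa_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Model of how a whitelist_from glob becomes a regex (assumption: written
    from the documented semantics, not copied from SpamAssassin): only '*' and
    '?' are wildcards, every other metacharacter is escaped, and the result is
    anchored at both ends and matched case-insensitively."""
    pat = glob.lower()
    # escape anything that is not a wildcard or a plain word character
    pat = re.sub(r"[^*?_a-zA-Z0-9]", lambda m: "\\" + m.group(0), pat)
    pat = pat.replace("?", ".")          # '?' -> any single character
    pat = re.sub(r"\*+", ".*", pat)      # '*' -> any run of characters
    return re.compile("^" + pat + "$", re.IGNORECASE)


def whitelist_match(addr: str, globs: list) -> Optional[str]:
    """Return the first whitelist_from glob that matches the parsed address,
    or None. This is the test behind the thread's debug line
    'matches whitelist or blacklist regexp: ^.*microsoft\\.com$'."""
    for glob in globs:
        if sa_glob_to_regex(glob).match(addr):
            return glob
    return None

# --- whitelist_from_rcvd: address glob AND reverse-DNS domain -------------

# Common Postfix form: "from HELO-NAME (RDNS-NAME [IP]) by ...". The name in
# parentheses is what the receiving MTA looked up; the HELO name is whatever
# the client claimed. Only this form is handled here (assumption).
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)", re.I)


def parse_received(header: str) -> Optional[dict]:
    """Pull HELO name, reverse-DNS name and IP out of one Received header."""
    m = RECEIVED_FROM.match(header.strip())
    return m.groupdict() if m else None


def rdns_in_domain(rdns: str, domain: str) -> bool:
    """True when rdns is the domain itself or a host inside it. The dot
    boundary is what keeps 'onmicrosoft.com' out of 'microsoft.com'; an MTA
    that did no PTR lookup records 'unknown', which never matches."""
    rdns = rdns.lower().rstrip(".")
    domain = domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_from_rcvd_match(from_addr: str, received: str, entries: list):
    """entries: (address_glob, rdns_domain) pairs, one per
    'whitelist_from_rcvd <glob> <domain>' line. Both halves must match."""
    parsed = parse_received(received)
    if parsed is None:
        return None
    for glob, domain in entries:
        if sa_glob_to_regex(glob).match(from_addr) and rdns_in_domain(parsed["rdns"], domain):
            return (glob, domain)
    return None

# --- constructed sample data (not real mail) ------------------------------
ENTRIES = [("*@microsoft.com", "microsoft.com"), ("*.microsoft.com", "microsoft.com")]
RCVD_GENUINE = ("from maila.microsoft.com (maila.microsoft.com [192.0.2.10]) "
                "by mx.example.org (Postfix) with ESMTPS id 4F3A1 for <user@example.org>; "
                "Thu, 7 Jul 2016 10:00:00 -0500")
# same claimed HELO name, but the receiving MTA found no PTR record
RCVD_SPOOFED = ("from maila.microsoft.com (unknown [198.51.100.7]) "
                "by mx.example.org (Postfix) with ESMTP id 4F3A2 for <user@example.org>; "
                "Thu, 7 Jul 2016 10:05:00 -0500")

if __name__ == "__main__":
    spam = "hefghhh@hkjhkjhk.onmicrosoft.com"
    print(sa_glob_to_regex("*microsoft.com").pattern)                    # ^.*microsoft\.com$
    print(whitelist_match(spam, ["*microsoft.com"]))                      # *microsoft.com
    print(whitelist_match(spam, ["*@microsoft.com", "*.microsoft.com"]))  # None
    print(whitelist_from_rcvd_match("ceo@microsoft.com", RCVD_GENUINE, ENTRIES))
    print(whitelist_from_rcvd_match("ceo@microsoft.com", RCVD_SPOOFED, ENTRIES))  # None
```

The two-glob form *@microsoft.com *.microsoft.com is the one Sidney recommends: it accepts user@microsoft.com and user@cdn.microsoft.com but rejects user@onmicrosoft.com and user@kajsdhfkjasghdskghlaskfhmicrosoft.com, because the literal ".microsoft.com" or "@microsoft.com" must appear. The rcvd variant additionally refuses the spoofed message even though its From address and HELO name look right, because the reverse-DNS name is "unknown".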



Re: USER_IN_WHITELIST

Posted by Lorenzo Thurman <lo...@thethurmans.com>.

"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty

> On Jul 7, 2016, at 8:14 AM, Antony Stone <An...@spamassassin.open.source.it> wrote:
> 
> On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:
> 
>>> On Jul 7, 2016, at 7:15 AM, Reindl Harald <h....@thelounge.net> wrote:
>>>> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
>>>> In addition to the above, it's easy for a spammer to register something
>>>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>>>> whitelisted for you. I would recommend against using wildcard whitelist
>>>> patterns like that
>>> 
>>> should at least look similar to that:
>>> ^.*\.microsoft\.com$
>>> 
>>> well the ^ followed by .* is also pointless
>> 
>> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
>> was so that I could also capture us domains. Is there a rule that allows
>> me to get subdomains w/o opening myself like I have?
> 
> There's a big difference between subdomains, and domains with letters in front 
> of "microsoft".
> 
> \.microsoft\.com$ will match anything ending in ".microsoft.com"
> 
> That means it will match www.microsoft.com and cdn.microsoft.com for example, 
> but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com
> 
> The dot in front of "microsoft" in the regex is important :)
> 
> 
> Antony.
> 
> -- 
> Tax inspectors are just accountants who work for the evil dictators of 
> democracy.
> 
>                                                   Please reply to the list;
>                                                         please *don't* CC me.

Great, thanks. 

Re: USER_IN_WHITELIST

Posted by Antony Stone <An...@spamassassin.open.source.it>.
On Thursday 07 July 2016 at 15:08:44, Lorenzo Thurman wrote:

> > On Jul 7, 2016, at 7:15 AM, Reindl Harald <h....@thelounge.net> wrote:
> >> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
> >> In addition to the above, it's easy for a spammer to register something
> >> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
> >> whitelisted for you. I would recommend against using wildcard whitelist
> >> patterns like that
> > 
> > should at least look similar to that:
> > ^.*\.microsoft\.com$
> > 
> > well the ^ followed by .* is also pointless
> 
> I see. Thanks for the tip, I'll make changes. The reason I did wild cards
> was so that I could also capture us domains. Is there a rule that allows
> me to get subdomains w/o opening myself like I have?

There's a big difference between subdomains, and domains with letters in front 
of "microsoft".

\.microsoft\.com$ will match anything ending in ".microsoft.com"

That means it will match www.microsoft.com and cdn.microsoft.com for example, 
but it will not match kajsdhfkjasghdskghlaskfhmicrosoft.com or onmicrosoft.com

The dot in front of "microsoft" in the regex is important :)


Antony.

-- 
Tax inspectors are just accountants who work for the evil dictators of 
democracy.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: USER_IN_WHITELIST

Posted by RW <rw...@googlemail.com>.
On Thu, 7 Jul 2016 14:15:18 +0200
Reindl Harald wrote:


> should at least look similar to that:
> ^.*\.microsoft\.com$
> 
> well the ^ followed by .* is also pointless

It's generated from a glob in the configuration.  

Re: USER_IN_WHITELIST

Posted by RW <rw...@googlemail.com>.
On Thu, 7 Jul 2016 08:08:44 -0500
Lorenzo Thurman wrote:

> > 
> > well the ^ followed by .* is also pointless  
> 
> 
> I see. Thanks for the tip, 

It wasn't really a tip. The globs (wildcards) get converted into
regular expressions that aren't quite as minimalist as they could be
- but that's not under your control. 

> I'll make changes. The reason I did wild
> cards was so that I could also capture us domains. Is there a rule
> that allows me to get subdomains w/o opening myself like I have?

You need a separate entry, something like *.microsoft.com.

Re: USER_IN_WHITELIST

Posted by Lorenzo Thurman <lo...@thethurmans.com>.

"My Break-Dancing days are over, but there's always the Funky Chicken" -- The Full Monty

> On Jul 7, 2016, at 7:15 AM, Reindl Harald <h....@thelounge.net> wrote:
> 
> 
> 
>> Am 07.07.2016 um 14:12 schrieb Joe Quinn:
>>> On 7/6/2016 11:42 PM, Bill Cole wrote:
>>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>> 
>>> [...]
>>>> The output from spamassassin -t -D < In-whitelist.txt gives the
>>>> answer, I believe:
>>>> 
>>>> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or
>>>> blacklist regexp: ^.*microsoft\.com$
>>>> 
>>>> Very sneaky. I think I can handle this one from here.
>>>> Thanks again.
>>> 
>>> Happy to be of help.
>>> 
>>> For what it's worth: *.onmicrosoft.com domains are part of free trials
>>> of Office365 and generate almost entirely spam. I suppose one could be
>>> a regular paying O365 customer and keep that free domain, but no one
>>> who does that can care much about their email. Spammers have been
>>> using those domains for years and MS really seems not to care about
>>> the fact that they've become a de facto indication of spam.
>> In addition to the above, it's easy for a spammer to register something
>> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
>> whitelisted for you. I would recommend against using wildcard whitelist
>> patterns like that
> 
> should at least look similar to that:
> ^.*\.microsoft\.com$
> 
> well the ^ followed by .* is also pointless


I see. Thanks for the tip, I'll make changes. The reason I did wild cards was so that I could also capture us domains. Is there a rule that allows me to get subdomains w/o opening myself like I have?


Re: USER_IN_WHITELIST

Posted by Reindl Harald <h....@thelounge.net>.

Am 07.07.2016 um 14:12 schrieb Joe Quinn:
> On 7/6/2016 11:42 PM, Bill Cole wrote:
>> On 6 Jul 2016, at 23:10, lorenzo wrote:
>>
>> [...]
>>> The output from spamassassin -t -D < In-whitelist.txt gives the
>>> answer, I believe:
>>>
>>> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or
>>> blacklist regexp: ^.*microsoft\.com$
>>>
>>> Very sneaky. I think I can handle this one from here.
>>> Thanks again.
>>
>> Happy to be of help.
>>
>> For what it's worth: *.onmicrosoft.com domains are part of free trials
>> of Office365 and generate almost entirely spam. I suppose one could be
>> a regular paying O365 customer and keep that free domain, but no one
>> who does that can care much about their email. Spammers have been
>> using those domains for years and MS really seems not to care about
>> the fact that they've become a de facto indication of spam.
> In addition to the above, it's easy for a spammer to register something
> like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be
> whitelisted for you. I would recommend against using wildcard whitelist
> patterns like that

should at least look similar to that:
^.*\.microsoft\.com$

well the ^ followed by .* is also pointless


Re: USER_IN_WHITELIST

Posted by Joe Quinn <jq...@pccc.com>.
On 7/6/2016 11:42 PM, Bill Cole wrote:
> On 6 Jul 2016, at 23:10, lorenzo wrote:
>
> [...]
>> The output from spamassassin -t -D < In-whitelist.txt gives the 
>> answer, I believe:
>>
>> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or 
>> blacklist regexp: ^.*microsoft\.com$
>>
>> Very sneaky. I think I can handle this one from here.
>> Thanks again.
>
> Happy to be of help.
>
> For what it's worth: *.onmicrosoft.com domains are part of free trials 
> of Office365 and generate almost entirely spam. I suppose one could be 
> a regular paying O365 customer and keep that free domain, but no one 
> who does that can care much about their email. Spammers have been 
> using those domains for years and MS really seems not to care about 
> the fact that they've become a de facto indication of spam.
In addition to the above, it's easy for a spammer to register something 
like kajsdhfkjasghdskghlaskfhmicrosoft.com which would also be 
whitelisted for you. I would recommend against using wildcard whitelist 
patterns like that.

Re: USER_IN_WHITELIST

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 6 Jul 2016, at 23:10, lorenzo wrote:

[...]
> The output from spamassassin -t -D < In-whitelist.txt gives the 
> answer, I believe:
>
> address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or 
> blacklist regexp: ^.*microsoft\.com$
>
> Very sneaky. I think I can handle this one from here.
> Thanks again.

Happy to be of help.

For what it's worth: *.onmicrosoft.com domains are part of free trials 
of Office365 and generate almost entirely spam. I suppose one could be a 
regular paying O365 customer and keep that free domain, but no one who 
does that can care much about their email. Spammers have been using 
those domains for years and MS really seems not to care about the fact 
that they've become a de facto indication of spam.

Re: USER_IN_WHITELIST

Posted by lorenzo <lo...@thethurmans.com>.
> On Jul 6, 2016, at 8:50 PM, Bill Cole <sa...@billmail.scconsult.com> wrote:
> 
> On 6 Jul 2016, at 21:13, Lorenzo Thurman wrote:
> 
>> I’ve been receiving some spam where spamassassin identifies the sender with USER_IN_WHITELIST. These senders (or domains) are most definitely not in my whitelist. How can I get around this problem?
> 
> There are so many relevant variables unspecified that no one here has any hope of solving your problem.
> 
> To make it easier for us, please provide more information:
> 
> 1. How are you using SpamAssassin? Specifically, if you have it hooked into an MTA like Postfix or Sendmail, tell us which one AND what mechanism you are using to integrate SA and the MTA.
> 
> 2. If your system involved the use of spamd, what are its arguments and what user is it running as?
> 
> 3. If you scan a message with this problem manually by piping it into 'spamassassin -t -D' what does the resulting flood of debugging information say about what address it is finding as being in the whitelist?
> 

Ah, ok. Here’s some info:
spamassassin v3.4.0 - Postfix 2.11.0  Ubuntu 14.04
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d --pidfile=/var/run/spamd.pid

In /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd -vvv -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe flags=Rq user=nobody argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}

The output from spamassassin -t -D < In-whitelist.txt gives the answer, I believe:

address hefghhh@hkjhkjhk.onmicrosoft.com matches whitelist or blacklist regexp: ^.*microsoft\.com$

Very sneaky. I think I can handle this one from here.
Thanks again.