Posted to users@spamassassin.apache.org by Kris Deugau <kd...@vianet.ca> on 2022/09/28 22:13:15 UTC

More Sendgrid trouble?

Is anyone else seeing intermittent FNs on mail sent through Sendgrid 
where the nominal sender has a default welcomelist_* entry?

Today's spample is a McAfee scam email, pretty clearly sent through 
Intuit's Sendgrid account based on the rDNS.  On testing in my sandbox 
it was only allowed through due to the stock welcomelist entry for Intuit.

Not 100% sure whether this is a Sendgrid issue, or an Intuit issue - 
I've reported the message to both of them, for whatever good it will do.

-kgd

Re: More Sendgrid trouble?

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2022-09-29 at 13:26:45 UTC-0400 (Thu, 29 Sep 2022 13:26:45 -0400)
Greg Troxel <gd...@lexort.com>
is rumored to have said:

> Kris Deugau <kd...@vianet.ca> writes:
>
>> The Bayes result is not great, but the USER_IN_DEF_*_WL hits between
>> them account for most of that negative score anyway.
>
> With dkim-signed spam, I think the only two paths forward are:
>   - hope they fix their apparently compromised system
>   - take them out of the default WL (locally now, and via a rule update in
>     a few weeks)

Or a few days...

# svn commit -m "Intuit reported as spamming on Users ML" 60_welcomelist_auth.cf
Authentication realm: <https://svn.apache.org:443> ASF Committers
Password for 'billcole': ***************

Sending        60_welcomelist_auth.cf
Transmitting file data .done
Committing transaction...
Committed revision 1904337.

I believe that means it will be gone before Monday.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: More Sendgrid trouble?

Posted by Greg Troxel <gd...@lexort.com>.
Kris Deugau <kd...@vianet.ca> writes:

> The Bayes result is not great, but the USER_IN_DEF_*_WL hits between
> them account for most of that negative score anyway.

With dkim-signed spam, I think the only two paths forward are:
  - hope they fix their apparently compromised system
  - take them out of the default WL (locally now, and via a rule update in
    a few weeks)
    

Re: More Sendgrid trouble?

Posted by Kris Deugau <kd...@vianet.ca>.
(Please keep followups onlist)

Greg Troxel wrote:
> 
> Kris Deugau <kd...@vianet.ca> writes:
> 
>> Is anyone else seeing intermittent FNs on mail sent through Sendgrid
>> where the nominal sender has a default welcomelist_* entry?
>>
>> Today's spample is a McAfee scam email, pretty clearly sent through
>> Intuit's Sendgrid account based on the rDNS.  On testing in my sandbox
>> it was only allowed through due to the stock welcomelist entry for
>> Intuit.
>>
>> Not 100% sure whether this is a Sendgrid issue, or an Intuit issue -
>> I've reported the message to both of them, for whatever good it will do.
> 
> very interesting.  was this DKIM signed?


Yes:

Return-Path: <bo...@e.notification.intuit.com>
Received: from o4.e.notification.intuit.com (o4.e.notification.intuit.com
  [167.89.82.160]) by mx1.vianet.ca (Postfix) with ESMTPS id E4302E2772 for
  <so...@vianet.ca>; Wed, 28 Sep 2022 14:24:06 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=notification.intuit.com;
  h=content-type:from:mime-version:subject:reply-to:to:cc; s=s1;
  bh=cem614y7LjhCakVm2PClbzzDPtLgkUnWZufjB4BFAXo=;
  b=BTa5rYwH+gyMfdKhDMQ15X9iFaAdLBFhAiRCJwzxBvx42ZmbqQCbfC30ql1u51jxZKiT
  iUpIb/ARRtec87L/7Nz48dT74BcDdyAN/mPL7swD+9XPcY0guTmM5ZavQrJ7AH/prFYObp
  4qJkZw9vDxi5Yjr8NFs3uHLyT7cJvim6WYLLGOU06/9Ua24RnakigWgAMiUp0xvsQEK4FJ
  mtMP+z/XF1q2gBY0iR7YGbMuUqoiv8b5tEdUdb8GjGV1Vz2qUA9z38wlUHDPpibwRbQC7l
  nIQNREZFjtewsE9oWo9aMeZUApLDsgA7YUlLAgllMoMmZyLBnq+6/kgxS6Hns4fQ==
Received: by filterdrecv-5df9649458-lk4n8 with SMTP id
  filterdrecv-5df9649458-lk4n8-1-63349146-3 2022-09-28 18:24:06.106760561 +0000
  UTC m=+74162.886769780
Received: from Mjg3ODI0ODM (unknown) by geopod-ismtpd-2-0 (SG) with HTTP id
  JJelQZe8RUWAZNkCxHBvWQ Wed, 28 Sep 2022 18:24:05.991 +0000 (UTC)

spamd/main[22469]: spamd: result: . -18.593 - BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,EXCESSIVE_BASE64_TEXT,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL

(I've patched spamd to show more numeric precision in several fields for 
easier log analysis.)

The Bayes result is not great, but the USER_IN_DEF_*_WL hits between 
them account for most of that negative score anyway.

-kgd
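
One way to hunt for this pattern in spamd logs, as an added example that is not part of the original thread: flag messages that passed as ham while hitting both a default welcomelist rule and a DNS blocklist rule. The rule-name prefixes chosen for each group are assumptions, and every sample line except the first (copied from the message above) is constructed.

```python
import re

# Matches the "spamd: result:" line shown above: verdict, score, "-", rule list.
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+(?:\.\d+)?) - (?P<rules>[\w,]*)"
)
# Assumption: which rule names count as default-welcomelist / blocklist evidence.
DEF_WL_PREFIX = "USER_IN_DEF_"
BLOCKLIST_PREFIXES = ("RCVD_IN_BL_", "RCVD_IN_SBL", "RCVD_IN_XBL")


def parse_result(line):
    """Return verdict, score and rule list for a spamd result line, else None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    rules = [r for r in m.group("rules").split(",") if r]
    return {"spam": m.group("verdict") == "Y",
            "score": float(m.group("score")),
            "rules": rules}


def masked_by_default_welcomelist(lines):
    """Ham verdicts that hit a default welcomelist rule AND a blocklist rule."""
    findings = []
    for line in lines:
        res = parse_result(line)
        if res is None or res["spam"]:
            continue
        wl = [r for r in res["rules"] if r.startswith(DEF_WL_PREFIX)]
        bl = [r for r in res["rules"] if r.startswith(BLOCKLIST_PREFIXES)]
        if wl and bl:
            findings.append((res["score"], wl, bl))
    return findings


SAMPLE_LOG = [
    # From the message above.
    "spamd/main[22469]: spamd: result: . -18.593 - BAYES_00,DKIMWL_WL_HIGH,"
    "DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,EXCESSIVE_BASE64_TEXT,HTML_MESSAGE,"
    "RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE,"
    "USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL",
    # Constructed: welcomelisted ham with no blocklist hit (not flagged).
    "spamd[101]: spamd: result: . -7.6 - BAYES_00,DKIM_VALID,USER_IN_DEF_DKIM_WL"
    " scantime=0.4,size=2048",
    # Constructed: already tagged as spam (not flagged).
    "spamd[102]: spamd: result: Y 14.2 - BAYES_99,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET"
    " scantime=0.6,size=4096",
    "spamd[103]: spamd: connection from localhost",  # constructed, not a result line
]

if __name__ == "__main__":
    for score, wl, bl in masked_by_default_welcomelist(SAMPLE_LOG):
        print(f"score={score} welcomelist={wl} blocklist={bl}")
```
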

Re: More Sendgrid trouble?

Posted by Greg Troxel <gd...@lexort.com>.
Kris Deugau <kd...@vianet.ca> writes:

> Is anyone else seeing intermittent FNs on mail sent through Sendgrid
> where the nominal sender has a default welcomelist_* entry?
>
> Today's spample is a Mcafee scam email, pretty clearly sent through
> Intuit's Sendgrid account based on the rDNS.  On testing in my sandbox
> it was only allowed through due to the stock welcomelist entry for
> Intuit.
>
> Not 100% sure whether this is a Sendgrid issue, or an Intuit issue - 
> I've reported the message to both of them, for whatever good it will do.

very interesting.  was this DKIM signed?