Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2021/08/27 17:36:40 UTC

freshworks and DKIM and KAM

Hi,

I can't figure out why attempts at adding emails from the
freshworks.com domain to the welcome list aren't successful. This is
from a quarantined message on my amavis/SA/fedora system.

I'm not sure why the entirety of freshworks.com would be blocked in
the first place?
 *  9.0 KAM_FROM_URIBL_PCCC RBL: From address listed in PCCC URIBL
 *      (https://raptor.pccc.com/RBL)
 *      [listed in freshworks.com.wild.pccc.com]
 *  9.0 KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL
 *      (https://raptor.pccc.com/RBL)
 *      [URI: freshworks.com]

X-Envelope-From:
<bo...@frwfiddkim.freshworks.com>
Authentication-Results: xavier.example.com (amavisd-new);
dkim=pass (2048-bit key) header.d=freshworks.com

All of these rules were hit for this email, yet it is still being quarantined.
"DKIM_SIGNED","DKIM_VALID","DKIM_VALID_AU", "USER_IN_DKIM_WELCOMELIST"

USER_IN_DKIM_WELCOMELIST is only scored with 0.01. I saw a reference
to feature_blocklist_welcomelist in 60_whitelist_dkim.cf. Perhaps
that's related?

$ spamassassin --version
SpamAssassin version 4.0.0-r1889518
  running on Perl version 5.32.1

Here are my welcomelist/whitelist entries:
welcomelist_from_dkim *@frwfiddkim.freshworks.com
welcomelist_from_dkim *@freshworks.com
welcomelist_from *@frwfiddkim.freshworks.com
whitelist_from *@frwfiddkim.freshworks.com
welcomelist_from *@freshworks.com
welcomelist_from *@freshsales.com
welcomelist_from *@*.freshsales.com
welcomelist_from *@*.freshworks.com
welcomelist_from *@freshmarketer.com
welcomelist_from *@freshsales.io
welcomelist_auth *@freshworks.com
welcomelist_auth *@*.freshworks.com
welcomelist_spf *@frwfiddkim.freshworks.com
whitelist_spf *@frwfiddkim.freshworks.com

Many of these are just temporary to test different options (especially
the *_from entries).

Is this a bug?

https://pastebin.com/6u4uNnLQ

Ideas greatly appreciated.

Re: freshworks and DKIM and KAM

Posted by "Kevin A. McGrail" <km...@apache.org>.
NOTE: All entries on the wild RBL are hand reviewed.

Freshworks was listed on 8/11 for spamming.   They seem to have freshteam,
freshsales, freshworks, etc. and present a problem.  I've delisted them for
now and will keep an eye on more samples.

Re: KAM Ruleset, the best way to install it is to use the channel:
https://mcgrail.com/template/kam.cf_channel

The manual downloads are problematic because people rarely install it
correctly with all the files or sometimes using the kam only plugin which
is unlikely to work correctly for most people.

BTW, the wild RBL is not commercial but it was DDoSed when a major system
started using it for 10's of millions of systems.  Thanks to Linode, we
will be launching two mirrors for the RBL and putting it back in use for
the world.

Regards,
KAM

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sat, Aug 28, 2021 at 5:06 AM Matus UHLAR - fantomas <uh...@fantomas.sk>
wrote:

> On 27.08.21 13:36, Alex wrote:
> >I can't figure out why attempts at adding emails from the
> >freshworks.com domain to the welcome list aren't successful. This is
> >from a quarantined message on my amavis/SA/fedora system.
>
> >X-Envelope-From:
> ><bounces+5.327789648558399953-support=
> freshworks.com@frwfiddkim.freshworks.com>
>
> >All of these rules were hit for this email, yet it is still being
> quarantined.
> >"DKIM_SIGNED","DKIM_VALID","DKIM_VALID_AU", "USER_IN_DKIM_WELCOMELIST"
>
> note that DKIM rules are supposed to hit on From:, not on envelope from.
>
> >USER_IN_DKIM_WELCOMELIST is only scored with 0.01. I saw a reference
> >to feature_blocklist_welcomelist in 60_whitelist_dkim.cf. Perhaps
> >that's related?
>
> seems that while USER_IN_DKIM_WELCOMELIST does have proper score configured
> in 60_whitelist_dkim.cf (-0.01 or -100)
>
> ...it's being overridden in 72_scores.cf:
>
> score USER_IN_DKIM_WELCOMELIST              0.001 0.001 0.001 0.001
>
> a bug report should do that.
> until then, put:
>
> score USER_IN_DKIM_WELCOMELIST      -100.000
>
> into your local overrides.
>
>
> >https://pastebin.com/6u4uNnLQ
> >
> >Ideas greatly appreciated.
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Christian Science Programming: "Let God Debug It!".
>

Re: freshworks and DKIM and KAM

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 27.08.21 13:36, Alex wrote:
>I can't figure out why attempts at adding emails from the
>freshworks.com domain to the welcome list aren't successful. This is
>from a quarantined message on my amavis/SA/fedora system.

>X-Envelope-From:
><bo...@frwfiddkim.freshworks.com>

>All of these rules were hit for this email, yet it is still being quarantined.
>"DKIM_SIGNED","DKIM_VALID","DKIM_VALID_AU", "USER_IN_DKIM_WELCOMELIST"

note that DKIM rules are supposed to hit on From:, not on envelope from.

>USER_IN_DKIM_WELCOMELIST is only scored with 0.01. I saw a reference
>to feature_blocklist_welcomelist in 60_whitelist_dkim.cf. Perhaps
>that's related?

seems that while USER_IN_DKIM_WELCOMELIST does have proper score configured
in 60_whitelist_dkim.cf (-0.01 or -100)

...it's being overridden in 72_scores.cf:

score USER_IN_DKIM_WELCOMELIST              0.001 0.001 0.001 0.001

a bug report should do that.
until then, put:

score USER_IN_DKIM_WELCOMELIST      -100.000

into your local overrides.


>https://pastebin.com/6u4uNnLQ
>
>Ideas greatly appreciated.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
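
Added example, not part of the original post and not SpamAssassin's own code: a small audit of which "score" line wins for a rule and whether a welcomelist rule ends up neutralised. It assumes the default rules directory is read in file-name order with the site directory (local.cf) read last; the file contents are constructed, with only the 72_scores.cf and local.cf score lines taken from the message above.

```python
# Added example. File contents are constructed; only the 72_scores.cf and
# local.cf score lines are quoted from the thread. The 60_whitelist_dkim.cf
# line is an assumption based on the "-100" remark in the post.
DEFAULT_RULES = {
    "60_whitelist_dkim.cf": "score USER_IN_DKIM_WELCOMELIST -100.000\n",
    "72_scores.cf": "score USER_IN_DKIM_WELCOMELIST 0.001 0.001 0.001 0.001\n",
}
SITE_RULES = {"local.cf": "score USER_IN_DKIM_WELCOMELIST -100.000\n"}


def parse_scores(text):
    """Yield (rule, [four scores]) for every absolute 'score' line in text."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] != "score":
            continue
        try:
            values = [float(v) for v in tokens[2:]]
        except ValueError:
            continue  # relative "(n)" scores are out of scope here
        if len(values) == 1:
            values = values * 4  # one value applies to all four score sets
        if len(values) == 4:
            yield tokens[1], values


def effective_scores(default_rules, site_rules):
    """Return {rule: (scores, file)} after applying files in load order."""
    result = {}
    for rules in (default_rules, site_rules):   # site dir is read last
        for name in sorted(rules):              # name order within a dir
            for rule, values in parse_scores(rules[name]):
                result[rule] = (values, name)   # the last line seen wins
    return result


def neutralised_welcomelist_rules(default_rules, site_rules):
    """List welcomelist/whitelist rules whose final score no longer lowers the total."""
    return sorted(
        (rule, name)
        for rule, (values, name) in effective_scores(default_rules, site_rules).items()
        if ("WELCOMELIST" in rule or "WHITELIST" in rule) and max(values) >= 0
    )


if __name__ == "__main__":
    print(neutralised_welcomelist_rules(DEFAULT_RULES, {}))          # 72_scores.cf wins
    print(neutralised_welcomelist_rules(DEFAULT_RULES, SITE_RULES))  # local.cf wins
```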

Re: freshworks and DKIM and KAM

Posted by Benny Pedersen <me...@junc.eu>.
On 2021-08-27 19:36, Alex wrote:

> https://pastebin.com/6u4uNnLQ

score USER_IN_DKIM_WELCOMELIST -10 -10 -10 -10

since USER_IN_DKIM_WHITELIST is not hitting then add this above score,
it's not a bug :=)

don't know if it's the same as here
https://mailing.unix.spamassassin-talk.narkive.com/rijlOWzJ/short-circuit-user-in-dkim-whitelist-hits-sometimes

Re: freshworks and DKIM and KAM

Posted by Alex <my...@gmail.com>.
Hi,

> > I can't figure out why attempts at adding emails from the
> > freshworks.com domain to the welcome list aren't successful. This is
> > from a quarantined message on my amavis/SA/fedora system.
> >
> > I'm not sure why the entirety of freshworks.com would be blocked in
> > the first place?
> >   *  9.0 KAM_FROM_URIBL_PCCC RBL: From address listed in PCCC URIBL
> >   *      (https://raptor.pccc.com/RBL)
> >   *      [listed in freshworks.com.wild.pccc.com]
> >   *  9.0 KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL
> >   *      (https://raptor.pccc.com/RBL)
> >   *      [URI: freshworks.com]
>
> Looking at the channel rules file that's surrounded by an ifplugin:
>
>    ifplugin Mail::SpamAssassin::Plugin::KAMOnly
>
> and so unless you are one of Peregrine Computer Consultants Corporation
> paying customers you are likely (correctly, justifiably) getting funky
> DNSBL lookup results.

Yes, it seems I have misinterpreted the meaning of the publicly
available KAMOnly.cf file.

Fixed, thanks

Re: freshworks and DKIM and KAM

Posted by Kris Deugau <kd...@vianet.ca>.
Alex wrote:
> Hi,
> 
> I can't figure out why attempts at adding emails from the
> freshworks.com domain to the welcome list aren't successful. This is
> from a quarantined message on my amavis/SA/fedora system.
> 
> I'm not sure why the entirety of freshworks.com would be blocked in
> the first place?
>   *  9.0 KAM_FROM_URIBL_PCCC RBL: From address listed in PCCC URIBL
>   *      (https://raptor.pccc.com/RBL)
>   *      [listed in freshworks.com.wild.pccc.com]
>   *  9.0 KAM_BODY_URIBL_PCCC Body contains URI listed in PCCC URIBL
>   *      (https://raptor.pccc.com/RBL)
>   *      [URI: freshworks.com]

Looking at the channel rules file that's surrounded by an ifplugin:

   ifplugin Mail::SpamAssassin::Plugin::KAMOnly

and so unless you are one of Peregrine Computer Consultants Corporation 
paying customers you are likely (correctly, justifiably) getting funky 
DNSBL lookup results.

If you *are* a paying customer you'd need to contact their support to 
see why your DNSBL lookups are going sideways.

A number of rules in that channel are surrounded by barriers like this 
because they are variously unuseful for anyone else;  in this case, it's 
a DNSBL lookup that isn't publicly available.  Don't remove those 
barriers unless you really really know what you're doing.

-kgd
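
Added example, not part of the original message and not code from the KAM channel: a check that lists which rules in a .cf file sit behind an ifplugin guard and would stay inactive unless that plugin is loaded. The sample text is constructed; only the ifplugin line, the two rule names and the 9.0 scores come from the thread, and EXAMPLE_UNGUARDED is a hypothetical rule.

```python
# Added example. SAMPLE_CF is constructed for illustration; it is not the
# real channel file.
SAMPLE_CF = """\
ifplugin Mail::SpamAssassin::Plugin::KAMOnly
  score KAM_FROM_URIBL_PCCC 9.0
  score KAM_BODY_URIBL_PCCC 9.0
endif
score EXAMPLE_UNGUARDED 1.0   # hypothetical rule outside any guard
"""

RULE_KEYWORDS = {"header", "body", "rawbody", "uri", "full", "meta",
                 "score", "describe"}


def guarded_rules(cf_text):
    """Map each rule name to the set of plugins whose ifplugin block encloses it."""
    stack, guards = [], {}
    for raw in cf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "ifplugin" and len(tokens) > 1:
            stack.append(tokens[1])
        elif keyword == "if":
            stack.append(None)      # other conditionals: tracked for nesting only
        elif keyword == "else" and stack:
            stack[-1] = None        # the else branch is not guarded by the plugin
        elif keyword == "endif" and stack:
            stack.pop()
        elif keyword in RULE_KEYWORDS and len(tokens) > 1:
            guards.setdefault(tokens[1], set()).update(p for p in stack if p)
    return guards


def inactive_rules(cf_text, loaded_plugins):
    """Rules that need a plugin which is not in loaded_plugins."""
    loaded = set(loaded_plugins)
    return sorted(rule for rule, plugins in guarded_rules(cf_text).items()
                  if plugins - loaded)


if __name__ == "__main__":
    print(inactive_rules(SAMPLE_CF, []))
    print(inactive_rules(SAMPLE_CF, ["Mail::SpamAssassin::Plugin::KAMOnly"]))
```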