Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2007/08/03 19:26:44 UTC
hallmark greeting card spam and broken spf records.
(yes, spf is broken) especially when companies like hallmark, who know
they are being used as 'phishing' targets list the whole world as
authoritative mail servers.
I say damn them all, blacklist hallmark till they at least fix their spf
records: (i suspect its the :12" "9 )? shb a period?
on another note, I should contact spf plugin author and let him know
that an invalid spf record counts as "ip4:0.0.0.0/0" doesn't it?
host -t txt hallmark.com
hallmark.com descriptive text "v=spf1 ip4:208.1.139.0/24
ip4:129.33.92.43 ip4:129.33.92.44 ip4:65.116.50.141 ip4:65.116.50.144
ip4:65.116.50.142 ip4:65.116.50.143 ip4:162.94.28.0/24
ip4:209.176.191.124 ip4:209.176.191.121 ip4:209.176.191.123
ip4:209.176.191.122 ip4:193.132.80.20 ip4:12" "9.33.92.36
ip4:129.33.92.37 ip4:129.33.92.38 ip4:129.33.92.39 mx ~all"
X-Spam-Status: Yes, score=9.725 tagged_above=-999 required=5
tests=[BAYES_99=3.5, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.001,
DKIM_POLICY_SIGNSOME=0, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.097, MIME_HTML_ONLY=1.457,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5,
RAZOR2_CHECK=0.5, SPF_PASS=-0.001]
Received: from s007.2uhosting.nl (s007.2uhosting.nl [195.238.74.4])
by fl.us.spammertrap.net (Postfix) with ESMTP id A3ABD170FA
for <sc...@secnap.net>; Fri, 3 Aug 2007 13:19:41 -0400 (EDT)
Received: from apache by s007.2uhosting.nl with local (Exim 4.53)
id 1IH0fF-000JM9-0J
for scheidell@secnap.net; Fri, 03 Aug 2007 19:10:13 +0200
To: scheidell@secnap.net
Subject: [SPAM]You have recieved a Hallmark E-Card !
From: hallmark.com <ha...@hallmark.com>
Reply-To: hallmark@hallmark.com
MIME-Version: 1.0
Message-Id:<11...@paypal.com>
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Fri, 03 Aug 2007 19:10:13 +0200
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________
Re: hallmark greeting card spam and broken spf records.
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Friday 03 August 2007, Michael Scheidell wrote:
> > (yes, spf is broken) especially when companies like hallmark, who know
> > they are being used as 'phishing' targets list the whole world as
> > authoritative mail servers.
That does not mean "spf is broken". MX is not broken when someone sets his
MX to 127.0.0.1. It's just "their spf settings are broken".
On 03.08.07 20:24, Phil Barnett wrote:
> ----- Quoting from qmail.jms1.net ----
>
> Some people are improperly treating "SPF pass" as a strong non-spam flag when
> evaluating the "spam level" of a message. Spammers ARE taking advantage of
> this by placing +all in the SPF records of the domains that they purchase for
> the purposes of sending spam. What this does is tells the receiving server
> that ANY IP ADDRESS is allowed to send messages claiming to be "From:" that
> domain.
It was already mentioned that +ALL should be penalized in spamassassin. I
think even autogenerated score could be very high.
> Obviously this is not a good thing, for two reasons. First, spammers are
> bypassing the filtering that SPF should be offering. Second, people are
> placing a lot more trust in SPF than they should. An "SPF failure" result can
> be used to place a lower trust value on a particular message, but as long as
> spammers are able to purchase their own domain names and create their own SPF
> records, an "SPF pass" result should not be used to place any higher trust
> value on a message.
That's a basic misunderstanding of the SPF conception. The fact that your ID card
is fake means you're suspect. The fact that it is valid does NOT mean that
you are OK - even criminals have ID cards.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
Re: hallmark greeting card spam and broken spf records.
Posted by Phil Barnett <ph...@philb.us>.
On Friday 03 August 2007, Michael Scheidell wrote:
> (yes, spf is broken) especially when companies like hallmark, who know
> they are being used as 'phishing' targets list the whole world as
> authoritative mail servers.
>
> I say damn them all, blacklist hallmark till they at least fix their spf
> records: (i suspect its the :12" "9 )? shb a period?
I have a good friend who patches his qmail so that if it sees a spf record
that is extra wide, he reverses its meaning.
----- Quoting from qmail.jms1.net ----
Some people are improperly treating "SPF pass" as a strong non-spam flag when
evaluating the "spam level" of a message. Spammers ARE taking advantage of
this by placing +all in the SPF records of the domains that they purchase for
the purposes of sending spam. What this does is tells the receiving server
that ANY IP ADDRESS is allowed to send messages claiming to be "From:" that
domain.
Obviously this is not a good thing, for two reasons. First, spammers are
bypassing the filtering that SPF should be offering. Second, people are
placing a lot more trust in SPF than they should. An "SPF failure" result can
be used to place a lower trust value on a particular message, but as long as
spammers are able to purchase their own domain names and create their own SPF
records, an "SPF pass" result should not be used to place any higher trust
value on a message.
I have added an option to treat a +all term found within an SPF record as if
it said -all. This can be enabled by creating an SPF_BLOCK_PLUS_ALL
environment variable with a value other than "0". Note that this variable is
checked at the time the SPF check itself is done, which means if you want to
add, change, or delete this variable using the AUTH_SET variables, you can.
Linky here: http://qmail.jms1.net/patches/combined-details.shtml
--
Phil Barnett
AI4OF
SKCC #600
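
Added example, not part of any post in this thread and not the qmail patch's code: a TXT answer printed as several quoted strings is one record, because RFC 7208 section 3.3 has the receiver concatenate the strings with no separator, so `ip4:12" "9.33.92.36` reads as `ip4:129.33.92.36`. The Python sketch below joins the strings from the first post, flags terms that authorise nearly any sender, and mirrors the idea behind the `SPF_BLOCK_PLUS_ALL` option; the function names, the /8 threshold and the `+all` sample record are assumptions.

```python
import ipaddress
import re

# TXT answer from the first post, as `host -t txt` printed it: two DNS
# character-strings, with the split falling inside "ip4:129.33.92.36".
HALLMARK_TXT = (
    '"v=spf1 ip4:208.1.139.0/24 ip4:129.33.92.43 ip4:129.33.92.44 ip4:65.116.50.141 '
    'ip4:65.116.50.144 ip4:65.116.50.142 ip4:65.116.50.143 ip4:162.94.28.0/24 '
    'ip4:209.176.191.124 ip4:209.176.191.121 ip4:209.176.191.123 ip4:209.176.191.122 '
    'ip4:193.132.80.20 ip4:12" "9.33.92.36 ip4:129.33.92.37 ip4:129.33.92.38 '
    'ip4:129.33.92.39 mx ~all"'
)
SPAMMER_TXT = '"v=spf1 +all"'  # constructed sample of the record the quote describes

def join_txt(raw):  # concatenate the quoted strings with no separator
    return "".join(re.findall(r'"([^"]*)"', raw))

def parse_terms(record):  # -> [(qualifier, mechanism, value)]
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for word in words[1:]:
        if "=" in word.split(":")[0]:  # modifiers (redirect=, exp=) have no qualifier
            continue
        qual = word[0] if word[0] in "+-~?" else "+"  # a missing qualifier means +
        name, _, value = word.lstrip("+-~?").partition(":")
        terms.append((qual, name.lower(), value))
    return terms

def audit(raw, min_prefix=8):  # terms that pass (almost) any sender, or do not parse
    findings = []
    for qual, name, value in parse_terms(join_txt(raw)):
        if name == "all" and qual == "+":
            findings.append("+all: every IP address passes")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"{name}:{value}: invalid network")
                continue
            if qual == "+" and net.prefixlen < min_prefix:
                findings.append(f"{name}:{value}: wider than /{min_prefix}")
    return findings

def all_qualifier(raw, block_plus_all=False):  # optionally read +all as -all
    for qual, name, _ in parse_terms(join_txt(raw)):
        if name == "all":
            return "-" if (qual == "+" and block_plus_all) else qual
    return None
```
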
RE: hallmark greeting card spam and broken spf records.
Posted by Michael Scheidell <sc...@secnap.net>.
> -----Original Message-----
> From: McDonald, Dan [mailto:Dan.McDonald@austinenergy.com]
> Sent: Friday, August 03, 2007 2:45 PM
> To: users@spamassassin.apache.org
> Subject: Re: hallmark greeting card spam and broken spf records.
>
> On Fri, 2007-08-03 at 13:26 -0400, Michael Scheidell wrote:
> > (yes, spf is broken) especially when companies like hallmark, who know
> > they are being used as 'phishing' targets list the whole world as
> > authoritative mail servers.
> >
> > I say damn them all, blacklist hallmark till they at least fix their spf
> > records: (i suspect its the :12" "9 )? shb a period?
>
> Isn't it the ~all (rather than -all)?
>
No, ~all would not match POSITIVELY for SPF_PASS.
It just would FAIL with a SPF_SOFT instead of an SPF_HARD
(funny thing, SPF_SOFT has a higher SA score than SPF_HARD)
Re: hallmark greeting card spam and broken spf records.
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2007-08-03 at 13:26 -0400, Michael Scheidell wrote:
> (yes, spf is broken) especially when companies like hallmark, who know
> they are being used as 'phishing' targets list the whole world as
> authoritative mail servers.
>
> I say damn them all, blacklist hallmark till they at least fix their spf
> records: (i suspect its the :12" "9 )? shb a period?
Isn't it the ~all (rather than -all)?
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
Re: hallmark greeting card spam and broken spf records.
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 3 Aug 2007, Michael Scheidell wrote:
> Subject: [SPAM]You have recieved a Hallmark E-Card !
http://www.impsec.org/~jhardin/antispam/postcards.cf has been updated
for this subject line, and also for some new domain names.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...every time I sit down in front of a Windows machine I feel as
if the computer is just a place for the manufacturers to put their
advertising. -- fwadling on Y! SCOX
----------------------------------------------------------------------
Tomorrow: The 272nd anniversary of John Peter Zenger's acquittal