Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2011/03/05 04:44:19 UTC

Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Two posts from the same person: one hits on the short circuit rule, the
other doesn't. The line in my dkimwhitelist.cf is:

whitelist_from_dkim ellisfain@embarqmail.com

Headers from one that did hit and one that didn't are posted here:

http://pastebin.com/j0j4pFb1

Anyone see a reason for this?

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)


Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2011-03-05 at 11:03 -0800, John Hardin wrote:
> On Sat, 5 Mar 2011, Chris wrote:
> 
> > cdneumann
> > <cd...@hot.rr.com>,  "cantrell, james" <jl...@embarqmail.com>,
> > "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" <bu...@aol.com>
> >
> > The two look the same except for the last few entries where the one
> > marked spam has the last few addressees borked. Apparently something is
> > intermittently adding the @pop.embarq.synacor.com to the list.
> 
> Don't focus too closely on the @pop.embarq.synacor.com. Look for simpler 
> solutions.
> 
> I'd suggest from the above that the sender's address book entry for 
> <bu...@aol.com> is what's screwed up. It might have 
> "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" as the name associated 
> with that address.
> 
> Having multiple examples to compare will be a good idea, though, and might 
> rule out the address book idea, unless several address book entries are 
> borked in a similar fashion.
> 

Thanks John, I'll keep a watch on any more that land in my spam folder
and compare the entries.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)


Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Posted by John Hardin <jh...@impsec.org>.
On Sat, 5 Mar 2011, Chris wrote:

> cdneumann
> <cd...@hot.rr.com>,  "cantrell, james" <jl...@embarqmail.com>,
> "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" <bu...@aol.com>
>
> The two look the same except for the last few entries where the one
> marked spam has the last few addressees borked. Apparently something is
> intermittently adding the @pop.embarq.synacor.com to the list.

Don't focus too closely on the @pop.embarq.synacor.com. Look for simpler 
solutions.

I'd suggest from the above that the sender's address book entry for 
<bu...@aol.com> is what's screwed up. It might have 
"@pop.embarq.synacor.com>, \"ballard\", \"aajhp" as the name associated 
with that address.

Having multiple examples to compare will be a good idea, though, and might 
rule out the address book idea, unless several address book entries are 
borked in a similar fashion.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Windows Genuine Advantage (WGA) means that now you use your
   computer at the sufferance of Microsoft Corporation. They can
   kill it remotely without your consent at any time for any reason;
   it also shuts down in sympathy when the servers at Microsoft crash.
-----------------------------------------------------------------------
  8 days until Albert Einstein's 132nd Birthday

Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2011-03-05 at 08:40 -0800, John Hardin wrote:
> On Sat, 5 Mar 2011, Chris wrote:
> 
> > In the example I posted I also see this in the To: headers when saved as
> > a .txt file - "@pop.embarq.synacor.com>, \"ballard\", \"aajhp"
> > <bu...@aol.com>
> 
> > I see the same thing -
> > "@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
> > <bi...@yahoo.com>, \"ballard\" <bu...@aol.com>, \"aajhp"
> > <jl...@embarqmail.com>, I have no idea where the '\' are coming from.
> 
> That means the email address <bu...@aol.com> has the comment 
> "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" associated with it, and 
> the email address <jl...@embarqmail.com> has the comment 
> "@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
> > <bi...@yahoo.com>, \"ballard\" <bu...@aol.com>, \"aajhp"
> 
> A more-expected example would be: "John Hardin" <jh...@impsec.org>
> 
> That's why the quotes are escaped - they are embedded in the comment.
> 
> _something_ is farking up the recipients list. Whether it's whatever is 
> composing the message (perhaps it's not properly parsing a recipients 
> database, or the recipients database is dirty), or some intermediate MTA, 
> we can't tell from the receiving end.
> 
> You might want to contact the sender and see how the recipient list is 
> being generated. While this shouldn't affect delivery, as you can see it's 
> having effects on DKIM and spam scoring.
> 
Thanks John, maybe this is a better example:

Recipients list in spam:

To: wayne watts <ed...@clear.net>, ebethbaize@yahoo.com, 
 jpmalone58@centurylink.net, jnrsmi@dishmail.com, reebjm@swbell.net,
"."
 <bo...@US.army.mil>,  training
<tr...@sheriff.co.coryell.tx.us>,
  wills <wi...@yahoo.com>, jaredbruton <ja...@yahoo.com>, 
 darrell <da...@sbcglobal.net>,  rthornley
<rt...@hot.rr.com>,
  "Rocwood, Farron" <fl...@yahoo.com>,  "Patterson, Randy"
 <ra...@yahoo.com>,  "mcminn, carolyn" <de...@yahoo.com>,
kenny
 worthington <ke...@embarqmail.com>,  hitt
 <hi...@rocketmail.com>, "haines, mark" <ha...@yahoo.com>,
Debi4452
 <De...@yahoo.com>, cpollock <cp...@embarqmail.com>,  "cheek, tom"
 <to...@netzero.net>,  Chancy <ch...@embarqmail.com>,
cdneumann
 <cd...@hot.rr.com>,  "cantrell, james" <jl...@embarqmail.com>, 
 "@pop.embarq.synacor.com>, \"ballard\", \"aajhp" <bu...@aol.com>

Recipients list in ham:

To: wayne watts <ed...@clear.net>, ebethbaize@yahoo.com, 
 jpmalone58@centurylink.net, jnrsmi@dishmail.com, reebjm@swbell.net,
"."
 <bo...@US.army.mil>,  training
<tr...@sheriff.co.coryell.tx.us>,
  wills <wi...@yahoo.com>, jaredbruton <ja...@yahoo.com>, 
 darrell <da...@sbcglobal.net>,  rthornley
<rt...@hot.rr.com>,
  "Rocwood, Farron" <fl...@yahoo.com>,  "Patterson, Randy"
 <ra...@yahoo.com>,  "mcminn, carolyn" <de...@yahoo.com>,
kenny
 worthington <ke...@embarqmail.com>,  hitt
 <hi...@rocketmail.com>, "haines, mark" <ha...@yahoo.com>,
Debi4452
 <De...@yahoo.com>, cpollock <cp...@embarqmail.com>,  "cheek, tom"
 <to...@netzero.net>,  Chancy <ch...@embarqmail.com>,
cdneumann
 <cd...@hot.rr.com>,  "cantrell, james" <jl...@embarqmail.com>,
ballard
 <bu...@aol.com>, aajhp <aa...@embarqmail.com> 

The two look the same except for the last few entries where the one
marked spam has the last few addressees borked. Apparently something is
intermittently adding the @pop.embarq.synacor.com to the list. Do these
lines mean he's using Embarq's webmail instead of sending directly from his
computer? If so, that could be where the glitches are coming from:

X-originating-ip: [76.0.87.41]
X-mailer: Zimbra 6.0.5_GA_2213.RHEL4_64 (ZimbraWebClient - IE8
(Win)/6.0.5_GA_2213.RHEL4_64)
X-senderip: 10.50.3.117

I'll have to watch for any more tagged spam and compare to non-spam.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)


Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Posted by John Hardin <jh...@impsec.org>.
On Sat, 5 Mar 2011, Chris wrote:

> In the example I posted I also see this in the To: headers when saved as
> a .txt file - "@pop.embarq.synacor.com>, \"ballard\", \"aajhp"
> <bu...@aol.com>

> I see the same thing -
> "@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
> <bi...@yahoo.com>, \"ballard\" <bu...@aol.com>, \"aajhp"
> <jl...@embarqmail.com>, I have no idea where the '\' are coming from.

That means the email address <bu...@aol.com> has the comment 
"@pop.embarq.synacor.com>, \"ballard\", \"aajhp" associated with it, and 
the email address <jl...@embarqmail.com> has the comment 
"@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
> <bi...@yahoo.com>, \"ballard\" <bu...@aol.com>, \"aajhp"

A more-expected example would be: "John Hardin" <jh...@impsec.org>

That's why the quotes are escaped - they are embedded in the comment.

_something_ is farking up the recipients list. Whether it's whatever is 
composing the message (perhaps it's not properly parsing a recipients 
database, or the recipients database is dirty), or some intermediate MTA, 
we can't tell from the receiving end.

You might want to contact the sender and see how the recipient list is 
being generated. While this shouldn't affect delivery, as you can see it's 
having effects on DKIM and spam scoring.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Of the twenty-two civilizations that have appeared in history,
   nineteen of them collapsed when they reached the moral state the
   United States is in now.                          -- Arnold Toynbee
-----------------------------------------------------------------------
  8 days until Albert Einstein's 132nd Birthday
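John's reading of the escaped quotes can be checked with the standard library's RFC 5322 address parser. The Python below is an added example, not code from the thread: it parses two To: header values shaped like Chris's ham and spam lists (the thread's addresses are redacted, so these are constructed placeholders on example.* domains) and shows that the "borked" entry is syntactically one mailbox whose quoted display name swallowed two former recipients, which is why the inner quotes appear as `\"` on the wire. The `suspicious_display_names` and `lost_recipients` helpers are hypothetical checks a mail admin could run over such headers.

```python
import email
from email import policy

# Constructed sample To: header values modelled on the shape of Chris's
# ham and spam examples. The thread's real addresses are redacted, so
# these are placeholders on example.* domains.
HAM_TO = (
    'cdneumann <cdn@example.net>, "cantrell, james" <jlc@example.com>,\n'
    ' ballard <ballard@example.org>, aajhp <aajhp@example.com>'
)
SPAM_TO = (
    'cdneumann <cdn@example.net>, "cantrell, james" <jlc@example.com>,\n'
    ' "@pop.embarq.synacor.com>, \\"ballard\\", \\"aajhp" <ballard@example.org>'
)


def parse_recipients(to_value):
    """Parse a To: header value with the RFC 5322 parser behind
    email.policy.default and return [(display_name, addr_spec), ...].

    The parser resolves quoted-pairs, so a \\" inside a quoted display
    name comes back as a bare double quote: that is how a quote *inside*
    the comment has to be written on the wire."""
    raw = f"To: {to_value}\n\nbody\n"
    msg = email.message_from_string(raw, policy=policy.default)
    return [(a.display_name, a.addr_spec) for a in msg["To"].addresses]


def suspicious_display_names(mailboxes):
    """Return the mailboxes whose display name carries address syntax
    ('@', '<', '>' or an embedded double quote). A legitimate quoted name
    such as "cantrell, james" passes; a mangled address-book entry that
    swallowed other recipients does not."""
    return [(name, addr) for name, addr in mailboxes
            if any(ch in name for ch in '@<>"')]


def lost_recipients(ham, spam):
    """Addresses present in the clean list but absent from the mangled one."""
    spam_addrs = {addr for _, addr in spam}
    return [addr for _, addr in ham if addr not in spam_addrs]


if __name__ == "__main__":
    ham, spam = parse_recipients(HAM_TO), parse_recipients(SPAM_TO)
    print(f"ham: {len(ham)} mailboxes, spam: {len(spam)} mailboxes")
    for name, addr in suspicious_display_names(spam):
        print(f"suspicious display name for <{addr}>: {name!r}")
    print("recipients missing from the mangled header:", lost_recipients(ham, spam))
```

Run as a script it reports four mailboxes for the clean header and three for the mangled one, with the last mangled mailbox carrying the display name `@pop.embarq.synacor.com>, "ballard", "aajhp` and the aajhp address gone entirely. That matches John's point: the message still delivers to one valid address, but the recipient list the sender intended is not what was sent.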

Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Posted by Chris <cp...@embarqmail.com>.
On Sat, 2011-03-05 at 05:28 +0100, Karsten Bräckelmann wrote:
> On Fri, 2011-03-04 at 21:44 -0600, Chris Pollock wrote:
> > Two posts from the same person: one hits on the short circuit rule, the
> > other doesn't. The line in my dkimwhitelist.cf is:
> > 
> > whitelist_from_dkim ellisfain@embarqmail.com
> > 
> > Headers from one that did hit and one that didn't are posted here:
> > 
> > http://pastebin.com/j0j4pFb1
> > 
> > Anyone see a reason for this?
> 
> Not a DKIM expert, by far, so I might assume something stupid. But a
> naive approach to the DKIM-Signature header with the h= option would
> suggest the To header is a vital element of the signing.
> 
> Well, comparing the headers side-by-side, after adding a bunch of
> newlines, flipping back and forth, there is one striking difference.
> 
> The one that was NOT whitelisted has a To header like this:
> 
>   To: [...], @pop.embarq.synacor.com>, [...]
> 
> Note that all addresses pruned above, for both mails, appear to be in
> the valid form "bar <fo...@example.com>", comma separated, EXCEPT that one
> shown. Which is utterly broken.
> 
> Some server in the chain broke the To header?
> 
> 
Thanks Karsten, doing some more checking I've found the following:

In the example I posted I also see this in the To: headers when saved as
a .txt file: "@pop.embarq.synacor.com>, \"ballard\", \"aajhp"
<bu...@aol.com>. Looking at another of his posts, which I'd saved
because it was tagged spam, I see the same thing:
"@pop.embarq.synacor.com>, \"cantrell, james\", \"billybeckner\"
 <bi...@yahoo.com>, \"ballard\" <bu...@aol.com>, \"aajhp"
 <jl...@embarqmail.com>. I have no idea where the '\' are coming from.

A message hitting the short circuit rule does not have the incorrectly
formatted list of addressees. I took a few minutes to look at RFC 4871
for DKIM sigs; however, I need to read it further to digest all that it
says. For now, though, I think the '\' in the To: addresses and the
@pop.... is somehow breaking the DKIM signature, though I may be wrong.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)


Re: Short Circuit USER_IN_DKIM_WHITELIST hits sometimes

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-03-04 at 21:44 -0600, Chris Pollock wrote:
> Two posts from the same person: one hits on the short circuit rule, the
> other doesn't. The line in my dkimwhitelist.cf is:
> 
> whitelist_from_dkim ellisfain@embarqmail.com
> 
> Headers from one that did hit and one that didn't are posted here:
> 
> http://pastebin.com/j0j4pFb1
> 
> Anyone see a reason for this?

Not a DKIM expert, by far, so I might assume something stupid. But a
naive approach to the DKIM-Signature header with the h= option would
suggest the To header is a vital element of the signing.

Well, comparing the headers side-by-side, after adding a bunch of
newlines, flipping back and forth, there is one striking difference.

The one that was NOT whitelisted has a To header like this:

  To: [...], @pop.embarq.synacor.com>, [...]

Note that all addresses pruned above, for both mails, appear to be in
the valid form "bar <fo...@example.com>", comma separated, EXCEPT that one
shown. Which is utterly broken.

Some server in the chain broke the To header?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
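Karsten's observation that the To header is part of what h= covers can be checked mechanically. The Python below is an added example, not code from the thread or from SpamAssassin: it implements the header-side pieces of RFC 4871/6376 that a verifier runs, namely tag parsing of DKIM-Signature, relaxed header canonicalization, and assembly of the header hash input. The DKIM-Signature value, domain, selector, addresses, bh= and b= are constructed placeholders, not the pastebin's headers, and nothing here verifies a real signature; the point it shows is that a rewritten To changes the signed input exactly when To is listed in h=, so the signature cannot verify and whitelist_from_dkim (which needs a valid signature) cannot match, while the same rewrite is invisible when To was left out of h=.

```python
import hashlib
import re

# Constructed sample, not the pastebin's headers: a DKIM-Signature whose h=
# lists To, as Karsten notes, plus the headers it covers. Domain, selector,
# addresses, bh= and b= are placeholders.
SIG_VALUE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=From:To:Subject:Date:Message-ID; bh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDERSIGNATURE=="
)
# Same signature, but a signer that did not cover To.
SIG_NO_TO = SIG_VALUE.replace("h=From:To:", "h=From:")
COMMON_HEADERS = [
    ("From", "sender <sender@example.com>"),
    ("Subject", "Fwd: weekend plans"),
    ("Date", "Fri, 4 Mar 2011 21:44:19 -0600"),
    ("Message-ID", "<placeholder-id@example.com>"),
]
HAM_TO = ('cdneumann <cdn@example.net>, "cantrell, james" <jlc@example.com>,\r\n'
          ' ballard <ballard@example.org>, aajhp <aajhp@example.com>')
SPAM_TO = ('cdneumann <cdn@example.net>, "cantrell, james" <jlc@example.com>,\r\n'
           ' "@pop.embarq.synacor.com>, \\"ballard\\", \\"aajhp" <ballard@example.org>')


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2);
    folding whitespace inside a value is dropped."""
    tags = {}
    for part in sig_value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_headers(tags):
    """Header names listed in h=, lower-cased, in signing order."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def relaxed_canon_header(name, value):
    """Relaxed header canonicalization (RFC 6376 3.4.2): lower-case the
    name, unfold, squeeze WSP runs to one SP, drop WSP at the ends and
    around the colon, terminate with CRLF."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value)
    return f"{name.lower()}:{value.strip(' ')}\r\n"


def header_hash_input(headers, h_list, sig_value):
    """Bytes a verifier hashes for the header part (RFC 6376 3.7): the h=
    fields in order, then DKIM-Signature itself with b= emptied and no
    trailing CRLF. A listed header the message lacks contributes nothing."""
    lookup = {name.lower(): (name, value) for name, value in headers}
    out = [relaxed_canon_header(*lookup[h]) for h in h_list if h in lookup]
    parts = []
    for part in sig_value.split(";"):
        if part.strip().startswith("b="):       # empty only the b= tag, not bh=
            part = part[: part.index("b=") + 2]
        parts.append(part)
    out.append(relaxed_canon_header("DKIM-Signature", ";".join(parts)).rstrip("\r\n"))
    return "".join(out).encode()


def header_hash(headers, h_list, sig_value):
    return hashlib.sha256(header_hash_input(headers, h_list, sig_value)).hexdigest()


def to_header_breaks_signature(ham_to, spam_to, sig_value):
    """True when rewriting To: changes the signed header input, i.e. when
    To is among the h= fields. Same verifier logic, different recipient list."""
    h_list = signed_headers(parse_dkim_tags(sig_value))
    ham = header_hash(COMMON_HEADERS + [("To", ham_to)], h_list, sig_value)
    spam = header_hash(COMMON_HEADERS + [("To", spam_to)], h_list, sig_value)
    return ham != spam


if __name__ == "__main__":
    for label, sig in (("To in h=", SIG_VALUE), ("To not in h=", SIG_NO_TO)):
        changed = to_header_breaks_signature(HAM_TO, SPAM_TO, sig)
        print(f"{label}: rewritten To changes signed input -> {changed}")
```

Relaxed canonicalization is what makes this diagnosis reliable: it forgives refolding and whitespace changes by intermediate MTAs, so the only To rewrite that can change the hash input is a change to the header's tokens themselves, which is exactly what the `\"`-laden entry is. When a whitelist_from_dkim entry stops matching for one sender, comparing the h= list against a diff of the ham and spam copies of those headers localizes the breakage before reading the RFC in full.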