Posted to users@spamassassin.apache.org by "Robert A. Ober" <ro...@robob.com> on 2020/02/26 01:28:23 UTC

From Spoofed

     Hey Folks,

I have a user that is getting many emails with obscene subjects. Someone 
is spoofing the From to include the user's domain so the email is hitting 
"USER_IN_WHITELIST".  I have installed the plugins from extremeshok and 
it has not stopped the problem.

   Emails have header info such as:

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail
X-Spam-Level:
X-Spam-Status: No, score=-60.8 required=5.0
	tests=ALL_CODING,ALL_OZ,BAYES_99,BAYES_999,FROM_EXCESS_BASE64,
	HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,MIME_HTML_ONLY,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_PSBL,RCVD_IN_RP_RNBL,
	RCVD_IN_SBL_CSS,RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RDNS_NONE,
	SERGIO_SUBJECT_PORN014,SUBJECT_FUCKBUDDY,URIBL_ABUSE_SURBL,
	URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,USER_IN_WHITELIST autolearn=no
	version=3.3.2

The SUBJECT_FUCKBUDDY rule has a score of 3.0 .

Subject line has "Hungry for a Fuckbuddy" .  Sorry I can't paste, it did 
not come through formatted properly when the user forwarded from Outlook 
and it's gone from her Inbox on the server.

If I send a test email with Fuckbuddy in the subject from my GMail 
account, spamassassin catches it and sends it to the spam folder.

Ideas?

Thanks,
Robert

Robert A. Ober
IT Consultant, Vidcaster, & Freelancer
www.infohou.com
Houston, TX



Re: From Spoofed

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 26 Feb 2020, Benny Pedersen wrote:

> Robert A. Ober wrote on 2020-02-26 02:28:
>
>> I have a user that is getting many emails with obscene subjects.
>> Someone is spoofing the From to include the user's domain so the email
>> is hitting "USER_IN_WHITELIST".  I have installed the plugins from
>> extremeshok and it has not stopped the problem.
>
> remove whitelist_from in spamassassin, or change it to score -0.1
>
> i will not argue on why whitelist_from even exists
>
>> The SUBJECT_FUCKBUDDY rule has a score of 3.0 .
>
> change score to 300
>
> upgrade to 3.4.4 btw

I won't argue with the recommendation to upgrade but his real problem is:

> Someone is spoofing the From to include the user's domain so the email is 
> hitting "USER_IN_WHITELIST"

That says somebody has taken the users' domain and added it to a 
"whitelist_from" statement. That is -not- a SA default.

So first kill that ill-advised whitelist_from

Then find out why somebody did that and fix that problem properly, not with the 
easily subverted  "whitelist_from" sledge-hammer.

If they -must- have some form of whitelist_from, use something that is less 
easily subverted (such as setting up DKIM or SPF for their domain and using 
def_whitelist_auth or at least whitelist_from_rcvd ).

Even better, use def_whitelist_auth & def_whitelist_from_rcvd so it's not 
such a sledge-hammer but just a mild "bump" to make sure locally generated 
messages get a little extra help.

If it weren't from that bad "whitelist_from" the OP's message would have been 
spam-tagged, it hit plenty of RBLs etc. It was just that sledge-hammer that got 
it thru.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: From Spoofed

Posted by Benny Pedersen <me...@junc.eu>.
Robert A. Ober wrote on 2020-02-26 02:28:

> I have a user that is getting many emails with obscene subjects.
> Someone is spoofing the From to include the user's domain so the email
> is hitting "USER_IN_WHITELIST".  I have installed the plugins from
> extremeshok and it has not stopped the problem.

remove whitelist_from in spamassassin, or change it to score -0.1

i will not argue on why whitelist_from even exists

> The SUBJECT_FUCKBUDDY rule has a score of 3.0 .

change score to 300

upgrade to 3.4.4 btw

Re: From Spoofed

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 27 Feb 2020, at 8:12, RW wrote:

> On Tue, 25 Feb 2020 22:43:04 -0500
> Bill Cole wrote:
>
>> On 25 Feb 2020, at 20:28, Robert A. Ober wrote:
>>
>>>     Hey Folks,
>>>
>>> I have a user that is getting many emails with obscene subjects.
>>> Someone is spoofing the From to include the user's domain so the
>>> email is hitting "USER_IN_WHITELIST".  I have installed the plugins
>>> from extremeshok and it has not stopped the problem.
>>
>> I have no idea how good or bad or trustworthy the "extremeshok"
>> plugins may be,
>
> Pretty bad, this would have earned you 7 points:
>
>   From: "Bill Cole" <sa...@billmail.scconsult.com>
>   Reply-To: users@spamassassin.apache.org

ROFL...

At least I am at no risk of offending its fans.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: From Spoofed

Posted by RW <rw...@googlemail.com>.
On Tue, 25 Feb 2020 22:43:04 -0500
Bill Cole wrote:

> On 25 Feb 2020, at 20:28, Robert A. Ober wrote:
> 
> >     Hey Folks,
> >
> > I have a user that is getting many emails with obscene subjects. 
> > Someone is spoofing the From to include the user's domain so the
> > email is hitting "USER_IN_WHITELIST".  I have installed the plugins
> > from extremeshok and it has not stopped the problem.  
> 
> I have no idea how good or bad or trustworthy the "extremeshok"
> plugins may be, 

Pretty bad, this would have earned you 7 points:

  From: "Bill Cole" <sa...@billmail.scconsult.com>
  Reply-To: users@spamassassin.apache.org

Re: From Spoofed

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 25 Feb 2020, at 20:28, Robert A. Ober wrote:

>     Hey Folks,
>
> I have a user that is getting many emails with obscene subjects. 
> Someone is spoofing the From to include the user's domain so the email 
> is hitting "USER_IN_WHITELIST".  I have installed the plugins from 
> extremeshok and it has not stopped the problem.

I have no idea how good or bad or trustworthy the "extremeshok" plugins 
may be, but nothing is going to overcome the "USER_IN_WHITELIST" 
misconfiguration with its default score of -100. You should NOT fully 
whitelist *any* domain on a domain-wide basis without authentication of 
the sender of some sort. At worst, use  'def_whitelist_from' instead, 
which only scores -15 by default.

>   Emails have header info such as:
>
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail

So: only 9 years out of date and with about a half-dozen publicly 
documented significant security issues as well as about a dozen other 
unpleasant bugs that can cause scans to just abort or run forever. And 
hundreds of other bugs. Also: in a few weeks we will no longer publish 
rule updates with verification hashes that 3.3.2 can use, so if this 
system is getting rule updates, it won't be for long.

> X-Spam-Status: No, score=-60.8 required=5.0 
> tests=ALL_CODING,ALL_OZ,BAYES_99,

The message would have scored 39.2 without the USER_IN_WHITELIST hit.

Modern SpamAssassin has the 'whitelist_from_auth' mechanism (and that 
requires the whitelisted address to pass either SPF or DKIM testing, 
which reduces the risk of whitelisting). I believe that dates back to 
v3.1.x, so you should definitely change any system-wide 'whitelist_from' 
directives to 'whitelist_from_auth' where the domains have working SPF 
or DKIM, and to 'def_whitelist_from'. You can also adjust the scores of 
USER_IN_WHITELIST and USER_IN_DEF_WHITELIST to less overpowering values, 
e.g. -10 and -5 instead of -100 and -15.

[...]

> If I send a test email with Fuckbuddy in the subject from my GMail 
> account, spamassassin catches it and sends it to the spam 
> folder.

Yes, because no one in their right minds would whitelist all of GMail.

> Ideas?

1. Update to SA 3.4.4. It has an anti-spoofing plugin that is in active 
maintenance and which we believe to be good enough to distribute with 
the project distribution.

2. Add lines like these (with whatever scores you deem reasonable...) to 
your local.cf file:

score USER_IN_WHITELIST -10
score USER_IN_DEF_WHITELIST -5

3. Switch any system-wide whitelisting to mechanisms that are tighter 
and/or weaker: whitelist_from_rcvd, whitelist_from_auth, and their 
weaker def_* variants.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: From Spoofed

Posted by John Hardin <jh...@impsec.org>.
On Tue, 25 Feb 2020, Robert A. Ober wrote:

> I have a user that is getting many emails with obscene subjects. Someone is 
> spoofing the From to include the user's domain so the email is hitting 
> "USER_IN_WHITELIST".

Does the user's domain have either SPF or DKIM enabled so that the mail 
can be more reliably determined to actually *be* from that domain?

If not, implementing that may be a benefit. Then you can score higher any 
mail from that domain that is NOT signed or that fails SPF...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If guns kill people, then...
     -- pencils miss spel words.
     -- cars make people drive drunk.
     -- spoons make people fat.
-----------------------------------------------------------------------
  253 days until the Presidential Election
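The advice in the replies above (Bill Cole's three steps, Dave Funk's point about def_* variants, and John Hardin's suggestion to score unauthenticated mail that claims the user's own domain) collected into one local.cf fragment. This is an added example, not configuration posted in the thread or shipped by the SpamAssassin project. example.com and mail.example.com are stand-ins for the user's domain and its outbound relay, which the thread does not name, and the 5.0 penalty is an arbitrary choice. The directive Bill refers to as 'whitelist_from_auth' is spelled whitelist_auth in the Mail::SpamAssassin::Conf manual (def_whitelist_auth for the milder form), and that spelling is used here. The default scores quoted in the comments are the ones shipped in the project's 50_scores.cf; confirm them against the file in your own install before relying on them.

```conf
# local.cf fragment (added example; example.com / mail.example.com are
# stand-ins for the user's domain and its own outbound relay)

# --- The weak setting that produces the OP's symptom. Any message whose
# header From: is at the domain is trusted on its word alone, and
# USER_IN_WHITELIST fires at its default -100. Remove this line.
# whitelist_from *@example.com

# --- Replacement 1: trust the domain only when SPF or DKIM proves it.
# whitelist_auth = whitelist_from_spf + whitelist_from_dkim and hits
# USER_IN_SPF_WHITELIST / USER_IN_DKIM_WHITELIST. Needs working SPF and/or
# DKIM for example.com and the SPF / DKIM plugins loaded.
whitelist_auth *@example.com

# --- Replacement 2: trust it only when the last untrusted relay's rDNS is
# our own MTA (hits USER_IN_WHITELIST). Only meaningful if trusted_networks
# and internal_networks are set correctly.
# whitelist_from_rcvd *@example.com mail.example.com

# --- Milder "bump" variants, usually all that locally generated mail needs
# (USER_IN_DEF_SPF_WL / USER_IN_DEF_DKIM_WL and USER_IN_DEF_WHITELIST).
def_whitelist_auth *@example.com
def_whitelist_from_rcvd *@example.com mail.example.com

# --- Take the sledge-hammer scores down so a single whitelist hit can no
# longer cancel ~40 points of RBL, URIBL and Bayes evidence as it did here.
# Shipped defaults: USER_IN_WHITELIST -100, USER_IN_DEF_WHITELIST -15,
# USER_IN_SPF_WHITELIST / USER_IN_DKIM_WHITELIST -100,
# USER_IN_DEF_SPF_WL / USER_IN_DEF_DKIM_WL -7.5
score USER_IN_WHITELIST      -10
score USER_IN_DEF_WHITELIST  -5
score USER_IN_SPF_WHITELIST  -10
score USER_IN_DKIM_WHITELIST -10

# --- John Hardin's suggestion: penalise mail that claims to be from our
# domain but carries no proof of it. DKIM_VALID_AU = valid signature whose
# d= matches the author (From:) domain. SPF_PASS is deliberately not used:
# SPF authenticates the envelope sender, which the spammer controls, so a
# forged header From: can still arrive with SPF_PASS. ALL_TRUSTED exempts
# mail submitted through our own (trusted) relays, e.g. users' MUAs.
header   __FROM_OWN_DOMAIN  From:addr =~ /\@example\.com$/i
meta     OWN_DOMAIN_UNAUTH  __FROM_OWN_DOMAIN && !DKIM_VALID_AU && !ALL_TRUSTED
describe OWN_DOMAIN_UNAUTH  From: claims our domain but is not DKIM-signed by it
score    OWN_DOMAIN_UNAUTH  5.0
```

Run `spamassassin --lint` after editing and then re-scan a saved copy of one of the offending messages with `spamassassin -t < msg`; the X-Spam-Status line should now show OWN_DOMAIN_UNAUTH instead of USER_IN_WHITELIST, and the score should be positive. The whitelist_from_rcvd line is left commented because it is only safe once the trusted-network settings are right; with them wrong it is almost as easy to spoof as whitelist_from.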

Re: From Spoofed

Posted by Brent Clark <br...@gmail.com>.
Quite an overhead you are suggesting / proposing there, don't you think?

All the OP needs to do is, first and foremost, sort out that 
USER_IN_WHITELIST.

Then I recommend throwing in KAM rules and extremeshok's fromreplyto plugin.
And if the OP is really serious, enable Sane security signatures.
I would also enable Googles Safe Browsing database via Clamav.

HTH
Brent

On 2020/02/26 11:02, Marc Roos wrote:
> 
> You should maintain also your own rbl with soft and hard blocking of ip
> ranges. Problem with only marking emails is, is that the spam network is
> not 'learning' that their emails are being blocked.

RE: From Spoofed

Posted by Marc Roos <M....@f1-outsourcing.eu>.
You should maintain also your own rbl with soft and hard blocking of ip 
ranges. The problem with only marking emails is that the spam network is 
not 'learning' that their emails are being blocked.




