You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/05/12 14:37:16 UTC

Received header and matching

Hi,

I'm trying to match some Apple/iTunes fraud and would like to use the
lack of the email having been passed through anything relating to
Apple (contains apple.com, etc), and having some difficulty with this
header:

Received: from 56.119.233.220.static.exetel.com.au ([220.233.119.56]
helo=smtp.vic.exemail.com.au)
        by pecan.exetel.com.au with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
        (Exim 4.84)
        (envelope-from <ID...@ssl.apple.com>)
        id 1b0RAr-0003bC-72
        for milgrp@example.com; Wed, 11 May 2016 20:15:43 +1000

This rule apparently matches due to the envelope-from line above.

header  __LOC_APPLE_RCVD        Received =~ /apple\.com/

How can I get it to only match on the server name in that line?

Perhaps someone has a more effective rule for spam such as this one?
I'm using pypolicyd-spf and it's detected that there is an SPF
permerror, but apparently not a SA rule detected the SPF fail. It
would be good to add a few points for that somehow...

http://pastebin.com/SYq3Rysr

Thanks,
Alex

Re: Received header and matching

Posted by John Hardin <jh...@impsec.org>.

On Thu, 12 May 2016, Alex wrote:

> I'm trying to match some Apple/iTunes fraud and would like to use the
> lack of the email having been passed through anything relating to
> Apple (contains apple.com, etc), and having some difficulty with this
> header:
>
> Received: from 56.119.233.220.static.exetel.com.au ([220.233.119.56]
> helo=smtp.vic.exemail.com.au)
>        by pecan.exetel.com.au with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
>        (Exim 4.84)
>        (envelope-from <ID...@ssl.apple.com>)
>        id 1b0RAr-0003bC-72
>        for milgrp@example.com; Wed, 11 May 2016 20:15:43 +1000
>
> This rule apparently matches due to the envelope-from line above.
>
> header  __LOC_APPLE_RCVD        Received =~ /apple\.com/
>
> How can I get it to only match on the server name in that line?

Try matching on the external relays pseudo-header where that all gets 
normalized.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  142 days since the first successful real return to launch site (SpaceX)

Re: Received header and matching

Posted by David Jones <dj...@ena.com>.

>From: Alex <my...@gmail.com>
>Sent: Thursday, May 12, 2016 9:37 AM
>To: SA Mailing list
>Subject: Received header and matching

>Hi,

>I'm trying to match some Apple/iTunes fraud and would like to use the
>lack of the email having been passed through anything relating to
>Apple (contains apple.com, etc), and having some difficulty with this
>header:

>Received: from 56.119.233.220.static.exetel.com.au ([220.233.119.56]
>helo=smtp.vic.exemail.com.au)
>        by pecan.exetel.com.au with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
>        (Exim 4.84)
>        (envelope-from <ID...@ssl.apple.com>)
>        id 1b0RAr-0003bC-72
>        for milgrp@example.com; Wed, 11 May 2016 20:15:43 +1000

>This rule apparently matches due to the envelope-from line above.

>header  __LOC_APPLE_RCVD        Received =~ /apple\.com/

>How can I get it to only match on the server name in that line?

>Perhaps someone has a more effective rule for spam such as this one?
>I'm using pypolicyd-spf and it's detected that there is an SPF
>permerror, but apparently not a SA rule detected the SPF fail. It
>would be good to add a few points for that somehow...

>http://pastebin.com/SYq3Rysr

whitelist_auth *@apple.com
whitelist_auth *@*.apple.com
whitelist_auth *@*.icloud.com
whitelist_auth *@itunes.com
whitelist_auth *@*.itunes.com

Then increase your scores a little for BAYES_*, SPF_FAIL,
T_DMARC_TESTS_FAIL, etc.

Over time, you can build up the whitelist_auth list of trusted
senders that are not human accounts that can be compromised
then the major domains that are commonly spoofed will be
covered properly to let them through.  Then you train your bayes
with the bad ones to get those BAYES_* hits up closer to BAYES_99
which will help scoring overall.

>Thanks,
>Alex