Posted to users@spamassassin.apache.org by LuKreme <kr...@kreme.com> on 2010/06/28 10:08:16 UTC

blizzard (and others) faux messages

Been getting a lot of messages from hotmail and others claiming to be from Blizzard account management or Aeon account services, or a whole host of others.

They are not pegging SA at all, scoring usually close to 0 (they will get Bayes_00 and sometimes a spamcop hit to balance out, but nothing else).

Has anyone come up with anything to catch these without tripping on real messages from blizzard and whomever?

Blizzard, at least, publishes DKIM records, so is the syntax for dealing with that still the same in 3.3?

whitelist_from_dkim *@blizzard.com
whitelist_from_dkim *@battle.net

As I recall, however, what I actually want to do is blacklist anything from blizzard.com that FAILS (or lacks) DKIM, right?

I know I used to do this crap for paypal and citibanc and a few others, but now I don't remember what, exactly, I did.

-- 
'There's stranger people in this world than Corporal Nobbs, my lad.'
Carrot's expression slid into a rictus of intrigued horror.  'Gosh.'
--Men at Arms


Re: blizzard (and others) faux messages

Posted by LuKreme <kr...@kreme.com>.
On 29-Jun-2010, at 15:26, Kenneth Porter wrote:

> --On Tuesday, June 29, 2010 2:37 PM -0700 John Hardin <jh...@impsec.org> wrote:
> 
>>> So it sounds like they're not sending everything through the same
>>> system. Time to post a report about that in one of their game forums.
>>> (Which one? Suggestions? Bug Reports? Customer Support? I think the last
>>> one, as that's where they deal with phish.)
>> 
>> Postmaster?
> 
> True, I'm over-thinking it. I should just send the request to the hacks address.

I don't think blizzard reads the mail at hacks, they just post-process it and send an ack to the sender.

I also don't think they read postmaster@ 

I don't care if the acks get scored as spam, they are pointless and identical every time.

-- 
"Back off, man. I'm a scientist."


Re: blizzard (and others) faux messages

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, June 29, 2010 2:37 PM -0700 John Hardin <jh...@impsec.org> 
wrote:

>> So it sounds like they're not sending everything through the same
>> system. Time to post a report about that in one of their game forums.
>> (Which one? Suggestions? Bug Reports? Customer Support? I think the last
>> one, as that's where they deal with phish.)
>
> Postmaster?

True, I'm over-thinking it. I should just send the request to the hacks 
address.



Re: blizzard (and others) faux messages

Posted by John Hardin <jh...@impsec.org>.
On Tue, 29 Jun 2010, Kenneth Porter wrote:

> I just checked some recent messages and found that auto-replies from the 
> hacks@blizzard.com address (to which one should forward examples of 
> phish) do NOT have DKIM signatures of any kind.
>
> Other recent mail from Blizzard does have a DKIM signature.
>
> So it sounds like they're not sending everything through the same 
> system. Time to post a report about that in one of their game forums. 
> (Which one? Suggestions? Bug Reports? Customer Support? I think the last 
> one, as that's where they deal with phish.)

Postmaster?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Mine eyes have seen the horror of the voting of the horde;
   They've looted the fromagerie where guv'ment cheese is stored;
   If war's not won before the break they grow so quickly bored;
   Their vote counts as much as yours.                          -- Tam
-----------------------------------------------------------------------
  5 days until the 234th anniversary of the Declaration of Independence

Re: blizzard (and others) faux messages

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, June 29, 2010 11:17 AM +0200 Mark Martinec 
<Ma...@ijs.si> wrote:

>> What I want:
>>
>>   1) Message from blizzard that has no dkim gets scored +10
>
> adsp_override blizzard.com custom_high

I just checked some recent messages and found that auto-replies from the 
hacks@blizzard.com address (to which one should forward examples of phish) 
do NOT have DKIM signatures of any kind.

Other recent mail from Blizzard does have a DKIM signature.

So it sounds like they're not sending everything through the same system. 
Time to post a report about that in one of their game forums. (Which one? 
Suggestions? Bug Reports? Customer Support? I think the last one, as that's 
where they deal with phish.)

Re: blizzard (and others) faux messages

Posted by Mark Martinec <Ma...@ijs.si>.
LuKreme,

> > adsp_override blizzard.com custom_high
> > adsp_override *.blizzard.com custom_high
> OK, and then I just do that for every domain?

Yes, for every domain that you are sure always provides valid
DKIM or DK signatures and always sends directly, and after you
make sure that your mailer setup or upstream relay does not
clobber them. Note that several of these are already listed
in the distributed rules (60_adsp_override_dkim.cf),
but you may want to bump up the scores of the rules:
DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH,
DKIM_ADSP_ALL, DKIM_ADSP_DISCARD, DKIM_ADSP_NXDOMAIN

For domains with normal users (not just direct-send-only) which also
send mail through mailing lists (invalidating signatures), only a small
score penalty is suitable, which is why there are three additional
levels of ADSP overrides (_low, _med, _high), so that you can choose
which score to use for which domain. Actually, domains which sign
all mail but occasionally send through mailing lists (like gmail.com
and yahoo) are the reason for rules NML_ADSP_* in 25_dkim.cf,
which are much like their DKIM_ADSP_* counterparts, but avoid
hitting when mail appears to be coming through a mailing list.

> Sorry for the confusion, but I seem to have wiped the memory banks on all
> of this in the last 3 years or so.

Yes, the DKIM plugin and its underlying Mail::DKIM have advanced
with SpamAssassin 3.3.0. 

> What I want:
> 
>   1) Message from blizzard that has no dkim gets scored +10

adsp_override blizzard.com custom_high

(choose either 'discard' or 'custom_high' or 'custom_med',
then assign score 10 to the chosen DKIM_ADSP_* rule)

>   2) Message from blizzard that passes dkim gets scored -1 (or something)

full   DKIM_VALID_BLIZZ eval:check_dkim_valid(blizzard.com)
score  DKIM_VALID_BLIZZ -1

full   DKIM_VALID_YG eval:check_dkim_valid(gmail.com, googlemail.com, googlegroups.com, yahoogroups.com, .yahoo.com, .yahoo.ca, .yahoo.de, .yahoo.fr, .yahoo.in, .yahoo.co.in, .yahoo.co.jp, .yahoo.co.nz, .yahoo.co.uk, .yahoo.com.hk, .yahoo.com.ph, .yahoo.com.vn)
score  DKIM_VALID_YG -0.5

This is similar to whitelist_from_dkim, but allows one to choose
different scores for different domains.

>   3) Message from random idiot that passes dkim gets scored -0.1

score DKIM_VALID -0.1

(which is a default anyway)

>   4) message that FAIL DKIM (or SPF hard fail) get scored +5

You'd only want to do that for domains which you know will always
provide a valid signature. Covered by adsp_override rules, as above.

There must not be a distinction between handling a mail with a
present but broken signature, and a mail with no signature, as
it is easy to forge either, and a spammer can choose to use the one
which is most advantageous to him.

>   5) Message from random idiot that passes SPF gets scored -0.001
> 
> I think that's about what I had in 3.2.5, only blizzard was a list of
> 'known' senders, like paypal, amazon, citibanc, apple.com, ebay, &c.
> 
> adsp_override battle.net  custom_high
> adsp_override blizzard.com custom_high
> adsp_override amazon.com custom_high
> adsp_override *.ebay.com custom_high
> adsp_override ebay.com custom_high
> 
> and so on?
> 
> And, since I'm here, how do I setup DKIM signing on my outbound mail?

By using either amavisd-new :
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
or OpenDKIM milter (with sendmail or postfix):
  http://www.opendkim.org/

Mark
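To see how the pieces Mark describes fit together (adsp_override domain matching, the DKIM_ADSP_* rules and their NML_ADSP_* mailing-list-aware counterparts, a custom check_dkim_valid() rule, and missing versus broken signatures scoring alike), here is a small Python model written for this page. It is not SpamAssassin's code: the local.cf fragment is constructed, DKIM_VALID_BLIZZ is modelled rather than evaluated by the plugin, and the matching precedence and the "signing domain equals author domain" simplification are assumptions.

```python
# Toy model of the SpamAssassin 3.3 behaviour Mark describes: adsp_override
# entries, DKIM_ADSP_*/NML_ADSP_* rules and check_dkim_valid(). Written for
# this page, not SpamAssassin code. Assumed: an exact adsp_override entry
# beats a '*.' entry, '*.d.tld' matches subdomains of d.tld but not d.tld,
# the signing domain equals the author domain, and LOCAL_CF is constructed.
LEVEL_TO_RULE = {"custom_low": "ADSP_CUSTOM_LOW", "custom_med": "ADSP_CUSTOM_MED",
                 "custom_high": "ADSP_CUSTOM_HIGH", "all": "ADSP_ALL", "discard": "ADSP_DISCARD"}

LOCAL_CF = """adsp_override blizzard.com   custom_high
adsp_override *.blizzard.com custom_high
adsp_override gmail.com      custom_low
score DKIM_ADSP_CUSTOM_HIGH 10
score DKIM_ADSP_CUSTOM_LOW  0.1
score NML_ADSP_CUSTOM_LOW   1
score DKIM_VALID           -0.1
score DKIM_VALID_BLIZZ     -1
"""
VALID_RULES = {"DKIM_VALID_BLIZZ": ("blizzard.com",)}  # models check_dkim_valid(blizzard.com)

def parse_cf(text):
    """Collect adsp_override and score lines from a local.cf-style fragment."""
    overrides, scores = {}, {}
    for line in text.splitlines():
        w = line.split()
        if len(w) == 3 and w[0] == "adsp_override":
            overrides[w[1].lower()] = w[2]
        elif len(w) == 3 and w[0] == "score":
            scores[w[1]] = float(w[2])
    return overrides, scores

def adsp_level(domain, overrides):
    """Signing practice that applies to an author domain, or None if no entry matches."""
    labels = domain.lower().split(".")
    # Exact entry first, then the most specific '*.' wildcard entry.
    candidates = [".".join(labels)] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return next((overrides[c] for c in candidates if c in overrides), None)

def score_message(author_domain, dkim, via_list, cf_text=LOCAL_CF):
    """dkim is 'valid', 'broken' or 'none'. Returns (rule hits, total score).
    'broken' and 'none' deliberately score alike: either is trivial to forge."""
    overrides, scores = parse_cf(cf_text)
    hits = []
    if dkim == "valid":
        hits.append("DKIM_VALID")
        hits += [r for r, doms in VALID_RULES.items() if author_domain.lower() in doms]
    else:
        level = adsp_level(author_domain, overrides)
        if level:
            hits.append("DKIM_" + LEVEL_TO_RULE[level])
            if not via_list:  # NML_* variants skip traffic that looks like a mailing list
                hits.append("NML_" + LEVEL_TO_RULE[level])
    return hits, round(sum(scores.get(h, 0.0) for h in hits), 3)
```

Unsigned mail claiming to be from a blizzard.com subdomain collects the full custom_high penalty, while an unsigned gmail.com message that arrived via a list only gets the small DKIM_ADSP_CUSTOM_LOW score.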

Re: blizzard (and others) faux messages

Posted by LuKreme <kr...@kreme.com>.
On 28-Jun-2010, at 15:11, Karsten Bräckelmann wrote:

> On Mon, 2010-06-28 at 15:02 -0600, LuKreme wrote:
>> On 28-Jun-2010, at 04:51, Mark Martinec wrote:
>>> The syntax hasn't changed - the DKIM plugin docs are up-to-date, see there.
> 
>> I assume I am looking in the wrong place?
>> 
>> $ perldoc Mail::SpamAssasin::Plugin::DKIM
>> No documentation found for "Mail::SpamAssasin::Plugin::DKIM".
>                                    ^^^^^^^^^^^
> Yes, wrong place. That doesn't translate to UBE-butt-butt-in.

Ah, I hate that word!

Thanks :)

-- 
All I know is that using the strap makes me feel lie a hot woman in
sunglasses. :-) ~jeffcarlson


Re: blizzard (and others) faux messages

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-06-28 at 15:02 -0600, LuKreme wrote:
> On 28-Jun-2010, at 04:51, Mark Martinec wrote:
> > The syntax hasn't changed - the DKIM plugin docs are up-to-date, see there.

> I assume I am looking in the wrong place?
> 
>  $ perldoc Mail::SpamAssasin::Plugin::DKIM
> No documentation found for "Mail::SpamAssasin::Plugin::DKIM".
                                    ^^^^^^^^^^^
Yes, wrong place. That doesn't translate to UBE-butt-butt-in.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: blizzard (and others) faux messages

Posted by LuKreme <kr...@kreme.com>.
On 28-Jun-2010, at 04:51, Mark Martinec wrote:
> The syntax hasn't changed - the DKIM plugin docs are up-to-date, see there.

perldoc Mail::DKIM was not in any way helpful.

I assume I am looking in the wrong place?

 $ perldoc Mail::SpamAssasin::Plugin::DKIM
No documentation found for "Mail::SpamAssasin::Plugin::DKIM".
 $ perldoc Plugin::DKIM
No documentation found for "Plugin::DKIM".

> In this case all you need (since 3.3.0) is an ADSP override,
> no need for whitelisting:
> 
> score DKIM_ADSP_CUSTOM_HIGH 100
> 
> adsp_override battle.net custom_high
> adsp_override email.blizzard.com custom_high
> 
> or more general:
> 
> adsp_override blizzard.com custom_high
> adsp_override *.blizzard.com custom_high
> 
> Adjust scores as needed, the defaults are very cautious
> (just in case someone is running SpamAssassin behind a
> mail path which clobbers messages, invalidating signatures):

OK, and then I just do that for every domain?

Sorry for the confusion, but I seem to have wiped the memory banks on all of this in the last 3 years or so.

What I want:

  1) Message from blizzard that has no dkim gets scored +10
  2) Message from blizzard that passes dkim gets scored -1 (or something)
  3) Message from random idiot that passes dkim gets scored -0.1
  4) message that FAIL DKIM (or SPF hard fail) get scored +5
  5) Message from random idiot that passes SPF gets scored -0.001

I think that's about what I had in 3.2.5, only blizzard was a list of 'known' senders, like paypal, amazon, citibanc, apple.com, ebay, &c.

adsp_override battle.net  custom_high
adsp_override blizzard.com custom_high
adsp_override amazon.com custom_high
adsp_override *.ebay.com custom_high
adsp_override ebay.com custom_high

and so on?

And, since I'm here, how do I setup DKIM signing on my outbound mail? 

-- 
Thunder rolled...  It is said that the gods play games with the fates of
men. But what games, and why, and the identities of the actual pawns,
and what the game is, and what the rules are - who knows?  Best not to
speculate.  Thunder rolled...  It rolled a six. --Guards! Guards!


Re: blizzard (and others) faux messages

Posted by Mark Martinec <Ma...@ijs.si>.
LuKreme,

> Been getting a lot of messages form hotmail and others claiming to be from
> Blizzard account management or Aeon account services, or a whole host of
> others.
> 
> They are not pegging SA at all, scoring usually close to 0 (they will get
> Bayes_00 and sometimes a spamcop hit to balance out, but nothing else).
> 
> Has anyone come up with anything to catch these without tripping on really
> messages from blizzard and whomever?
> 
> Blizzard, at least, publishes DKIM records, so is the syntax for dealing
> with that still the same in 3.3?
> 
> whitelist_from_dkim *@blizzard.com
> whitelist_from_dkim *@battle.net

The syntax hasn't changed - the DKIM plugin docs are up-to-date, see there.
Note that the above does not imply their subdomains (e.g. email.blizzard.com);
these may be whitelisted separately if desired.

> As I recall, however, what I actually want to do is blacklist anything from
> blizzard.com that FAILS (or lacks) DKIM, right?
> 
> I know I used to do this crap for paypal and citibanc and a few others, but
> now I don't remember what, exactly, I did.

In this case all you need (since 3.3.0) is an ADSP override,
no need for whitelisting:

score DKIM_ADSP_CUSTOM_HIGH 100

adsp_override battle.net custom_high
adsp_override email.blizzard.com custom_high

or more general:

adsp_override blizzard.com custom_high
adsp_override *.blizzard.com custom_high

Adjust scores as needed, the defaults are very cautious
(just in case someone is running SpamAssassin behind a
mail path which clobbers messages, invalidating signatures):

score DKIM_ADSP_CUSTOM_LOW  0.001
score DKIM_ADSP_CUSTOM_MED  0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score DKIM_ADSP_ALL     0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8


  Mark


Re: blizzard (and others) faux messages

Posted by Benny Pedersen <me...@junc.org>.
On Mon 28 Jun 2010 12:37:57 PM CEST, Ned Slider wrote
> Why not - that looks fine to me?

It's less strong on something that one doesn't know what it is; it's still
valid, yes, but never shoot animals with atom bombs :)

> The only real difference I see between whitelist_from_dkim and  
> def_whitelist_from_dkim is that they have different scores so one is  
> 'more whitelisted' than the other

Exactly my point; def_* can most of the time solve it.

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: blizzard (and others) faux messages

Posted by Ned Slider <ne...@unixmail.co.uk>.
Yes, I do exactly the same - whitelist by dkim (or spf) the domain that 
is being abused and then whack all mail from that domain that isn't signed.

On 28/06/10 10:07, Benny Pedersen wrote:
>
>> whitelist_from_dkim *@blizzard.com
>> whitelist_from_dkim *@battle.net
>
> First, don't use wildcards.
>

Why not - that looks fine to me?

> But what you want can be done like this:
>
> blacklist_from foo@example.net
> whitelist_from_dkim foo@example.net
>
> If a wildcard is needed, use def_blacklist_from and def_whitelist_from_dkim.
>

The only real difference I see between whitelist_from_dkim and 
def_whitelist_from_dkim is that they have different scores so one is 
'more whitelisted' than the other

There is some good documentation here:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-sa


Re: blizzard (and others) faux messages

Posted by Benny Pedersen <me...@junc.org>.
> whitelist_from_dkim *@blizzard.com
> whitelist_from_dkim *@battle.net

First, don't use wildcards.

But what you want can be done like this:

blacklist_from foo@example.net
whitelist_from_dkim foo@example.net

If a wildcard is needed, use def_blacklist_from and def_whitelist_from_dkim.

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html