Posted to users@spamassassin.apache.org by Yavuz Maslak <ma...@ihlas.net.tr> on 2008/12/05 23:54:35 UTC
about fake mails
Sometimes, although someone doesn't use domain.com's server, he sends many mails using his own SMTP service as if these mails come from @domain.com.
The domain.com may be hotmail.com or gmail.com.
Is there a rule for that so that we can give some score for these mails?
Re: about fake mails
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 06.12.08 00:54, Yavuz Maslak wrote:
> Sometimes, although anyone don't use domain.com's server, he sends many
> mails using himself smtp service as if these mails come from @domain.com.
>
> the domain.com may be hotmail.com , gmail.com.
>
> is there a rule for that so that we can give some score for these mails?
implement SPF and/or DKIM checks at SMTP level.
use SPF and DKIM plugins.
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
Re: about fake mails
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > From: Yavuz Maslak [mailto:maslak@ihlas.net.tr]
> > Sent: Sunday, December 07, 2008 3:02 PM
> > But I could not find how I give high score for a spammer who doesn't
> > use gmail's mail servers.
> >
> > Although a domain has domain keys, how can I give positive score for a
> > mail which comes from a fake smtp server ?
On 07.12.08 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.
>
> You have to apply a positive score to all mail claiming to be "From:" a
> gmail address, then apply a negative score voiding the first one to the
> DKim-verified ones.
I think that giving score that has gmail.com in From address, but is not
DKIM Verified, should be just enough.
Generally, there should be a meta rule for domains that have sign-all policy
and the mail is not signed, e.g.:
meta DKIM_MISS (DKIM_POLICY_SIGNALL && !DKIM_VERIFIED)
score DKIM_MISS 3.0
and maybe for mail that is signed, but the signature was
meta DKIM_FAIL (DKIM_SIGNED && !DKIM_VERIFIED)
score DKIM_FAIL 1.0
... I just guessed those scores, but maybe someone could run mass-check ?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
Re: about fake mails
Posted by Kai Schaetzl <ma...@conactive.com>.
Just that most of the spam with a gmail.com sender *is* coming from Gmail ..
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
RE: about fake mails
Posted by Jeff Mincy <je...@delphioutpost.com>.
From: "Giampaolo Tomassoni" <Gi...@Tomassoni.biz>
Date: Sun, 7 Dec 2008 15:52:10 +0100
> -----Original Message-----
> From: Yavuz Maslak [mailto:maslak@ihlas.net.tr]
> Sent: Sunday, December 07, 2008 3:02 PM
>
> Ok
> I have started to use dkim verification. I defined whitelists in local.cf.
> it works.
> But I could not find how I give high score for a spammer who doesn't use
> gmail's mail servers.
>
> Although a domain has domain keys, how can I give positive score for a mail
> which comes from a fake smtp server ?
There is no direct way (to my knowledge) to do this.
You have to apply a positive score to all mail claiming to be "From:" a
gmail address, then apply a negative score voiding the first one to the
DKim-verified ones.
You can write a meta rule for email that claims to be from gmail that
does not have DKIM.
# add some penalty points to mail from yahoo and gmail.com which
# does not carry a valid signature; exempt mail from mailing lists
header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
header __L_FROM_Y1 From:addr =~ m{[@.]yahoo\.com$}i
header __L_FROM_Y2 From:addr =~ m{\@yahoo\.com\.(ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3 From:addr =~ m{\@yahoo\.co\.(id|in|jp|nz|uk)$}i
header __L_FROM_Y4 From:addr =~ m{\@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta __L_FROM_YAHOO (__L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4)
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
meta L_UNVERIFIED_YAHOO (!DKIM_VERIFIED && !DK_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML)
priority L_UNVERIFIED_YAHOO 500
score L_UNVERIFIED_YAHOO 2.5
meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
I got these rules from this list. I added !DK_VERIFIED to
L_UNVERIFIED_YAHOO.
-jeff
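Added example, not part of the thread and not SpamAssassin code: a Python stand-in for the L_UNVERIFIED_GMAIL / L_UNVERIFIED_YAHOO meta rules posted above, run over constructed messages to see which mail they would score. The `dkim_verified` and `dk_verified` arguments are assumptions standing in for the DKIM and DomainKeys plugin results; `hits` and `via_ml` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Same patterns as the header sub-rules in the post above.
ML_PRECEDENCE = re.compile(r"\b(list|bulk)\b", re.I)
FROM_GMAIL = re.compile(r"@gmail\.com$", re.I)
FROM_YAHOO = [re.compile(p, re.I) for p in (
    r"[@.]yahoo\.com$",
    r"@yahoo\.com\.(ar|br|cn|hk|my|sg)$",
    r"@yahoo\.co\.(id|in|jp|nz|uk)$",
    r"@yahoo\.(ca|de|dk|es|fr|gr|ie|it|pl|se)$",
)]

def via_ml(msg):
    """__L_VIA_ML: a list marker or a Sender header exempts the mail."""
    markers = ("List-Id", "List-Post", "Mailing-List", "Sender")
    return bool(ML_PRECEDENCE.search(msg.get("Precedence", ""))
                or any(h in msg for h in markers))

def hits(raw, dkim_verified=False, dk_verified=False):
    """Return the names of the meta rules that would fire for one message.
    dkim_verified / dk_verified are assumed inputs (plugin results)."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]  # like From:addr, address only
    fired = []
    if via_ml(msg):
        return fired
    if FROM_GMAIL.search(addr) and not dkim_verified:
        fired.append("L_UNVERIFIED_GMAIL")
    if (any(p.search(addr) for p in FROM_YAHOO)
            and not dkim_verified and not dk_verified):
        fired.append("L_UNVERIFIED_YAHOO")
    return fired

# Constructed sample messages, not real mail.
DIRECT = "From: Abc <abc@gmail.com>\nSubject: hi\n\nbody\n"
LISTED = "From: abc@gmail.com\nList-Id: <users.example.org>\nSubject: hi\n\nbody\n"
LOOKALIKE = "From: abc@gmail.com.example.net\nSubject: hi\n\nbody\n"
YAHOO_UK = "From: x@yahoo.co.uk\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw, dkim in [("direct, unsigned", DIRECT, False),
                            ("direct, verified", DIRECT, True),
                            ("via list", LISTED, False),
                            ("lookalike domain", LOOKALIKE, False),
                            ("yahoo.co.uk", YAHOO_UK, False)]:
        print(f"{name:18} -> {hits(raw, dkim_verified=dkim) or 'no hit'}")
```

The list exemption means unsigned gmail.com mail relayed through a mailing list is not scored, and the `$` anchor keeps an address such as abc@gmail.com.example.net from matching the Gmail pattern.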
RE: about fake mails
Posted by Benny Pedersen <me...@junc.org>.
On Sun, December 7, 2008 15:52, Giampaolo Tomassoni wrote:
> There is no direct way (to my knowledge) to do this.
perldoc Mail::SpamAssassin::Conf see whitelist_auth
perldoc Mail::SpamAssassin::Plugin::DKIM
but okay make a default spam score for DKIM signed mails works :)
and subtract it when it's VERIFIED
> You have to apply a positive score to all mail claiming to be
> "From:" a gmail address, then apply a negative score voiding
> the first one to the DKim-verified ones.
i just add negative score when verified here
--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
RE: about fake mails
Posted by Giampaolo Tomassoni <Gi...@Tomassoni.biz>.
> -----Original Message-----
> From: Yavuz Maslak [mailto:maslak@ihlas.net.tr]
> Sent: Sunday, December 07, 2008 3:02 PM
>
> Ok
> I have started to use dkim verification. I defined whitelists in local.cf.
> it works.
> But I could not find how I give high score for a spammer who doesn't use
> gmail's mail servers.
>
> Although a domain has domain keys, how can I give positive score for a mail
> which comes from a fake smtp server ?
There is no direct way (to my knowledge) to do this.
You have to apply a positive score to all mail claiming to be "From:" a
gmail address, then apply a negative score voiding the first one to the
DKim-verified ones.
Giampaolo
> > Yavuz Maslak wrote:
> >> Sometimes, although anyone don't use domain.com's server, he sends many
> >> mails using himself smtp service as if these mails come from @domain.com.
> >>
> >> the domain.com may be hotmail.com , gmail.com.
> >>
> >> is there a rule for that so that we can give some score for these mails?
> >
> > for gmail, you can use dkim verification. look at the rules in
> > http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> > you may want to accept non signed gmail mail if it comes from nabble or
> > others.
> >
> >
> > for hotmail, there are already rules to catch such forgeries. take a look
> > at
> > http://spamassassin.apache.org/tests_3_2_x.html
> >
> > if you have sample false negatives, post them on pastebin.com.
> >
Re: about fake mails
Posted by mouss <mo...@netoyen.net>.
Yavuz Maslak wrote:
> Let me explain my problem and goal;
>
> For instance, a spammer installs a smtp server and he has a tool to send
> his mails. He writes abc@gmail.com in from address and he sends his
> mails using his smtp server. Namely, he doesn't use gmail's servers. I
> want to give high score for these sort of mails.
>
> Now I have written a rule according to Jeff and Matus,
> Thanks to both.
>
> header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
> header __L_ML2 exists:List-Id
> header __L_ML3 exists:List-Post
> header __L_ML4 exists:Mailing-List
> header __L_HAS_SNDR exists:Sender
> meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
> header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
> meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
> priority L_UNVERIFIED_GMAIL 500
> score L_UNVERIFIED_GMAIL 2.5
> meta UNVERIFIED_GMAILMISS (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
> priority UNVERIFIED_GMAILMISS 600
> score UNVERIFIED_GMAILMISS 0.0
>
> any advances ?
>
copy the file
http://www.netoyen.net/sa/dkim.cf
to your spamassassin rules directory (the directory where you have
local.cf). This file contains the rules suggested on
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
so that you don't need to copy-paste ;-p
run: spamassassin --lint
if you get an error, then either you or I did something wrong ;-p
you may increase the score of L_NOTVALID_GMAIL (and the like) if you
want, but 2.8 should be enough.
Re: about fake mails
Posted by Yavuz Maslak <ma...@ihlas.net.tr>.
Let me explain my problem and goal;
For instance, a spammer installs a smtp server and he has a tool to send his
mails. He writes abc@gmail.com in from address and he sends his mails using
his smtp server. Namely, he doesn't use gmail's servers. I want to give high
score for these sort of mails.
Now I have written a rule according to Jeff and Matus,
Thanks to both.
header __L_ML1 Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2 exists:List-Id
header __L_ML3 exists:List-Post
header __L_ML4 exists:Mailing-List
header __L_HAS_SNDR exists:Sender
meta __L_VIA_ML (__L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR)
header __L_FROM_GMAIL From:addr =~ m{\@gmail\.com$}i
meta L_UNVERIFIED_GMAIL (!DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML)
priority L_UNVERIFIED_GMAIL 500
score L_UNVERIFIED_GMAIL 2.5
meta UNVERIFIED_GMAILMISS (!DKIM_VERIFIED && DKIM_SIGNED && __L_FROM_GMAIL && !__L_VIA_ML)
priority UNVERIFIED_GMAILMISS 600
score UNVERIFIED_GMAILMISS 0.0
any advances ?
> Yavuz Maslak wrote:
>> Ok
>> I have started to use dkim verification. I defined whitelists in
>> local.cf. it works.
>> But I could not find how I give high score for a spammer who doesn't
>> use gmail's mail servers.
>>
>
> The link that I suggested in my previous post contains spamassassin rules.
>
>
>> Although a domain has domain keys, how can I give positive score for a
>> mail which comes from a fake smtp server ?
>>
>
> what is a "fake smtp server"? please explain your problem and goal
> clearly. It would also help to post a sample spam on pastebin.com.
>
Re: about fake mails
Posted by mouss <mo...@netoyen.net>.
Yavuz Maslak wrote:
> Ok
> I have started to use dkim verification. I defined whitelists in
> local.cf. it works.
> But I could not find how I give high score for a spammer who doesn't
> use gmail's mail servers.
>
The link that I suggested in my previous post contains spamassassin rules.
> Although a domain has domain keys, how can I give positive score for a
> mail which comes from a fake smtp server ?
>
what is a "fake smtp server"? please explain your problem and goal
clearly. It would also help to post a sample spam on pastebin.com.
Re: about fake mails
Posted by Yavuz Maslak <ma...@ihlas.net.tr>.
Ok
I have started to use dkim verification. I defined whitelists in local.cf.
it works.
But I could not find how I give high score for a spammer who doesn't use
gmail's mail servers.
Although a domain has domain keys, how can I give positive score for a mail
which comes from a fake smtp server ?
> Yavuz Maslak wrote:
>> Sometimes, although anyone don't use domain.com's server, he sends many
>> mails using himself smtp service as if these mails come from @domain.com.
>>
>> the domain.com may be hotmail.com , gmail.com.
>>
>> is there a rule for that so that we can give some score for these mails?
>
> for gmail, you can use dkim verification. look at the rules in
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
> you may want to accept non signed gmail mail if it comes from nabble or
> others.
>
>
> for hotmail, there are already rules to catch such forgeries. take a look
> at
> http://spamassassin.apache.org/tests_3_2_x.html
>
> if you have sample false negatives, post them on pastebin.com.
>
Re: about fake mails
Posted by mouss <mo...@netoyen.net>.
Yavuz Maslak wrote:
> Sometimes, although anyone don't use domain.com's server, he sends many
> mails using himself smtp service as if these mails come from @domain.com.
>
> the domain.com may be hotmail.com , gmail.com.
>
> is there a rule for that so that we can give some score for these mails?
for gmail, you can use dkim verification. look at the rules in
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
you may want to accept non signed gmail mail if it comes from nabble or
others.
for hotmail, there are already rules to catch such forgeries. take a look at
http://spamassassin.apache.org/tests_3_2_x.html
if you have sample false negatives, post them on pastebin.com.