Posted to dev@spamassassin.apache.org by Dave Jones <da...@apache.org> on 2018/04/11 21:50:14 UTC

Re: svn commit: r1828937 - /spamassassin/trunk/rules/60_whitelist_auth.cf

On 04/11/2018 04:29 PM, billcole@apache.org wrote:
> Author: billcole
> Date: Wed Apr 11 21:29:08 2018
> New Revision: 1828937
> 
> URL: http://svn.apache.org/viewvc?rev=1828937&view=rev
> Log:
> Google Forms has generated spam, befouling the google.com reputation
> 
> Modified:
>      spamassassin/trunk/rules/60_whitelist_auth.cf
> 
> Modified: spamassassin/trunk/rules/60_whitelist_auth.cf
> URL: http://svn.apache.org/viewvc/spamassassin/trunk/rules/60_whitelist_auth.cf?rev=1828937&r1=1828936&r2=1828937&view=diff
> ==============================================================================
> --- spamassassin/trunk/rules/60_whitelist_auth.cf (original)
> +++ spamassassin/trunk/rules/60_whitelist_auth.cf Wed Apr 11 21:29:08 2018
> @@ -80,7 +80,6 @@ def_whitelist_auth *@visadpsmessage.com
>   def_whitelist_auth *@*.pinterest.com
>   def_whitelist_auth *@indeed.com
>   def_whitelist_auth *@*.hyatt.com
> -def_whitelist_auth *@*.google.com
>   def_whitelist_auth *@*.sears.com
>   def_whitelist_auth *@*.jcpenney.com
>   def_whitelist_auth *@*.landsend.com
> 
> 
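
Review bot: the removed `def_whitelist_auth *@*.google.com` line disappears without a comment in its place, so the file no longer records that the entry was dropped deliberately, and a later bulk update could quietly re-add it. A one-line comment at that spot, for example `# *@*.google.com removed: Google Forms abuse`, would document the decision. The log message also speaks of the "google.com reputation" while the removed glob covers only subdomains; stating that scope in the log would avoid confusion with `*@google.com`.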

Do you have an example email of this?  If we report this to Google and 
they handle it properly, it doesn't mean that we need to remove this 
entry unless there is a major problem with trust.  A single email 
occurrence is not enough to remove them.

Besides, this *@*.google.com shouldn't be that common under a subdomain 
of google.com.  It's not *@google.com which would be a higher risk.

Dave

Re: svn commit: r1828937 - /spamassassin/trunk/rules/60_whitelist_auth.cf

Posted by RW <rw...@googlemail.com>.
On Wed, 11 Apr 2018 18:18:36 -0400
Bill Cole wrote:

> On 11 Apr 2018, at 17:50 (-0400), Dave Jones wrote:

> > Besides, this *@*.google.com shouldn't be that common under a 
> > subdomain of google.com.  It's not *@google.com which would be a 
> > higher risk.  
> 
> No, *@google.com is still apparently only Google corporate mail. The 
> only spam I've ever seen from such addresses is stupid recruiter
> tricks.
> 
> 
At the moment all that's left is:
 
  def_whitelist_from_dkim  googlealerts-noreply@google.com

Perhaps this could be replaced with some or all of:

  def_whitelist_auth  *@google.com
  def_whitelist_auth  *@accounts.google.com
  def_whitelist_from_dkim  *@*.google.com

It's the use of a google.com subdomain address for bounce handling that
caused the problem in the user list; the header 'From' address was
@gmail.com.
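
Added example (not part of RW's post and not SpamAssassin's code): a simplified Python model of why the bounce address mattered and what the proposed entries change. It assumes the SPF half of def_whitelist_auth is matched against the envelope sender and the DKIM half against the header From address; the sample addresses and message fields are constructed.

```python
import re

def glob_to_regex(glob):
    """Address glob as written in whitelist entries: '*' = any run, '?' = one char."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def whitelisted_by(entries, msg):
    """Return the entries that would fire for msg under the assumed model.

    spf  : glob matches the envelope sender and SPF passed
    dkim : glob matches the header From and its domain has a valid signature
    auth : either of the above
    """
    hits = []
    for kind, glob in entries:
        rx = glob_to_regex(glob)
        spf_ok = bool(msg["spf_pass"] and rx.match(msg["envelope_from"]))
        dkim_ok = bool(msg["dkim_author_sig"] and rx.match(msg["header_from"]))
        if {"auth": spf_ok or dkim_ok, "spf": spf_ok, "dkim": dkim_ok}[kind]:
            hits.append((kind, glob))
    return hits

# Entry removed in r1828937, and the three entries proposed in the reply above.
OLD = [("auth", "*@*.google.com")]
PROPOSED = [("auth", "*@google.com"),
            ("auth", "*@accounts.google.com"),
            ("dkim", "*@*.google.com")]

# Constructed messages: a form notification with a google.com-subdomain bounce
# address but a gmail.com author, and a notice whose author is under google.com.
FORM_MAIL = {"envelope_from": "bounce-123@bounces.google.com",
             "header_from": "someone@gmail.com",
             "spf_pass": True, "dkim_author_sig": True}
ACCOUNT_MAIL = {"envelope_from": "bounce@accounts.google.com",
                "header_from": "no-reply@accounts.google.com",
                "spf_pass": True, "dkim_author_sig": True}

if __name__ == "__main__":
    for name, msg in (("form", FORM_MAIL), ("account", ACCOUNT_MAIL)):
        print(name, "old:", whitelisted_by(OLD, msg),
              "proposed:", whitelisted_by(PROPOSED, msg))
```

Under this model the old entry fires on the form mail purely through the envelope sender, while the proposed set ignores it and still covers mail whose author address is under google.com.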

Re: svn commit: r1828937 - /spamassassin/trunk/rules/60_whitelist_auth.cf

Posted by Dave Jones <da...@apache.org>.
On 04/11/2018 05:18 PM, Bill Cole wrote:
> On 11 Apr 2018, at 17:50 (-0400), Dave Jones wrote:
> 
>> On 04/11/2018 04:29 PM, billcole@apache.org wrote:
>>> Author: billcole
>>> Date: Wed Apr 11 21:29:08 2018
>>> New Revision: 1828937
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1828937&view=rev
>>> Log:
>>> Google Forms has generated spam, befouling the google.com reputation
>>>
>>> Modified:
>>>      spamassassin/trunk/rules/60_whitelist_auth.cf
>>>
>>> Modified: spamassassin/trunk/rules/60_whitelist_auth.cf
>>> URL: 
>>> http://svn.apache.org/viewvc/spamassassin/trunk/rules/60_whitelist_auth.cf?rev=1828937&r1=1828936&r2=1828937&view=diff 
>>>
>>> ============================================================================== 
>>>
>>> --- spamassassin/trunk/rules/60_whitelist_auth.cf (original)
>>> +++ spamassassin/trunk/rules/60_whitelist_auth.cf Wed Apr 11 21:29:08 
>>> 2018
>>> @@ -80,7 +80,6 @@ def_whitelist_auth *@visadpsmessage.com
>>>   def_whitelist_auth *@*.pinterest.com
>>>   def_whitelist_auth *@indeed.com
>>>   def_whitelist_auth *@*.hyatt.com
>>> -def_whitelist_auth *@*.google.com
>>>   def_whitelist_auth *@*.sears.com
>>>   def_whitelist_auth *@*.jcpenney.com
>>>   def_whitelist_auth *@*.landsend.com
>>>
>>>
>>
>> Do you have an example email of this?
> 
> Discussed on the Users list today. A mostly-Thai form with an internal 
> Hotmail address.
> 
>> If we report this to Google and they handle it properly, it doesn't 
>> mean that we need to remove this entry unless there is a major problem 
>> with trust.
> 
> I disagree. Handling complaints (which Google mostly doesn't in any 
> case) is entirely inadequate to justify trusting mail sent by users they 
> don't actually know with an active backend that has a track record of 
> abuse. Google Docs has become a phishing platform and we should not be 
> telling people to trust it by default.
> 
>> A single email occurrence is not enough to remove them.
> 
> I don't have copies of the similar-sender garbage I've been rejecting 
> because it has been aimed at bogus local addresses.
> 
>> Besides, this *@*.google.com shouldn't be that common under a 
>> subdomain of google.com.  It's not *@google.com which would be a 
>> higher risk.
> 
> No, *@google.com is still apparently only Google corporate mail. The 
> only spam I've ever seen from such addresses is stupid recruiter tricks.
> 
> 

I still contend that the benefits of that entry far outweigh a single 
report of spam that Google will handle if reported to them.  They do 
handle abuse reports and lock accounts all of the time.  I know this 
first hand from my own customers.

The def_whitelist_auth entries aren't only for perfect senders but for 
senders that are targets of spoofing.  They say that this email was from 
Google so we can block other non-Google senders spoofing Google Docs 
shares with malicious links.

No one can say that they have never sent spam outbound.  It happens once 
in a while even to the best of us that go to great lengths to detect and 
prevent it.  Most RBLs will tolerate a small amount of junk email and only 
list an IP when it's persistent.  These def_whitelist_auth entries 
should be treated the same way.

Dave

Re: svn commit: r1828937 - /spamassassin/trunk/rules/60_whitelist_auth.cf

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 11 Apr 2018, at 17:50 (-0400), Dave Jones wrote:

> On 04/11/2018 04:29 PM, billcole@apache.org wrote:
>> Author: billcole
>> Date: Wed Apr 11 21:29:08 2018
>> New Revision: 1828937
>>
>> URL: http://svn.apache.org/viewvc?rev=1828937&view=rev
>> Log:
>> Google Forms has generated spam, befouling the google.com reputation
>>
>> Modified:
>>      spamassassin/trunk/rules/60_whitelist_auth.cf
>>
>> Modified: spamassassin/trunk/rules/60_whitelist_auth.cf
>> URL: 
>> http://svn.apache.org/viewvc/spamassassin/trunk/rules/60_whitelist_auth.cf?rev=1828937&r1=1828936&r2=1828937&view=diff
>> ==============================================================================
>> --- spamassassin/trunk/rules/60_whitelist_auth.cf (original)
>> +++ spamassassin/trunk/rules/60_whitelist_auth.cf Wed Apr 11 21:29:08 
>> 2018
>> @@ -80,7 +80,6 @@ def_whitelist_auth *@visadpsmessage.com
>>   def_whitelist_auth *@*.pinterest.com
>>   def_whitelist_auth *@indeed.com
>>   def_whitelist_auth *@*.hyatt.com
>> -def_whitelist_auth *@*.google.com
>>   def_whitelist_auth *@*.sears.com
>>   def_whitelist_auth *@*.jcpenney.com
>>   def_whitelist_auth *@*.landsend.com
>>
>>
>
> Do you have an example email of this?

Discussed on the Users list today. A mostly-Thai form with an internal 
Hotmail address.

> If we report this to Google and they handle it properly, it doesn't 
> mean that we need to remove this entry unless there is a major problem 
> with trust.

I disagree. Handling complaints (which Google mostly doesn't in any 
case) is entirely inadequate to justify trusting mail sent by users they 
don't actually know with an active backend that has a track record of 
abuse. Google Docs has become a phishing platform and we should not be 
telling people to trust it by default.

> A single email occurrence is not enough to remove them.

I don't have copies of the similar-sender garbage I've been rejecting 
because it has been aimed at bogus local addresses.

> Besides, this *@*.google.com shouldn't be that common under a 
> subdomain of google.com.  It's not *@google.com which would be a 
> higher risk.

No, *@google.com is still apparently only Google corporate mail. The 
only spam I've ever seen from such addresses is stupid recruiter tricks.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole