Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2017/08/29 16:27:33 UTC

Whitelisting amazon where no DKIM_VALID_AU exists

Hi, it appears SANS is using amazon to relay some of their mail, but
does not sign their messages with DKIM. The mail is sent as part of
some corporate training program they're doing, using the domain of the
company contracting with them for the training.

So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
making it difficult to whitelist. It shouldn't need to be whitelisted
in the first place, but my users are demanding it be done.

More generally, how can I whitelist mail that originates from
something like 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000000@us-west-2.amazonses.com
and has no DKIM_VALID_AU, making it impossible to whitelist by From
address?

My concern is using whitelist_from_rcvd with a generic sender like
amazonses doesn't really provide much additional security when it's
effectively a freemail relay.

Maybe create a unique rule that subtracts points?

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by Benny Pedersen <me...@junc.eu>.
Alex wrote on 2017-08-29 18:27:

> More generally, how can I whitelist mail that originates from
> something like
> 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000000@us-west-2.amazonses.com
> and has no DKIM_VALID_AU, making it impossible to whitelist by From
> address?

whitelist_from_dkim *@* <-d tag in the signing mail>

if it's 3rd party signed

for spf use *@<rest as shown in your example after @>

using other whitelist options opens a can of worms to solve, is it 
tagged as spam?, or just users' requests?

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by RW <rw...@googlemail.com>.
On Tue, 29 Aug 2017 12:27:33 -0400
Alex wrote:

> Hi, it appears SANS is using amazon to relay some of their mail, but
> does not sign their messages with DKIM. The mail is sent as part of
> some corporate training program they're doing, using the domain of the
> company contracting with them for the training.
> 
> So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
> making it difficult to whitelist. It shouldn't need to be whitelisted
> in the first place, but my users are demanding it be done.
> 
> More generally, how can I whitelist mail that originates from
> something like
> 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000000@us-west-2.amazonses.com
> and has no DKIM_VALID_AU, making it impossible to whitelist by From
> address?
> 

The definition is:

whitelist_from_dkim author@example.com [signing-domain]

so you can create a dkim-based whitelisting entry. 


> My concern is using whitelist_from_rcvd with a generic sender like
> amazonses doesn't really provide much additional security when it's
> effectively a freemail relay.

It's probably the same for dkim - possibly amazon has something in
place to prevent one customer spoofing another, I don't know.

You might want to use def_whitelist_from_dkim instead.

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by David Jones <dj...@ena.com>.
On 08/30/2017 02:04 PM, John Hardin wrote:
> On Wed, 30 Aug 2017, Kevin Golding wrote:
> 
>> On Wed, 30 Aug 2017 19:54:19 +0100, David Jones <dj...@ena.com> wrote:
>>
>>> That abuse@amazonaws.com address is on this page:
>>>
>>> https://aws.amazon.com/forms/report-abuse
>>>
>>> Surely you can forward as attachment or either paste in the original 
>>> headers to provide them enough detail to track down their bad customer.
>>
>> Stick to copy & paste, the next line on that page says "Please note 
>> that we will not open attachments under any circumstance."
> 
> I generally forward the original mail as an attachment for evidence, but 
> pull out the website/IP/email address/etc. into the main body of the 
> report.
> 

Same here.  I look for special headers that are used to track the sender 
specifically within that platform.  For example, I would make sure these 
(or similar) are included with the other standard headers:

Message-ID: <01...@email.amazonses.com>
X-SES-Outgoing: 2017.08.30-54.240.10.18
Feedback-ID: 1.us-east-1.3zWOylQE8BHZIDKDumStTeJTJb5IHA8tMjgR7Q3udwg=:AmazonSES

-- 
David Jones
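
An added example, not part of the original post: a Python sketch that pulls the sender-tracking headers named above, plus relay IPs and body URLs, out of a raw message and lays them out as plain text for pasting into an abuse report. The sample message, its addresses and its header values are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Header names from the post above; the values below are constructed.
TRACKING_HEADERS = ("Message-ID", "X-SES-Outgoing", "Feedback-ID")

SAMPLE = """\
Received: from out.relay.example (out.relay.example [192.0.2.18])
\tby mx.recipient.example; Wed, 30 Aug 2017 12:00:00 -0400
From: "Honor Roll" <offers@sender.example>
To: user@recipient.example
Subject: You have been selected
Message-ID: <constructed-0001@email.amazonses.com>
X-SES-Outgoing: 2017.08.30-192.0.2.18
Feedback-ID: 1.us-east-1.CONSTRUCTEDTOKEN=:AmazonSES

Claim your membership at http://landing.sender.example/join today.
"""

def extract_evidence(raw):
    """Collect what the abuse desk needs to identify the sending customer."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    received = " ".join(str(r) for r in msg.get_all("Received", []))
    return {
        "tracking": {h: str(msg[h]).strip() for h in TRACKING_HEADERS if msg[h]},
        "relay_ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received),
        "urls": sorted(set(re.findall(r"https?://[^\s<>\"']+", text))),
        "headers": "\n".join(f"{k}: {v}" for k, v in msg.items()),
    }

def format_report(ev):
    """Everything inline as plain text, with no attachment."""
    lines = ["Spam received via Amazon SES. Sender-tracking headers:"]
    lines += [f"  {k}: {v}" for k, v in ev["tracking"].items()]
    lines += ["Relay IPs: " + ", ".join(ev["relay_ips"]),
              "URLs in body: " + ", ".join(ev["urls"]),
              "", "Full original headers:", ev["headers"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(extract_evidence(SAMPLE)))
```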

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Aug 2017, Kevin Golding wrote:

> On Wed, 30 Aug 2017 19:54:19 +0100, David Jones <dj...@ena.com> wrote:
>
>> That abuse@amazonaws.com address is on this page:
>> 
>> https://aws.amazon.com/forms/report-abuse
>> 
>> Surely you can forward as attachment or either paste in the original 
>> headers to provide them enough detail to track down their bad customer.
>
> Stick to copy & paste, the next line on that page says "Please note that we 
> will not open attachments under any circumstance."

I generally forward the original mail as an attachment for evidence, but 
pull out the website/IP/email address/etc. into the main body of the 
report.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   I'm seriously considering getting one of those bright-orange prison
   overalls and stencilling PASSENGER on the back. Along with the paper
   slippers, I ought to be able to walk right through security.
                                              -- Brian Kantor in a.s.r
-----------------------------------------------------------------------
  153 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by Kevin Golding <kp...@caomhin.org>.
On Wed, 30 Aug 2017 19:54:19 +0100, David Jones <dj...@ena.com> wrote:


> That abuse@amazonaws.com address is on this page:
>
> https://aws.amazon.com/forms/report-abuse
>
> Surely you can forward as attachment or either paste in the original  
> headers to provide them enough detail to track down their bad customer.

Stick to copy & paste, the next line on that page says "Please note that  
we will not open attachments under any circumstance."

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by David Jones <dj...@ena.com>.
On 08/30/2017 01:27 PM, John Hardin wrote:
> On Wed, 30 Aug 2017, Kris Deugau wrote:
> 
>> David Jones wrote:
>>>  Report it to Amazon's abuse
>>
>> Have you found a sane way to do this?
>>
>> Last time I tried I couldn't just forward the offending message as an 
>> attachment like nearly every other abuse contact accepts (and 
>> generally insists on!);  I got pointed to a webform clearly designed 
>> for reporting abuse of their elastic compute services, not their SMTP 
>> relay service.
> 
> Try abuse@amazonaws.com
> 

That abuse@amazonaws.com address is on this page:

https://aws.amazon.com/forms/report-abuse

Surely you can forward as attachment or either paste in the original 
headers to provide them enough detail to track down their bad customer. 
That form would be a real pain to have to fill out for a simple spam 
abuse report.

-- 
David Jones

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Aug 2017, Kris Deugau wrote:

> David Jones wrote:
>>  Report it to Amazon's abuse
>
> Have you found a sane way to do this?
>
> Last time I tried I couldn't just forward the offending message as an 
> attachment like nearly every other abuse contact accepts (and generally 
> insists on!);  I got pointed to a webform clearly designed for reporting 
> abuse of their elastic compute services, not their SMTP relay service.

Try abuse@amazonaws.com

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Once more, please; I missed it the last time: what's the difference
   between "Quantitative Easing" and "Counterfeiting"?
-----------------------------------------------------------------------
  153 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by Kris Deugau <kd...@vianet.ca>.
David Jones wrote:
> Report it to Amazon's abuse

Have you found a sane way to do this?

Last time I tried I couldn't just forward the offending message as an 
attachment like nearly every other abuse contact accepts (and generally 
insists on!);  I got pointed to a webform clearly designed for reporting 
abuse of their elastic compute services, not their SMTP relay service.

-kgd

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by David Jones <dj...@ena.com>.
On 08/30/2017 08:19 AM, Joseph Brennan wrote:
> On Tue, Aug 29, 2017 at 2:24 PM, David Jones <dj...@ena.com> wrote:
> 
>>  From my experience, Amazon's Simple Email Service already has a good
>> reputation -- not on major RBLs.  I have never had problems with spam from
>> Amazon SES and they seem to do a very good job of handling abuse:
> 
> 
> Clearly your domain (not being .edu) does not get 30,000 spams a day
> from amazonses by the scammers at honorsocietymail(dot)org. With that
> kind of volume I'd normally prefer to block the sending IPs but sad to
> say legitimate mail comes out of the same hosts, so we have to collect
> the 30,000 and look at content.
> 
> It is interesting that Spamhaus does not list the sending IPs or the
> web hosts. Maybe their secret honeypot addresses do not have enough
> .edu presence.
> 
> (google: "honor society" scam)
> 
> 

Do you mind posting one of those honorsocietymail(dot)org messages to 
pastebin?  Report it to Amazon's abuse and see how they respond.  I bet 
they will handle this properly and improve this situation for the 
Internet as a whole.

-- 
David Jones

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by Joseph Brennan <br...@columbia.edu>.
On Tue, Aug 29, 2017 at 2:24 PM, David Jones <dj...@ena.com> wrote:

> From my experience, Amazon's Simple Email Service already has a good
> reputation -- not on major RBLs.  I have never had problems with spam from
> Amazon SES and they seem to do a very good job of handling abuse:


Clearly your domain (not being .edu) does not get 30,000 spams a day
from amazonses by the scammers at honorsocietymail(dot)org. With that
kind of volume I'd normally prefer to block the sending IPs but sad to
say legitimate mail comes out of the same hosts, so we have to collect
the 30,000 and look at content.

It is interesting that Spamhaus does not list the sending IPs or the
web hosts. Maybe their secret honeypot addresses do not have enough
.edu presence.

(google: "honor society" scam)


-- 
Joseph Brennan
Columbia University


Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by Alex <my...@gmail.com>.
Hi,

On Tue, Aug 29, 2017 at 2:24 PM, David Jones <dj...@ena.com> wrote:
> On 08/29/2017 11:27 AM, Alex wrote:
>>
>> Hi, it appears SANS is using amazon to relay some of their mail, but
>> does not sign their messages with DKIM. The mail is sent as part of
>> some corporate training program they're doing, using the domain of the
>> company contracting with them for the training.
>>
>> So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
>> making it difficult to whitelist. It shouldn't need to be whitelisted
>> in the first place, but my users are demanding it be done.
>>
>> More generally, how can I whitelist mail that originates from
>> something like
>> 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000000@us-west-2.amazonses.com
>> and has no DKIM_VALID_AU, making it impossible to whitelist by From
>> address?
>>
>> My concern is using whitelist_from_rcvd with a generic sender like
>> amazonses doesn't really provide much additional security when it's
>> effectively a freemail relay.
>>
>> Maybe create a unique rule that subtracts points?
>>
>
> From my experience, Amazon's Simple Email Service already has a good
> reputation -- not on major RBLs.  I have never had problems with spam from
> Amazon SES and they seem to do a very good job of handling abuse:
>
> https://aws.amazon.com/blogs/ses/tag/abuse-complaint/
>
> This is my definition of a trusted sender that could be safely whitelisted
> with:
>
> whitelist_auth *@amazonses.com
> whitelist_auth *@*.amazonses.com
>
> The SPF_PASS will be enough with the SANS domain to work with the
> whitelist_auth entries above without DKIM_VALID_AU hits.

Okay, awesome. I think I misunderstood the purpose of amazonses, and
thought it was more accessible to freemailers and spammers than it
actually appears to be.

In other words, I thought if someone had an amazonses account, they
could spoof a sender, and although as unlikely as it is for someone to
know it's whitelisted, the possibility exists.

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by RW <rw...@googlemail.com>.
On Tue, 29 Aug 2017 13:24:03 -0500
David Jones wrote:

> https://aws.amazon.com/blogs/ses/tag/abuse-complaint/
> 
> This is my definition of a trusted sender that could be safely 
> whitelisted with:
> 
> whitelist_auth *@amazonses.com
> whitelist_auth *@*.amazonses.com
> 
> The SPF_PASS will be enough with the SANS domain to work with the 
> whitelist_auth entries above without DKIM_VALID_AU hits.

It's no more difficult to match either spf or dkim: 

whitelist_from_spf   *.amazonses.com
whitelist_from_dkim  * amazonses.com
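
An added example, not part of the original post and not SpamAssassin's own code: a simplified Python model of how a whitelist_from_dkim entry (author glob plus optional signing domain) is evaluated, to show how much mail each form of entry covers. The addresses and customer domains are constructed, and the author-domain case is reduced to an exact domain match.

```python
import re

# Both directives share the syntax: <author-glob> [signing-domain]
DIRECTIVES = {"whitelist_from_dkim", "def_whitelist_from_dkim"}

# Constructed messages: (author From address, d= domains whose signature verified)
MESSAGES = {
    "training_via_ses": ("training@customer.example", {"amazonses.com"}),
    "other_ses_tenant": ("promo@unrelated.example", {"amazonses.com"}),
    "first_party":      ("hr@customer.example", {"customer.example"}),
    "unsigned_forgery": ("training@customer.example", set()),
}

def glob_to_regex(glob):
    """Address glob: '*' matches any run of characters, '?' exactly one."""
    out = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob.lower()]
    return re.compile("".join(out))

def entry_matches(line, author, valid_signers):
    fields = line.split()
    if len(fields) not in (2, 3) or fields[0] not in DIRECTIVES:
        raise ValueError(f"not a DKIM whitelist entry: {line!r}")
    author = author.lower()
    if not glob_to_regex(fields[1]).fullmatch(author):
        return False
    if len(fields) == 3:
        # Second field given: a valid signature by that domain is required.
        return fields[2].lower() in valid_signers
    # No second field: only a signature by the author's own domain counts
    # (the DKIM_VALID_AU case). Simplified here to an exact domain match.
    return author.rpartition("@")[2] in valid_signers

def coverage(line):
    """Names of the constructed messages that the entry would whitelist."""
    return sorted(n for n, (a, s) in MESSAGES.items() if entry_matches(line, a, s))

if __name__ == "__main__":
    for entry in ("whitelist_from_dkim * amazonses.com",
                  "whitelist_from_dkim *@customer.example amazonses.com",
                  "whitelist_from_dkim *@customer.example"):
        print(f"{entry:55} -> {coverage(entry)}")
```

In this model the wildcard author entry covers every customer whose mail carries a valid amazonses.com signature, while pinning the author pattern to the contracting company's domain covers only the training mail.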

Re: Whitelisting amazon where no DKIM_VALID_AU exists

Posted by David Jones <dj...@ena.com>.
On 08/29/2017 11:27 AM, Alex wrote:
> Hi, it appears SANS is using amazon to relay some of their mail, but
> does not sign their messages with DKIM. The mail is sent as part of
> some corporate training program they're doing, using the domain of the
> company contracting with them for the training.
> 
> So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
> making it difficult to whitelist. It shouldn't need to be whitelisted
> in the first place, but my users are demanding it be done.
> 
> More generally, how can I whitelist mail that originates from
> something like 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000000@us-west-2.amazonses.com
> and has no DKIM_VALID_AU, making it impossible to whitelist by From
> address?
> 
> My concern is using whitelist_from_rcvd with a generic sender like
> amazonses doesn't really provide much additional security when it's
> effectively a freemail relay.
> 
> Maybe create a unique rule that subtracts points?
> 

From my experience, Amazon's Simple Email Service already has a good 
reputation -- not on major RBLs.  I have never had problems with spam 
from Amazon SES and they seem to do a very good job of handling abuse:

https://aws.amazon.com/blogs/ses/tag/abuse-complaint/

This is my definition of a trusted sender that could be safely 
whitelisted with:

whitelist_auth *@amazonses.com
whitelist_auth *@*.amazonses.com

The SPF_PASS will be enough with the SANS domain to work with the 
whitelist_auth entries above without DKIM_VALID_AU hits.

-- 
David Jones