Posted to dev@spamassassin.apache.org by Jari Fredriksson <ja...@iki.fi> on 2015/09/09 21:35:36 UTC
KAM.cf ...
8.0 KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
Ouch.
I received a valid mail from Facebook telling me that a friend
mentioned my name in a post. 8.0?
--
jarif.bit
Re: KAM.cf ...
Posted by Benny Pedersen <me...@junc.eu>.
Jari Fredriksson skrev den 2015-09-09 21:35:
> 8.0 KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
is dkim protected
> Ouch.
what ? :=)
> I received a valid mail from Facebook telling me that a friend
> mentioned my name in a post. 8.0?
check if it's DKIM valid AU, is it really facebookmail.com in From:
headers, not in envelope sender since it's not dkim signed, did spf pass
for the envelope sender ?
if it's a friend he should have been given a way to send you mail
without facebookmail.com, users at facebook.com had one in a period
random@facebook.com email addresses when facebook thought about it it
was shut down
Re: KAM.cf ...
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 9/10/2015 3:30 PM, Jari Fredriksson wrote:
> Yes, diseapps.com is the mx receiving all my mail. It has a new IP
> address now, and I had not made it trusted in SA. Fixed and hopefully
> works now.
Excellent! Always nice to know analysis was accurate.
Re: KAM.cf ...
Posted by Jari Fredriksson <ja...@iki.fi>.
On 10.9.2015 15:44, Kevin A. McGrail wrote:
> It appears to be a forward from an account for you at @diseapps.com
> which is breaking SPF and causing the issue.
>
> Regards,
> KAM
Yes, diseapps.com is the mx receiving all my mail. It has a new IP
address now, and I had not made it trusted in SA. Fixed and hopefully
works now.
br. jarif
> On 9/10/2015 4:51 AM, Jari Fredriksson wrote:
>
>> On 9.9.2015 22:41, Joe Quinn wrote:
>>
>>> On 9/9/2015 3:35 PM, Jari Fredriksson wrote:
>>>
>>>> 8.0 KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
>>>>
>>>> Ouch.
>>>>
>>>> I received a valid mail from Facebook telling me that a friend
>>>> mentioned my name in a post. 8.0?
>>> Are you sure it was valid? Did the message hit SPF_FAIL or
>>> DKIM_ADSP_ALL? Can you post a sample? It's scored it 8.0 because
>>> Facebook uses SPF and DKIM, so the rule should be perfectly safe.
>>
>> I posted it to KAM off list.
>>
>> It has:
>>
>>  0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
>>                             [SPF failed: Please see
>>                             http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock [1]]
>> -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>>                             [score: 0.0000]
>>  1.0 HTML_MESSAGE           BODY: HTML included in message
>>  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>>                             background
>> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
>>                             author's domain
>> -0.0 DKIM_VERIFIED          No description available.
>> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
>>                             valid
>>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>>  8.0 KAM_FACEBOOKMAIL       Fake or Abused Facebook Mail
>>  0.0 T_REMOTE_IMAGE         Message contains an external image
>
> --
> KEVIN A. MCGRAIL
> CEO
>
> Peregrine Computer Consultants Corporation
> 3927 Old Lee Highway, Suite 102-C
> Fairfax, VA 22030-2422
>
> http://www.pccc.com/ [2]
>
> 703-359-9700 x50 / 800-823-8402 (Toll-Free)
> 703-798-0171 (wireless)
> KMcGrail@PCCC.com [3]
>
>
>
> Links:
> ------
> [1]
>
> http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock
> [2] http://www.pccc.com/
> [3] mailto:kmcgrail@pccc.com
--
jarif.bit
Re: KAM.cf ...
Posted by Benny Pedersen <me...@junc.eu>.
Kevin A. McGrail skrev den 2015-09-10 14:44:
> It appears to be a forward from an account for you at @diseapps.com
> which is breaking SPF and causing the issue.
in that case jari could add that server ip to trusted_networks and the
spf check will pass imho :=)
(any forwarding ip must be trusted)
but note here, if this is added, it could be any domain sending mail
from that ip YMNK
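The effect discussed in this thread, as an added example that is not part of the original posts and is not SpamAssassin's own code: a simplified model of how the set of trusted relays decides which IP address SPF is evaluated against. The `Received` lines, the hostname `mx-out.sender.example` and the `192.0.2.0/24` range are constructed stand-ins; only `104.214.219.241`, `diseapps.com` and `gamecock` come from the thread.

```python
import ipaddress
import re

# Constructed Received chain, newest hop first (the order headers appear in).
# 192.0.2.10 stands in for a host the sender's SPF record authorises.
RECEIVED = [
    "from diseapps.com (diseapps.com [104.214.219.241]) by gamecock with ESMTP",
    "from mx-out.sender.example (mx-out.sender.example [192.0.2.10]) "
    "by diseapps.com with ESMTP",
]
# Stand-in for the sender domain's published SPF range (assumption).
SPF_AUTHORISED = [ipaddress.ip_network("192.0.2.0/24")]


def relay_ips(received):
    """Return the bracketed client IP of each Received line, newest first."""
    ips = []
    for line in received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def first_untrusted(received, trusted):
    """Walk from the newest hop and return the first relay IP not in `trusted`.

    Hops handed over by relays we trust are skipped, so this is the address
    the SPF check is run against in this model.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in relay_ips(received):
        if not any(ip in net for net in nets):
            return ip
    return None  # every hop was trusted: no external relay to check


def spf_result(received, trusted):
    """Model SPF outcome: 'pass', 'fail', or 'none' if no external relay."""
    ip = first_untrusted(received, trusted)
    if ip is None:
        return "none"
    return "pass" if any(ip in net for net in SPF_AUTHORISED) else "fail"
```

With no trusted relays the check runs against the forwarder and fails; with the forwarder trusted it runs against whatever address the forwarder recorded for the previous hop, so the result is only as reliable as that forwarder's `Received` line.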
Re: KAM.cf ...
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
It appears to be a forward from an account for you at @diseapps.com
which is breaking SPF and causing the issue.
Regards,
KAM
On 9/10/2015 4:51 AM, Jari Fredriksson wrote:
> On 9.9.2015 22:41, Joe Quinn wrote:
>> On 9/9/2015 3:35 PM, Jari Fredriksson wrote:
>>>
>>> 8.0 KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
>>>
>>> Ouch.
>>>
>>> I received a valid mail from Facebook telling me that a friend
>>> mentioned my name in a post. 8.0?
>>>
>> Are you sure it was valid? Did the message hit SPF_FAIL or
>> DKIM_ADSP_ALL? Can you post a sample? It's scored it 8.0 because
>> Facebook uses SPF and DKIM, so the rule should be perfectly safe.
>
> I posted it to KAM off list.
>
> It has:
>
>  0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
>                             [SPF failed: Please see
>                             http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock]
> -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
>                             [score: 0.0000]
>  1.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
>                             background
> -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
>                             author's domain
> -0.0 DKIM_VERIFIED          No description available.
> -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
>  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
>                             valid
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  8.0 KAM_FACEBOOKMAIL       Fake or Abused Facebook Mail
>  0.0 T_REMOTE_IMAGE         Message contains an external image
>
>
--
*Kevin A. McGrail*
CEO
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
KMcGrail@PCCC.com <ma...@pccc.com>
Re: KAM.cf ...
Posted by Joe Quinn <jq...@pccc.com>.
On 9/10/2015 7:42 AM, Benny Pedersen wrote:
> Jari Fredriksson skrev den 2015-09-10 10:51:
>
>> 0.0 SPF_FAIL SPF: sender does not match SPF record (fail)
>> [SPF failed: Please see
>> http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock]
>>
>> -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>
> gamecock rejected a message that claimed an envelope sender address of
> notification+kjdmk5uhu7um@facebookmail.com.
> gamecock received a message from diseapps.com (104.214.219.241) that
> claimed an envelope sender address of
> notification+kjdmk5uhu7um@facebookmail.com.
>
> However, the domain facebookmail.com has declared using SPF that it
> does not send mail through diseapps.com (104.214.219.241). That is why
> the message was rejected.
>
> does your friend play games at diseapps.com ?
>
>> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
>> from author's
>> domain
>
> what dkim key is it ?
For what it's worth, googling "diseapps.com" yields nothing but "about
this domain" sites like domainwho.is, bgp.he.net, etc. While obviously
not an absolute indicator, the number of legitimate domains with SEO
that poor I have seen is quite small.
Re: KAM.cf ...
Posted by Benny Pedersen <me...@junc.eu>.
Jari Fredriksson skrev den 2015-09-10 10:51:
> 0.0 SPF_FAIL SPF: sender does not match SPF record
> (fail)
> [SPF failed: Please see
> http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock]
> -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
gamecock rejected a message that claimed an envelope sender address of
notification+kjdmk5uhu7um@facebookmail.com.
gamecock received a message from diseapps.com (104.214.219.241) that
claimed an envelope sender address of
notification+kjdmk5uhu7um@facebookmail.com.
However, the domain facebookmail.com has declared using SPF that it does
not send mail through diseapps.com (104.214.219.241). That is why the
message was rejected.
does your friend play games at diseapps.com ?
> -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature
> from author's
> domain
what dkim key is it ?
Re: KAM.cf ...
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
Hi Jari.
Looks like FB has an issue with their spf record? According to this, the SPF failed so we have no choice but to think it is fake. Will look at the sample.
Regards,
KAM
>> Are you sure it was valid? Did the message hit SPF_FAIL or
>> DKIM_ADSP_ALL? Can you post a sample? It's scored it 8.0 because
>> Facebook uses SPF and DKIM, so the rule should be perfectly safe.
>
>I posted it to KAM off list.
>
>It has:
>
> 0.0 SPF_FAIL SPF: sender does not match SPF record
>(fail)
>[SPF failed: Please see
>http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock]
Re: KAM.cf ...
Posted by Jari Fredriksson <ja...@iki.fi>.
On 9.9.2015 22:41, Joe Quinn wrote:
> On 9/9/2015 3:35 PM, Jari Fredriksson wrote:
>>
>> 8.0 KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
>>
>> Ouch.
>>
>> I received a valid mail from Facebook telling me that a friend
>> mentioned my name in a post. 8.0?
>>
> Are you sure it was valid? Did the message hit SPF_FAIL or
> DKIM_ADSP_ALL? Can you post a sample? It's scored it 8.0 because
> Facebook uses SPF and DKIM, so the rule should be perfectly safe.
I posted it to KAM off list.
It has:
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.net/Why?s=mfrom;id=notification%2Bkjdmk5uhu7um%40facebookmail.com;ip=104.214.219.241;r=gamecock]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 1.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar or identical to
                            background
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.0 DKIM_VERIFIED          No description available.
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 8.0 KAM_FACEBOOKMAIL       Fake or Abused Facebook Mail
 0.0 T_REMOTE_IMAGE         Message contains an external image
--
jarif.bit
Re: KAM.cf ...
Posted by Joe Quinn <jq...@pccc.com>.
On 9/9/2015 3:35 PM, Jari Fredriksson wrote:
>
> 8.0 KAM_FACEBOOKMAIL Fake or Abused Facebook Mail
>
> Ouch.
>
> I received a valid mail from Facebook telling me that a friend
> mentioned my name in a post. 8.0?
>
Are you sure it was valid? Did the message hit SPF_FAIL or
DKIM_ADSP_ALL? Can you post a sample? It's scored it 8.0 because
Facebook uses SPF and DKIM, so the rule should be perfectly safe.