Posted to users@spamassassin.apache.org by Mark Martinec <Ma...@ijs.si> on 2011/03/03 15:38:01 UTC
pharmaceuticals through faked Twitter
Just in case one would like to attach an additional spam score to faked twitter
messages with original twitter text, faked signatures, and actual URL links
to spam sites, here are the rules (for SA 3.3.*, DKIM plugin enabled):
full __L_DKIM_VALID_TWITTER eval:check_dkim_valid(twitter.com)
header __L_FROM_TWITTER From:addr =~ /[\@.]twitter\.com$/mi
meta L_FAKE_TWITTER __L_FROM_TWITTER && !__L_DKIM_VALID_TWITTER
score L_FAKE_TWITTER 5
Mark
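Added example, not part of the original post and not SpamAssassin code: a small Python model of the L_FAKE_TWITTER meta rule above, run over constructed From headers and DKIM outcomes. The dkim_results mapping and the exact-match lookup on the signing domain are assumptions standing in for what the DKIM plugin computes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Same pattern as the __L_FROM_TWITTER header rule (Perl /mi -> re.I | re.M).
FROM_TWITTER = re.compile(r"[@.]twitter\.com$", re.I | re.M)

def from_addr(raw_message):
    """Rough equivalent of From:addr: the bare address, no display name."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1]

def fake_twitter(raw_message, dkim_results):
    """Model of: meta L_FAKE_TWITTER __L_FROM_TWITTER && !__L_DKIM_VALID_TWITTER

    dkim_results (hypothetical) maps a signing domain (d=) to the verifier
    outcome for that signature: 'pass', 'fail' or 'temperror'.
    """
    claims_twitter = bool(FROM_TWITTER.search(from_addr(raw_message)))
    # Only a verified signature counts; a bad signature, a missing one and
    # a failed key lookup all leave the "valid" sub-rule false.
    valid_twitter_sig = dkim_results.get("twitter.com") == "pass"
    return claims_twitter and not valid_twitter_sig

def sample(from_header):
    """Build a constructed test message with the given From header."""
    return f"From: {from_header}\nSubject: constructed sample\n\nbody\n"

# (From header, DKIM outcomes, expected L_FAKE_TWITTER) -- all constructed.
CASES = [
    ("Twitter <notify@twitter.com>", {"twitter.com": "pass"}, False),
    ("Twitter <notify@twitter.com>", {}, True),                    # unsigned
    ("Twitter <notify@twitter.com>", {"twitter.com": "fail"}, True),
    ("Twitter <notify@twitter.com>", {"twitter.com": "temperror"}, True),
    ("Twitter <n@postmaster.twitter.com>", {"spam.example": "pass"}, True),
    ("Twitter <notify@nottwitter.com>", {}, False),    # lookalike, no match
    ("Twitter <notify@twitter.com.example>", {}, False),  # suffix trick
]

def run_cases():
    """Return the rule outcome for every constructed case, in order."""
    return [fake_twitter(sample(f), dkim) for f, dkim, _ in CASES]

if __name__ == "__main__":
    for (frm, dkim, _), hit in zip(CASES, run_cases()):
        print(f"{'HIT ' if hit else 'miss'} {frm:40} {dkim}")
```

The rule keys only on the address in From, so a lookalike domain under a "Twitter" display name is not caught by it, and a signature from any other domain does not satisfy the twitter.com check.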
Re: pharmaceuticals through faked Twitter
Posted by Benny Pedersen <me...@junc.org>.
On Thu, 3 Mar 2011 19:53:47 +0100, Mark Martinec <Ma...@ijs.si>
>> > full __L_DKIM_VALID_TWITTER eval:check_dkim_valid(twitter.com)
> I don't want to whitelist valid mail from twitter - too much junk there.
let's hope it will only be there, so far i have seen more problems with yahoo
here i am only using whitelist_from_dkim for friends i have seen in person,
all other valid dkim get def_whitelist if it's not spam, and i more or less
then just adjust scores on that basis
back to get rfc 2671 solved here :(
Re: pharmaceuticals through faked Twitter
Posted by Mark Martinec <Ma...@ijs.si>.
Benny,
> > full __L_DKIM_VALID_TWITTER eval:check_dkim_valid(twitter.com)
>
> why not check_dkim_invalid(foo) ?
There is no such eval rule 'check_dkim_invalid'.
Even if there were, it would be misleading: a bad signature is supposed
to be indistinguishable from a missing signature.
> if it's valid, use def_whitelist_from_dkim *@twitter.com
> or whitelist_from_dkim foo@twitter.com if bigger whitelist score is needed
I don't want to whitelist valid mail from twitter - too much junk there.
Mark
Re: pharmaceuticals through faked Twitter
Posted by Benny Pedersen <me...@junc.org>.
On Thu, 3 Mar 2011 12:54:09 -0500, Michael Scheidell
<mi...@secnap.com> wrote:
> On 3/3/11 12:43 PM, Benny Pedersen wrote:
>> why not check_dkim_invalid(foo) ?
>>
> because if you, your isp, them, their isp, your dns provider, their dns
> provider have a problem, and you can't look up the public key, you just
> blacklisted them.
imho dkim checks are like postfix's distinction between domain not found and
nameservers not answering, where postfix tempfails if there is no answer; would a
dkim test for invalid not do the same on no dns results?
Re: pharmaceuticals through faked Twitter
Posted by Michael Scheidell <mi...@secnap.com>.
On 3/3/11 12:43 PM, Benny Pedersen wrote:
> why not check_dkim_invalid(foo) ?
>
because if you, your isp, them, their isp, your dns provider, their dns
provider have a problem, and you can't look up the public key, you just
blacklisted them.
--
Michael Scheidell, CTO
Re: pharmaceuticals through faked Twitter
Posted by Benny Pedersen <me...@junc.org>.
On Thu, 3 Mar 2011 15:38:01 +0100, Mark Martinec <Ma...@ijs.si>
wrote:
> full __L_DKIM_VALID_TWITTER eval:check_dkim_valid(twitter.com)
why not check_dkim_invalid(foo) ?
if it's valid, use def_whitelist_from_dkim *@twitter.com
or whitelist_from_dkim foo@twitter.com if bigger whitelist score is needed
> header __L_FROM_TWITTER From:addr =~ /[\@.]twitter\.com$/mi
> meta L_FAKE_TWITTER __L_FROM_TWITTER && !__L_DKIM_VALID_TWITTER
> score L_FAKE_TWITTER 5
anyway thanks for the rule
i still just use 3.3.1 here so i don't know if check_dkim_invalid is possible