Posted to users@spamassassin.apache.org by Benny Pedersen <me...@junc.eu> on 2019/08/26 23:20:12 UTC
spf none and dkim not pass domains
I see that bitcoin phishing is trying to make use of not-DKIM-signed mail
and domains without SPF. Sounds silly, and maybe it's just not
detected anywhere yet. The problem is, as an example:

From: "nets kundeservice" <in...@nets.eu>

How to block this if it's not DKIM signed?

Same for SPF: is it just checking SPF none, and scoring that with 100 so
spamass-milter will reject it?

What do others do to signal it's not accepted? I am beginning to be very
tired of phishing and spamming abusers.

Currently 2033 IPv4 addresses are listed here locally for trying SASL auth on
port 25.
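The check asked for above, written out as an added Python example (it is not from the thread, and not SpamAssassin or KAM.cf code): a message is treated as unauthenticated when the envelope sender's domain publishes no SPF record, or a lazy one such as ?all, and no DKIM-Signature d= covers the From: domain. The SPF_RECORDS table stands in for DNS and its entries are invented; the sample messages, addresses and signature values are constructed; DKIM is checked for presence of an author-domain signature only, with no cryptographic verification. In SpamAssassin itself the same logic would be a meta rule over its SPF_NONE / SPF_HELO_NONE and DKIM tests with a local score; the script only shows the decision.

```python
"""Flag mail that names a protected domain in From: but carries no sender
authentication: no (or a lazy) SPF record for the envelope domain and no
DKIM-Signature whose d= matches the From: domain.
Added example, not SpamAssassin or KAM.cf code.  SPF_RECORDS stands in
for DNS so this runs offline; DKIM presence only, nothing is verified."""
import email.utils
import re
from email import message_from_string, policy

# Constructed stand-in for DNS TXT lookups (entries are invented and say
# nothing about the real domains): domain -> SPF record, None = no record.
SPF_RECORDS = {
    "nets.eu": "v=spf1 include:_spf.example.net -all",
    # "no-spf-here.example" is deliberately absent: lookup yields None
}
PROTECTED_DOMAINS = {"nets.eu"}   # brands that must be authenticated
REJECT_SCORE = 10.0               # the milter rejects at or above this
DKIM_D_TAG = re.compile(r"(?:^|;)\s*d=\s*([^;\s]+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of an address header ('Name <u@d>' or 'u@d')."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spf_posture(record):
    """none (no record), strict (-all), soft (~all), lazy (?all, +all, no all)."""
    if record is None:
        return "none"
    terms = [t.lower() for t in record.split()]
    if "-all" in terms:
        return "strict"
    if "~all" in terms:
        return "soft"
    return "lazy"


def dkim_signer_domains(msg):
    """d= domains over all DKIM-Signature headers (presence only)."""
    signers = set()
    for sig in msg.get_all("DKIM-Signature", []):
        match = DKIM_D_TAG.search(str(sig))
        if match:
            signers.add(match.group(1).lower())
    return signers


def author_signed(from_domain, signers):
    """True if some d= equals the From: domain or is a parent of it."""
    return any(from_domain == d or from_domain.endswith("." + d) for d in signers)


def assess(raw_message):
    """Score one RFC 5322 message given as text; returns a verdict dict."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    # SPF applies to the envelope sender, which a phisher keeps well away
    # from the brand shown in From:, so that is the domain looked up.
    envelope_domain = domain_of(msg.get("Return-Path")) or from_domain
    posture = spf_posture(SPF_RECORDS.get(envelope_domain))
    signed = author_signed(from_domain, dkim_signer_domains(msg))
    weak_spf = posture in ("none", "lazy")

    score, reasons = 0.0, []
    if weak_spf:
        score += 1.0
        reasons.append("SPF_" + posture.upper())
    if not signed:
        score += 1.0
        reasons.append("NO_AUTHOR_DKIM")
    # The combination the thread is about: protected brand in From: with
    # neither control in place.  Only this meta-condition carries reject weight.
    if from_domain in PROTECTED_DOMAINS and not signed and weak_spf:
        score += REJECT_SCORE
        reasons.append("PROTECTED_DOMAIN_UNAUTHENTICATED")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "spf": posture, "dkim_author": signed, "score": score,
            "reasons": reasons, "reject": score >= REJECT_SCORE}


# Constructed samples; addresses and signature values are invented.
PHISH = """\
Return-Path: <bounce@no-spf-here.example>
From: "nets kundeservice" <noreply@nets.eu>
Subject: Your payment

Send the bitcoin to ...
"""

GENUINE = """\
Return-Path: <bounce@nets.eu>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nets.eu; s=sel;
 h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
From: "nets kundeservice" <noreply@nets.eu>
Subject: Your statement

Your statement is attached.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, assess(raw))
```

Two design points worth keeping when this is turned into a real rule: SPF is looked up for the Return-Path domain, not the From: domain, because that is what SPF actually covers and a phisher will happily use a bounce domain of their own; and the reject-level score is attached only to the combination (protected brand, no author DKIM, no or lazy SPF), while bare SPF_NONE or a missing signature keep a small informational score, since plenty of legitimate small senders still have neither.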
Re: spf none and dkim not pass domains
Posted by hg user <me...@gmail.com>.
Is it the spam coming as an empty subject, empty message and a PDF
attachment?
I received about 3000 of them over the weekend and I'm starting to check the
logs of yesterday.
A lot of them got a high score, from 8 to 13, thanks to RBLs...
score=9.692 required=5.6 tests=[BAYES_60=1.5, MY_RULE_1=-0.001,
FORGED_MUA_MOZILLA=2.309, KAM_LAZY_DOMAIN_SECURITY=1, KAM_MANYTO=0.2,
RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001,
SPF_NONE=0.001] autolearn=disabled
Yesterday I loaded some of them into the Bayes engine and the results are
very, how can I say, "strange", and I may also add "dangerous"...
From the info of the debug, I'm testing a rule that checks for empty text,
empty body, PDF attachment, since, unfortunately, not all the sender
servers are in RBLs...
Aug 27 08:08:20.993 [29203] dbg: check:
subtests=__ANY_TEXT_ATTACH,__ANY_TEXT_ATTACH_DOC,__BOTH_INR_AND_REF,...,....,__CT,
__CTYPE_HAS_BOUNDARY,__CTYPE_MULTIPART_ANY,__CTYPE_MULTIPART_MIXED,__DKIM_DEPENDABLE,
__DOS_RCVD_MON,__DOS_RCVD_SUN,__DOS_RELAYED_EXT,__EMPTY_BODY,__ENV_AND_HDR_FROM_MATCH,
__FORGED_SENDER,__HAS_DATE,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_RCVD,
__HAS_SUBJECT,__HAS_TO,__HAS_UA,__HDRS_LCASE_KNOWN,__KAM_DROPBOX2,__KAM_FAKEDELIVER12,
__KAM_FAKEDELIVER4,__KAM_FAKEDELIVER6,__KAM_FAKEDELIVER8,__KAM_GOOGLE2_2,
__KAM_HARP3,__KAM_HAS_0_URIS,__KAM_JURY3,__KAM_MAILSPLOIT2,__KAM_MANYTO,
__KAM_MANYTO,__KAM_MANYTO,__KAM_MANYTO,__KAM_MANYTO,__KAM_MANYTO2,
__KAM_MANYTO2,__KAM_MANYTO2,__KAM_MANYTO2,__KAM_MANYTO2,__KAM_MANYTO2,
__KAM_MANYTO2,__KAM_MULTIPLE_FROM,__KAM_PAYPAL3B,__KAM_SPF_NONE,
__KAM_UPS2,__KAM_URIBL_PCCC,__KAM_WU1,__KB_WAM_FROM_NAME_SINGLEWORD,
__KHOP_NO_FULL_NAME,__LAST_EXTERNAL_RELAY_NO_AUTH,__LAST_UNTRUSTED_RELAY_NO_AUTH,
__LCL__ENV_AND_HDR_FROM_MATCH,__MIME_ATTACHMENT,__MIME_BASE64,__MIME_VERSION,
__MISSING_REF,__MISSING_REPLY,__MOZILLA_MUA,__MSGID_APPLEMAIL,__MSGID_GUID,
__MSGID_OK_HOST,__MUA_TBIRD,__PART_STOCK_CD_F,__PDF_ATTACH,
__PDF_ATTACH_FN1,__PDF_ATTACH_FN2,__PDF_ATTACH_MT,__RCVD_IN_ZEN,
__RDNS_SHORT,__RP_MATCHES_RCVD,__SANE_MSGID,__SUBJECT_EMPTY,__SUBJ_SHORT,
__TOCC_EXISTS,__TVD_MIME_ATT_AP,__TVD_MIME_ATT_TP,__UA_MOZ5,__UNPARSEABLE_RELAY_COUNT
On Tue, Aug 27, 2019 at 1:40 AM Kevin A. McGrail <km...@apache.org>
wrote:
> I believe you will find lazy domain security rules in KAM.cf that can
> help with this. ?all, for example, is lazy SPF.
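The rule described in the reply above, as an added Python example rather than SpamAssassin rule syntax (it is not the rule being tested and not from the thread): a message is flagged only when all three conditions hold, the way a meta rule would AND __SUBJECT_EMPTY, __EMPTY_BODY and __PDF_ATTACH from the debug output. The sample messages are constructed, and the attached "PDF" is nothing more than a base64-encoded "%PDF-1.4" header.

```python
"""Detect the lure pattern: empty Subject:, no visible body text, and a
PDF attachment; all three must hold, like a meta rule ANDing
__SUBJECT_EMPTY, __EMPTY_BODY and __PDF_ATTACH.
Added example, not the rule being tested above and not SpamAssassin
code.  Sample messages are constructed; the "PDF" is a base64 header."""
import html
import re
from email import message_from_string, policy

HTML_TAG = re.compile(r"<[^>]+>")


def subject_is_empty(msg):
    """True when Subject: is absent or only whitespace."""
    return not str(msg.get("Subject") or "").strip()


def visible_text(msg):
    """Inline text/* parts joined, HTML tags and entities removed, so an
    HTML body holding only &nbsp; still counts as empty."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue  # a .txt attachment is not body text
        text = part.get_content()
        if part.get_content_subtype() == "html":
            text = html.unescape(HTML_TAG.sub(" ", text)).replace("\xa0", " ")
        chunks.append(text.strip())
    return " ".join(c for c in chunks if c)


def pdf_parts(msg):
    """Filenames of leaf parts that are PDFs by MIME type or by extension."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            found.append(name or "(unnamed)")
    return found


def empty_pdf_lure(raw_message):
    """Evaluate the three sub-tests and AND them into one verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    empty_subject = subject_is_empty(msg)
    empty_body = not visible_text(msg)
    pdfs = pdf_parts(msg)
    return {"empty_subject": empty_subject, "empty_body": empty_body,
            "pdf_attachment": bool(pdfs), "pdfs": pdfs,
            "hit": empty_subject and empty_body and bool(pdfs)}


# Constructed samples.  LURE is the pattern from the thread; INVOICE is a
# legitimate-looking mail with the same attachment but a subject and text.
LURE = """\
From: sender@example.net
To: victim@example.org
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii


--b1
Content-Type: application/pdf; name="doc.pdf"
Content-Disposition: attachment; filename="doc.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

INVOICE = LURE.replace("Subject:\n", "Subject: Invoice 1234\n").replace(
    "charset=us-ascii\n\n\n", "charset=us-ascii\n\nPlease find the invoice attached.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("invoice", INVOICE)):
        print(name, empty_pdf_lure(raw))
```

Two details matter in practice: the body check walks every inline text part and strips HTML, so a lure whose only "content" is an HTML part with &nbsp; or an empty <div> is still empty, and the PDF check matches on both MIME type and filename extension, since senders of this kind of mail are not careful about labelling application/pdf correctly. The ANDed verdict is what keeps the false-positive rate down; any one of the three conditions on its own is common in legitimate mail.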
Re: spf none and dkim not pass domains
Posted by Benny Pedersen <me...@junc.eu>.
Kevin A. McGrail wrote on 2019-08-27 01:40:
> I believe you will find lazy domain security rules in KAM.cf that can
> help with this. ?all, for example, is lazy SPF.
Added the whole KAM.cf now; one problem solved, another created :=)
Aug 28 00:05:23.366 [7470] info: rules: meta test JMQ_CONGRAT has
dependency 'KAM_RAPTOR_ALTERED' with a zero score
Aug 28 00:05:23.371 [7470] info: rules: meta test KAM_JURY has
dependency 'KAM_RAPTOR_ALTERED' with a zero score
Aug 28 00:05:23.379 [7470] info: rules: meta test KAM_BADPDF2 has
dependency 'KAM_RPTR_SUSPECT' with a zero score
Aug 28 00:05:23.382 [7470] info: rules: meta test KAM_INSURE has
dependency 'CBJ_GiveMeABreak' with a zero score
Aug 28 00:05:23.384 [7470] info: rules: meta test
KAM_REALLY_FAKE_DELIVER has dependency 'KAM_RPTR_PASSED' with a zero
score
Aug 28 00:05:23.385 [7470] info: rules: meta test KAM_CARD has
dependency 'KAM_RPTR_SUSPECT' with a zero score
Aug 28 00:05:23.386 [7470] info: rules: meta test KAM_WARRANTY3 has
dependency 'CBJ_GiveMeABreak' with a zero score
Aug 28 00:05:23.386 [7470] info: rules: meta test KAM_AUTO has
dependency 'CBJ_GiveMeABreak' with a zero score
Aug 28 00:05:23.389 [7470] info: rules: meta test KAM_FAKE_DELIVER has
dependency 'KAM_RAPTOR_ALTERED' with a zero score
Aug 28 00:05:23.391 [7470] info: rules: meta test KAM_INSURE2 has
dependency 'CBJ_GiveMeABreak' with a zero score
Aug 28 00:05:23.394 [7470] info: rules: meta test KAM_NOTIFY2 has
dependency 'KAM_IFRAME' with a zero score
Aug 28 00:05:23.395 [7470] info: rules: meta test KAM_WARRANTY has
dependency 'CBJ_GiveMeABreak' with a zero score
Re: spf none and dkim not pass domains
Posted by "Kevin A. McGrail" <km...@apache.org>.
I believe you will find lazy domain security rules in KAM.cf that can
help with this. ?all, for example, is lazy SPF.
On 8/26/2019 19:20, Benny Pedersen wrote:
> I see that bitcoin phishing is trying to make use of not-DKIM-signed mail
> and domains without SPF. Sounds silly, and maybe it's just not
> detected anywhere yet. The problem is, as an example:
>
> From: "nets kundeservice" <in...@nets.eu>
>
> How to block this if it's not DKIM signed?
>
> Same for SPF: is it just checking SPF none, and scoring that with 100
> so spamass-milter will reject it?
>
> What do others do to signal it's not accepted? I am beginning to be very
> tired of phishing and spamming abusers.
>
> Currently 2033 IPv4 addresses are listed here locally for trying SASL auth on
> port 25.
--
Kevin A. McGrail
KMcGrail@Apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171