Posted to users@spamassassin.apache.org by Glenn Terjesen <gl...@webcat.no> on 2008/03/18 09:40:24 UTC

from field with double @'s

Hello,

 

Dunno if this topic has been talked about before but we keep getting spam
through with double @'s in the From: field.

Example:

Header src:

X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on SERVERNAME
X-Spam-Status: No, score=-81.7 required=5.0 tests=MISSING_DATE,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RDNS_NONE,
        URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,
        URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.2.3
To: user@domain.com
From: admin@viagra.com <us...@domain.com>

Problem is that user@domain.com is in a whitelist so the spam gets
through.

Can anyone hint me a way to create a rule that catches these mails?

Thanks

Re: SV: from field with double @'s

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 18.03.08 15:20, Glenn Terjesen wrote:
> I wish I could remove the whitelist_from config but you wouldn't believe
> how many bad email-signatures and bad email-servers there are out there
> that our customers need to get email from..

if they are sending mail from broken servers, it's one more reason to use
your server for sending e-mail through. You won't need to whitelist your
domain, because all mail will be directly posted through your server.
And you will be able to protect your domain from being forged by setting up
DKIM and SPF records.

> I'm gonna just create a script that removes "local" email accounts from
> our whitelist db. And lower the whitelist negative score.

maybe using default_whitelist_from instead of whitelist_from would help you
a bit. Note that it's still useless, when you are whitelisting addresses
that can be and are being forged by spammers.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

SV: from field with double @'s

Posted by Glenn Terjesen <gl...@webcat.no>.
Thank you for all the feedback.

I wish I could remove the whitelist_from config but you wouldn't believe
how many bad email-signatures and bad email-servers there are out there
that our customers need to get email from..

I'm gonna just create a script that removes "local" email accounts from
our whitelist db. And lower the whitelist negative score.


Vennlig Hilsen / Best Regards
Glenn Terjesen



Re: from field with double @'s

Posted by Joseph Brennan <br...@columbia.edu>.

> From: admin@viagra.com <us...@domain.com>

The above is almost OK.  The only error is not having doublequotes
around the text part (admin@viagra.com), which should be quoted because
it has a @ in it.  Other than that, having a @ in the text part is
normal for Outlook and maybe others.  Outlook insists on having a
text part and if the person's name is not known it puts the email
address in the text inside crazyquotes, e.g.

From: "'user@example.com'" <us...@example.com>



Consider this:

header CU_FROMVIAGRA    From =~ /viagra/i

It's very specific, isn't it?  But it gets over 500 a day here,
so we're using it.



> Problem is that user@domain.com is in a whitelist

As others said, this is bad.  Spammers often put the recipient's
domain in the sender address.  Going by supposed sender address,
the most commonly seen domain in spam is... our own domain.
Probably you too.  If you're getting a message from outside your
system without any smtp auth, it does not deserve any negative
points.  It might even deserve a positive point, but we haven't
done that yet.



Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology


Re: from field with double @'s

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 18.03.08 09:40, Glenn Terjesen wrote:
> Dunno if this topic has been talked about before but we keep getting spam
> through with double @'s in the From: field.

> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on SERVERNAME
> X-Spam-Status: No, score=-81.7 required=5.0 tests=MISSING_DATE,
> RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RDNS_NONE,
> URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,
>         URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no
> version=3.2.3
> To: user@domain.com
> From: admin@viagra.com <us...@domain.com>

> Problem is that user@domain.com is in a whitelist so the spam gets
> through.
> 
> Can anyone hint me a way to create a rule that catches these mails?

don't whitelist your own domain. Use whitelist_rcvd or whitelist_spf.

Spammers know that some people whitelist their own domains and fake the
sender to be the same (or at least in the same domain) as recipient.

whitelisting adds MANY negative points just not to be overridden (otherwise
than by blacklisting). If you'd even create a rule that would catch more @'s
in the From: address, you would have to give it very high score, which could
lead to false positives.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

Re: from field with double @'s

Posted by Matt Kettler <mk...@verizon.net>.
Glenn Terjesen wrote:
> Thanks for reply but we can't use any of these plugins:
>
> whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk,
> whitelist_auth
>
> Because our users and our customers' users send from smarthosts all over
> the world which don't have spf or dk or sends via exs internet providers
> mta.
>
Then you really need to find a way to handle whitelisting your customers 
at some other level. whitelist_from is not a viable option for your own 
domain, and hasn't been for years. whitelist_from_rcvd was created due 
to this exact problem, and it was added years ago, probably 8 years or 
more. If whitelist_from was a known problem then, it's still a known 
problem now.

I'd suggest you drop the whitelist_from. Then find some way at the layer 
that calls spamassassin to distinguish between valid email from your 
customers, and email from the outside world, and only call SA for email 
from the outside world. This has the added benefit of saving a lot of 
CPU time wasted processing email from your customers.

Presumably when your customers send direct via your server they're using 
some kind of SMTP auth, so you should be able to leverage that. It won't 
whitelist them if they email themselves via their ISP's mta, but there's 
not much you can do there without making your system wide-open to spammers.

Re: from field with double @'s

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 18.03.08 12:17, Glenn Terjesen wrote:
> Thanks for reply but we can't use any of these plugins:
> 
> whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk,
> whitelist_auth
> 
> Because our users and our customers' users send from smarthosts all over
> the world which don't have spf or dk or sends via exs internet providers
> mta.

It's quite bad when users from whole world can send mail through any SMTP
server, using your domain in from address, just because you make all these
checks impossible. Note that SPF and DKIM were created to fight e-mail
forgery, while this setup makes forgery very easy.

You should set up SMTP authentication and start requiring users to send mail
through your server, if they want to use your domain in from address.
THEN, you can easily set up SPF and/or DKIM and filter all forgeries.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are

RE: from field with double @'s

Posted by Glenn Terjesen <gl...@webcat.no>.
Thanks for reply but we can't use any of these plugins:

whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk,
whitelist_auth

Because our users and our customers' users send from smarthosts all over
the world which don't have spf or dk or sends via exs internet providers
mta.


-----Original message-----
From: Daryl C. W. O'Shea [mailto:spamassassin@dostech.ca]
Sent: 18 March 2008 10:02
To: Glenn Terjesen
Cc: users@spamassassin.apache.org
Subject: Re: from field with double @'s

On 18/03/2008 4:40 AM, Glenn Terjesen wrote:
> Problem is that user@domain.com <ma...@domain.com> is in a
> whitelist so the spam gets through.

> Can anyone hint me a way to create a rule that catches these mails?

Remove the user (or the glob@domain) from whitelist_from.

If you must whitelist your own domain use a whitelist method that isn't
forgeable (the appropriate MTA based mail auth method in addition to
SA's whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk,
whitelist_auth OR let your MTAs deal with it entirely).

Daryl


Re: from field with double @'s

Posted by Loren Wilton <lw...@earthlink.net>.
> On 18/03/2008 4:40 AM, Glenn Terjesen wrote:
>> Problem is that user@domain.com <ma...@domain.com> is in a
>> whitelist so the spam gets through.
>
>> Can anyone hint me a way to create a rule that catches these mails?

As everyone else has said, don't whitelist yourself.

But you may be able to do more than that.  While I bcc mail to myself, I 
virtually *never* send mail to myself.  And I *NEVER* send mail to myself 
with a display name of "Gloria Swanson" or "Elmer P. Dick", or anything 
other than exactly one specific string.

So I have a "blacklist self" rule that checks for my name as the sender and 
then checks the display string, and if it is "from me" but the display 
string is wrong (or missing) I add 50 points to the mail. Works quite nicely 
and no FPs.  Of course, I'm not an ISP, and a rule like that would need to 
be tailored to every specific recipient in an ISP situation.

One other thing you *could* consider would be to add a couple of points for 
an @ in the display name.  I would be quite hesitant to do this as a simple 
rule, because it is perfectly valid, and it is used by at least some 
perfectly legit senders.  I would be considerably more inclined to look for 
words like Canidian Pharm or Viaggra or some such as the sender name and 
write rules against that.

        Loren
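
[Added example, not part of the thread or of SpamAssassin: a Python sketch of the display-name check discussed above. It goes one step beyond "an @ in the display name" by flagging only a display text that carries an address different from the real one, so the Outlook-style From line quoted earlier stays clean. The function names and the sample headers are constructed for illustration.]

```python
import re

# Address-like token: local-part@domain, stopping at quotes, brackets, whitespace.
ADDR = re.compile(r"[^\s\"'<>()@,;]+@[^\s\"'<>()@,;]+")
# From value split into free-text display part and <addr-spec>.
FROM = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]*)>\s*$")


def split_from(value):
    """Return (display, address) from a From: header value, both lowercased.

    Tolerates the unquoted display text seen in the thread, which strict
    RFC 5322 parsers may reject.
    """
    m = FROM.match(value)
    if m:
        display = m.group("display").strip("\"' ").lower()
        return display, m.group("addr").strip().lower()
    # Bare address with no display part, e.g. "user@domain.com".
    return "", value.strip().lower()


def display_mismatch(value):
    """True when the display text carries an address other than the real one."""
    display, addr = split_from(value)
    return any(found != addr for found in ADDR.findall(display))


def at_count(value):
    """Number of '@' characters in the header value (the 'double @' signal)."""
    return value.count("@")


# Constructed sample headers modelled on the ones quoted in the thread.
SAMPLES = [
    "admin@viagra.com <user@domain.com>",         # shape of the spam in the first post
    "\"'user@example.com'\" <user@example.com>",  # Outlook-style, legitimate
    "\"Example User\" <user@domain.com>",         # ordinary display name
    "user@domain.com",                            # bare address
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{at_count(s)} @  mismatch={display_mismatch(s)!s:5}  {s}")
```

[The first two samples both contain two @ characters, but only the first one is a mismatch, which is why a plain "@ in the display name" rule needs a low score while the mismatch is a stronger signal.]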


Re: from field with double @'s

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 18/03/2008 4:40 AM, Glenn Terjesen wrote:
> Problem is that user@domain.com <ma...@domain.com> is in a
> whitelist so the spam gets through.

> Can anyone hint me a way to create a rule that catches these mails?

Remove the user (or the glob@domain) from whitelist_from.

If you must whitelist your own domain use a whitelist method that isn't
forgeable (the appropriate MTA based mail auth method in addition to
SA's whitelist_from_dkim, whitelist_from_spf, whitelist_from_dk,
whitelist_auth OR let your MTAs deal with it entirely).

Daryl