Posted to users@spamassassin.apache.org by Chris <cp...@embarqmail.com> on 2010/09/28 00:22:24 UTC
Re: Phish triggered short circuit 'ham' (Solved)
On Thu, 2010-09-23 at 17:55 -0500, Chris wrote:
> http://pastebin.com/ypiHcyvK
>
> The above phish for my ISP came in this morning, it triggered the short
> circuit 'ham' rule. Is it because I have this in my local.cf and the
> message has a dkim signature?
>
> def_whitelist_from_dkim *@embarqmail.com
>
> DKIM-Signature: v=1; a=rsa-sha1; d=embarqmail.com; s=s012408;
> c=relaxed/simple; q=dns/txt; i=@embarqmail.com; t=1285235699;
> h=From:Subject:Date:To:MIME-Version:Content-Type;
> bh=9FOJPKqN2Ht/0QapcfDg7uQayg4=;
> b=WMoex2VshAez5cqfiXbdykBskGnhCxMtG4ojE3+VaHxS2tB466/bZ2YjLuY3afkV
> gSsc8wS1MU8RdOVs2AcIrWmIz/h8RQHuuN1hl2tPSHiN9vCBRbx5qEKa3qpTlnAy;
>
> Do I have def_whitelist_from_dkim configured incorrectly?
>
> Chris
>
Got this from my ISP today:
The phishing email was from a compromised user account. Some foreign
entity had logged onto our outbound email server with a customer's
stolen credentials and sent out phishing emails. This is quite a
desirable scenario for phishers as their email goes out through a valid
server when they have pilfered ISP user accounts. This causes a couple
of issues. The phishing emails are more likely to be accepted from a
trusted SMTP server. After such an attack is detected, the formerly
trusted SMTP server is soon subject to blocking based on the smear to
its reputation.
--
Chris
KeyID 0xE372A7DA98E6705C
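
Added example (not part of the original thread, and not SpamAssassin's own code): a simplified Python model of why a domain-wide entry such as `def_whitelist_from_dkim *@embarqmail.com` also matches mail sent from a compromised account. It assumes the signature has already been cryptographically verified and that a hit requires the From address to match the glob and the signature's `d=` tag to equal the From domain; the function names and the sample addresses are constructed for illustration.

```python
import fnmatch
import re

# DKIM-Signature value modelled on the header quoted above; bh=/b= replaced by placeholders.
SAMPLE_SIG = (
    "v=1; a=rsa-sha1; d=embarqmail.com; s=s012408;\n"
    " c=relaxed/simple; q=dns/txt; i=@embarqmail.com; t=1285235699;\n"
    " h=From:Subject:Date:To:MIME-Version:Content-Type;\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER;"
)

def parse_dkim_tags(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue  # empty element after the final ';'
        name, _, val = item.partition("=")  # split on the first '=' only (base64 padding)
        tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def dkim_whitelist_hit(pattern, from_addr, sig_value, sig_verified):
    """Assumed model of a DKIM whitelist entry with no explicit signing domain."""
    if not sig_verified:
        return False
    tags = parse_dkim_tags(sig_value)
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    signing_domain = tags.get("d", "").lower()
    # The signature vouches for the domain, not for the individual mailbox.
    return fnmatch.fnmatchcase(from_addr, pattern.lower()) and signing_domain == from_domain

def demo():
    """Evaluate the page's whitelist pattern against constructed sender addresses."""
    pattern = "*@embarqmail.com"
    cases = [
        ("customer-a@embarqmail.com", True),     # ordinary customer
        ("stolen-login@embarqmail.com", True),   # compromised account, same server and key
        ("customer-a@example.net", True),        # From domain differs from d=
        ("customer-a@embarqmail.com", False),    # signature failed verification
    ]
    return [dkim_whitelist_hit(pattern, addr, SAMPLE_SIG, ok) for addr, ok in cases]

if __name__ == "__main__":
    print(demo())
```

The legitimate customer and the compromised account are indistinguishable to the whitelist check, because both are signed with the same domain key by the same outbound server.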